fix(security): defense-in-depth hardening for plugin_thold#767
Open
somethingwithproof wants to merge 2 commits intoCacti:developfrom
Open
fix(security): defense-in-depth hardening for plugin_thold#767somethingwithproof wants to merge 2 commits intoCacti:developfrom
somethingwithproof wants to merge 2 commits intoCacti:developfrom
Conversation
Automated fixes: - XSS: escape request variables in HTML output - SQLi: convert string-concat queries to prepared statements - Deserialization: add allowed_classes=>false - Temp files: replace rand() with tempnam() Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
Contributor
There was a problem hiding this comment.
Pull request overview
Defense-in-depth security hardening for the Thold plugin, focusing on reducing common web attack surfaces (XSS/object injection) in request handling and data decoding paths.
Changes:
- Tighten deserialization by adding
allowed_classes => falseoncacti_unserialize()usage. - Reduce XSS risk by escaping request vars before placing them into HTML value attributes.
- Harden request-derived IDs used in JavaScript requests/URLs by filtering and casting to integers.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
thold_webapi.php |
Attempts to harden unserialize of selected_graphs_array (currently introduces an argument-mismatch bug). |
thold_process.php |
Uses allowed_classes => false when unserializing stored rrd_reindexed data. |
thold_graph.php |
Escapes page request var before embedding into hidden inputs. |
setup.php |
Filters/casts request IDs before embedding them into JS POST bodies and URLs. |
notify_lists.php |
Filters/casts request ID before embedding it into JS-generated filter URLs. |
| $return_array = false; | ||
|
|
||
| $selected_graphs_array = cacti_unserialize(stripslashes(get_nfilter_request_var('selected_graphs_array'))); | ||
| $selected_graphs_array = cacti_unserialize(stripslashes(get_nfilter_request_var('selected_graphs_array', array('allowed_classes' => false)))); |
There was a problem hiding this comment.
get_nfilter_request_var() is being called with a second argument (array('allowed_classes' => false)), but this codebase otherwise only calls it with a single parameter. This is likely a runtime error (too many arguments) and also doesn’t apply the allowed_classes restriction to the unserialize operation. Pass the options array to cacti_unserialize() instead (second parameter), and keep get_nfilter_request_var('selected_graphs_array') as-is.
Suggested change
| $selected_graphs_array = cacti_unserialize(stripslashes(get_nfilter_request_var('selected_graphs_array', array('allowed_classes' => false)))); | |
| $selected_graphs_array = cacti_unserialize(stripslashes(get_nfilter_request_var('selected_graphs_array')), array('allowed_classes' => false)); |
Replace .click(fn) with .on('click', fn), .change(fn) with
.on('change', fn), .submit(fn) with .on('submit', fn), .unbind()
with .off(), and .resize(fn) with .on('resize', fn).
These shorthands were deprecated in jQuery 3.3 and will be removed
in jQuery 4.0. Cacti core ships jQuery 3.x on develop.
Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Automated defense-in-depth hardening addressing 58 security audit findings.
html_escape_request_var()allowed_classes => falsetounserialize()callsrand()withtempnam()All changes are PHP 7.0+ compatible for Cacti 1.2.x.
Test plan