diff --git a/.github/workflows/plugin-ci-workflow.yml b/.github/workflows/plugin-ci-workflow.yml index 86237dc..3840fa2 100644 --- a/.github/workflows/plugin-ci-workflow.yml +++ b/.github/workflows/plugin-ci-workflow.yml @@ -143,7 +143,7 @@ jobs: run: sudo apt-get update - name: Install System Dependencies - run: sudo apt-get install -y apache2 snmp snmpd rrdtool fping libapache2-mod-php${{ matrix.php }} + run: sudo apt-get install -y apache2 snmp snmpd rrdtool fping - name: Start SNMPD Agent and Test run: | diff --git a/functions.php b/functions.php index 1e54c13..2a147b7 100644 --- a/functions.php +++ b/functions.php @@ -47,6 +47,10 @@ function syslog_include_js() { - + '> + + diff --git a/syslog.php b/syslog.php index 0d1c45c..80165d8 100644 --- a/syslog.php +++ b/syslog.php @@ -1184,11 +1184,11 @@ function syslog_filter($sql_where, $tab) { ?> - + $save_html "; @@ -856,7 +856,7 @@ function syslog_alerts() { 'user' => [__('By User', 'syslog'), 'DESC'] ]; - $nav = html_nav_bar('syslog_alerts.php?filter=' . get_request_var('filter'), MAX_DISPLAY_PAGES, get_request_var('page'), $rows, $total_rows, cacti_sizeof($display_text) + 1, __('Alerts', 'syslog'), 'page', 'main'); + $nav = html_nav_bar('syslog_alerts.php?filter=' . rawurlencode(get_request_var('filter')), MAX_DISPLAY_PAGES, get_request_var('page'), $rows, $total_rows, cacti_sizeof($display_text) + 1, __('Alerts', 'syslog'), 'page', 'main'); form_start('syslog_alerts.php', 'chk'); diff --git a/syslog_removal.php b/syslog_removal.php index e047e68..b8768b5 100644 --- a/syslog_removal.php +++ b/syslog_removal.php @@ -234,7 +234,7 @@ function form_actions() { - + $save_html "; @@ -667,7 +667,7 @@ function syslog_removal() { form_start('syslog_removal.php', 'chk'); - $nav = html_nav_bar('syslog_removal.php?filter=' . get_request_var('filter'), MAX_DISPLAY_PAGES, get_request_var('page'), $rows, $total_rows, cacti_sizeof($display_text) + 1, __('Rules', 'syslog'), 'page', 'main'); + $nav = html_nav_bar('syslog_removal.php?filter=' . rawurlencode(get_request_var('filter')), MAX_DISPLAY_PAGES, get_request_var('page'), $rows, $total_rows, cacti_sizeof($display_text) + 1, __('Rules', 'syslog'), 'page', 'main'); print $nav; diff --git a/syslog_reports.php b/syslog_reports.php index fd7b212..ecf2ef1 100644 --- a/syslog_reports.php +++ b/syslog_reports.php @@ -206,7 +206,7 @@ function form_actions() { - + $save_html \n"; @@ -704,7 +704,7 @@ function syslog_report() { 'user' => [__('By User', 'syslog'), 'DESC'] ]; - $nav = html_nav_bar('syslog_reports.php?filter=' . get_request_var('filter'), MAX_DISPLAY_PAGES, get_request_var('page'), $rows, $total_rows, cacti_sizeof($display_text) + 1, __('Reports', 'syslog'), 'page', 'main'); + $nav = html_nav_bar('syslog_reports.php?filter=' . rawurlencode(get_request_var('filter')), MAX_DISPLAY_PAGES, get_request_var('page'), $rows, $total_rows, cacti_sizeof($display_text) + 1, __('Reports', 'syslog'), 'page', 'main'); form_start('syslog_reports.php', 'chk'); diff --git a/tests/regression/issue259_csrf_purge_test.php b/tests/regression/issue259_csrf_purge_test.php new file mode 100644 index 0000000..b2d30c0 --- /dev/null +++ b/tests/regression/issue259_csrf_purge_test.php @@ -0,0 +1,120 @@ + breakout in HTML script context +if (strpos($setup, 'JSON_HEX_TAG') === false) { + fwrite(STDERR, "json_encode() must use JSON_HEX_TAG to prevent script-context breakout.\n"); + exit(1); +} + +if (strpos($setup, 'JSON_HEX_AMP') === false) { + fwrite(STDERR, "json_encode() must use JSON_HEX_AMP to escape ampersands in script context.\n"); + exit(1); +} + +if (strpos($setup, 'JSON_HEX_APOS') === false) { + fwrite(STDERR, "json_encode() must use JSON_HEX_APOS.\n"); + exit(1); +} + +if (strpos($setup, 'JSON_HEX_QUOT') === false) { + fwrite(STDERR, "json_encode() must use JSON_HEX_QUOT.\n"); + exit(1); +} + +// Verify user-facing messages do not expose CSRF internals (log messages may use "CSRF") +if (preg_match('/raise_message\\s*\\(\\s*[^,]+,\\s*__\\(\\s*([\'\"])[^\'\"]*CSRF[^\'\"]*\\1/si', $setup)) { + fwrite(STDERR, "User-facing raise_message must not expose CSRF internals to end users.\n"); + exit(1); +} + +// Verify generic user-facing message is present +if (strpos($setup, "Invalid request. Please try again.") === false) { + fwrite(STDERR, "Fail-closed branch must use generic 'Invalid request. Please try again.' message.\n"); + exit(1); +} + +// Verify fail-closed raise_message uses MESSAGE_LEVEL_ERROR severity +if (strpos($setup, "raise_message('syslog_csrf_unavailable', __('Invalid request. Please try again.', 'syslog'), MESSAGE_LEVEL_ERROR)") === false) { + fwrite(STDERR, "Fail-closed branch raise_message must use MESSAGE_LEVEL_ERROR severity.\n"); + exit(1); +} + +// Verify log message does not expose internal function name +if (strpos($setup, 'csrf_check() unavailable') !== false) { + fwrite(STDERR, "Log message must not name internal validation function.\n"); + exit(1); +} + +echo "issue259_csrf_purge_test passed\n"; diff --git a/tests/regression/issue279_bulk_form_and_nav_encoding_test.php b/tests/regression/issue279_bulk_form_and_nav_encoding_test.php new file mode 100644 index 0000000..63f8e23 --- /dev/null +++ b/tests/regression/issue279_bulk_form_and_nav_encoding_test.php @@ -0,0 +1,58 @@ + file_get_contents(__DIR__ . '/../../syslog_removal.php'), + 'syslog_alerts.php' => file_get_contents(__DIR__ . '/../../syslog_alerts.php'), + 'syslog_reports.php' => file_get_contents(__DIR__ . '/../../syslog_reports.php'), + 'syslog.php' => file_get_contents(__DIR__ . '/../../syslog.php'), +); + +foreach ($targets as $file => $contents) { + if ($contents === false) { + fwrite(STDERR, "Unable to read $file\n"); + exit(1); + } +} + +foreach (array('syslog_removal.php', 'syslog_alerts.php', 'syslog_reports.php') as $file) { + if (strpos($targets[$file], "html_escape(get_request_var('drp_action'))") === false) { + fwrite(STDERR, "Expected escaped drp_action hidden field in $file\n"); + exit(1); + } + + if (strpos($targets[$file], "rawurlencode(get_request_var('filter'))") === false) { + fwrite(STDERR, "Expected URL-encoded filter nav value in $file\n"); + exit(1); + } + + if (strpos($targets[$file], "") !== false) { + fwrite(STDERR, "Legacy raw drp_action hidden field remains in $file\n"); + exit(1); + } +} + +$syslog = $targets['syslog.php']; + +if (strpos($syslog, "pageTab: ,") === false) { + fwrite(STDERR, "Expected JSON-encoded syslog pageTab value\n"); + exit(1); +} + +foreach (array( + "syslog_json_encode_for_script(__('Enter a search term', 'syslog'))", + "syslog_json_encode_for_script(__('Select Device(s)', 'syslog'))", + "syslog_json_encode_for_script(__('Devices Selected', 'syslog'))", + "syslog_json_encode_for_script(__('All Devices Selected', 'syslog'))", +) as $needle) { + if (strpos($syslog, $needle) === false) { + fwrite(STDERR, "Expected JS-safe initSyslogMain text encoding\n"); + exit(1); + } +} + +if (strpos($syslog, "pageTab: ''") !== false) { + fwrite(STDERR, "Legacy raw pageTab JS assignment still present\n"); + exit(1); +} + +echo "OK\n";