backport: consolidated security hardening and bugfixes for main

Author: somethingwithproof

CHANGELOG.md

@@ -3,9 +3,7 @@
 --- develop ---
 
 * issue#250: Fix date filter persistence by validating before shift_span detection
-* issue#258: Execute CREATE TABLE SQL correctly during replication sync
-* issue#278: Extract duplicated alert command execution paths in syslog_process_alerts
-* issue#278: Extract alert command execution into shared helper in functions.php; command tokenization now uses preg_split (handles tabs and consecutive spaces); /bin/sh fallback for non-executable command templates removed (use absolute paths with execute bit set)
+* issue#260: Replace eval-based callback execution in autocomplete handling
 * issue: Making changes to support Cacti 1.3
 * issue: Don't use MyISAM for non-analytical tables
 * issue: The install advisor for Syslog was broken in current Cacti releases

js/functions.js

@@ -220,7 +220,11 @@ function initSyslogMain(config) {
 
 							$.each(data, function(index, hostData) {
 								if ($('#host option[value="'+index+'"]').length == 0) {
-									$('#host').append('<option class="'+hostData.class+'" value="'+index+'">'+hostData.host+'</option>');
+									var option = $('<option>')
+										.addClass(hostData.class || '')
+										.val(index)
+										.text(hostData.host);
+									$('#host').append(option);
 								}
 							});
 
@@ -567,6 +571,25 @@ function initSyslogReports() {
  * Autocomplete Form Callback Functions
  * ======================================================================== */
 
+/**
+ * Validate and invoke a named callback function specified as a string
+ * @param {string} onChange - Name of the global function to call (e.g. 'myCallback')
+ */
+function runSyslogAutocompleteOnChange(onChange) {
+	if (typeof onChange !== 'string') {
+		return;
+	}
+
+	var callbackName = onChange.trim().replace(/\(\)\s*$/, '');
+	if (!callbackName.match(/^[A-Za-z_$][A-Za-z0-9_$]*$/)) {
+		return;
+	}
+
+	if (typeof window[callbackName] === 'function') {
+		window[callbackName]();
+	}
+}
+
 /**
  * Initialize autocomplete for form dropdown fields
  * @param {string} formName - The name of the form field
@@ -591,7 +614,7 @@ function initSyslogAutocomplete(formName, callback, onChange) {
 					$('#' + formName).val(ui.item.value);
 				}
 				if (onChange) {
-					eval(onChange);
+					runSyslogAutocompleteOnChange(onChange);
 				}
 			}
 		}).css('border', 'none').css('background-color', 'transparent');

setup.php

@@ -1573,6 +1573,25 @@ function syslog_utilities_action($action) {
 	}
 
 	if ($action == 'purge_syslog_hosts') {
+		if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
+			raise_message('syslog_error', __('Invalid request. This action requires a CSRF protected POST.', 'syslog'), MESSAGE_LEVEL_ERROR);
+			header('Location: utilities.php');
+			exit;
+		}
+
+		if (function_exists('csrf_check')) {
+			if (!csrf_check(false)) {
+				raise_message('syslog_error', __('Invalid request. This action requires a CSRF protected POST.', 'syslog'), MESSAGE_LEVEL_ERROR);
+				header('Location: utilities.php');
+				exit;
+			}
+		} else {
+			cacti_log('WARNING: syslog purge blocked -- CSRF validation unavailable', false, 'SYSLOG');
+			raise_message('syslog_error', __('Invalid request. Please try again.', 'syslog'), MESSAGE_LEVEL_ERROR);
+			header('Location: utilities.php');
+			exit;
+		}
+
 		$records = 0;
 
 		syslog_db_execute('DELETE FROM syslog_hosts
@@ -1625,7 +1644,50 @@ function syslog_utilities_list() {
 
 	<tr class='even'>
 		<td>
-			<a class='hyperLink' href='utilities.php?action=purge_syslog_hosts'><?php print __('Purge Syslog Devices', 'syslog');?></a>
+			<input id='syslog_purge_hosts' type='button' value='<?php print __esc('Purge Syslog Devices', 'syslog');?>'>
+			<div id='syslog_purge_dialog' style='display:none;'>
+				<p><?php print __esc('Are you sure you want to purge stale Syslog devices?', 'syslog');?></p>
+			</div>
+			<script type='text/javascript'>
+			$(function() {
+				$('#syslog_purge_hosts').on('click', function() {
+					$('#syslog_purge_dialog').dialog({
+						title: <?php print json_encode(__('Confirm Purge', 'syslog'), JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);?>,
+						minHeight: 80,
+						minWidth: 400,
+						resizable: false,
+						draggable: true,
+						buttons: {
+							'Cancel': {
+								text: <?php print json_encode(__('Cancel', 'syslog'), JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);?>,
+								id: 'btnPurgeCancel',
+								click: function() {
+									$(this).dialog('close');
+								}
+							},
+							'Continue': {
+								text: <?php print json_encode(__('Continue', 'syslog'), JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);?>,
+								id: 'btnPurgeContinue',
+								click: function() {
+									$(this).dialog('close');
+
+									var postData = {
+										action: 'purge_syslog_hosts',
+										__csrf_magic: csrfMagicToken
+									};
+
+									if (typeof postUrl == 'function') {
+										postUrl({url: 'utilities.php', noState: true}, postData);
+									} else {
+										loadPageUsingPost('utilities.php', postData);
+									}
+								}
+							}
+						}
+					});
+				});
+			});
+			</script>
 		</td>
 		<td>
 			<?php print __('This menu pick provides a means to remove Devices that are no longer reporting into Cacti\'s syslog server.', 'syslog');?>

syslog.php

@@ -364,10 +364,10 @@ function syslog_statistics() {
 
 			form_alternate_row('line' . $i);
 
-			print '<td>' . (get_request_var('host') != '-2' ? $r['host']:'-') . '</td>';
-			print '<td>' . (get_request_var('facility') != '-2' ? ucfirst($r['facility']):'-') . '</td>';
-			print '<td>' . (get_request_var('priority') != '-2' ? ucfirst($r['priority']):'-') . '</td>';
-			print '<td>' . (get_request_var('program') != '-2' ? ucfirst($r['program']):'-') . '</td>';
+			print '<td>' . (get_request_var('host') != '-2' ? html_escape($r['host']):'-') . '</td>';
+			print '<td>' . (get_request_var('facility') != '-2' ? html_escape(ucfirst($r['facility'])):'-') . '</td>';
+			print '<td>' . (get_request_var('priority') != '-2' ? html_escape(ucfirst($r['priority'])):'-') . '</td>';
+			print '<td>' . (get_request_var('program') != '-2' ? html_escape(ucfirst($r['program'])):'-') . '</td>';
 			//print '<td class="right">' . $r['insert_time'] . '</td>';
 			print '<td class="right">' . $time . '</td>';
 			print '<td class="right">' . number_format_i18n($r['records'], -1)     . '</td>';
@@ -521,7 +521,7 @@ function syslog_stats_filter() {
 										$class = 'deviceUp';
 									}
 
-									print '<option class="' . $class . '" value="' . $host['host_id'] . '"'; if (get_request_var('host') == $host['host_id']) { print ' selected'; } print '>' . $host['host'] . '</option>';
+									print '<option class="' . $class . '" value="' . $host['host_id'] . '"'; if (get_request_var('host') == $host['host_id']) { print ' selected'; } print '>' . html_escape($host['host']) . '</option>';
 								}
 							}
 							?>
@@ -541,7 +541,7 @@ function syslog_stats_filter() {
 
 							if (cacti_sizeof($facilities)) {
 								foreach ($facilities as $r) {
-									print '<option value="' . $r['facility_id'] . '"'; if (get_request_var('facility') == $r['facility_id']) { print ' selected'; } print '>' . ucfirst($r['facility']) . "</option>\n";
+									print '<option value="' . $r['facility_id'] . '"'; if (get_request_var('facility') == $r['facility_id']) { print ' selected'; } print '>' . html_escape(ucfirst($r['facility'])) . "</option>\n";
 								}
 							}
 							?>
@@ -561,7 +561,7 @@ function syslog_stats_filter() {
 
 							if (cacti_sizeof($priorities)) {
 								foreach ($priorities as $r) {
-									print '<option value="' . $r['priority_id'] . '"'; if (get_request_var('priority') == $r['priority_id']) { print ' selected'; } print '>' . ucfirst($r['priority']) . "</option>\n";
+									print '<option value="' . $r['priority_id'] . '"'; if (get_request_var('priority') == $r['priority_id']) { print ' selected'; } print '>' . html_escape(ucfirst($r['priority'])) . "</option>\n";
 								}
 							}
 							?>
@@ -1367,7 +1367,7 @@ function syslog_filter($sql_where, $tab) {
 											}
 										}
 										print '>';
-										print $host['host'] . '</option>';
+										print html_escape($host['host']) . '</option>';
 									}
 								}
 								?>
@@ -2055,4 +2055,3 @@ function syslog_form_callback($form_name, $classic_sql, $column_display, $column
 		<?php
 	}
 }
-

syslog_removal.php

@@ -169,7 +169,7 @@ function form_actions() {
 				FROM `" . $syslogdb_default . "`.`syslog_remove`
 				WHERE id=" . $matches[1]);
 
-			$removal_list  .= '<li>' . $removal_info . '</li>';
+			$removal_list  .= '<li>' . html_escape($removal_info) . '</li>';
 			$removal_array[] = $matches[1];
 		}
 	}

syslog_reports.php

@@ -157,7 +157,7 @@ function form_actions() {
 				FROM `' . $syslogdb_default . '`.`syslog_reports`
 				WHERE id=' . $matches[1]);
 
-			$report_list  .= '<li>' . $report_info . '</li>';
+			$report_list  .= '<li>' . html_escape($report_info) . '</li>';
 			$report_array[] = $matches[1];
 		}
 	}

tests/regression/issue252_xss_output_test.php

@@ -0,0 +1,45 @@
+<?php
+
+$syslogPhp   = file_get_contents(dirname(__DIR__, 2) . '/syslog.php');
+$reportsPhp  = file_get_contents(dirname(__DIR__, 2) . '/syslog_reports.php');
+$removalPhp  = file_get_contents(dirname(__DIR__, 2) . '/syslog_removal.php');
+$functionsJs = file_get_contents(dirname(__DIR__, 2) . '/js/functions.js');
+
+if ($syslogPhp === false || $reportsPhp === false || $removalPhp === false || $functionsJs === false) {
+	fwrite(STDERR, "Failed to load one or more plugin files for issue252 checks.\n");
+	exit(1);
+}
+
+if (substr_count($syslogPhp, "html_escape(\$host['host'])") < 2) {
+	fwrite(STDERR, "Expected escaped host rendering in syslog.php output paths.\n");
+	exit(1);
+}
+
+if (strpos($reportsPhp, "html_escape(\$report_info)") === false) {
+	fwrite(STDERR, "Expected escaped report confirmation list entries.\n");
+	exit(1);
+}
+
+if (strpos($removalPhp, "html_escape(\$removal_info)") === false) {
+	fwrite(STDERR, "Expected escaped removal confirmation list entries.\n");
+	exit(1);
+}
+
+if (strpos($reportsPhp, "form_selectable_ecell(\$report['message'], \$report['id']);") === false) {
+	fwrite(STDERR, "Expected escaped report message cell rendering.\n");
+	exit(1);
+}
+
+if (strpos($functionsJs, "var option = $('<option>')") === false ||
+	strpos($functionsJs, ".text(hostData.host);") === false ||
+	strpos($functionsJs, "$('#host').append(option);") === false) {
+	fwrite(STDERR, "Expected DOM-safe host option rendering in js/functions.js.\n");
+	exit(1);
+}
+
+if (strpos($functionsJs, "$('#host').append('<option class=\"'+hostData.class+'\" value=\"'+index+'\">'+hostData.host+'</option>');") !== false) {
+	fwrite(STDERR, "Legacy unsafe host option HTML concatenation still present.\n");
+	exit(1);
+}
+
+echo "issue252_xss_output_test passed\n";

tests/regression/issue259_csrf_purge_test.php

@@ -0,0 +1,106 @@
+<?php
+
+$setup = file_get_contents(dirname(__DIR__, 2) . '/setup.php');
+
+if ($setup === false) {
+	fwrite(STDERR, "Failed to read setup.php\n");
+	exit(1);
+}
+
+$required = array(
+	"if (\$_SERVER['REQUEST_METHOD'] !== 'POST')",
+	"if (function_exists('csrf_check'))",
+	"if (!csrf_check(false))",
+	"__csrf_magic: csrfMagicToken"
+);
+
+foreach ($required as $snippet) {
+	if (strpos($setup, $snippet) === false) {
+		fwrite(STDERR, "Missing expected CSRF hardening snippet: $snippet\n");
+		exit(1);
+	}
+}
+
+if (strpos($setup, "href='utilities.php?action=purge_syslog_hosts'") !== false) {
+	fwrite(STDERR, "Legacy GET purge link still present.\n");
+	exit(1);
+}
+
+// Verify fail-closed: the else branch (csrf_check unavailable) must reject, not fall through.
+// Assert globally safe properties rather than parsing the else block via brittle regex.
+
+// The fallback path must not attempt manual token checking
+if (strpos($setup, "\$_POST['__csrf_magic']") !== false) {
+	fwrite(STDERR, "Fallback CSRF branch must not check token presence; must fail closed.\n");
+	exit(1);
+}
+
+// The fallback path must log the blocked attempt
+if (strpos($setup, "cacti_log('WARNING: syslog purge blocked") === false) {
+	fwrite(STDERR, "Fail-closed branch must call cacti_log() to audit blocked purge attempts.\n");
+	exit(1);
+}
+
+// Log message must name the specific failure reason for incident response
+if (strpos($setup, 'CSRF validation unavailable') === false) {
+	fwrite(STDERR, "Log message must specify 'CSRF validation unavailable' for operational clarity.\n");
+	exit(1);
+}
+
+// Verify JS confirm() uses json_encode, not __esc() inside JS string
+if (preg_match("/confirm\(\s*'/", $setup)) {
+	fwrite(STDERR, "JS confirm() must use json_encode() for safe encoding, not __esc() in a quoted string.\n");
+	exit(1);
+}
+
+if (strpos($setup, 'json_encode(__(') === false) {
+	fwrite(STDERR, "Expected json_encode(__(...)) for JS-safe encoding of confirm message.\n");
+	exit(1);
+}
+
+// Verify json_encode uses JSON_HEX_TAG to prevent </script> breakout in HTML script context
+if (strpos($setup, 'JSON_HEX_TAG') === false) {
+	fwrite(STDERR, "json_encode() must use JSON_HEX_TAG to prevent script-context breakout.\n");
+	exit(1);
+}
+
+if (strpos($setup, 'JSON_HEX_AMP') === false) {
+	fwrite(STDERR, "json_encode() must use JSON_HEX_AMP to escape ampersands in script context.\n");
+	exit(1);
+}
+
+if (strpos($setup, 'JSON_HEX_APOS') === false) {
+	fwrite(STDERR, "json_encode() must use JSON_HEX_APOS.\n");
+	exit(1);
+}
+
+if (strpos($setup, 'JSON_HEX_QUOT') === false) {
+	fwrite(STDERR, "json_encode() must use JSON_HEX_QUOT.\n");
+	exit(1);
+}
+
+// Verify user-facing message does not expose CSRF internals (log message may use "CSRF")
+if (strpos($setup, "raise_message('syslog_error', __('CSRF") !== false) {
+	fwrite(STDERR, "User-facing raise_message must not expose CSRF internals to end users.\n");
+	exit(1);
+}
+
+// Verify generic user-facing message is present
+if (strpos($setup, "Invalid request. Please try again.") === false) {
+	fwrite(STDERR, "Fail-closed branch must use generic 'Invalid request. Please try again.' message.\n");
+	exit(1);
+}
+
+// Verify fail-closed raise_message uses MESSAGE_LEVEL_ERROR severity
+if (strpos($setup, "raise_message('syslog_error', __('Invalid request. Please try again.', 'syslog'), MESSAGE_LEVEL_ERROR)") === false) {
+	fwrite(STDERR, "Fail-closed branch raise_message must use MESSAGE_LEVEL_ERROR severity.\n");
+	exit(1);
+}
+
+// Verify log message does not expose internal function name
+if (strpos($setup, 'csrf_check() unavailable') !== false) {
+	fwrite(STDERR, "Log message must not name internal validation function.\n");
+	exit(1);
+}
+
+echo "issue259_csrf_purge_test passed\n";