fix(security): defense-in-depth hardening for plugin_mactrack (#325)

* fix(security): defense-in-depth hardening for plugin_mactrack

Automated fixes:
- XSS: escape request variables in HTML output
- SQLi: convert string-concat queries to prepared statements
- Deserialization: add allowed_classes=>false
- Temp files: replace rand() with tempnam()

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>

* fix(js): migrate deprecated jQuery shorthand events to .on()/.off()

Replace .click(fn) with .on('click', fn), .change(fn) with
.on('change', fn), .submit(fn) with .on('submit', fn), .unbind()
with .off(), and .resize(fn) with .on('resize', fn).

These shorthands were deprecated in jQuery 3.3 and will be removed
in jQuery 4.0. Cacti core ships jQuery 3.x on develop.

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>

* fix(ci): Dependabot composer ecosystem, CodeQL PHP coverage

- Change Dependabot ecosystem from npm to composer (PHP-only repo)
- Remove PHP from CodeQL paths-ignore so security PRs get analysis
- Remove committed .omc session artifacts, add .omc/ to .gitignore

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>

* Update mactrack_view_macs.php

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* fix: Running php-cs-fixit on code

---------

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
Co-authored-by: TheWitness <thewitness@cacti.net>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: 3 people

.gitignore

@@ -20,3 +20,4 @@
 # +-------------------------------------------------------------------------+
 
 locales/po/*.mo
+.omc/

Net/DNS2/Cache.php

@@ -67,7 +67,7 @@ public function get($key) {
 			if ($this->cache_serializer == 'json') {
 				return json_decode($this->cache_data[$key]['object']);
 			} else {
-				return unserialize($this->cache_data[$key]['object']);
+				return unserialize($this->cache_data[$key]['object'], ['allowed_classes' => false]);
 			}
 		} else {
 			return false;

Net/DNS2/Cache/File.php

@@ -67,7 +67,7 @@ public function open($cache_file, $size, $serializer) {
 				if ($this->cache_serializer == 'json') {
 					$decoded = json_decode($data, true);
 				} else {
-					$decoded = unserialize($data);
+					$decoded = unserialize($data, ['allowed_classes' => false]);
 				}
 
 				if (is_array($decoded) == true) {
@@ -145,7 +145,7 @@ public function __destruct() {
 				if ($this->cache_serializer == 'json') {
 					$decoded = json_decode($data, true);
 				} else {
-					$decoded = unserialize($data);
+					$decoded = unserialize($data, ['allowed_classes' => false]);
 				}
 
 				if (is_array($decoded) == true) {

Net/DNS2/Cache/Shm.php

@@ -104,7 +104,7 @@ public function open($cache_file, $size, $serializer) {
 					if ($this->cache_serializer == 'json') {
 						$decoded = json_decode($data, true);
 					} else {
-						$decoded = unserialize($data);
+						$decoded = unserialize($data, ['allowed_classes' => false]);
 					}
 
 					if (is_array($decoded) == true) {
@@ -195,7 +195,7 @@ public function __destruct() {
 				if ($this->cache_serializer == 'json') {
 					$decoded = json_decode($data, true);
 				} else {
-					$decoded = unserialize($data);
+					$decoded = unserialize($data, ['allowed_classes' => false]);
 				}
 
 				if (is_array($decoded) == true) {

lib/mactrack_functions.php

@@ -3713,16 +3713,16 @@ function exportRows() {
 			}
 
 			$(function() {
-				$('#mactrack').submit(function(event) {
+				$('#mactrack').on('submit', function(event) {
 					event.preventDefault();
 					applyFilter();
 				});
 
-				$('#clear').click(function() {
+				$('#clear').on('click', function() {
 					clearFilter();
 				});
 
-				$('#export').click(function() {
+				$('#export').on('click', function() {
 					exportRows();
 				});
 

mactrack_device_types.php

@@ -1180,24 +1180,24 @@ function scanDeviceType() {
 			}
 
 			$(function() {
-				$('#mactrack').submit(function(event) {
+				$('#mactrack').on('submit', function(event) {
 					event.preventDefault();
 					applyFilter();
 				});
 
-				$('#clear').click(function() {
+				$('#clear').on('click', function() {
 					clearFilter();
 				});
 
-				$('#export').click(function() {
+				$('#export').on('click', function() {
 					exportRows();
 				});
 
-				$('#import').click(function() {
+				$('#import').on('click', function() {
 					importRows();
 				});
 
-				$('#scan').click(function() {
+				$('#scan').on('click', function() {
 					scanDeviceType();
 				});
 			});

mactrack_devices.php

@@ -1315,20 +1315,20 @@ function importRows() {
 		}
 
 		$(function() {
-			$('#mactrack').submit(function(event) {
+			$('#mactrack').on('submit', function(event) {
 				event.preventDefault();
 				applyFilter();
 			});
 
-			$('#clear').click(function() {
+			$('#clear').on('click', function() {
 				clearFilter();
 			});
 
-			$('#export').click(function() {
+			$('#export').on('click', function() {
 				exportRows();
 			});
 
-			$('#import').click(function() {
+			$('#import').on('click', function() {
 				importRows();
 			});
 		});

mactrack_macauth.php

@@ -407,7 +407,7 @@ function mactrack_maca_filter() {
 					</td>
 				</tr>
 			</table>
-			<input type='hidden' id='page' value='<?php print get_request_var('page'); ?>'>
+			<input type='hidden' id='page' value='<?php print html_escape_request_var('page'); ?>'>
 			</form>
 			<script type='text/javascript'>
 
@@ -424,12 +424,12 @@ function clearFilter() {
 			}
 
 			$(function() {
-				$('#mactrack').submit(function(event) {
+				$('#mactrack').on('submit', function(event) {
 					event.preventDefault();
 					applyFilter();
 				});
 
-				$('#clear').click(function() {
+				$('#clear').on('click', function() {
 					clearFilter();
 				});
 			});

mactrack_macwatch.php

@@ -415,7 +415,7 @@ function mactrack_macw_filter() {
 					</td>
 				</tr>
 			</table>
-			<input type='hidden' id='page' value='<?php print get_request_var('page'); ?>'>
+			<input type='hidden' id='page' value='<?php print html_escape_request_var('page'); ?>'>
 			</form>
 			<script type='text/javascript'>
 
@@ -432,12 +432,12 @@ function clearFilter() {
 			}
 
 			$(function() {
-				$('#mactrack').submit(function(event) {
+				$('#mactrack').on('submit', function(event) {
 					event.preventDefault();
 					applyFilter();
 				});
 
-				$('#clear').click(function() {
+				$('#clear').on('click', function() {
 					clearFilter();
 				});
 			});

mactrack_snmp.php

@@ -373,7 +373,7 @@ function mactrack_snmp_item_edit() {
 	<script type='text/javascript'>
 	$(function() {
 		setSNMP();
-		$('#snmp_version').change(function() {
+		$('#snmp_version').on('change', function() {
 			setSNMP();
 		});
 	});
@@ -635,7 +635,7 @@ function snmp_options_filter() {
 					</td>
 				</tr>
 			</table>
-			<input type='hidden' name='page' value='<?php print get_request_var('page'); ?>'>
+			<input type='hidden' name='page' value='<?php print html_escape_request_var('page'); ?>'>
 		</td>
 		</form>
 		<script type='text/javascript'>
@@ -653,15 +653,15 @@ function clearFilter() {
 		}
 
 		$(function() {
-			$('#go').click(function() {
+			$('#go').on('click', function() {
 				applyFilter();
 			});
 
-			$('#clear').click(function() {
+			$('#clear').on('click', function() {
 				clearFilter();
 			});
 
-			$('#mactrack_snmp').unbind().submit(function(event) {
+			$('#mactrack_snmp').off().on('submit', function(event) {
 				event.preventDefault();
 				applyFilter();
 			});