fix(security): defense-in-depth hardening for plugin_mikrotik#91
fix(security): defense-in-depth hardening for plugin_mikrotik#91somethingwithproof wants to merge 2 commits into
Conversation
Automated fixes: - XSS: escape request variables in HTML output - SQLi: convert string-concat queries to prepared statements - Deserialization: add allowed_classes=>false - Temp files: replace rand() with tempnam() Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
There was a problem hiding this comment.
Pull request overview
This PR applies defense-in-depth hardening to the plugin_mikrotik plugin, focusing on reducing common injection risks (SQLi/XSS/deserialization) in Cacti 1.2.x-compatible PHP.
Changes:
- Convert some SQL statements to prepared statements in poller scripts.
- Escape the
filterrequest variable when rendered into HTML<input value=...>attributes. - Attempt to restrict
unserialize()behavior for request-provided serialized data.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
poller_mikrotik.php |
Replaces interpolated SQL with prepared statements for process tracking queries. |
poller_graphs.php |
Updates commented-out SQL examples to prepared-statement style (no runtime impact). |
mikrotik.php |
Escapes filter when echoed into HTML value attributes to reduce XSS risk. |
mikrotik_users.php |
Modifies request deserialization logic (currently incorrect; see comment). |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| /* if we are to save this form, instead of display it */ | ||
| if (isset_request_var('selected_items')) { | ||
| $selected_items = unserialize(stripslashes(get_request_var('selected_items'))); | ||
| $selected_items = unserialize(stripslashes(get_request_var('selected_items', array('allowed_classes' => false)))); |
There was a problem hiding this comment.
The allowed_classes option is being passed to get_request_var() instead of to unserialize(). In Cacti, the 2nd argument to get_request_var() is a default value; passing an array here will make stripslashes() receive an array (PHP warning) and unserialize() will still run without allowed_classes => false, reintroducing object injection risk. Pass the options as the second parameter to unserialize() (and keep get_request_var('selected_items') returning a string).
| $selected_items = unserialize(stripslashes(get_request_var('selected_items', array('allowed_classes' => false)))); | |
| $selected_items = unserialize(stripslashes(get_request_var('selected_items')), array('allowed_classes' => false)); |
- Change Dependabot ecosystem from npm to composer (PHP-only repo) - Remove PHP from CodeQL paths-ignore so security PRs get analysis - Remove committed .omc session artifacts, add .omc/ to .gitignore Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
|
Converted to draft to serialize the stack in this repo. Blocked by #90; will un-draft after that merges to avoid cross-PR merge conflicts. |
Summary
Automated defense-in-depth hardening addressing 54 security audit findings.
html_escape_request_var()allowed_classes => falsetounserialize()callsrand()withtempnam()All changes are PHP 7.0+ compatible for Cacti 1.2.x.
Test plan