Fix some xss injection for sysLocation and some other fields (#15183)

Reported by [Zluudg](https://huntr.dev/users/zluudg/)
2024-10-07 16:52:45 +00:00 · 2023-08-02 09:51:31 -05:00
parent d810c7a648
commit 3252ea37af
6 changed files with 22 additions and 22 deletions
--- a/app/Http/Controllers/Table/DeviceController.php
+++ b/app/Http/Controllers/Table/DeviceController.php
@@ -153,10 +153,10 @@ class DeviceController extends TableController
            'icon' => '<img src="' . asset($device->icon) . '" title="' . pathinfo($device->icon, PATHINFO_FILENAME) . '">',
            'hostname' => $this->getHostname($device),
            'metrics' => $this->getMetrics($device),
-            'hardware' => Rewrite::ciscoHardware($device),
-            'os' => $this->getOsText($device),
+            'hardware' => htmlspecialchars(Rewrite::ciscoHardware($device)),
+            'os' => htmlspecialchars($this->getOsText($device)),
            'uptime' => (! $device->status && ! $device->last_polled) ? __('Never polled') : Time::formatInterval($device->status ? $device->uptime : $device->last_polled->diffInSeconds(), true),
-            'location' => $this->getLocation($device),
+            'location' => htmlspecialchars($this->getLocation($device)),
            'actions' => view('device.actions', ['actions' => $this->getActions($device)])->__toString(),
            'device_id' => $device->device_id,
        ];
--- a/app/Http/Controllers/Table/LocationController.php
+++ b/app/Http/Controllers/Table/LocationController.php
@@ -79,7 +79,7 @@ class LocationController extends TableController
    {
        return [
            'id' => $location->id,
-            'location' => $location->location,
+            'location' => htmlspecialchars($location->location),
            'lat' => $location->lat,
            'lng' => $location->lng,
            'down' => $location->devices()->isDown()->count(),
--- a/includes/html/forms/get-host-dependencies.inc.php
+++ b/includes/html/forms/get-host-dependencies.inc.php
@@ -73,7 +73,7 @@ if (! Auth::user()->hasGlobalAdmin()) {
                    }

                    $hostname = format_hostname($myrow);
-                    $sysname = ($hostname == $myrow['sysName']) ? $myrow['hostname'] : $myrow['sysName'];
+                    $sysname = htmlspecialchars(($hostname == $myrow['sysName']) ? $myrow['hostname'] : $myrow['sysName']);
                    array_push($res_arr, ['deviceid' => $myrow['id'], 'hostname' => $hostname, 'sysname' => $sysname, 'parent' => $parent, 'parentid' => $myrow['parentid']]);
                }
                $status = ['current' => $_POST['current'], 'rowCount' => $_POST['rowCount'], 'rows' => $res_arr, 'total' => $rec_count];
--- a/includes/html/pages/devices.inc.php
+++ b/includes/html/pages/devices.inc.php
@@ -344,21 +344,21 @@ if ($format == 'graph') {
            },
            post: function () {
                return {
-                    format: '<?php echo $vars['format']; ?>',
+                    format: '<?php echo htmlspecialchars($vars['format']); ?>',
                    searchPhrase: '<?php echo htmlspecialchars($vars['searchquery'] ?? ''); ?>',
-                    os: '<?php echo $vars['os'] ?? ''; ?>',
-                    version: '<?php echo $vars['version'] ?? ''; ?>',
-                    hardware: '<?php echo $vars['hardware'] ?? ''; ?>',
-                    features: '<?php echo $vars['features'] ?? ''; ?>',
-                    location: '<?php echo $vars['location'] ?? ''; ?>',
-                    type: '<?php echo $vars['type'] ?? ''; ?>',
-                    state: '<?php echo $vars['state'] ?? ''; ?>',
-                    disabled: '<?php echo $vars['disabled'] ?? ''; ?>',
-                    ignore: '<?php echo $vars['ignore'] ?? ''; ?>',
-                    disable_notify: '<?php echo $vars['disable_notify'] ?? ''; ?>',
-                    group: '<?php echo $vars['group'] ?? ''; ?>',
-                    poller_group: '<?php echo $vars['poller_group'] ?? ''; ?>',
-                    device_id: '<?php echo $vars['device_id'] ?? ''; ?>',
+                    os: '<?php echo htmlspecialchars($vars['os'] ?? ''); ?>',
+                    version: '<?php echo htmlspecialchars($vars['version'] ?? ''); ?>',
+                    hardware: '<?php echo htmlspecialchars($vars['hardware'] ?? ''); ?>',
+                    features: '<?php echo htmlspecialchars($vars['features'] ?? ''); ?>',
+                    location: '<?php echo htmlspecialchars($vars['location'] ?? ''); ?>',
+                    type: '<?php echo htmlspecialchars($vars['type'] ?? ''); ?>',
+                    state: '<?php echo htmlspecialchars($vars['state'] ?? ''); ?>',
+                    disabled: '<?php echo htmlspecialchars($vars['disabled'] ?? ''); ?>',
+                    ignore: '<?php echo htmlspecialchars($vars['ignore'] ?? ''); ?>',
+                    disable_notify: '<?php echo htmlspecialchars($vars['disable_notify'] ?? ''); ?>',
+                    group: '<?php echo htmlspecialchars($vars['group'] ?? ''); ?>',
+                    poller_group: '<?php echo htmlspecialchars($vars['poller_group'] ?? ''); ?>',
+                    device_id: '<?php echo htmlspecialchars($vars['device_id'] ?? ''); ?>',
                };
            },
            url: "<?php echo url('/ajax/table/device') ?>"
@@ -372,7 +372,7 @@ if ($format == 'graph') {
            "<form method='post' action='' class='form-inline devices-search-header' role='form'>" +
            "<?php echo addslashes(csrf_field()) ?>"+
            "<div class='form-group'>" +
-            "<input type='text' name='searchquery' id='searchquery' value='<?php echo $vars['searchquery'] ?? ''; ?>' class='form-control' placeholder='Search'>" +
+            "<input type='text' name='searchquery' id='searchquery' value='<?php echo htmlspecialchars($vars['searchquery'] ?? ''); ?>' class='form-control' placeholder='Search'>" +
            "</div>" +
            "<div class='form-group'><?php echo $state_selection ?></div>" +
            "<div class='form-group'><select name='os' id='os' class='form-control'></select></div>" +
--- a/includes/html/pages/services.inc.php
+++ b/includes/html/pages/services.inc.php
@@ -134,7 +134,7 @@ require_once 'includes/html/modal/delete_service.inc.php';
                foreach (dbFetchRows($host_sql, $host_par) as $device) {
                    $device_id = $device['device_id'];
                    $device_hostname = $device['hostname'];
-                    $device_sysName = $device['sysName'];
+                    $device_sysName = htmlspecialchars($device['sysName']);
                    $devlink = generate_device_link($device, null, ['tab' => 'services']);
                    if ($shift == 1) {
                        array_unshift($sql_param, $device_id);
--- a/includes/html/table/alerts.inc.php
+++ b/includes/html/table/alerts.inc.php
@@ -194,7 +194,7 @@ foreach (dbFetchRows($sql, $param) as $alert) {
        'details' => '<a class="fa-solid fa-plus incident-toggle" style="display:none" data-toggle="collapse" data-target="#incident' . $alert['id'] . '" data-parent="#alerts"></a>',
        'verbose_details' => "<button type='button' class='btn btn-alert-details command-alert-details' aria-label='Details' id='alert-details' data-alert_log_id='{$alert_log_id}'><i class='fa-solid fa-circle-info'></i></button>",
        'hostname' => $hostname,
-        'location' => generate_link($alert['location'], ['page' => 'devices', 'location' => $alert['location']]),
+        'location' => generate_link(htmlspecialchars($alert['location']), ['page' => 'devices', 'location' => $alert['location']]),
        'timestamp' => ($alert['timestamp_display'] ? $alert['timestamp_display'] : 'N/A'),
        'severity' => $severity_ico,
        'state' => $alert['state'],