From 36b38a50cc10d4ed16caab92bdc18ed6abac9685 Mon Sep 17 00:00:00 2001 From: Tony Murray Date: Sun, 29 Sep 2024 08:06:52 -0500 Subject: [PATCH] Fix device dependencies xss (#16447) https://github.com/librenms/librenms/security/advisories/GHSA-rwwc-2v8q-gc9v Create html programmatically to prevent printing user input out. --- .../html/pages/device-dependencies.inc.php | 84 ++++++++++++++----- 1 file changed, 63 insertions(+), 21 deletions(-) diff --git a/includes/html/pages/device-dependencies.inc.php b/includes/html/pages/device-dependencies.inc.php index 898be8285e..998bdfccc0 100644 --- a/includes/html/pages/device-dependencies.inc.php +++ b/includes/html/pages/device-dependencies.inc.php 
@@ -70,48 +70,90 @@ var grid = $("#hostdeps").bootgrid({ }, formatters: { "actions": function(column, row) {
- var buttonDisabled = '';
- var response = " ";
- if (row.parent == 'None') {
- buttonDisabled = ' disabled';
- }
- response += "";
- return response;
+ var content = document.createElement('div');
+ content.style.whiteSpace = "nowrap";
+
+ var edit_button = document.createElement('button');
+ edit_button.setAttribute('type', 'button');
+ edit_button.setAttribute('class', 'btn btn-primary btn-sm command-edit');
+ edit_button.setAttribute('aria-label', 'Edit');
+ edit_button.setAttribute('data-toggle', 'modal');
+ edit_button.setAttribute('data-target', '#edit-dependency');
+ edit_button.setAttribute('name', 'edit-host-dependency');
+ edit_button.setAttribute('data-device_id', row.deviceid);
+ edit_button.setAttribute('data-host_name', row.hostname);
+ edit_button.setAttribute('data-parent_id', row.parentid);
+ var edit_button_label = document.createElement('i');
+ edit_button_label.setAttribute('class', 'fa fa-pencil');
+ edit_button_label.setAttribute('aria-hidden', 'true');
+ edit_button.appendChild(edit_button_label);
+ content.appendChild(edit_button);
+
+ content.appendChild(document.createTextNode(' '))
+
+ var delete_button = document.createElement('button');
+ delete_button.setAttribute('type', 'button');
+ delete_button.setAttribute('class', 'btn btn-danger btn-sm command-delete');
+ delete_button.setAttribute('aria-label', 'Delete');
+ delete_button.setAttribute('data-toggle', 'modal');
+ delete_button.setAttribute('data-target', '#confirm-delete');
+ delete_button.setAttribute('name', 'delete-host-dependency');
+ delete_button.setAttribute('data-device_id', row.deviceid);
+ delete_button.setAttribute('data-host_name', row.hostname);
+ delete_button.setAttribute('data-device_parent', row.parentid);
+ delete_button.disabled = row.parent == 'None';
+ var delete_button_label = document.createElement('i');
+ delete_button_label.setAttribute('class',
'fa fa-trash');
+ delete_button_label.setAttribute('aria-hidden', 'true');
+ delete_button.appendChild(delete_button_label);
+ content.appendChild(delete_button)
+
+ return content.outerHTML; }, "id": function(column, row) { return row.deviceid; }, "hostname": function(column, row) {
- return ''+row.hostname+'
'+row.sysname;
+ var content = document.createElement('div');
+ var link = document.createElement('a');
+ link.setAttribute('href', ' ':device_id']) ?>'.replace(':device_id', row.deviceid));
+ link.setAttribute('class', 'list-device');
+ link.appendChild(document.createTextNode(row.hostname));
+ content.appendChild(link);
+ content.appendChild(document.createElement('br'));
+ content.appendChild(document.createTextNode(row.sysname));
+
+ return content.innerHTML; }, "parent": function(column, row) { if (row.parent == 'None') { return 'None';
- } else {
- var temp = Array();
- var tempids = Array();
- var counter = 0;
- temp = row.parent.split(',');
- tempids = row.parentid.split(',');
- var retstr = '';
- for (i=0; i < temp.length; i++) {
- retstr = retstr + ''+temp[i]+', ';
- }
- return retstr.slice(0, -2); }
+
+ var temp = row.parent.split(',');
+ var tempids = row.parentid.split(',');
+ var retstr = '';
+ for (i=0; i < temp.length; i++) {
+ var link = document.createElement('a');
+ link.setAttribute('href', ' ':device_id']) ?>'.replace(':device_id', tempids[i]));
+ link.setAttribute('class', 'list-device');
+ link.appendChild(document.createTextNode(temp[i]));
+ retstr = retstr + link.outerHTML + ', ';
+ }
+ return retstr.slice(0, -2); } }, }).on("loaded.rs.jquery.bootgrid", function(e) { e.preventDefault(); /* Executes after data is loaded and rendered */ grid.find(".command-edit").on("click", function(e) {
- $('#edit-row_id').val($(this).parent().parent().data('row-id'));
+ $('#edit-row_id').val($(this).parent().parent().parent().data('row-id')); $("#edit-device_id").val($(this).data("device_id")); $("#edit-parent_id").val($(this).data("parent_id")); $('#edit-dependency').modal('show'); $('.modalhostname').text($(this).data("host_name")); }).end().find(".command-delete").on("click", function(e) {
- $('#delete-row_id').val($(this).parent().parent().data('row-id'));
+ $('#delete-row_id').val($(this).parent().parent().parent().data('row-id'));
$("#delete-device_id").val($(this).data("device_id")); $("#delete-parent_id").val($(this).data("device_parent")); $('#confirm-delete').modal('show');
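Review bot: The two click handlers now reach the bootgrid row by counting exactly three `.parent()` hops, a coupling the new wrapper `div` in the `actions` formatter forced and that will silently break the next time the cell markup changes; `$('#edit-row_id').val($(this).closest('tr').data('row-id'));` (and the same for `#delete-row_id`) locates the row regardless of nesting. The fix itself is sound because `createTextNode`/`setAttribute` values are escaped when serialized via `outerHTML`/`innerHTML`, but that reasoning is not visible in the code, so a why-comment above the first `var content = document.createElement('div');` such as `// Build DOM nodes and serialize them: the serializer escapes row values, so hostname/sysname/parent cannot inject markup (GHSA-rwwc-2v8q-gc9v).` would stop a later edit from drifting back to string concatenation. In the `parent` formatter the added loop still writes an undeclared `i` (`for (i=0; i < temp.length; i++)`), leaking a global in non-strict mode — `for (var i = 0; i < temp.length; i++)` — and `tempids[i]` becomes `undefined` (a link to `.../undefined`) whenever `row.parent` and `row.parentid` split to different lengths, which would be worth guarding with `tempids[i] || ''` unless the server side, outside this hunk, guarantees the two lists align. The enclosing `bootgrid({ ... })` call starts before the hunk.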