mirror/librenms-librenms
1
0
Fork 0
mirror of https://github.com/librenms/librenms.git synced 2024-10-07 16:52:45 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Update Tnmsne table backend (#15384)

Browse Source 
remove ridiculous sql injection vulnerability
This commit is contained in:
Tony Murray
2023-10-05 03:32:21 -05:00
committed by GitHub
parent 3294af6721
commit 9fca01830c
5 changed files with 112 additions and 119 deletions
Download Patch File Download Diff File Expand all files Collapse all files

110
app/Http/Controllers/Table/TnmsneController.php Normal file
View File

@@ -0,0 +1,110 @@
<?php
/*
* TnmsNeInfoController.php
*
* -Description-
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
* @package LibreNMS
* @link http://librenms.org
* @copyright 2023 Tony Murray
* @author Tony Murray <murraytony@gmail.com>
*/
namespace App\Http\Controllers\Table;
use App\Models\TnmsneInfo;
use Illuminate\Http\Request;
class TnmsneController extends TableController
{
protected function rules()
{
return [
'device_id' => 'nullable|integer',
];
}
protected function sortFields($request)
{
return [
'neName',
'neLocation',
'neType',
'neOpMode',
'neAlarm',
'neOpState',
];
}
protected function searchFields(Request $request)
{
return [
'neName',
'neLocation',
'neType',
'neOpMode',
'neAlarm',
'neOpState',
];
}
protected function filterFields(Request $request)
{
return ['device_id'];
}
/**
* @inheritDoc
*/
protected function baseQuery(Request $request)
{
return TnmsneInfo::query();
}
/**
* @param TnmsneInfo $tnmsne
* @return array
*/
public function formatItem($tnmsne)
{
$neOp = $tnmsne->neOpMode == 'operation'
? '<span style="min-width:40px;" class="label label-success">operation</span>'
: '<span style="min-width:40px;" class="label label-danger">' . htmlspecialchars($tnmsne->neOpMode) . '</span>';
$opState = $tnmsne->neOpState == 'enabled'
? '<td class="list"><span style="min-width:40px;" class="label label-success">enabled</span></td>'
: '<td class="list"><span style="min-width:40px;" class="label label-danger">' . htmlspecialchars($tnmsne->neOpState) . '</span></td>';
return [
'neName' => htmlspecialchars($tnmsne->neName),
'neLocation' => htmlspecialchars($tnmsne->neLocation),
'neType' => htmlspecialchars($tnmsne->neType),
'neOpMode' => $neOp,
'neAlarm' => $this->getAlarmLabel($tnmsne->neAlarm),
'neOpState' => $opState,
];
}
private function getAlarmLabel(string $neAlarm): string
{
return match ($neAlarm) {
'cleared' => '<span style="min-width:40px;" class="label label-success">cleared</span>',
'warning' => '<span style="min-width:40px;" class="label label-warning">warning</span>',
'minor', 'major', 'critical', 'indeterminate' => '<span style="min-width:40px;" class="label label-danger">' . htmlspecialchars($neAlarm) . '</span>',
default => '<span style="min-width:40px;" class="label label-default">' . htmlspecialchars($neAlarm) . '</span>',
};
}
}

7
includes/common.php
View File

@@ -445,13 +445,6 @@ function is_customoid_graph($type, $subtype)
return false;
} // is_customoid_graph
function search_phrase_column($c)
{
global $searchPhrase;
return "$c LIKE '%$searchPhrase%'";
} // search_phrase_column
/**
* Parse location field for coordinates
*

3
includes/html/pages/device/tnmsne.inc.php
View File

@@ -27,11 +27,10 @@ $pagetitle[] = 'Hardware';
post: function()
{
return {
id: "tnmsneinfo",
device_id: '<?php echo htmlspecialchars($device['device_id']); ?>',
};
},
url: "ajax_table.php",
url: "<?php echo route('table.tnmsne') ?>",
formatters: {
},
templates: {

110
includes/html/table/tnmsneinfo.inc.php
View File

@@ -1,110 +0,0 @@
<?php
/*
* LibreNMS device MIB association browser
*
* Copyright (c) 2015 Gear Consulting Pty Ltd <github@libertysys.com.au>
*
* by Paul Gear
* based on code by Søren Friis Rosiak <sorenrosiak@gmail.com>
* in commit 054bf3ae209f34a2c3bc8968300722004903df1b
*
* This program is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation, either version 3 of the License, or (at your
* option) any later version. Please see LICENSE.txt at the top level of
* the source code distribution for details.
*/
$columns = [
'neName',
'neLocation',
'neType',
'neOpMode',
'neAlarm',
'neOpState',
];
if (isset($vars['device_id'])) {
$params = [
$vars['device_id'],
];
$sql = 'SELECT `neName`,`neLocation`,`neType`,`neOpMode`,`neAlarm`,`neOpState` FROM `tnmsneinfo`';
$wheresql = ' WHERE `device_id` = ?';
$sortcolumns = 3;
$count_sql = 'SELECT COUNT(id) FROM `tnmsneinfo`' . $wheresql;
// all columns are searchable - search across them
if (isset($searchPhrase) && ! empty($searchPhrase)) {
$searchsql = implode(' OR ', array_map('search_phrase_column', $columns));
$wheresql .= " AND ( $searchsql )";
}
$sql .= $wheresql;
// get total
$total = dbFetchCell($count_sql, $params);
if (empty($total)) {
$total = 0;
}
// set up default sort
if (! isset($sort) || empty($sort)) {
$sort = implode(', ', array_slice($columns, 0, $sortcolumns));
}
$sql .= " ORDER BY $sort";
// select only the required rows
if (isset($current)) {
$limit_low = (($current * $rowCount) - $rowCount);
$limit_high = $rowCount;
}
if ($rowCount != -1) {
$sql .= " LIMIT $limit_low,$limit_high";
}
// load data from database into response array
$response = [];
foreach (dbFetchRows($sql, $params) as $tnmsne) {
if ($tnmsne['neOpMode'] == 'operation') {
$neop = '<span style="min-width:40px; display:inlink-block;" class="label label-success">operation</span>';
} else {
$neop = '<span style="min-width:40px; display:inlink-block;" class="label label-danger">' . $tnmsne['neOpMode'] . '</span>';
}
switch ($tnmsne['neAlarm']) {
case 'cleared':
$alarm = '<span style="min-width:40px; display:inline-block;" class="label label-success">cleared</span>';
break;
case 'warning':
$alarm = '<span style="min-width:40px; display:inline-block;" class="label label-warning">warning</span>';
break;
case 'minor':
case 'major':
case 'critical':
case 'indeterminate':
$alarm = '<span style="min-width:40px; display:inline-block;" class="label label-danger">' . $tnmsne['neAlarm'] . '</span>';
break;
default:
$alarm = '<span style="min-width:40px; display:inline-block;" class="label label-default">' . $tnmsne['neAlarm'] . '</span>';
}
if ($tnmsne['neOpState'] == 'enabled') {
$opstate = '<td class="list"><span style="min-width:40px; display:inline-block;" class="label label-success">enabled</span></td>';
} else {
$opstate = '<td class="list"><span style="min-width:40px; display:inline-block;" class="label label-danger">' . $tnmsne['neOpState'] . '</span></td>';
}
$response[] = [
'neName' => $tnmsne['neName'],
'neLocation' => $tnmsne['neLocation'],
'neType' => $tnmsne['neType'],
'neOpMode' => $neop,
'neAlarm' => $alarm,
'neOpState' => $opstate,
];
}
$output = [
'current' => $current,
'rowCount' => $rowCount,
'rows' => $response,
'total' => $total,
];
echo json_encode($output, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE);
}

1
routes/web.php
View File

@@ -201,6 +201,7 @@ Route::middleware(['auth'])->group(function () {
Route::post('ports', 'PortsController')->name('table.ports');
Route::post('routes', 'RoutesTablesController');
Route::post('syslog', 'SyslogController');
Route::post('tnmsne', 'TnmsneController')->name('table.tnmsne');
Route::post('vminfo', 'VminfoController');
});