XSS fix, cont. again (#13778)

* XSS in alert template creation * XSS in alert rule name * XSS in service name & desc * style * strip_tags in alert_notes * strip_tags in create_alert_item * strip_tags in addsrv page
librenms · Feb 13, 2022 · 41ddce6 · 41ddce6
1 parent 0029e9f
commit 41ddce6
Show file tree

Hide file tree

Showing 6 changed files with 17 additions and 7 deletions.
diff --git a/includes/html/forms/alert-notes.inc.php b/includes/html/forms/alert-notes.inc.php
@@ -26,7 +26,7 @@
 
 $alert_id = $vars['alert_id'];
 $sub_type = $vars['sub_type'];
-$note = $vars['note'] ?: '';
+$note = strip_tags($vars['note']) ?: '';
 $status = 'error';
 
 if (is_numeric($alert_id)) {

diff --git a/includes/html/forms/alert-rules.inc.php b/includes/html/forms/alert-rules.inc.php
@@ -56,7 +56,7 @@
 $interval = $_POST['interval'];
 $mute = isset($_POST['mute']) ? $_POST['mute'] : null;
 $invert = isset($_POST['invert']) ? $_POST['invert'] : null;
-$name = $_POST['name'];
+$name = strip_tags($_POST['name']);
 $proc = $_POST['proc'];
 $recovery = ($vars['recovery']);
 $invert_map = isset($_POST['invert_map']) ? $_POST['invert_map'] : null;

diff --git a/includes/html/forms/alert-templates.inc.php b/includes/html/forms/alert-templates.inc.php
@@ -32,8 +32,11 @@
 $template_newid = 0;
 $create = true;
 
-$name = $vars['name'];
-if (isset($vars['template']) && empty(Blade::render($vars['template']))) {
+$name = strip_tags($vars['name']);
+if ((isset($vars['template']) && empty(Blade::render($vars['template']))) ||
+    (! empty($vars['title']) && empty(Blade::render($vars['title']))) ||
+    (! empty($vars['title_rec']) && empty(Blade::render($vars['title_rec'])))
+    ) {
     $message = 'Template failed to be parsed, please check the syntax';
 } elseif (! empty($name)) {
     if ($vars['template'] && is_numeric($vars['template_id'])) {

diff --git a/includes/html/forms/create-alert-item.inc.php b/includes/html/forms/create-alert-item.inc.php
@@ -27,7 +27,7 @@
 $interval = $_POST['interval'];
 $mute = $_POST['mute'];
 $invert = $_POST['invert'];
-$name = $_POST['name'];
+$name = strip_tages($_POST['name']);
 if ($_POST['proc'] != '') {
     $proc = $_POST['proc'];
 } else {

diff --git a/includes/html/forms/create-service.inc.php b/includes/html/forms/create-service.inc.php
@@ -28,7 +28,14 @@
     exit('ERROR: You need to be admin');
 }
 
-foreach (['desc', 'ip', 'ignore', 'disabled', 'param', 'name', 'template_id'] as $varname) {
+foreach (['desc', 'name'] as $varname) {
+    //sanitize description and name
+    if (isset($vars[$varname])) {
+        $$varname = strip_tags($vars[$varname]);
+        $update['service_' . $varname] = $$varname;
+    }
+}
+foreach (['ip', 'ignore', 'disabled', 'param', 'template_id'] as $varname) {
     if (isset($vars[$varname])) {
         $update['service_' . $varname] = $vars[$varname];
         $$varname = $vars[$varname];

diff --git a/includes/html/pages/addsrv.inc.php b/includes/html/pages/addsrv.inc.php
@@ -9,7 +9,7 @@
         if (Auth::user()->hasGlobalAdmin()) {
             $updated = '1';
 
-            $service_id = add_service($vars['device'], $vars['type'], $vars['descr'], $vars['ip'], $vars['params'], $vars['ignore'], $vars['disabled'], 0, $vars['name']);
+            $service_id = add_service($vars['device'], $vars['type'], strip_tags($vars['descr']), $vars['ip'], $vars['params'], $vars['ignore'], $vars['disabled'], 0, strip_tags($vars['name']));
             if ($service_id) {
                 $message .= $message_break . 'Service added (' . $service_id . ')!';
                 $message_break .= '<br />';