fix(security): defense-in-depth hardening for plugin_mactrack#325
Merged: TheWitness merged 6 commits into Cacti:develop (Apr 24, 2026)
Conversation
Automated fixes:
- XSS: escape request variables in HTML output
- SQLi: convert string-concat queries to prepared statements
- Deserialization: add allowed_classes=>false
- Temp files: replace rand() with tempnam()

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
Pull request overview
Defense-in-depth security hardening for the plugin_mactrack codebase by reducing XSS exposure in UI filters and tightening PHP deserialization behavior.
Changes:
- Hardened multiple `unserialize()` call sites by adding `allowed_classes => false`.
- Escaped request variables used inside HTML `value` attributes via `html_escape_request_var()`.
- Updated Net_DNS2 cache loaders to use hardened unserialization when reading persisted cache state.
Reviewed changes
Copilot reviewed 15 out of 15 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| Net/DNS2/Cache/Shm.php | Adds allowed_classes => false when unserializing shared-memory cache data. |
| Net/DNS2/Cache/File.php | Adds allowed_classes => false when unserializing file cache data. |
| Net/DNS2/Cache.php | Adds allowed_classes => false when unserializing cached response objects. |
| mactrack_view_macs.php | Hardens deserialization of selected_items; escapes filter input value. |
| mactrack_view_ips.php | Escapes hidden page request variable in form. |
| mactrack_view_interfaces.php | Escapes filter request variable in input value attribute. |
| mactrack_view_devices.php | Escapes filter and hidden page request variables in form. |
| mactrack_view_arp.php | Escapes filter request variable in input value attribute. |
| mactrack_vendormacs.php | Escapes filter request variable in input value attribute. |
| mactrack_snmp.php | Escapes filter and hidden page request variables in form. |
| mactrack_macwatch.php | Escapes filter and hidden page request variables in form. |
| mactrack_macauth.php | Escapes filter and hidden page request variables in form. |
| mactrack_devices.php | Escapes filter request variable in input value attribute. |
| mactrack_device_types.php | Escapes filter request variable in input value attribute. |
| lib/mactrack_functions.php | Escapes filter request variable in site filter input value attribute. |
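The four hardening patterns named in the PR description and summarised in the review above (attribute escaping, `allowed_classes => false`, prepared statements, `tempnam()`) are shown below in standalone form. This is an added illustration, not code from plugin_mactrack or Cacti: it uses plain PHP (`htmlspecialchars()`, PDO, `tempnam()`) rather than Cacti's own helpers, and the table name `mac_track_devices_example`, the column names and the function names are assumptions made up for the example.

```php
<?php
// Added example, not plugin_mactrack code. Each function pairs the pattern the PR
// removes (described in the comment) with the hardened form it introduces.

// 1. Deserialization: refuse to instantiate any class from untrusted input.
// Before: unserialize($data) lets a crafted payload construct arbitrary classes
// and run their __wakeup()/__destruct() hooks. With allowed_classes => false
// (PHP 7.0+), objects decode as __PHP_Incomplete_Class and no user code runs.
function safe_unserialize(string $data)
{
    $value = @unserialize($data, ['allowed_classes' => false]);
    // unserialize() returns false both for malformed input and for a
    // legitimately serialized false; tell the two apart before giving up.
    if ($value === false && $data !== serialize(false)) {
        return null; // malformed or truncated input
    }
    return $value;
}

// Demonstrates the effect: an object survives only as an incomplete-class stub.
function deserialized_object_is_inert(): bool
{
    $obj = new stdClass();
    $obj->filter = 'x';
    $decoded = safe_unserialize(serialize($obj));
    return $decoded instanceof __PHP_Incomplete_Class;
}

// 2. Output escaping for values echoed into an HTML attribute.
// Before: value="<?php print get_request_var('filter'); ?>" reflects raw input.
// Cacti's html_escape_request_var() does the equivalent of this with its own
// request accessors (assumed); here plain $_REQUEST plus htmlspecialchars() is used.
function escape_request_var(string $name, string $default = ''): string
{
    $raw = isset($_REQUEST[$name]) ? (string) $_REQUEST[$name] : $default;
    // ENT_QUOTES escapes both quote characters, so the value cannot break out
    // of a single- or double-quoted attribute.
    return htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 3. SQL: bind parameters instead of concatenating the filter into the query.
// Before: "SELECT ... WHERE hostname = '" . $hostname . "'" (string concatenation).
// Table and column names are hypothetical. Cacti code would use its
// *_prepared() database helpers; PDO is used so the example runs on its own.
function find_device_by_hostname(PDO $db, string $hostname): array
{
    $stmt = $db->prepare(
        'SELECT device_id, hostname FROM mac_track_devices_example WHERE hostname = ?'
    );
    $stmt->execute([$hostname]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 4. Temp files: let the OS create the file atomically.
// Before: a name built from rand() is guessable and is created non-atomically,
// so another local user can pre-create or symlink it. tempnam() creates a new
// file with a unique name and mode 0600 and returns its path.
function make_temp_file(string $prefix = 'mactrack'): string
{
    $path = tempnam(sys_get_temp_dir(), $prefix);
    if ($path === false) {
        throw new RuntimeException('could not create a temporary file');
    }
    return $path;
}

// Self-check when run from the command line (uses an in-memory SQLite database).
if (PHP_SAPI === 'cli' && realpath($argv[0] ?? '') === __FILE__) {
    var_dump(deserialized_object_is_inert());            // bool(true)

    $_REQUEST['filter'] = '"><script>alert(1)</script>';
    echo '<input value="' . escape_request_var('filter') . '">', PHP_EOL;

    $db = new PDO('sqlite::memory:');
    $db->exec('CREATE TABLE mac_track_devices_example (device_id INTEGER, hostname TEXT)');
    $db->exec("INSERT INTO mac_track_devices_example VALUES (1, 'sw1'), (2, \"o'brien\")");
    var_dump(count(find_device_by_hostname($db, "o'brien")));   // int(1): quote is data, not SQL

    $tmp = make_temp_file();
    printf("%s %o\n", $tmp, fileperms($tmp) & 0777);   // ... 600
    unlink($tmp);
}
```

The deserialization check is the one reviewers most often get wrong: `allowed_classes => false` does not make `unserialize()` reject object payloads, it only neutralises them, so code that later type-checks the result (as `deserialized_object_is_inert()` does) still has to expect an `__PHP_Incomplete_Class` rather than the original type.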
This was referenced Apr 9, 2026
Replace .click(fn) with .on('click', fn), .change(fn) with
.on('change', fn), .submit(fn) with .on('submit', fn), .unbind()
with .off(), and .resize(fn) with .on('resize', fn).
These shorthands were deprecated in jQuery 3.3 and will be removed
in jQuery 4.0. Cacti core ships jQuery 3.x on develop.
Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
- Change Dependabot ecosystem from npm to composer (PHP-only repo)
- Remove PHP from CodeQL paths-ignore so security PRs get analysis
- Remove committed .omc session artifacts, add .omc/ to .gitignore

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
Contributor (Author):
Converted to draft to serialize the stack in this repo. Blocked by #324; will un-draft after that merges to avoid cross-PR merge conflicts.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
TheWitness previously approved these changes (Apr 24, 2026)
xmacan previously approved these changes (Apr 24, 2026)
xmacan approved these changes (Apr 24, 2026)
Summary
Automated defense-in-depth hardening addressing 76 security audit findings.
- `html_escape_request_var()` for request variables in HTML output
- `allowed_classes => false` added to `unserialize()` calls
- `rand()` replaced with `tempnam()`

All changes are PHP 7.0+ compatible for Cacti 1.2.x.
Test plan