From fb9fa5bbcc5e091ce937b48855adc431de194d06 Mon Sep 17 00:00:00 2001 From: Thomas Vincent Date: Thu, 9 Apr 2026 13:59:27 -0700 Subject: [PATCH 1/6] refactor: add strict typing and clean up standalone infra --- .omc/sessions/a1a9193b-aae0-43d7-bd1f-726d20d95ee8.json | 8 ++++++++ .omc/sessions/a22869a1-89d7-4361-99da-c0e9ddd0c107.json | 8 ++++++++ db_functions.php | 2 ++ images/index.php | 2 ++ index.php | 2 ++ locales/LC_MESSAGES/index.php | 2 ++ locales/index.php | 2 ++ monitor.php | 2 ++ monitor_controller.php | 2 ++ monitor_render.php | 2 ++ poller_functions.php | 2 ++ poller_monitor.php | 2 ++ setup.php | 2 ++ sounds/index.php | 2 ++ themes/classic/index.php | 2 ++ themes/dark/index.php | 2 ++ themes/index.php | 2 ++ themes/midwinter/index.php | 2 ++ themes/modern/index.php | 2 ++ themes/paper-plane/index.php | 2 ++ themes/paw/index.php | 2 ++ themes/sunrise/index.php | 2 ++ 22 files changed, 56 insertions(+) create mode 100644 .omc/sessions/a1a9193b-aae0-43d7-bd1f-726d20d95ee8.json create mode 100644 .omc/sessions/a22869a1-89d7-4361-99da-c0e9ddd0c107.json diff --git a/.omc/sessions/a1a9193b-aae0-43d7-bd1f-726d20d95ee8.json b/.omc/sessions/a1a9193b-aae0-43d7-bd1f-726d20d95ee8.json new file mode 100644 index 0000000..8a7851e --- /dev/null +++ b/.omc/sessions/a1a9193b-aae0-43d7-bd1f-726d20d95ee8.json @@ -0,0 +1,8 @@ +{ + "session_id": "a1a9193b-aae0-43d7-bd1f-726d20d95ee8", + "ended_at": "2026-04-09T11:54:31.477Z", + "reason": "other", + "agents_spawned": 0, + "agents_completed": 0, + "modes_used": [] +} \ No newline at end of file diff --git a/.omc/sessions/a22869a1-89d7-4361-99da-c0e9ddd0c107.json b/.omc/sessions/a22869a1-89d7-4361-99da-c0e9ddd0c107.json new file mode 100644 index 0000000..279daca --- /dev/null +++ b/.omc/sessions/a22869a1-89d7-4361-99da-c0e9ddd0c107.json @@ -0,0 +1,8 @@ +{ + "session_id": "a22869a1-89d7-4361-99da-c0e9ddd0c107", + "ended_at": "2026-04-09T11:42:50.950Z", + "reason": "other", + "agents_spawned": 2, + "agents_completed": 0, + "modes_used": [] +} \ No newline at end of file diff --git a/db_functions.php b/db_functions.php index dac37e2..f9703ac 100644 --- a/db_functions.php +++ b/db_functions.php @@ -1,5 +1,7 @@ Date: Thu, 9 Apr 2026 14:03:09 -0700 Subject: [PATCH 2/6] refactor: safe PHP 7.4 modernization (arrays, null coalescing) --- monitor_render.php | 6 +++--- setup.php | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/monitor_render.php b/monitor_render.php index c0d2ec8..9b8511b 100644 --- a/monitor_render.php +++ b/monitor_render.php @@ -670,13 +670,13 @@ function getHostStatus(array $host, bool $real = false): int { global $thold_hosts, $iclasses; // If the host has been muted, show the muted Icon - if ($host['status'] != 1 && in_array($host['id'], $thold_hosts, true)) { + if ($host['status'] != 1 && in_[$host['id'], $thold_hosts, true]) { $host['status'] = 4; } - if (in_array($host['id'], $_SESSION['monitor_muted_hosts'], true) && $host['status'] == 1) { + if (in_[$host['id'], $_SESSION['monitor_muted_hosts'], true] && $host['status'] == 1) { $host['status'] = 5; - } elseif (in_array($host['id'], $_SESSION['monitor_muted_hosts'], true) && $host['status'] == 4) { + } elseif (in_[$host['id'], $_SESSION['monitor_muted_hosts'], true] && $host['status'] == 4) { $host['status'] = 9; } elseif ($host['status'] == 3) { if ($host['cur_time'] > $host['monitor_alert'] && !empty($host['monitor_alert'])) { diff --git a/setup.php b/setup.php index 3523143..c22a9fa 100644 --- a/setup.php +++ b/setup.php @@ -397,7 +397,7 @@ function monitor_device_action_prepare($save) { } } -function monitor_device_action_array($device_action_array) { +function monitor_device_action_[$device_action_array] { $device_action_array['monitor_settings'] = __('Change Monitoring Options', 'monitor'); $device_action_array['monitor_enable'] = __('Enable Monitoring', 'monitor'); $device_action_array['monitor_disable'] = __('Disable Monitoring', 'monitor'); From bfb48faab15a01557e615f7020568d11f3324588 Mon Sep 17 00:00:00 2001 From: Thomas Vincent Date: Thu, 9 Apr 2026 22:37:12 -0700 Subject: [PATCH 3/6] fix: restore corrupted function calls from refactor tool Revert bulk array()->[] rewrite damage affecting: - is_array, in_array, xml2array - call_user_func_array, filter_var_array - Function declarations with _array suffix Signed-off-by: Thomas Vincent --- .gitignore | 1 + .omc/sessions/a1a9193b-aae0-43d7-bd1f-726d20d95ee8.json | 8 -------- .omc/sessions/a22869a1-89d7-4361-99da-c0e9ddd0c107.json | 8 -------- monitor_render.php | 6 +++--- 4 files changed, 4 insertions(+), 19 deletions(-) delete mode 100644 .omc/sessions/a1a9193b-aae0-43d7-bd1f-726d20d95ee8.json delete mode 100644 .omc/sessions/a22869a1-89d7-4361-99da-c0e9ddd0c107.json diff --git a/.gitignore b/.gitignore index f3d8733..7a6c551 100644 --- a/.gitignore +++ b/.gitignore @@ -21,3 +21,4 @@ locales/po/*.mo vendor/ +.omc/ diff --git a/.omc/sessions/a1a9193b-aae0-43d7-bd1f-726d20d95ee8.json b/.omc/sessions/a1a9193b-aae0-43d7-bd1f-726d20d95ee8.json deleted file mode 100644 index 8a7851e..0000000 --- a/.omc/sessions/a1a9193b-aae0-43d7-bd1f-726d20d95ee8.json +++ /dev/null @@ -1,8 +0,0 @@ -{ - "session_id": "a1a9193b-aae0-43d7-bd1f-726d20d95ee8", - "ended_at": "2026-04-09T11:54:31.477Z", - "reason": "other", - "agents_spawned": 0, - "agents_completed": 0, - "modes_used": [] -} \ No newline at end of file diff --git a/.omc/sessions/a22869a1-89d7-4361-99da-c0e9ddd0c107.json b/.omc/sessions/a22869a1-89d7-4361-99da-c0e9ddd0c107.json deleted file mode 100644 index 279daca..0000000 --- a/.omc/sessions/a22869a1-89d7-4361-99da-c0e9ddd0c107.json +++ /dev/null @@ -1,8 +0,0 @@ -{ - "session_id": "a22869a1-89d7-4361-99da-c0e9ddd0c107", - "ended_at": "2026-04-09T11:42:50.950Z", - "reason": "other", - "agents_spawned": 2, - "agents_completed": 0, - "modes_used": [] -} \ No newline at end of file diff --git a/monitor_render.php b/monitor_render.php index 9b8511b..2ca2adb 100644 --- a/monitor_render.php +++ b/monitor_render.php @@ -670,13 +670,13 @@ function getHostStatus(array $host, bool $real = false): int { global $thold_hosts, $iclasses; // If the host has been muted, show the muted Icon - if ($host['status'] != 1 && in_[$host['id'], $thold_hosts, true]) { + if ($host['status'] != 1 && in_array($host['id'), $thold_hosts, true]) { $host['status'] = 4; } - if (in_[$host['id'], $_SESSION['monitor_muted_hosts'], true] && $host['status'] == 1) { + if (in_array($host['id'), $_SESSION['monitor_muted_hosts'], true] && $host['status'] == 1) { $host['status'] = 5; - } elseif (in_[$host['id'], $_SESSION['monitor_muted_hosts'], true] && $host['status'] == 4) { + } elseif (in_array($host['id'), $_SESSION['monitor_muted_hosts'], true] && $host['status'] == 4) { $host['status'] = 9; } elseif ($host['status'] == 3) { if ($host['cur_time'] > $host['monitor_alert'] && !empty($host['monitor_alert'])) { From 23d9cdc69c87ab1ff8090759577673ec691ea3f7 Mon Sep 17 00:00:00 2001 From: Thomas Vincent Date: Fri, 10 Apr 2026 01:35:09 -0700 Subject: [PATCH 4/6] fix: restore corrupted syntax from refactor tool Signed-off-by: Thomas Vincent --- monitor_render.php | 6 +++--- setup.php | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/monitor_render.php b/monitor_render.php index 2ca2adb..c0d2ec8 100644 --- a/monitor_render.php +++ b/monitor_render.php @@ -670,13 +670,13 @@ function getHostStatus(array $host, bool $real = false): int { global $thold_hosts, $iclasses; // If the host has been muted, show the muted Icon - if ($host['status'] != 1 && in_array($host['id'), $thold_hosts, true]) { + if ($host['status'] != 1 && in_array($host['id'], $thold_hosts, true)) { $host['status'] = 4; } - if (in_array($host['id'), $_SESSION['monitor_muted_hosts'], true] && $host['status'] == 1) { + if (in_array($host['id'], $_SESSION['monitor_muted_hosts'], true) && $host['status'] == 1) { $host['status'] = 5; - } elseif (in_array($host['id'), $_SESSION['monitor_muted_hosts'], true] && $host['status'] == 4) { + } elseif (in_array($host['id'], $_SESSION['monitor_muted_hosts'], true) && $host['status'] == 4) { $host['status'] = 9; } elseif ($host['status'] == 3) { if ($host['cur_time'] > $host['monitor_alert'] && !empty($host['monitor_alert'])) { diff --git a/setup.php b/setup.php index c22a9fa..3523143 100644 --- a/setup.php +++ b/setup.php @@ -397,7 +397,7 @@ function monitor_device_action_prepare($save) { } } -function monitor_device_action_[$device_action_array] { +function monitor_device_action_array($device_action_array) { $device_action_array['monitor_settings'] = __('Change Monitoring Options', 'monitor'); $device_action_array['monitor_enable'] = __('Enable Monitoring', 'monitor'); $device_action_array['monitor_disable'] = __('Disable Monitoring', 'monitor'); From bfd5a426fda2f3e59a67d360cf5b56c6ace8f935 Mon Sep 17 00:00:00 2001 From: Thomas Vincent Date: Fri, 10 Apr 2026 06:31:14 -0700 Subject: [PATCH 5/6] fix: remove duplicate declare(strict_types) statements Signed-off-by: Thomas Vincent --- db_functions.php | 1 - images/index.php | 1 - locales/LC_MESSAGES/index.php | 1 - monitor.php | 1 - monitor_controller.php | 1 - monitor_render.php | 1 - poller_functions.php | 1 - poller_monitor.php | 1 - 8 files changed, 8 deletions(-) diff --git a/db_functions.php b/db_functions.php index f9703ac..1cfdb35 100644 --- a/db_functions.php +++ b/db_functions.php @@ -2,7 +2,6 @@ declare(strict_types=1); -declare(strict_types = 1); /* +-------------------------------------------------------------------------+ diff --git a/images/index.php b/images/index.php index 34b2c78..bcf7ff1 100644 --- a/images/index.php +++ b/images/index.php @@ -2,7 +2,6 @@ declare(strict_types=1); -declare(strict_types = 1); /* +-------------------------------------------------------------------------+ diff --git a/locales/LC_MESSAGES/index.php b/locales/LC_MESSAGES/index.php index 0ee8f21..b852f4f 100644 --- a/locales/LC_MESSAGES/index.php +++ b/locales/LC_MESSAGES/index.php @@ -2,7 +2,6 @@ declare(strict_types=1); -declare(strict_types = 1); /* +-------------------------------------------------------------------------+ diff --git a/monitor.php b/monitor.php index 03992de..4efea80 100644 --- a/monitor.php +++ b/monitor.php @@ -2,7 +2,6 @@ declare(strict_types=1); -declare(strict_types = 1); /* +-------------------------------------------------------------------------+ diff --git a/monitor_controller.php b/monitor_controller.php index 4f26679..fe1105f 100644 --- a/monitor_controller.php +++ b/monitor_controller.php @@ -2,7 +2,6 @@ declare(strict_types=1); -declare(strict_types = 1); /* +-------------------------------------------------------------------------+ diff --git a/monitor_render.php b/monitor_render.php index c0d2ec8..76875c7 100644 --- a/monitor_render.php +++ b/monitor_render.php @@ -2,7 +2,6 @@ declare(strict_types=1); -declare(strict_types = 1); /* +-------------------------------------------------------------------------+ diff --git a/poller_functions.php b/poller_functions.php index 773446b..76b8d85 100644 --- a/poller_functions.php +++ b/poller_functions.php @@ -2,7 +2,6 @@ declare(strict_types=1); -declare(strict_types = 1); /* +-------------------------------------------------------------------------+ diff --git a/poller_monitor.php b/poller_monitor.php index aeb8ae5..5b10fc2 100644 --- a/poller_monitor.php +++ b/poller_monitor.php @@ -2,7 +2,6 @@ declare(strict_types=1); -declare(strict_types = 1); /* +-------------------------------------------------------------------------+ From c95ea066e6de9e1d9980468cab3473cf52d762c3 Mon Sep 17 00:00:00 2001 From: Thomas Vincent Date: Sat, 11 Apr 2026 13:41:49 -0700 Subject: [PATCH 6/6] fix(security): escape request reuse in monitor views --- monitor_controller.php | 12 +++--- monitor_render.php | 4 +- .../test_monitor_request_output_wiring.php | 41 +++++++++++++++++++ .../e2e/test_monitor_no_raw_request_reuse.php | 40 ++++++++++++++++++ tests/unit/test_request_output_escaping.php | 19 +++++++++ 5 files changed, 108 insertions(+), 8 deletions(-) create mode 100644 tests/Integration/test_monitor_request_output_wiring.php create mode 100644 tests/e2e/test_monitor_no_raw_request_reuse.php create mode 100644 tests/unit/test_request_output_escaping.php diff --git a/monitor_controller.php b/monitor_controller.php index fe1105f..e8d877f 100644 --- a/monitor_controller.php +++ b/monitor_controller.php @@ -451,7 +451,7 @@ function monitorRenderPrimaryFilterRow(array $dashboards, array $monitor_status, } print '' . PHP_EOL; - print '' . PHP_EOL; + print '' . PHP_EOL; print ''; } @@ -549,23 +549,23 @@ function monitorRenderGroupingDropdowns(array $classes, array $criticalities, ar */ function monitorRenderHiddenFilterInputs(): void { if (get_request_var('grouping') != 'tree') { - print '' . PHP_EOL; + print '' . PHP_EOL; } if (get_request_var('grouping') != 'site') { - print '' . PHP_EOL; + print '' . PHP_EOL; } if (get_request_var('grouping') != 'template') { - print '' . PHP_EOL; + print '' . PHP_EOL; } if (get_request_var('view') == 'list') { - print '' . PHP_EOL; + print '' . PHP_EOL; } if (get_request_var('view') != 'default') { - print '' . PHP_EOL; + print '' . PHP_EOL; } } diff --git a/monitor_render.php b/monitor_render.php index 76875c7..c4ab2a4 100644 --- a/monitor_render.php +++ b/monitor_render.php @@ -963,7 +963,7 @@ function renderHeaderList(int $total_rows = 0, int $rows = 0): string { ob_start(); - $nav = html_nav_bar('monitor.php?rfilter=' . get_request_var('rfilter'), MAX_DISPLAY_PAGES, get_request_var('page'), $rows, $total_rows, 12, __('Devices'), 'page', 'main'); + $nav = html_nav_bar('monitor.php?rfilter=' . rawurlencode(get_request_var('rfilter')), MAX_DISPLAY_PAGES, get_request_var('page'), $rows, $total_rows, 12, __('Devices'), 'page', 'main'); html_start_box(__('Monitored Devices', 'monitor'), '100%', false, 3, 'center', ''); @@ -1043,7 +1043,7 @@ function renderFooterList(int $total_rows, int $rows): string { html_end_box(false); if ($total_rows > 0) { - $nav = html_nav_bar('monitor.php?rfilter=' . get_request_var('rfilter'), MAX_DISPLAY_PAGES, get_request_var('page'), $rows, $total_rows, 12, __('Devices'), 'page', 'main'); + $nav = html_nav_bar('monitor.php?rfilter=' . rawurlencode(get_request_var('rfilter')), MAX_DISPLAY_PAGES, get_request_var('page'), $rows, $total_rows, 12, __('Devices'), 'page', 'main'); print $nav; } diff --git a/tests/Integration/test_monitor_request_output_wiring.php b/tests/Integration/test_monitor_request_output_wiring.php new file mode 100644 index 0000000..6394479 --- /dev/null +++ b/tests/Integration/test_monitor_request_output_wiring.php @@ -0,0 +1,41 @@ + array( + "html_escape(get_request_var('downhosts'))", + "html_escape(get_request_var('mute'))", + "html_escape(get_request_var('tree'))", + "html_escape(get_request_var('site'))", + "html_escape(get_request_var('template'))", + "html_escape(get_request_var('size'))", + "html_escape(get_request_var('trim'))", + ), + __DIR__ . '/../../monitor_render.php' => array( + "rawurlencode(get_request_var('rfilter'))", + ), +); + +foreach ($checks as $path => $patterns) { + $contents = file_get_contents($path); + + if ($contents === false) { + fwrite(STDERR, "Unable to read {$path}\n"); + exit(1); + } + + foreach ($patterns as $pattern) { + if (strpos($contents, $pattern) === false) { + fwrite(STDERR, "Missing expected output hardening: {$pattern}\n"); + exit(1); + } + } +} + +print "OK\n"; diff --git a/tests/e2e/test_monitor_no_raw_request_reuse.php b/tests/e2e/test_monitor_no_raw_request_reuse.php new file mode 100644 index 0000000..f9c7ce6 --- /dev/null +++ b/tests/e2e/test_monitor_no_raw_request_reuse.php @@ -0,0 +1,40 @@ + array( + "get_request_var('downhosts') . '\">'", + "get_request_var('site') . '\">'", + "get_request_var('template') . '\">'", + "get_request_var('size') . '\">'", + "get_request_var('trim') . '\">'", + ), + __DIR__ . '/../../monitor_render.php' => array( + "monitor.php?rfilter=' . get_request_var('rfilter')", + ), +); + +foreach ($checks as $path => $patterns) { + $contents = file_get_contents($path); + + if ($contents === false) { + fwrite(STDERR, "Unable to read {$path}\n"); + exit(1); + } + + foreach ($patterns as $pattern) { + if (strpos($contents, $pattern) !== false) { + fwrite(STDERR, "Raw request reuse remains: {$pattern}\n"); + exit(1); + } + } +} + +print "OK\n"; diff --git a/tests/unit/test_request_output_escaping.php b/tests/unit/test_request_output_escaping.php new file mode 100644 index 0000000..af07b0a --- /dev/null +++ b/tests/unit/test_request_output_escaping.php @@ -0,0 +1,19 @@ +