fix(security): defense-in-depth hardening for plugin_syslog (#303)

* ci: add CodeQL for javascript-typescript, python, ruby

* fix(ci): use specific runner labels, fix codeql concurrency

* fix(security): defense-in-depth hardening for plugin_syslog

Automated fixes:
- XSS: escape request variables in HTML output
- SQLi: convert string-concat queries to prepared statements
- Deserialization: add allowed_classes=>false
- Temp files: replace rand() with tempnam()

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>

* security: replace legacy XML import with secure helper in plugin_syslog

---------

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
Co-authored-by: TheWitness <thewitness@cacti.net>

Author: somethingwithproof

.github/workflows/codeql.yml

@@ -0,0 +1,47 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [main, master, develop, regression-audit]
+    paths-ignore:
+      - "**/*.php"
+      - "**/*.md"
+  pull_request:
+    branches: [main, master, develop, regression-audit]
+    paths-ignore:
+      - "**/*.php"
+      - "**/*.md"
+  schedule:
+    - cron: "30 1 * * 1"
+  workflow_dispatch:
+
+concurrency:
+  group: codeql-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["javascript-typescript", "python", "ruby"]
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3
+        with:
+          languages: ${{ matrix.language }}
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3
+        with:
+          category: "/language:${{ matrix.language }}"

syslog.php

@@ -1191,7 +1191,7 @@ function syslog_filter($sql_where, $tab) {
 							<?php print __('From', 'syslog');?>
 						</td>
 						<td>
-							<input type='text' id='date1' size='18' value='<?php print get_request_var('date1');?>'>
+							<input type='text' id='date1' size='18' value='<?php print html_escape_request_var('date1'); ?>'>
 						</td>
 						<td>
 							<i title='<?php print __esc('Start Date Selector', 'syslog');?>' class='calendar fa fa-calendar-alt' id='startDate'></i>
@@ -1200,7 +1200,7 @@ function syslog_filter($sql_where, $tab) {
 							<?php print __('To', 'syslog');?>
 						</td>
 						<td>
-							<input type='text' id='date2' size='18' value='<?php print get_request_var('date2');?>'>
+							<input type='text' id='date2' size='18' value='<?php print html_escape_request_var('date2'); ?>'>
 						</td>
 						<td>
 							<i title='<?php print __esc('End Date Selector', 'syslog');?>' class='calendar fa fa-calendar-alt' id='endDate'></i>
@@ -1472,7 +1472,7 @@ function syslog_filter($sql_where, $tab) {
 							</select>
 						</td>
 						<?php } else { ?>
-						<input type='hidden' id='removal' value='<?php print get_request_var('removal');?>'>
+						<input type='hidden' id='removal' value='<?php print html_escape_request_var('removal'); ?>'>
 						<?php } ?>
 						<?php if (get_nfilter_request_var('tab') == 'syslog') { ?>
 						<td>

syslog_alerts.php

@@ -934,20 +934,7 @@ function import() {
 }
 
 function alert_import() {
-	$import_text = get_nfilter_request_var('import_text');
-
-	if (trim($import_text) != '') {
-		/* textbox input */
-		$xml_data = $import_text;
-	} elseif (($_FILES['import_file']['tmp_name'] != 'none') && ($_FILES['import_file']['tmp_name'] != '')) {
-		/* file upload */
-		$fp = fopen($_FILES['import_file']['tmp_name'],'r');
-		$xml_data = fread($fp, filesize($_FILES['import_file']['tmp_name']));
-		fclose($fp);
-	} else {
-		header('Location: syslog_alerts.php?header=false');
-		exit;
-	}
+	$xml_data = syslog_get_import_xml_payload('syslog_alerts.php?header=false');
 
 	$xml_array = xml2array($xml_data);
 

syslog_removal.php

@@ -731,20 +731,7 @@ function import() {
 }
 
 function removal_import() {
-	$import_text = get_nfilter_request_var('import_text');
-
-	if (trim($import_text) != '') {
-		/* textbox input */
-		$xml_data = $import_text;
-	} elseif (($_FILES['import_file']['tmp_name'] != 'none') && ($_FILES['import_file']['tmp_name'] != '')) {
-		/* file upload */
-		$fp = fopen($_FILES['import_file']['tmp_name'],'r');
-		$xml_data = fread($fp, filesize($_FILES['import_file']['tmp_name']));
-		fclose($fp);
-	} else {
-		header('Location: syslog_removal.php?header=false');
-		exit;
-	}
+	$xml_data = syslog_get_import_xml_payload('syslog_removal.php?header=false');
 
 	/* obtain debug information if it's set */
 	$xml_array = xml2array($xml_data);

syslog_reports.php

@@ -796,20 +796,7 @@ function import() {
 }
 
 function report_import() {
-	$import_text = get_nfilter_request_var('import_text');
-
-	if (trim($import_text) != '') {
-		/* textbox input */
-		$xml_data = $import_text;
-	} elseif (($_FILES['import_file']['tmp_name'] != 'none') && ($_FILES['import_file']['tmp_name'] != '')) {
-		/* file upload */
-		$fp = fopen($_FILES['import_file']['tmp_name'],'r');
-		$xml_data = fread($fp, filesize($_FILES['import_file']['tmp_name']));
-		fclose($fp);
-	} else {
-		header('Location: syslog_reports.php?header=false');
-		exit;
-	}
+	$xml_data = syslog_get_import_xml_payload('syslog_reports.php?header=false');
 
 	/* obtain debug information if it's set */
 	$xml_array = xml2array($xml_data);