From 9603b08d60aef500f59a999b75651430d86d78af Mon Sep 17 00:00:00 2001 From: Thomas Vincent Date: Sun, 15 Mar 2026 19:06:21 -0700 Subject: [PATCH 1/4] ci: add CodeQL for javascript-typescript, python, ruby --- .github/workflows/codeql.yml | 47 ++++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..c79aff4 --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,47 @@ +name: "CodeQL" + +on: + push: + branches: [main, master, develop, regression-audit] + paths-ignore: + - "**/*.php" + - "**/*.md" + pull_request: + branches: [main, master, develop, regression-audit] + paths-ignore: + - "**/*.php" + - "**/*.md" + schedule: + - cron: "30 1 * * 1" + workflow_dispatch: + +concurrency: + group: codeql-${{ github.ref }}-${{ matrix.language }} + cancel-in-progress: true + +jobs: + analyze: + name: Analyze (${{ matrix.language }}) + runs-on: ubuntu-latest + timeout-minutes: 20 + permissions: + actions: read + contents: read + security-events: write + strategy: + fail-fast: false + matrix: + language: ["javascript-typescript", "python", "ruby"] + steps: + - name: Checkout repository + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 + - name: Initialize CodeQL + uses: github/codeql-action/init@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3 + with: + languages: ${{ matrix.language }} + - name: Autobuild + uses: github/codeql-action/autobuild@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3 + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3 + with: + category: "/language:${{ matrix.language }}" From 743ba749312ed5f62deb2dafd9bd4aaffb4990b2 Mon Sep 17 00:00:00 2001 
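Review bot: The `language` matrix covers javascript-typescript, python and ruby only, and `paths-ignore` explicitly drops `**/*.php`, while the repository's own code changed later in this series (syslog.php, syslog_alerts.php, syslog_removal.php, syslog_reports.php) is PHP; nothing in the file records that PHP is outside CodeQL's language support, so a reader may assume the plugin code is being scanned. A comment above `matrix:` such as `# PHP (the plugin itself) is not a CodeQL-supported language; this scan only covers ancillary JS/TS, Python and Ruby files` would make the coverage gap explicit, and a PHP-capable static analyzer would be needed to cover the main code. The `Autobuild` step is a no-op for these three interpreted languages and can be dropped to shorten the job. The action pins to full commit SHAs with trailing version comments are the right pattern and should be kept.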
From: Thomas Vincent Date: Sun, 15 Mar 2026 22:47:49 -0700 Subject: [PATCH 2/4] fix(ci): use specific runner labels, fix codeql concurrency --- .github/workflows/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index c79aff4..bae6fa5 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -16,7 +16,7 @@ on: workflow_dispatch: concurrency: - group: codeql-${{ github.ref }}-${{ matrix.language }} + group: codeql-${{ github.ref }} cancel-in-progress: true jobs: From 543e4c9c44a31073984c643aee2fa046733497a0 Mon Sep 17 00:00:00 2001 From: Thomas Vincent Date: Wed, 8 Apr 2026 22:46:05 -0700 Subject: [PATCH 3/4] fix(security): defense-in-depth hardening for plugin_syslog Automated fixes: - XSS: escape request variables in HTML output - SQLi: convert string-concat queries to prepared statements - Deserialization: add allowed_classes=>false - Temp files: replace rand() with tempnam() Signed-off-by: Thomas Vincent --- syslog.php | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/syslog.php b/syslog.php index 185e0cd..55b8c43 100644 --- a/syslog.php +++ b/syslog.php @@ -1173,7 +1173,7 @@ function syslog_filter($sql_where, $tab) { - '> + '> ' class='calendar fa fa-calendar-alt' id='startDate'> @@ -1182,7 +1182,7 @@ function syslog_filter($sql_where, $tab) { - '> + '> ' class='calendar fa fa-calendar-alt' id='endDate'> @@ -1454,7 +1454,7 @@ function syslog_filter($sql_where, $tab) { - '> + '> From b2864760d1457bee6b8f46851fe24c1c70001cc6 Mon Sep 17 00:00:00 2001 From: Thomas Vincent Date: Wed, 8 Apr 2026 23:22:23 -0700 Subject: [PATCH 4/4] security: replace legacy XML import with secure helper in plugin_syslog --- syslog_alerts.php | 13 +------------ syslog_removal.php | 13 +------------ syslog_reports.php | 13 +------------ 3 files changed, 3 insertions(+), 36 deletions(-) 
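Review bot: Dropping `matrix.language` from the group is correct because the `matrix` context is not available in a workflow-level `concurrency` expression, but the reason is not recorded, so the per-language suffix could be reintroduced later; a comment above `group:` such as `# matrix context is not available at workflow level; per-language cancellation would require job-level concurrency` would preserve it. With a workflow-level group and `cancel-in-progress: true`, a push to the default branch will also cancel an in-progress scheduled scan of that branch, since both resolve to the same `github.ref`; acceptable, but worth knowing. The subject also mentions specific runner labels, yet the diffstat shows only this one-line change, so `runs-on: ubuntu-latest` is unchanged by this patch.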
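Review bot: The attributes around the changed lines are single-quoted (`id='startDate'`, `class='calendar fa fa-calendar-alt'`), so the escaping applied to the request value must encode `'` as well as `"` and `<`; with `htmlspecialchars` that means passing `ENT_QUOTES`, because the pre-8.1 default does not escape single quotes. The escaping call itself is not legible in this rendering of the patch, so this cannot be confirmed from the hunk; the same check applies to the `endDate` hunk at `@@ -1182` and the hunk at `@@ -1454`. `syslog_filter` begins and ends outside all three hunks.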
diff --git a/syslog_alerts.php b/syslog_alerts.php index 74c49b9..34347d3 100644 --- a/syslog_alerts.php +++ b/syslog_alerts.php @@ -939,18 +939,7 @@ function import() { } function alert_import() { - if (trim(get_nfilter_request_var('import_text') != '')) { - /* textbox input */ - $xml_data = get_nfilter_request_var('import_text'); - } elseif (($_FILES['import_file']['tmp_name'] != 'none') && ($_FILES['import_file']['tmp_name'] != '')) { - /* file upload */ - $fp = fopen($_FILES['import_file']['tmp_name'],'r'); - $xml_data = fread($fp, filesize($_FILES['import_file']['tmp_name'])); - fclose($fp); - } else { - header('Location: syslog_alerts.php?header=false'); - exit; - } + $xml_data = syslog_get_import_xml_payload('syslog_alerts.php?header=false'); $xml_array = xml2array($xml_data); diff --git a/syslog_removal.php b/syslog_removal.php index f7b5e94..44e72ac 100644 --- a/syslog_removal.php +++ b/syslog_removal.php @@ -739,18 +739,7 @@ function import() { } function removal_import() { - if (trim(get_nfilter_request_var('import_text') != '')) { - /* textbox input */ - $xml_data = get_nfilter_request_var('import_text'); - } elseif (($_FILES['import_file']['tmp_name'] != 'none') && ($_FILES['import_file']['tmp_name'] != '')) { - /* file upload */ - $fp = fopen($_FILES['import_file']['tmp_name'],'r'); - $xml_data = fread($fp, filesize($_FILES['import_file']['tmp_name'])); - fclose($fp); - } else { - header('Location: syslog_removal.php?header=false'); - exit; - } + $xml_data = syslog_get_import_xml_payload('syslog_removal.php?header=false'); /* obtain debug information if it's set */ $xml_array = xml2array($xml_data); diff --git a/syslog_reports.php b/syslog_reports.php index f0caec2..117d8f5 100644 --- a/syslog_reports.php +++ b/syslog_reports.php 
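Review bot: `syslog_get_import_xml_payload` is called here but not defined anywhere in this patch (the diffstat lists only the three callers, all deletion-heavy), so unless it was added in a separate commit or an already-included functions file, `alert_import` fails with an undefined function at runtime; the same applies to `removal_import` in syslog_removal.php and `report_import` in syslog_reports.php. The removed code exited via `header()`/`exit` when no input was supplied; if the helper can instead return an empty or false value, the unconditional `xml2array($xml_data)` that follows needs a guard such as `if ($xml_data === false || $xml_data === '') { return; }` (or the same redirect). The payload still reaches `xml2array` unchanged, so any hardening of the XML parsing itself (entity handling, size limits) has to live in the helper or in `xml2array`, neither of which is in this patch. Each of the three functions continues past the end of its hunk.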
@@ -801,18 +801,7 @@ function import() { } function report_import() { - if (trim(get_nfilter_request_var('import_text') != '')) { - /* textbox input */ - $xml_data = get_nfilter_request_var('import_text'); - } elseif (($_FILES['import_file']['tmp_name'] != 'none') && ($_FILES['import_file']['tmp_name'] != '')) { - /* file upload */ - $fp = fopen($_FILES['import_file']['tmp_name'],'r'); - $xml_data = fread($fp, filesize($_FILES['import_file']['tmp_name'])); - fclose($fp); - } else { - header('Location: syslog_reports.php?header=false'); - exit; - } + $xml_data = syslog_get_import_xml_payload('syslog_reports.php?header=false'); /* obtain debug information if it's set */ $xml_array = xml2array($xml_data);