1 change: 1 addition & 0 deletions .gitignore
@@ -1,2 +1,3 @@
locales/po/*.mo
\!templates/**
.omc/
14 changes: 7 additions & 7 deletions mikrotik.php
@@ -294,7 +294,7 @@ function clearFilter() {
<?php print __('Search', 'mikrotik');?>
</td>
<td>
<input id='filter' type='text' size='25' value='<?php print get_request_var('filter');?>'>
<input id='filter' type='text' size='25' value='<?php print html_escape_request_var('filter'); ?>'>
</td>
<td>
<?php print __('Device', 'mikrotik');?>
@@ -582,7 +582,7 @@ function clearFilter() {
<?php print __('Search', 'mikrotik');?>
</td>
<td>
<input id='filter' type='text' size='25' value='<?php print get_request_var('filter');?>'>
<input id='filter' type='text' size='25' value='<?php print html_escape_request_var('filter'); ?>'>
</td>
<td>
<?php print __('Device', 'mikrotik');?>
@@ -869,7 +869,7 @@ function clearFilter() {
<?php print __('Search', 'mikrotik');?>
</td>
<td>
<input id='filter' type='text' size='25' value='<?php print get_request_var('filter');?>'>
<input id='filter' type='text' size='25' value='<?php print html_escape_request_var('filter'); ?>'>
</td>
<td>
<?php print __('Device', 'mikrotik');?>
@@ -1097,7 +1097,7 @@ function clearFilter() {
<?php print __('Search', 'mikrotik');?>
</td>
<td>
<input id='filter' type='text' size='25' value='<?php print get_request_var('filter');?>'>
<input id='filter' type='text' size='25' value='<?php print html_escape_request_var('filter'); ?>'>
</td>
<td>
<?php print __('Device', 'mikrotik');?>
@@ -1671,7 +1671,7 @@ function clearFilter() {
<?php print __('Search', 'mikrotik');?>
</td>
<td>
<input id='filter' type='text' size='25' value='<?php print get_request_var('filter');?>'>
<input id='filter' type='text' size='25' value='<?php print html_escape_request_var('filter'); ?>'>
</td>
<td>
<?php print __('Status', 'mikrotik');?>
@@ -2290,7 +2290,7 @@ function clearFilter() {
<?php print __('Search', 'mikrotik');?>
</td>
<td>
<input id='filter' type='text' size='25' value='<?php print get_request_var('filter');?>'>
<input id='filter' type='text' size='25' value='<?php print html_escape_request_var('filter'); ?>'>
</td>
<td>
<?php print __('Device', 'mikrotik');?>
@@ -2585,7 +2585,7 @@ function clearFilter() {
<?php print __('Search', 'mikrotik');?>
</td>
<td>
<input id='filter' type='text' size='25' value='<?php print get_request_var('filter');?>'>
<input id='filter' type='text' size='25' value='<?php print html_escape_request_var('filter'); ?>'>
</td>
<td>
<?php print __('Device', 'mikrotik');?>
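Review bot: The escaped value on the new line of the first hunk is emitted inside a single-quoted attribute (`value='…'`), so the escaping must neutralise `'` as well as `"` and `<`; html_escape_request_var() from Cacti core is expected to apply ENT_QUOTES-style escaping, but that is not visible here and should be confirmed for the Cacti versions this plugin supports. If it cannot be confirmed, switching the delimiter to double quotes, `value="<?php print html_escape_request_var('filter'); ?>"`, makes the attribute safe with the more commonly escaped character. The same one-line edit is repeated in the hunks at lines 582, 869, 1097, 1671, 2290 and 2585 and the point applies to each of them. The surrounding form markup in every hunk continues outside the hunk, so any other request-derived values printed into those forms were not reviewable here.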
2 changes: 1 addition & 1 deletion mikrotik_users.php
@@ -60,7 +60,7 @@ function form_actions() {

/* if we are to save this form, instead of display it */
if (isset_request_var('selected_items')) {
$selected_items = unserialize(stripslashes(get_request_var('selected_items')));
$selected_items = unserialize(stripslashes(get_request_var('selected_items', array('allowed_classes' => false))));

Copilot AI Apr 9, 2026



The allowed_classes option is being passed to get_request_var() instead of to unserialize(). In Cacti, the 2nd argument to get_request_var() is a default value; passing an array here will make stripslashes() receive an array (PHP warning) and unserialize() will still run without allowed_classes => false, reintroducing object injection risk. Pass the options as the second parameter to unserialize() (and keep get_request_var('selected_items') returning a string).

Suggested change
$selected_items = unserialize(stripslashes(get_request_var('selected_items', array('allowed_classes' => false))));
$selected_items = unserialize(stripslashes(get_request_var('selected_items')), array('allowed_classes' => false));


if (get_request_var('drp_action') == '1') { /* delete */
if (!isset_request_var('delete_type')) { set_request_var('delete_type', 2); }
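Review bot: The value unserialize() returns on the new line is stored in `$selected_items` without any check of its shape before the delete branch below it consumes it; unserialize() returns false on malformed input and can otherwise return arbitrary scalars or nested structures, none of which the code on the visible lines rejects. Add a shape check right after the assignment, e.g. `if (!is_array($selected_items)) { $selected_items = array(); }` followed by `$selected_items = array_map('intval', $selected_items);` — assuming the items are numeric ids, as is usual for a Cacti actions form (confirm against the rest of form_actions(), which starts and ends outside the hunk). If that validation already happens further down in the function, a one-line comment here pointing to it would save the next reader the search.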
6 changes: 3 additions & 3 deletions poller_graphs.php
@@ -133,14 +133,14 @@ function add_graphs() {
// /* check to see if the template exists */
// debug('Host Template Set');
//
// if (db_fetch_cell("SELECT count(*) FROM host_template WHERE id=$host_template")) {
// if (db_fetch_cell_prepared('SELECT count(*) FROM host_template WHERE id = ?', array($host_template))) {
// debug('Host Template Exists');
//
// $host_id = db_fetch_cell("SELECT id FROM host WHERE host_template_id=$host_template");
// $host_id = db_fetch_cell_prepared('SELECT id FROM host WHERE host_template_id = ?', array($host_template));
// if (empty($host_id)) {
// debug('MikroTik Summary Device Not Found, Adding');
// } else {
// debug("Host Exists Hostname is '" . db_fetch_cell("SELECT description FROM host WHERE id=$host_id"). "'");
// debug("Host Exists Hostname is '" . db_fetch_cell_prepared('SELECT description FROM host WHERE id = ?', array($host_id)). "'");
// }
//
//
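Review bot: The three rewritten lines in this hunk sit inside a `//`-commented block, so the move to db_fetch_cell_prepared() has no runtime effect and the hunk only maintains dead code. Either re-enable the block, now that the lookups are in a form suitable for that, or delete it and leave a short comment on why the host-template check was disabled; a hand-maintained commented-out copy tends to be uncommented later without review. add_graphs() starts and ends outside the hunk.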
4 changes: 2 additions & 2 deletions poller_mikrotik.php
@@ -308,7 +308,7 @@ function process_hosts() {
if ($processes < $concurrent_processes) {
/* put a placeholder in place to prevent overloads on slow systems */
$key = rand();
db_execute("INSERT INTO plugin_mikrotik_processes (pid, taskid, started) VALUES ($key, $seed, NOW())");
db_execute_prepared('INSERT INTO plugin_mikrotik_processes (pid, taskid, started) VALUES (?, ?, NOW())', array($key, $seed));

print "NOTE: Launching Host Collector For: '" . $host['description'] . '[' . $host['hostname'] . "]'\n";
process_host($host['host_id'], $seed, $key);
@@ -329,7 +329,7 @@ function process_hosts() {

/* wait for all processes to end or max run time */
while (true) {
$processes_left = db_fetch_cell("SELECT count(*) FROM plugin_mikrotik_processes WHERE taskid=$seed");
$processes_left = db_fetch_cell_prepared('SELECT count(*) FROM plugin_mikrotik_processes WHERE taskid = ?', array($seed));
$pl = db_fetch_cell('SELECT count(*) FROM plugin_mikrotik_processes');

if ($processes_left == 0) {
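Review bot: The result of db_execute_prepared() on the INSERT in the first hunk is not checked; if the placeholder row is not written, process_host() is still launched two lines later, and the count taken by db_fetch_cell_prepared() in the second hunk will not include that collector while the loop waits for completion. Guarding the launch on the insert, `if (db_execute_prepared(…, array($key, $seed))) { … launch … }`, or at least logging the failure, keeps the bookkeeping consistent with what was actually started — assuming db_execute_prepared() returns false on failure, which is not visible here. process_hosts() starts and ends outside the hunk.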