hardening: enforce POST+CSRF for purge syslog devices utility

.github/workflows/plugin-ci-workflow.yml

@@ -187,6 +187,16 @@ jobs:
           echo "Syntax errors found!"
           exit 1
         fi
+
+    - name: Run Plugin Regression Tests
+      run: |
+        cd ${{ github.workspace }}/cacti/plugins/syslog
+        if [ -d tests/regression ]; then
+          for test in tests/regression/*.php; do
+            [ -f "$test" ] || continue
+            php "$test"
+          done
+        fi
 
 
     - name: Run Cacti Poller

CHANGELOG.md

@@ -2,6 +2,7 @@
 
 --- develop ---
 
+* issue#259: Require POST + CSRF token for purge syslog devices utility action
 * issue: Making changes to support Cacti 1.3
 * issue: Don't use MyISAM for non-analytical tables
 * issue: The install advisor for Syslog was broken in current Cacti releases

setup.php

@@ -1566,6 +1566,24 @@ function syslog_utilities_action($action) {
 	}
 
 	if ($action == 'purge_syslog_hosts') {
+		if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
+			raise_message('syslog_error', __('Invalid request. This action requires a CSRF protected POST.', 'syslog'), MESSAGE_LEVEL_ERROR);
+			header('Location: utilities.php');
+			exit;
+		}
+
+		if (function_exists('csrf_check')) {
+			if (!csrf_check(false)) {
+				raise_message('syslog_error', __('Invalid request. This action requires a CSRF protected POST.', 'syslog'), MESSAGE_LEVEL_ERROR);
+				header('Location: utilities.php');
+				exit;
+			}
+		} elseif (!isset($_POST['__csrf_magic']) || trim($_POST['__csrf_magic']) === '') {
+			raise_message('syslog_error', __('Invalid request. This action requires a CSRF protected POST.', 'syslog'), MESSAGE_LEVEL_ERROR);
+			header('Location: utilities.php');
+			exit;
+		}
+
 		$records = 0;
 
 		syslog_db_execute('DELETE FROM syslog_hosts
@@ -1618,12 +1636,31 @@ function syslog_utilities_list() {
 
 	<tr class='even'>
 		<td>
-			<a class='hyperLink' href='utilities.php?action=purge_syslog_hosts'><?php print __('Purge Syslog Devices', 'syslog');?></a>
+			<input id='syslog_purge_hosts' type='button' value='<?php print __esc('Purge Syslog Devices', 'syslog');?>'>
+			<script type='text/javascript'>
+			$(function() {
+				$('#syslog_purge_hosts').on('click', function() {
+					if (!confirm('<?php print __esc('Are you sure you want to purge stale Syslog devices?', 'syslog');?>')) {
+						return;
+					}
+
+					var postData = {
+						action: 'purge_syslog_hosts',
+						__csrf_magic: csrfMagicToken
+					};
+
+					if (typeof postUrl == 'function') {
+						postUrl({url: 'utilities.php', noState: true}, postData);
+					} else {
+						loadPageUsingPost('utilities.php', postData);
+					}
+				});
+			});
+			</script>
 		</td>
 		<td>
 			<?php print __('This menu pick provides a means to remove Devices that are no longer reporting into Cacti\'s syslog server.', 'syslog');?>
 		</td>
 	</tr>
 	<?php
 }
-

tests/regression/issue259_csrf_purge_test.php

@@ -0,0 +1,29 @@
+<?php
+
+$setup = file_get_contents(dirname(__DIR__, 2) . '/setup.php');
+
+if ($setup === false) {
+	fwrite(STDERR, "Failed to read setup.php\n");
+	exit(1);
+}
+
+$required = array(
+	"if (\$_SERVER['REQUEST_METHOD'] !== 'POST')",
+	"if (function_exists('csrf_check'))",
+	"if (!csrf_check(false))",
+	"__csrf_magic: csrfMagicToken"
+);
+
+foreach ($required as $snippet) {
+	if (strpos($setup, $snippet) === false) {
+		fwrite(STDERR, "Missing expected CSRF hardening snippet: $snippet\n");
+		exit(1);
+	}
+}
+
+if (strpos($setup, "href='utilities.php?action=purge_syslog_hosts'") !== false) {
+	fwrite(STDERR, "Legacy GET purge link still present.\n");
+	exit(1);
+}
+
+echo "issue259_csrf_purge_test passed\n";