Skip to content

fix(security): defense-in-depth hardening for plugin_flowview #250

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
somethingwithproof wants to merge 7 commits into
base: develop
Choose a base branch
from
Open

fix(security): defense-in-depth hardening for plugin_flowview #250

Show file tree
Hide file tree
Changes from 4 commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
3334853
ci: add dependabot config with npm and github-actions
somethingwithproof Mar 15, 2026
c33d361
ci: add CodeQL (JS/TS, excludes PHP) with workflow_dispatch
somethingwithproof Mar 15, 2026
26a30ff
ci: remove CodeQL JS/TS workflow (no JavaScript in this repo)
somethingwithproof Mar 16, 2026
23e16ac
fix(security): defense-in-depth hardening for plugin_flowview
somethingwithproof Apr 9, 2026
4518338
fix(js): migrate deprecated jQuery shorthand events to .on()/.off()
somethingwithproof Apr 9, 2026
3bb9764
fix(ci): Dependabot composer ecosystem, CodeQL PHP coverage
somethingwithproof Apr 10, 2026
c67621c
style: remove trailing double semicolons
somethingwithproof Apr 10, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 12 additions & 0 deletions .github/dependabot.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 10
Copy link

Copilot AI Apr 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This Dependabot config enables the npm ecosystem in /, but the repo does not contain a package.json (or lockfile) at the root. That will cause Dependabot update jobs to fail. Either remove the npm entry or point it at the directory that actually contains package.json (and commit the manifest if it’s intended to exist).

Suggested change
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 10

Copilot uses AI. Check for mistakes.
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 10
2 changes: 1 addition & 1 deletion Net/DNS2/Cache.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -79,7 +79,7 @@ public function get($key)
if ($this->cache_serializer == 'json') {
return json_decode($this->cache_data[$key]['object']);
} else {
return unserialize($this->cache_data[$key]['object']);
return unserialize($this->cache_data[$key]['object'], array('allowed_classes' => false));
}
Comment on lines 79 to 83
Copy link

Copilot AI Apr 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

unserialize(..., ['allowed_classes' => false]) will prevent cached DNS response objects from being rehydrated as their original Net_DNS2_* classes when cache_serializer is serialize (it will return __PHP_Incomplete_Class trees). That breaks the documented behavior that serialize mode preserves class info and can break consumers relying on instanceof or methods. Consider either (a) switching cache serialization to a safe non-object format (e.g., JSON) when caching is enabled, or (b) using an explicit allowlist of the specific Net_DNS2_* classes that can appear in cached responses instead of false.

Copilot uses AI. Check for mistakes.
} else {

Expand Down
4 changes: 2 additions & 2 deletions Net/DNS2/Cache/File.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -78,7 +78,7 @@ public function open($cache_file, $size, $serializer)
$decoded = json_decode($data, true);
} else {

$decoded = unserialize($data);
$decoded = unserialize($data, array('allowed_classes' => false));
}

if (is_array($decoded) == true) {
Expand Down Expand Up @@ -170,7 +170,7 @@ public function __destruct()
$decoded = json_decode($data, true);
} else {

$decoded = unserialize($data);
$decoded = unserialize($data, array('allowed_classes' => false));
}

if (is_array($decoded) == true) {
Expand Down
4 changes: 2 additions & 2 deletions Net/DNS2/Cache/Shm.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -115,7 +115,7 @@ public function open($cache_file, $size, $serializer)
$decoded = json_decode($data, true);
} else {

$decoded = unserialize($data);
$decoded = unserialize($data, array('allowed_classes' => false));
}

if (is_array($decoded) == true) {
Expand Down Expand Up @@ -213,7 +213,7 @@ public function __destruct()
$decoded = json_decode($data, true);
} else {

$decoded = unserialize($data);
$decoded = unserialize($data, array('allowed_classes' => false));
}

if (is_array($decoded) == true) {
Expand Down
4 changes: 2 additions & 2 deletions flowview_devices.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -568,14 +568,14 @@ function edit_device() {
</form>
<script type='text/javascript'>
function applyFilter() {
strURL = 'flowview_devices.php?action=edit&id=<?php print get_request_var('id');?>&tab=templates&header=false';
strURL = 'flowview_devices.php?action=edit&id=<?php print (int)get_filter_request_var('id'); ?>&tab=templates&header=false';
strURL += '&template=' + $('#template').val();
strURL += '&ex_addr=' + $('#ex_addr').val();
loadPageNoHeader(strURL);
}

function exportFilter() {
strURL = 'flowview_devices.php?action=export&id=<?php print get_request_var('id');?>&tab=templates&header=false';
strURL = 'flowview_devices.php?action=export&id=<?php print (int)get_filter_request_var('id'); ?>&tab=templates&header=false';
strURL += '&template=' + $('#template').val();
strURL += '&ex_addr=' + $('#ex_addr').val();

Expand Down
6 changes: 3 additions & 3 deletions flowview_schedules.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -546,7 +546,7 @@ function edit_log($header_label, $report) {
?>
<tr class='even'>
<td>
<form id='form_schedule' action='flowview_schedules.php?action=edit&tab=logs&id=<?php print get_request_var('id');?>'>
<form id='form_schedule' action='flowview_schedules.php?action=edit&tab=logs&id=<?php print (int)get_filter_request_var('id'); ?>'>
<table class='filterTable'>
<tr>
<td>
Expand Down Expand Up @@ -580,7 +580,7 @@ function edit_log($header_label, $report) {
</table>
</form>
<script type='text/javascript'>
var id = '<?php print get_request_var('id');?>';
var id = '<?php print (int)get_filter_request_var('id'); ?>';

function applyFilter() {
strURL = 'flowview_schedules.php?action=edit&id='+id+'&tab=logs&header=false';
Expand Down Expand Up @@ -716,7 +716,7 @@ function clearFilter() {
?>
<div id='reportDiv'></div>
<script type='text/javascript'>
var log_id='<?php print get_request_var('id');?>';
var log_id='<?php print (int)get_filter_request_var('id'); ?>';

function exportLog() {
document.location = 'flowview_schedules.php?action=download&id='+log_id;
Expand Down
Loading