fix(security): XSS, SQL injection, object injection, and command injection hardening

.github/workflows/php-syntax.yml

@@ -0,0 +1,52 @@
+name: PHP Syntax
+
+on:
+  pull_request:
+  push:
+    branches:
+      - develop
+
+permissions:
+  contents: read
+
+concurrency:
+  group: php-syntax-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  lint:
+    name: PHP ${{ matrix.php }} syntax
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        php: ['7.4', '8.0', '8.1', '8.2', '8.3', '8.4']
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          php-version: ${{ matrix.php }}
+          tools: none
+          coverage: none
+
+      - name: Show PHP version
+        run: php -v
+
+      - name: Guard against corrupted refactor patterns
+        run: |
+          set -euo pipefail
+          if grep -R -n -E '\b(is_|in_|call_user_func_|port_list_to_|mactrack_display_|mactrack_device_action_)\[' --include='*.php' .; then
+            echo "Detected corrupted call-pattern rewrite(s)." >&2
+            exit 1
+          fi
+
+      - name: Lint PHP files
+        run: |
+          set -euo pipefail
+          git ls-files '*.php' | while IFS= read -r f; do
+            php -l "$f"
+          done

.gitignore

@@ -20,3 +20,4 @@
 # +-------------------------------------------------------------------------+
 
 locales/po/*.mo
+.omc/

images/index.php

@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types = 1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |

includes/database.php

@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types = 1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |

index.php

@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types = 1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |

lib/index.php

@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types = 1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |

lib/mactrack_3com.php

@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types = 1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |

lib/mactrack_aruba_oscx.php

@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types = 1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |

lib/mactrack_cabletron.php

@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types = 1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |

lib/mactrack_cisco.php

@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types = 1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |

lib/mactrack_dell.php

@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types = 1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |

lib/mactrack_dlink.php

@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types = 1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |

lib/mactrack_enterasys.php

@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types = 1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |

lib/mactrack_enterasys_N7.php

@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types = 1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |

lib/mactrack_extreme.php

@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types = 1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |

lib/mactrack_foundry.php

@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types = 1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |

lib/mactrack_functions.php

@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types = 1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |
@@ -560,7 +562,7 @@ function build_InterfacesTable(&$device, &$ifIndexes, $getLinkPorts = false, $ge
 	}
 
 	// required only for interfaces table
-	$db_data = db_fetch_assoc("SELECT * FROM mac_track_interfaces WHERE device_id='" . $device['device_id'] . "' ORDER BY ifIndex");
+	$db_data = db_fetch_assoc_prepared('SELECT * FROM mac_track_interfaces WHERE device_id = ? ORDER BY ifIndex', [$device['device_id']]);
 
 	if (cacti_sizeof($db_data)) {
 		foreach ($db_data as $interface) {
@@ -3125,8 +3127,7 @@ function mactrack_rescan($web = false) {
 			mactrack_log_action(__('Device Rescan \'%s\'', $dbinfo['hostname'], 'mactrack'));
 
 			// create the command script
-			$command_string = $config['base_path'] . '/plugins/mactrack/mactrack_scanner.php';
-			$extra_args     = ' -id=' . $dbinfo['device_id'] . ($web ? ' --web' : '');
+			$script_path = $config['base_path'] . '/plugins/mactrack/mactrack_scanner.php';
 
 			// print out the type, and device_id
 			$data['device_id'] = get_request_var('device_id');
@@ -3136,8 +3137,8 @@ function mactrack_rescan($web = false) {
 			ob_start();
 
 			// execute the command, and show the results
-			$command = read_config_option('path_php_binary') . ' -q ' . $command_string . $extra_args;
-			passthru($command);
+			$command = cacti_escapeshellarg(read_config_option('path_php_binary')) . ' -q ' . cacti_escapeshellarg($script_path) . ' -id=' . (int)$dbinfo['device_id'] . ($web ? ' --web' : '');
+			passthru($command); // nosemgrep: php.lang.security.exec-use.exec-use -- php binary and script_path are admin-configured bare paths, cacti_escapeshellarg'd; device_id cast to int
 
 			$data['content'] = ob_get_clean();
 		}
@@ -3165,8 +3166,7 @@ function mactrack_site_scan($web = false) {
 		mactrack_log_action(__('Site scan \'%s\'', $dbinfo['site_name'], 'mactrack'));
 
 		// create the command script
-		$command_string = $config['base_path'] . '/plugins/mactrack/poller_mactrack.php';
-		$extra_args     = ' --web -sid=' . $dbinfo['site_id'];
+		$script_path = $config['base_path'] . '/plugins/mactrack/poller_mactrack.php';
 
 		// print out the type, and device_id
 		$data['site_id'] = $site_id;
@@ -3175,8 +3175,9 @@ function mactrack_site_scan($web = false) {
 		ob_start();
 
 		// execute the command, and show the results
-		$command = read_config_option('path_php_binary') . ' -q ' . $command_string . $extra_args;
-		passthru($command);
+		// --web is unconditional here: mactrack_site_scan() is only reached via AJAX (mactrack_ajax.php), never from CLI
+		$command = cacti_escapeshellarg(read_config_option('path_php_binary')) . ' -q ' . cacti_escapeshellarg($script_path) . ' --web -sid=' . (int)$dbinfo['site_id'];
+		passthru($command); // nosemgrep: php.lang.security.exec-use.exec-use -- php binary and script_path are admin-configured bare paths, cacti_escapeshellarg'd; site_id cast to int
 
 		$data['content'] = ob_get_clean();
 	}
@@ -3639,7 +3640,7 @@ function mactrack_site_filter($page = 'mactrack_sites.php') {
 
 						if (get_request_var('site_id') == $site['site_id']) {
 							print ' selected';
-						} print '>' . $site['site_name'] . '</option>';
+						} print '>' . html_escape($site['site_name']) . '</option>';
 					}
 				}
 				?>
@@ -3665,7 +3666,7 @@ function mactrack_site_filter($page = 'mactrack_sites.php') {
 
 						if (get_request_var('device_type_id') == $device_type['device_type_id']) {
 							print ' selected';
-						} print '>' . $device_type['description'] . ' (' . $device_type['sysDescr_match'] . ')</option>';
+						} print '>' . html_escape($device_type['description']) . ' (' . html_escape($device_type['sysDescr_match']) . ')</option>';
 					}
 				}
 				?>

lib/mactrack_h3c_3com.php

@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types = 1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |

lib/mactrack_hp.php

@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types = 1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |

lib/mactrack_hp_ng.php

@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types = 1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |

lib/mactrack_hp_ngi.php

@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types = 1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |

lib/mactrack_juniper.php

@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types = 1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |

lib/mactrack_linux.php

@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types = 1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |

lib/mactrack_norbay.php

@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types = 1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |

lib/mactrack_norbay_ng.php

@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types = 1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |

lib/mactrack_tplink.php

@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types = 1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |

lib/mactrack_trendnet.php

@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types = 1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |

lib/mactrack_vendors.php

@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types = 1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |

locales/LC_MESSAGES/index.php

@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types = 1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |

locales/index.php

@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types = 1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |

locales/po/index.php

@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types = 1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |

mactrack_actions.php

@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types = 1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |
@@ -149,7 +151,7 @@ function sync_mactrack_to_cacti($mt_device) {
 		}
 
 		// fetch current data for cacti device
-		$cacti_device = db_fetch_row('SELECT * FROM host WHERE id=' . $mt_device['host_id']);
+		$cacti_device = db_fetch_row_prepared('SELECT * FROM host WHERE id = ?', [$mt_device['host_id']]);
 
 		if (cacti_sizeof($cacti_device)) {
 			// update cacti device
@@ -178,7 +180,7 @@ function sync_cacti_to_mactrack($device) {
 	if ((read_config_option('mt_update_policy', true) == 2) && ($device['id'] > 0)) {
 		// $devices holds the whole row from host table
 		// now fetch the related device from mac_track_devices, if any
-		$mt_device = db_fetch_row('SELECT * from mac_track_devices WHERE host_id=' . $device['id']);
+		$mt_device = db_fetch_row_prepared('SELECT * FROM mac_track_devices WHERE host_id = ?', [$device['id']]);
 
 		if (is_array($mt_device) && $mt_device) {
 			if (!isset($mt_device['snmp_engine_id'])) {

mactrack_ajax.php

@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types = 1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |

mactrack_ajax_admin.php

@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types = 1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |

mactrack_convert.php

@@ -193,15 +193,15 @@ function mactrack_create_partitioned_table($engine = 'InnoDB', $charset, $collat
 						SELECT *
 						FROM mac_track_ports_backups
 						WHERE scan_date = ?',
-						array($sd['scan_date']));
+						[$sd['scan_date']]);
 
 					db_execute_prepared('DELETE FROM mac_track_ports_backup
 						WHERE scan_date = ?',
-						array($sd['scan_date']));
+						[$sd['scan_date']]);
 				}
 			}
 			*/
-			db_execute('INSERT mac_track_ports SELECT * FROM mac_track_ports_backup');
+			db_execute_prepared('INSERT INTO mac_track_ports SELECT * FROM mac_track_ports_backup');
 		}
 
 		db_execute('DROP TABLE mac_track_ports_backup');

mactrack_device_types.php

@@ -1,4 +1,6 @@
 <?php
+
+declare(strict_types = 1);
 /*
  +-------------------------------------------------------------------------+
  | Copyright (C) 2004-2026 The Cacti Group                                 |