From aed2c4dedc6e6f0dbe1e3f5f5e58b350d4557e47 Mon Sep 17 00:00:00 2001
From: Thomas Vincent <thomasvincent@gmail.com>
Date: Tue, 10 Mar 2026 13:51:15 -0700
Subject: [PATCH] hardening: enforce POST+CSRF for purge syslog devices utility

Refs #259

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
---
 setup.php                                     |  65 ++++++++++-
 tests/regression/issue259_csrf_purge_test.php | 106 ++++++++++++++++++
 2 files changed, 169 insertions(+), 2 deletions(-)
 create mode 100644 tests/regression/issue259_csrf_purge_test.php

diff --git a/setup.php b/setup.php
index a90cb01..507c229 100644
--- a/setup.php
+++ b/setup.php
@@ -1566,6 +1566,25 @@ function syslog_utilities_action($action) {
 	}
 
 	if ($action == 'purge_syslog_hosts') {
+		if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
+			raise_message('syslog_error', __('Invalid request. This action requires a CSRF protected POST.', 'syslog'), MESSAGE_LEVEL_ERROR);
+			header('Location: utilities.php');
+			exit;
+		}
+
+		if (function_exists('csrf_check')) {
+			if (!csrf_check(false)) {
+				raise_message('syslog_error', __('Invalid request. This action requires a CSRF protected POST.', 'syslog'), MESSAGE_LEVEL_ERROR);
+				header('Location: utilities.php');
+				exit;
+			}
+		} else {
+			cacti_log('WARNING: syslog purge blocked -- CSRF validation unavailable', false, 'SYSLOG');
+			raise_message('syslog_error', __('Invalid request. Please try again.', 'syslog'), MESSAGE_LEVEL_ERROR);
+			header('Location: utilities.php');
+			exit;
+		}
+
 		$records = 0;
 
 		syslog_db_execute('DELETE FROM syslog_hosts
@@ -1618,7 +1637,50 @@ function syslog_utilities_list() {
 
 	<tr class='even'>
 		<td>
-			<a class='hyperLink' href='utilities.php?action=purge_syslog_hosts'><?php print __('Purge Syslog Devices', 'syslog');?></a>
+			<input id='syslog_purge_hosts' type='button' value='<?php print __esc('Purge Syslog Devices', 'syslog');?>'>
+			<div id='syslog_purge_dialog' style='display:none;'>
+				<p><?php print __esc('Are you sure you want to purge stale Syslog devices?', 'syslog');?></p>
+			</div>
+			<script type='text/javascript'>
+			$(function() {
+				$('#syslog_purge_hosts').on('click', function() {
+					$('#syslog_purge_dialog').dialog({
+						title: <?php print json_encode(__('Confirm Purge', 'syslog'), JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);?>,
+						minHeight: 80,
+						minWidth: 400,
+						resizable: false,
+						draggable: true,
+						buttons: {
+							'Cancel': {
+								text: <?php print json_encode(__('Cancel', 'syslog'), JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);?>,
+								id: 'btnPurgeCancel',
+								click: function() {
+									$(this).dialog('close');
+								}
+							},
+							'Continue': {
+								text: <?php print json_encode(__('Continue', 'syslog'), JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);?>,
+								id: 'btnPurgeContinue',
+								click: function() {
+									$(this).dialog('close');
+
+									var postData = {
+										action: 'purge_syslog_hosts',
+										__csrf_magic: csrfMagicToken
+									};
+
+									if (typeof postUrl == 'function') {
+										postUrl({url: 'utilities.php', noState: true}, postData);
+									} else {
+										loadPageUsingPost('utilities.php', postData);
+									}
+								}
+							}
+						}
+					});
+				});
+			});
+			</script>
 		</td>
 		<td>
 			<?php print __('This menu pick provides a means to remove Devices that are no longer reporting into Cacti\'s syslog server.', 'syslog');?>
@@ -1626,4 +1688,3 @@ function syslog_utilities_list() {
 	</tr>
 	<?php
 }
-
diff --git a/tests/regression/issue259_csrf_purge_test.php b/tests/regression/issue259_csrf_purge_test.php
new file mode 100644
index 0000000..54bdac2
--- /dev/null
+++ b/tests/regression/issue259_csrf_purge_test.php
@@ -0,0 +1,106 @@
+<?php
+
+$setup = file_get_contents(dirname(__DIR__, 2) . '/setup.php');
+
+if ($setup === false) {
+	fwrite(STDERR, "Failed to read setup.php\n");
+	exit(1);
+}
+
+$required = array(
+	"if (\$_SERVER['REQUEST_METHOD'] !== 'POST')",
+	"if (function_exists('csrf_check'))",
+	"if (!csrf_check(false))",
+	"__csrf_magic: csrfMagicToken"
+);
+
+foreach ($required as $snippet) {
+	if (strpos($setup, $snippet) === false) {
+		fwrite(STDERR, "Missing expected CSRF hardening snippet: $snippet\n");
+		exit(1);
+	}
+}
+
+if (strpos($setup, "href='utilities.php?action=purge_syslog_hosts'") !== false) {
+	fwrite(STDERR, "Legacy GET purge link still present.\n");
+	exit(1);
+}
+
+// Verify fail-closed: the else branch (csrf_check unavailable) must reject, not fall through.
+// Assert globally safe properties rather than parsing the else block via brittle regex.
+
+// The fallback path must not attempt manual token checking
+if (strpos($setup, "\$_POST['__csrf_magic']") !== false) {
+	fwrite(STDERR, "Fallback CSRF branch must not check token presence; must fail closed.\n");
+	exit(1);
+}
+
+// The fallback path must log the blocked attempt
+if (strpos($setup, "cacti_log('WARNING: syslog purge blocked") === false) {
+	fwrite(STDERR, "Fail-closed branch must call cacti_log() to audit blocked purge attempts.\n");
+	exit(1);
+}
+
+// Log message must name the specific failure reason for incident response
+if (strpos($setup, 'CSRF validation unavailable') === false) {
+	fwrite(STDERR, "Log message must specify 'CSRF validation unavailable' for operational clarity.\n");
+	exit(1);
+}
+
+// Verify JS confirm() uses json_encode, not __esc() inside JS string
+if (preg_match("/confirm\(\s*'/", $setup)) {
+	fwrite(STDERR, "JS confirm() must use json_encode() for safe encoding, not __esc() in a quoted string.\n");
+	exit(1);
+}
+
+if (strpos($setup, 'json_encode(__(') === false) {
+	fwrite(STDERR, "Expected json_encode(__(...)) for JS-safe encoding of confirm message.\n");
+	exit(1);
+}
+
+// Verify json_encode uses JSON_HEX_TAG to prevent </script> breakout in HTML script context
+if (strpos($setup, 'JSON_HEX_TAG') === false) {
+	fwrite(STDERR, "json_encode() must use JSON_HEX_TAG to prevent script-context breakout.\n");
+	exit(1);
+}
+
+if (strpos($setup, 'JSON_HEX_AMP') === false) {
+	fwrite(STDERR, "json_encode() must use JSON_HEX_AMP to escape ampersands in script context.\n");
+	exit(1);
+}
+
+if (strpos($setup, 'JSON_HEX_APOS') === false) {
+	fwrite(STDERR, "json_encode() must use JSON_HEX_APOS.\n");
+	exit(1);
+}
+
+if (strpos($setup, 'JSON_HEX_QUOT') === false) {
+	fwrite(STDERR, "json_encode() must use JSON_HEX_QUOT.\n");
+	exit(1);
+}
+
+// Verify user-facing message does not expose CSRF internals (log message may use "CSRF")
+if (strpos($setup, "raise_message('syslog_error', __('CSRF") !== false) {
+	fwrite(STDERR, "User-facing raise_message must not expose CSRF internals to end users.\n");
+	exit(1);
+}
+
+// Verify generic user-facing message is present
+if (strpos($setup, "Invalid request. Please try again.") === false) {
+	fwrite(STDERR, "Fail-closed branch must use generic 'Invalid request. Please try again.' message.\n");
+	exit(1);
+}
+
+// Verify fail-closed raise_message uses MESSAGE_LEVEL_ERROR severity
+if (strpos($setup, "raise_message('syslog_error', __('Invalid request. Please try again.', 'syslog'), MESSAGE_LEVEL_ERROR)") === false) {
+	fwrite(STDERR, "Fail-closed branch raise_message must use MESSAGE_LEVEL_ERROR severity.\n");
+	exit(1);
+}
+
+// Verify log message does not expose internal function name
+if (strpos($setup, 'csrf_check() unavailable') !== false) {
+	fwrite(STDERR, "Log message must not name internal validation function.\n");
+	exit(1);
+}
+
+echo "issue259_csrf_purge_test passed\n";