credentials: Add missing CSRF checks

2026-03-11 08:14:52 +00:00 · 2026-03-02 20:11:56 -05:00
parent 1740599b61
commit 023cb4ff11
6 changed files with 34 additions and 14 deletions
--- a/agent/credentials.php
+++ b/agent/credentials.php
@@ -244,8 +244,8 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
                                <?php if ($archived) { ?>
                                <div class="dropdown-divider"></div>
                                <button class="dropdown-item text-info"
-                                    type="submit" form="bulkActions" name="bulk_unarchive_credentials">
-                                    <i class="fas fa-fw fa-redo mr-2"></i>Unarchive
+                                    type="submit" form="bulkActions" name="bulk_restore_credentials">
+                                    <i class="fas fa-fw fa-redo mr-2"></i>Restore
                                </button>
                                <div class="dropdown-divider"></div>
                                <button class="dropdown-item text-danger text-bold"
@@ -503,18 +503,18 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli, "SELECT FOUND_ROWS()"));
                                                <?php  if (lookupUserPermission("module_credential") >= 2) { ?>
                                                    <?php if ($credential_archived_at) { ?>
                                                        <div class="dropdown-divider"></div>
-                                                        <a class="dropdown-item text-info confirm-link" href="post.php?unarchive_credential=<?php echo $credential_id; ?>">
-                                                            <i class="fas fa-fw fa-redo mr-2"></i>Unarchive
+                                                        <a class="dropdown-item text-info confirm-link" href="post.php?restore_credential=<?php echo $credential_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
+                                                            <i class="fas fa-fw fa-redo mr-2"></i>Restore
                                                        </a>
                                                        <?php if (lookupUserPermission("module_credential") >= 3) { ?>
                                                            <div class="dropdown-divider"></div>
-                                                            <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_credential=<?php echo $credential_id; ?>">
+                                                            <a class="dropdown-item text-danger text-bold confirm-link" href="post.php?delete_credential=<?php echo $credential_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                                                <i class="fas fa-fw fa-trash mr-2"></i>Delete
                                                        <?php } ?>
                                                        </a>
                                                    <?php } else { ?>
                                                        <div class="dropdown-divider"></div>
-                                                        <a class="dropdown-item text-danger confirm-link" href="post.php?archive_credential=<?php echo $credential_id; ?>">
+                                                        <a class="dropdown-item text-danger confirm-link" href="post.php?archive_credential=<?php echo $credential_id; ?>&csrf_token=<?= $_SESSION['csrf_token'] ?>">
                                                            <i class="fas fa-fw fa-archive mr-2"></i>Archive
                                                        </a>
                                                    <?php } ?>
--- a/agent/modals/credential/credential_add.php
+++ b/agent/modals/credential/credential_add.php
@@ -16,6 +16,7 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">

    <div class="modal-body">

--- a/agent/modals/credential/credential_edit.php
+++ b/agent/modals/credential/credential_edit.php
@@ -44,6 +44,7 @@ ob_start();
 </div>

 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <input type="hidden" name="credential_id" value="<?php echo $credential_id; ?>">
    <input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
    <div class="modal-body">
--- a/agent/modals/credential/credential_export.php
+++ b/agent/modals/credential/credential_export.php
@@ -15,6 +15,7 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <input type="hidden" name="client_id" value="<?= $client_id ?>">

    <div class="modal-body">
--- a/agent/modals/credential/credential_import.php
+++ b/agent/modals/credential/credential_import.php
@@ -15,6 +15,7 @@ ob_start();
 	</button>
 </div>
 <form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
 	<input type="hidden" name="client_id" value="<?= $client_id ?>">
 	<div class="modal-body">
 		<p><strong>Format csv file with headings & data:</strong><br>Name, Description, Username, Password, TOTP, URI</p>
--- a/agent/post/credential.php
+++ b/agent/post/credential.php
@@ -8,6 +8,8 @@ defined('FROM_POST_HANDLER') || die("Direct file access is not allowed");

 if (isset($_POST['add_credential'])) {

+    validateCSRFToken($_POST['csrf_token']);
+
    enforceUserPermission('module_credential', 2);

    require_once 'credential_model.php';
@@ -34,6 +36,8 @@ if (isset($_POST['add_credential'])) {

 if (isset($_POST['edit_credential'])) {

+    validateCSRFToken($_POST['csrf_token']);
+
    enforceUserPermission('module_credential', 2);

    require_once 'credential_model.php';
@@ -73,6 +77,8 @@ if (isset($_POST['edit_credential'])) {

 if(isset($_GET['archive_credential'])){

+    validateCSRFToken($_GET['csrf_token']);
+
    enforceUserPermission('module_credential', 2);

    $credential_id = intval($_GET['archive_credential']);
@@ -93,11 +99,13 @@ if(isset($_GET['archive_credential'])){

 }

-if(isset($_GET['unarchive_credential'])){
+if(isset($_GET['restore_credential'])){
+
+    validateCSRFToken($_GET['csrf_token']);

    enforceUserPermission('module_credential', 2);

-    $credential_id = intval($_GET['unarchive_credential']);
+    $credential_id = intval($_GET['restore_credential']);

    // Get Name and Client ID for logging and alert message
    $sql = mysqli_query($mysqli,"SELECT credential_name, credential_client_id FROM credentials WHERE credential_id = $credential_id");
@@ -107,7 +115,7 @@ if(isset($_GET['unarchive_credential'])){

    mysqli_query($mysqli,"UPDATE credentials SET credential_archived_at = NULL WHERE credential_id = $credential_id");

-    logAction("Credential", "Unarchive", "$session_name unarchived credential $credential_name", $client_id, $credential_id);
+    logAction("Credential", "Restore", "$session_name restored credential $credential_name", $client_id, $credential_id);

    flash_alert("Credential <strong>$credential_name</strong> restored");

@@ -117,6 +125,8 @@ if(isset($_GET['unarchive_credential'])){

 if (isset($_GET['delete_credential'])) {

+    validateCSRFToken($_GET['csrf_token']);
+
    enforceUserPermission('module_credential', 3);

    $credential_id = intval($_GET['delete_credential']);
@@ -139,6 +149,8 @@ if (isset($_GET['delete_credential'])) {

 if (isset($_POST['bulk_assign_credential_tags'])) {

+    validateCSRFToken($_POST['csrf_token']);
+
    enforceUserPermission('module_credential', 2);

    // Assign tags to Selected Credentials
@@ -296,7 +308,7 @@ if (isset($_POST['bulk_archive_credentials'])) {

 }

-if (isset($_POST['bulk_unarchive_credentials'])) {
+if (isset($_POST['bulk_restore_credentials'])) {

    validateCSRFToken($_POST['csrf_token']);

@@ -307,7 +319,7 @@ if (isset($_POST['bulk_unarchive_credentials'])) {
        // Get Selected Credential Count
        $count = count($_POST['credential_ids']);

-        // Cycle through array and unarchive
+        // Cycle through array and restore
        foreach ($_POST['credential_ids'] as $credential_id) {

            $credential_id = intval($credential_id);
@@ -320,13 +332,13 @@ if (isset($_POST['bulk_unarchive_credentials'])) {

            mysqli_query($mysqli,"UPDATE credentials SET credential_archived_at = NULL WHERE credential_id = $credential_id");

-            logAction("Credential", "Unarchive", "$session_name unarchived credential $credential_name", $client_id, $credential_id);
+            logAction("Credential", "Restore", "$session_name restored credential $credential_name", $client_id, $credential_id);

        }

-        logAction("Credential", "Bulk Unarchive", "$session_name unarchived $count credential(s)", $client_id);
+        logAction("Credential", "Bulk Restore", "$session_name restored $count credential(s)", $client_id);

-        flash_alert("Unarchived <strong>$count</strong> credential(s)");
+        flash_alert("Restored <strong>$count</strong> credential(s)");

    }

@@ -374,6 +386,8 @@ if (isset($_POST['bulk_delete_credentials'])) {

 if (isset($_POST['export_credentials_csv'])) {

+    validateCSRFToken($_POST['csrf_token']);
+
    enforceUserPermission('module_credential');

    if ($_POST['client_id']) {
@@ -431,6 +445,8 @@ if (isset($_POST['export_credentials_csv'])) {

 if (isset($_POST["import_credentials_csv"])) {

+    validateCSRFToken($_POST['csrf_token']);
+
    enforceUserPermission('module_credential', 2);

    $client_id = intval($_POST['client_id']);