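--- a/app/common/includes/validation.php
+++ b/app/common/includes/validation.php
@@ -133,8 +133,10 @@
 
 // values taken from an instance of freeradius 3.0.21
 $valid_nastypes = array(
-"other", "cisco", "computone", "livingston", "juniper", "max40xx", "multitech",
-"netserver", "pathras", "patton", "portslave", "tc", "usrhiper"
+"livingston", "cisco", "cvx", "juniper", "multitech", "computone", "max40xx",
+"ascend", "portslave", "tc", "pathras", "pr3000", "pr4000", "patton", "digitro",
+"usrhiper", "netserver", "versanet", "bay", "cisco_l2tp", "mikrotik", "mikrotik_snmp",
+"redback", "dot1x", "other"
 );
 
 // accounting custom-query options list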
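Review bot: Reordering the list moves "other" away from index 0, so any code that still uses `$valid_nastypes[0]` as its default would now fall back to "livingston". The two callers shown in this commit were switched to the literal "other", but other files that include validation.php are not visible here and should be checked. A short comment above the array, such as `// order is not significant; never use $valid_nastypes[0] as a default`, would make that explicit.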
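--- a/app/operators/lang/en.php
+++ b/app/operators/lang/en.php
@@ -1360,11 +1360,15 @@
 . $l['helpPage']['mngradippooledit'] . $l['helpPage']['mngradippooldel'];
 
 // nas help pages
-$l['helpPage']['mngradnas'] = "";
+$l['helpPage']['mngradnas'] = <<<EOF
+<h1 class="fs-5">NAS Management</h1>
+<p>A Network Access Server (NAS) acts as a gateway to guard access to a network. In a FreeRADIUS environment, the NAS is the physical or virtual device (such as a router, switch, VPN gateway, or wireless access point) that sends RADIUS authentication, authorization, and accounting requests to the RADIUS server.</p>
+<p>Managing NAS entries is a critical security requirement. FreeRADIUS must be explicitly configured with the IP address (or hostname) and a shared secret for each NAS device. Without this configuration, the RADIUS server will silently ignore any incoming requests from that device.</p>
+EOF;
 $l['helpPage']['mngradnasdel'] = "To remove a nas ip/host entry from the database you must provide the ip/host of the account";
-$l['helpPage']['mngradnasnew'] = "";
+$l['helpPage']['mngradnasnew'] = "You may fill below details for a new NAS device addition to the database.";
 $l['helpPage']['mngradnaslist'] = "";
-$l['helpPage']['mngradnasedit'] = "";
+$l['helpPage']['mngradnasedit'] = "You may edit below details for the NAS device.";
 
 // huntgroup help pages
 $l['helpPage']['mngradhunt'] = <<<EOF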
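--- a/app/operators/mng-rad-nas-edit.php
+++ b/app/operators/mng-rad-nas-edit.php
@@ -69,8 +69,25 @@
 $secret = (array_key_exists('secret', $_POST) && !empty(str_replace("%", "", trim($_POST['secret']))))
 ? str_replace("%", "", trim($_POST['secret'])) : "";
 
+// allow the current DB type to pass validation even if it is a
+// legacy/custom value not present in $valid_nastypes, so that
+// re-submitting the edit form does not silently overwrite it
+$allowed_types = $valid_nastypes;
+if (!empty($nasname)) {
+$sql_cur = sprintf("SELECT type FROM %s WHERE nasname='%s' LIMIT 1",
+$configValues['CONFIG_DB_TBL_RADNAS'],
+$dbSocket->escapeSimple($nasname));
+$res_cur = $dbSocket->query($sql_cur);
+$logDebugSQL .= "$sql_cur;\n";
+$row_cur = $res_cur->fetchrow();
+if ($row_cur && !empty($row_cur[0])) {
+$allowed_types[] = $row_cur[0];
+$allowed_types = array_unique($allowed_types);
+}
+}
+
 $type = (array_key_exists('type', $_POST) && isset($_POST['type']) &&
-in_array($_POST['type'], $valid_nastypes)) ? $_POST['type'] : $valid_nastypes[0];
+in_array($_POST['type'], $allowed_types)) ? $_POST['type'] : "other";
 
 $shortname = (array_key_exists('shortname', $_POST) && !empty(str_replace("%", "", trim($_POST['shortname']))))
 ? str_replace("%", "", trim($_POST['shortname'])) : "";
@@ -171,29 +188,50 @@
 "caption" => t('all','NasIPHost'),
 "type" => "text",
 "value" => ((isset($nasname)) ? $nasname : ""),
-"disabled" => true
+"disabled" => true,
+"tooltipText" => "Enter the IP address or hostname of the NAS device."
 );
 
 $input_descriptors0[] = array(
 "name" => "secret",
 "caption" => t('all','NasSecret'),
 "type" => "text",
-"value" => ((isset($secret)) ? $secret : "")
+"value" => ((isset($secret)) ? $secret : ""),
+"tooltipText" => "Enter the shared secret used for RADIUS communication."
 );
 
+// preserve legacy/custom NAS type values loaded from DB
+$nastype_options = $valid_nastypes;
+$nastype_selected = (isset($type) && $type !== "") ? $type : "other";
+$nastype_tooltip = "Select the NAS vendor type from the predefined list.";
+
+if ($nastype_selected !== "other" && !in_array($nastype_selected, $valid_nastypes)) {
+// DB contains a type not in the standard list — build an associative
+// options map so the legacy value is shown and stays selected
+$nastype_options = array();
+$nastype_options[$nastype_selected] = $nastype_selected . " (legacy)";
+foreach ($valid_nastypes as $nt) {
+$nastype_options[$nt] = $nt;
+}
+$nastype_tooltip = "The current type is not in the standard list. "
+. "It will be preserved unless you select a different value.";
+}
+
 $input_descriptors0[] = array(
 "name" => "type",
 "caption" => t('all','NasType'),
-"type" => "text",
-"datalist" => $valid_nastypes,
-"value" => ((isset($type)) ? $type : $valid_nastypes[0])
+"type" => "select",
+"options" => $nastype_options,
+"selected_value" => $nastype_selected,
+"tooltipText" => $nastype_tooltip
 );
 
 $input_descriptors0[] = array(
 "name" => "shortname",
 "caption" => t('all','NasShortname'),
 "type" => "text",
-"value" => ((isset($shortname)) ? $shortname : "")
+"value" => ((isset($shortname)) ? $shortname : ""),
+"tooltipText" => "A friendly short name to identify this NAS."
 );
 
 
@@ -213,21 +251,24 @@
 "name" => "community",
 "caption" => t('all','NasCommunity'),
 "type" => "text",
-"value" => ((isset($community)) ? $community : "")
+"value" => ((isset($community)) ? $community : ""),
+"tooltipText" => "SNMP community string for querying the NAS (optional)."
 );
 
 $input_descriptors1[] = array(
 "name" => "server",
 "caption" => t('all','NasVirtualServer'),
 "type" => "text",
-"value" => ((isset($server)) ? $server : "")
+"value" => ((isset($server)) ? $server : ""),
+"tooltipText" => "FreeRADIUS virtual server to process requests from this NAS (optional)."
 );
 
 $input_descriptors1[] = array(
 "name" => "description",
 "caption" => t('all','NasDescription'),
 "type" => "textarea",
-"content" => ((isset($description)) ? $description : "")
+"content" => ((isset($description)) ? $description : ""),
+"tooltipText" => "Additional details or notes about this NAS device."
 );
 
 $input_descriptors2 = array();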
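Review bot: The legacy type read from the database becomes both an option key and its label in the second hunk (`$nastype_options[$nastype_selected] = $nastype_selected . " (legacy)";`), and nothing on this page shows whether the select renderer HTML-encodes option values and labels. That value is by definition outside `$valid_nastypes`, so it should be encoded before output, for example with `htmlspecialchars($nastype_selected, ENT_QUOTES, 'UTF-8')` if the renderer does not already do so. In the first hunk, `$res_cur->fetchrow()` is called without checking that the query succeeded, which may fail hard depending on how `$dbSocket` reports errors. The whitelist test there, and the matching one in mng-rad-nas-new.php, would be tighter with the strict flag: `in_array($_POST['type'], $allowed_types, true)`. The request-handling block that contains the first hunk starts and ends outside the visible lines.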
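--- a/app/operators/mng-rad-nas-new.php
+++ b/app/operators/mng-rad-nas-new.php
@@ -47,7 +47,7 @@
 $nasname_enc = (!empty($nasname)) ? htmlspecialchars($nasname, ENT_QUOTES, 'UTF-8') : "";
 
 $nastype = (array_key_exists('nastype', $_POST) && isset($_POST['nastype']) &&
-in_array($_POST['nastype'], $valid_nastypes)) ? $_POST['nastype'] : $valid_nastypes[0];
+in_array($_POST['nastype'], $valid_nastypes)) ? $_POST['nastype'] : "other";
 
 $shortname = (array_key_exists('shortname', $_POST) && !empty(str_replace("%", "", trim($_POST['shortname']))))
 ? str_replace("%", "", trim($_POST['shortname'])) : "";
@@ -132,29 +132,33 @@
 "name" => "nasname",
 "caption" => t('all','NasIPHost'),
 "type" => "text",
-"value" => ((isset($nasname)) ? $nasname : "")
+"value" => ((isset($nasname)) ? $nasname : ""),
+"tooltipText" => "Enter the IP address or hostname of the NAS device."
 );
 
 $input_descriptors0[] = array(
 "name" => "nassecret",
 "caption" => t('all','NasSecret'),
 "type" => "text",
-"value" => ((isset($nassecret)) ? $nassecret : "")
+"value" => ((isset($nassecret)) ? $nassecret : ""),
+"tooltipText" => "Enter the shared secret used for RADIUS communication."
 );
 
 $input_descriptors0[] = array(
 "name" => "nastype",
 "caption" => t('all','NasType'),
-"type" => "text",
-"datalist" => $valid_nastypes,
-"value" => ((isset($nastype)) ? $nastype : $valid_nastypes[0])
+"type" => "select",
+"options" => $valid_nastypes,
+"selected_value" => ((isset($nastype)) ? $nastype : "other"),
+"tooltipText" => "Select the NAS vendor type from the predefined list."
 );
 
 $input_descriptors0[] = array(
 "name" => "shortname",
 "caption" => t('all','NasShortname'),
 "type" => "text",
-"value" => ((isset($shortname)) ? $shortname : "")
+"value" => ((isset($shortname)) ? $shortname : ""),
+"tooltipText" => "A friendly short name to identify this NAS."
 );
 
 
@@ -174,21 +178,24 @@
 "name" => "nascommunity",
 "caption" => t('all','NasCommunity'),
 "type" => "text",
-"value" => ((isset($nascommunity)) ? $nascommunity : "")
+"value" => ((isset($nascommunity)) ? $nascommunity : ""),
+"tooltipText" => "SNMP community string for querying the NAS (optional)."
 );
 
 $input_descriptors1[] = array(
 "name" => "nasvirtualserver",
 "caption" => t('all','NasVirtualServer'),
 "type" => "text",
-"value" => ((isset($nasvirtualserver)) ? $nasvirtualserver : "")
+"value" => ((isset($nasvirtualserver)) ? $nasvirtualserver : ""),
+"tooltipText" => "FreeRADIUS virtual server to process requests from this NAS (optional)."
 );
 
 $input_descriptors1[] = array(
 "name" => "nasdescription",
 "caption" => t('all','NasDescription'),
 "type" => "textarea",
-"content" => ((isset($nasdescription)) ? $nasdescription : "")
+"content" => ((isset($nasdescription)) ? $nasdescription : ""),
+"tooltipText" => "Additional details or notes about this NAS device."
 );
 
 $input_descriptors2 = array();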
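Review bot: The new `tooltipText` values are hard-coded English strings, while the captions beside them go through `t('all', ...)` and this commit already edits lang/en.php; the tooltips added in mng-rad-nas-edit.php have the same problem. Routing them through the language file, in the form `"tooltipText" => t('all', '<TOOLTIP_KEY_PLACEHOLDER>')`, keeps the forms translatable. The fallback literal "other" in the first hunk is repeated in the `selected_value` default of the second, and nothing here guarantees it stays a member of `$valid_nastypes`. A single named constant shared by validation and form would keep the two in step.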