Security Fixes

Author: monta990

CHANGELOG.md

@@ -3,6 +3,18 @@
 All notable changes to this project will be documented in this file.
 Format follows [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
+## [1.3.7] — 2026-05-03
+
+### Security
+- **Credential redaction in debug logs** — GWN OAuth token request URL and token response are no longer logged verbatim. Debug output now shows only `appID` and `expires_in`, preventing `client_secret` and `access_token` from appearing in `files/_log/gdmsintegration.log` even when verbose mode is enabled. (OWASP A02/A09)
+- **Advisory lock queries use escaped identifiers** — `GET_LOCK`/`RELEASE_LOCK` raw SQL queries in the sync engine now call `$DB->escape()` on the lock name, following defense-in-depth for all raw query parameters. (OWASP A03)
+- **Webhook signature mismatch returns 204** — failed HMAC verification no longer returns HTTP 403 (which confirmed the endpoint existed and the signature was checked). Now returns `204 No Content`, removing the oracle useful for probing or brute-forcing. (OWASP A07)
+- **Webhook GET handler removed** — the unauthenticated `GET` health-check response that disclosed plugin name and endpoint path has been removed. Non-POST requests now receive `405` with no body. (OWASP A05)
+- **Webhook payload logging scoped** — log line now records only `entity`, `mac`, and `status` rather than up to 500 chars of raw JSON payload. (OWASP A09)
+- **Firmware endpoint requires READ right** — `firmware.ajax.php` read actions (`check`, `check_all`) now require `Session::checkRight('config', READ)` instead of a plain session check, preventing any authenticated GLPI user from querying firmware status of all devices. (OWASP A01)
+
+---
+
 ## [1.3.6] — 2026-04-29
 
 ### Added

LICENSE

@@ -652,7 +652,7 @@ Also add information on how to contact you by electronic and paper mail.
   If the program does terminal interaction, make it output a short
 notice like this when it starts in an interactive mode:
 
-    <program>  Copyright (C) <year>  <name of author>
+    GDMSIntegration  Copyright (C) 2026  Edwin Elias (monta990)
     This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
     This is free software, and you are welcome to redistribute it
     under certain conditions; type `show c' for details.

front/firmware.ajax.php

@@ -24,7 +24,7 @@
 if (in_array($_action_early, ['upgrade', 'upgrade_gdms'], true)) {
     Session::checkRight('config', UPDATE);
 } else {
-    Session::checkLoginUser();
+    Session::checkRight('config', READ);
 }
 header('Content-Type: application/json');
 

front/webhook.php

@@ -3,21 +3,21 @@
  * GDMS Integration — Webhook receiver
  * Registered as stateless — called by GDMS Cloud without browser session.
  * Uses correct Symfony exception namespaces for GLPI 11.
+ *
+ * Note: GDMS Cloud does not support configurable webhook secrets/signatures.
+ * The HMAC check runs only when webhook_secret is configured (e.g. for custom
+ * integrations or future GDMS support). Without a secret this endpoint is
+ * open to any POST — restrict access at the network/firewall level.
  */
 
 use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 use Symfony\Component\HttpKernel\Exception\MethodNotAllowedHttpException;
 use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
 
-// Allow GET for health check / manual testing
-if ($_SERVER['REQUEST_METHOD'] === 'GET') {
-    header('Content-Type: application/json');
-    echo json_encode(['status' => 'ok', 'plugin' => 'gdmsintegration', 'endpoint' => 'webhook']);
-    return;
-}
-
 if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
-    throw new MethodNotAllowedHttpException(['POST'], 'Only POST requests are accepted');
+    // Silently reject non-POST — no plugin fingerprint disclosed
+    http_response_code(405);
+    exit;
 }
 
 $raw    = file_get_contents('php://input');
@@ -32,8 +32,9 @@
     $sig_header = $_SERVER['HTTP_X_GDMS_SIGNATURE'] ?? '';
     $expected   = 'sha256=' . hash_hmac('sha256', $raw, $secret);
     if (!hash_equals($expected, $sig_header)) {
-        PluginGdmsintegrationUtils::log("Webhook: signature mismatch from " . ($_SERVER['REMOTE_ADDR'] ?? ''));
-        throw new AccessDeniedHttpException('Invalid webhook signature');
+        // Return 204 — don't confirm endpoint or leak that signature was checked
+        http_response_code(204);
+        exit;
     }
 }
 
@@ -42,26 +43,18 @@
     throw new BadRequestHttpException('Invalid JSON payload');
 }
 
-PluginGdmsintegrationUtils::log(
-    "Webhook received — entity:{$entity} | payload:" . substr(json_encode($payload), 0, 500)
-);
-
-// Process device status change from GDMS cloud
-$mac    = strtolower(trim($payload['mac'] ?? $payload['device_mac'] ?? $payload['deviceMac'] ?? ''));
+$mac       = strtolower(trim($payload['mac'] ?? $payload['device_mac'] ?? $payload['deviceMac'] ?? ''));
 $rawStatus = strtolower($payload['status'] ?? $payload['deviceStatus'] ?? $payload['event'] ?? '');
-$status = in_array($rawStatus, ['offline', 'disconnect', 'down', '0']) ? 'offline' : 'online';
+$status    = in_array($rawStatus, ['offline', 'disconnect', 'down', '0']) ? 'offline' : 'online';
 
-PluginGdmsintegrationUtils::log("Webhook: {$mac} → {$status} (raw: {$rawStatus})");
+PluginGdmsintegrationUtils::log("Webhook: entity:{$entity} mac:{$mac} status:{$status}");
 
 if (!empty($mac)) {
-    // Update state immediately so dashboard reflects it
-    $state = new PluginGdmsintegrationDevice();
+    $state      = new PluginGdmsintegrationDevice();
     $prevStatus = $state->getState($mac);
     $state->saveStateWithNetwork($mac, $status);
 
-    // Fire ticket logic on status transition
     if ($prevStatus !== $status) {
-        // Load asset info for ticket creation
         $assetInfo = null;
         foreach (['NetworkEquipment', 'Phone'] as $itemtype) {
             $obj  = new $itemtype();
@@ -76,9 +69,9 @@
             $deviceRow = $state->find(['mac' => $mac]);
             $dr        = !empty($deviceRow) ? reset($deviceRow) : [];
             PluginGdmsintegrationSync::triggerOfflineTicket(
-                $assetInfo['name']       ?? $mac,
+                $assetInfo['name']        ?? $mac,
                 $mac,
-                $assetInfo['serial']     ?? '',
+                $assetInfo['serial']      ?? '',
                 $assetInfo['entities_id'] ?? $entity,
                 $assetInfo['_itemtype'],
                 (int)$assetInfo['id'],

inc/api.class.php

@@ -290,9 +290,9 @@ public static function gwnGetToken(array $config): string|false {
             'client_id'     => $config['gwn_client_id'],
             'client_secret' => $config['gwn_client_secret'],
         ]);
-        PluginGdmsintegrationUtils::debug("GWN token request URL: {$url}");
+        PluginGdmsintegrationUtils::debug("GWN token request — appID:{$config['gwn_client_id']} [credentials redacted]");
         $data = self::curl($url);
-        PluginGdmsintegrationUtils::debug("GWN token response: " . json_encode($data));
+        PluginGdmsintegrationUtils::debug("GWN token response — expires_in:" . ($data['expires_in'] ?? '?'));
         if ($data === false || empty($data['access_token'])) {
             PluginGdmsintegrationUtils::log("GWN token ERROR — appID:{$config['gwn_client_id']}");
             return false;

inc/sync.class.php

@@ -761,7 +761,7 @@ private static function createWanDownTicket(
         // attempt to open a WAN ticket for the same port at the same time.
         $lock_name = 'gdmsinteg_' . substr(md5("wan_{$reason}_{$itemtype}_{$glpi_id}_{$portSilk}"), 0, 24);
         $locked    = 0;
-        $lk_res = $DB->doQuery("SELECT GET_LOCK('{$lock_name}', 5) AS lk");
+        $lk_res = $DB->doQuery("SELECT GET_LOCK('" . $DB->escape($lock_name) . "', 5) AS lk");
         if ($lk_res) {
             $lk_row = $DB->fetchAssoc($lk_res);
             $locked = (int)($lk_row['lk'] ?? 0);
@@ -854,7 +854,7 @@ private static function createWanDownTicket(
             PluginGdmsintegrationUtils::log("GDMS: WAN ticket #{$ticket_id} → {$deviceName} port {$portSilk} | entity={$entities_id}{$tech_info}");
         }
         } finally {
-            $DB->doQuery("SELECT RELEASE_LOCK('{$lock_name}')");
+            $DB->doQuery("SELECT RELEASE_LOCK('" . $DB->escape($lock_name) . "')");
         }
     }
 
@@ -919,7 +919,7 @@ private static function createOfflineTicket(
         //    same time) both pass the open-ticket check simultaneously. ──────
         $lock_name = 'gdmsinteg_' . substr(md5("offline_{$itemtype}_{$glpi_id}"), 0, 24);
         $locked    = 0;
-        $lk_res = $DB->doQuery("SELECT GET_LOCK('{$lock_name}', 5) AS lk");
+        $lk_res = $DB->doQuery("SELECT GET_LOCK('" . $DB->escape($lock_name) . "', 5) AS lk");
         if ($lk_res) {
             $lk_row = $DB->fetchAssoc($lk_res);
             $locked = (int)($lk_row['lk'] ?? 0);
@@ -1059,7 +1059,7 @@ private static function createOfflineTicket(
             }
         } finally {
             // Always release the advisory lock, even if an exception was thrown
-            $DB->doQuery("SELECT RELEASE_LOCK('{$lock_name}')");
+            $DB->doQuery("SELECT RELEASE_LOCK('" . $DB->escape($lock_name) . "')");
         }
     }
 

plugin.xml

@@ -23,9 +23,9 @@
    </authors>
       <versions>
       <version>
-         <num>1.3.6</num>
-         <compatibility>~11.0.0</compatibility>
-         <download_url>https://github.com/monta990/gdmsintegration/releases/download/v1.3.6/gdmsintegration-1.3.6.zip</download_url>
+         <num>1.3.7</num>
+         <compatibility>~11.0</compatibility>
+         <download_url>https://github.com/monta990/gdmsintegration/releases/download/v1.3.7/gdmsintegration-1.3.7.zip</download_url>
       </version>
    </versions>
    <langs>

setup.php

@@ -8,7 +8,7 @@
  * License: GPL v3+
  */
 
-define('PLUGIN_GDMSINTEGRATION_VERSION', '1.3.6');
+define('PLUGIN_GDMSINTEGRATION_VERSION', '1.3.7');
 define('PLUGIN_GDMSINTEGRATION_MIN_GLPI',  '11.0');
 define('PLUGIN_GDMSINTEGRATION_MAX_GLPI',  '11.99');