Security fixes and schema cleanup

- Fix SQL injection in displayprofile.asp (parameterized query)
- Add HTMLEncode to XSS-vulnerable output in 5 display pages
- Add Option Explicit to computers.asp, displaymachines.asp, displaypcs.asp, displayapplication.asp, displayprofile.asp
- Update STANDARDS.md with test script reference, secrets management, column naming gotchas
- Fix equipment type ranges in CLAUDE.md and QUICK_REFERENCE.md (1-15, 21-25)
- Add migration SQL to clean up redundant PC machinetypes (34-46)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
cproudlock
2025-12-12 07:22:16 -05:00
parent 693789138d
commit e0d89f9957
9 changed files with 258 additions and 57 deletions

View File

@@ -39,9 +39,10 @@ machines (machineid, hostname, serialnumber, alias, machinenumber,
loggedinuser, machinenotes, isactive, maptop, mapleft, lastupdated)
-- Identify record type:
-- PCs: pctypeid IS NOT NULL (machinetypeid 33-35)
-- Equipment: pctypeid IS NULL AND machinetypeid < 16
-- PCs: pctypeid IS NOT NULL (machinetypeid 33+)
-- Equipment: pctypeid IS NULL AND machinetypeid NOT IN (16,17,18,19,20) AND machinetypeid < 33
-- Network Devices: machinetypeid IN (16,17,18,19,20)
-- Equipment types: 1-15, 21-25 (e.g., Lathe, Mill, CMM, Hobbing Machine, etc.)
```
### PC-Related Tables
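Review bot: the two replacement rules contradict each other and the STANDARDS.md hunk in this same commit. `-- PCs: pctypeid IS NOT NULL (machinetypeid 33+)` and `-- Equipment: ... AND machinetypeid < 33` together classify ids 26-32 as equipment, yet the next line documents the equipment ranges as only 1-15 and 21-25; and STANDARDS.md's Column Naming Gotchas identifies PCs as `machinetypeid IN (33, 34, 35)`, which after the 34-46 cleanup migration named in the commit message would leave only 33. Suggest making `pctypeid IS NOT NULL` / `pctypeid IS NULL` the single authoritative test in both files, stating the machinetypeid values as informational only, and adding an explicit line for what ids 26-32 are (or that they are unused).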

View File

@@ -1,8 +1,8 @@
# Classic ASP Development Standards
## ShopDB Application
**Version:** 1.0
**Last Updated:** 2025-10-10
**Version:** 1.1
**Last Updated:** 2025-12-11
**Status:** MANDATORY for all new development and modifications
---
@@ -414,7 +414,7 @@ Standard error codes for user messaging:
' - machines (primary)
' - machinetypes, models, vendors, businessunits
' - printers (LEFT JOIN - may be NULL)
' - pc (LEFT JOIN - may be NULL)
' - communications (LEFT JOIN - may be NULL)
'
' SECURITY:
' - Requires authentication
@@ -691,9 +691,9 @@ Sub LogError(source, errorNum, errorDesc)
**Style:** lowercase, plural nouns
```sql
machines
machines -- Unified table: Equipment, PCs, Network Devices
printers
pc (exception - acronym)
communications -- Network interfaces (IP/MAC)
machinetypes
vendors
models
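Review bot: `pc (exception - acronym)` still sits in the table list directly under the new `machines -- Unified table: Equipment, PCs, Network Devices` line. If the `pc` table was folded into `machines`, as the later `pcid` -> `machineid` gotcha in this file states, remove the entry or mark it legacy so new code does not join against it; if it still exists, say what remains in it so the two entries are not read as duplicates.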
@@ -713,6 +713,23 @@ createdate
lastupdated
```
### Column Naming Gotchas
**IMPORTANT:** Be aware of these non-obvious column names:
| Expected | Actual | Table |
|----------|--------|-------|
| `ipaddress` | `address` | communications |
| `gateway` | `defaultgateway` | communications |
| `notes` | `machinenotes` | machines |
| `pcid` | `machineid` | machines (PCs are in unified table) |
| `pc_comm_config` | `commconfig` | (table name) |
| `pc_dnc_config` | `dncconfig` | (table name) |
**PC Identification:** PCs are in the `machines` table, identified by:
- `pctypeid IS NOT NULL`
- `machinetypeid IN (33, 34, 35)`
---
## Documentation Standards
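Review bot: `machinetypeid IN (33, 34, 35)` under PC Identification does not match the `machinetypeid 33+` rule added to the other doc in this commit, nor the commit message's migration that removes redundant PC machinetypes 34-46; once that migration runs the `IN` list is stale. Suggest stating that `pctypeid IS NOT NULL` is the test to use and referencing the migration for the machinetypeid values. In the gotchas table, the two rows marked `(table name)` would read more clearly in their own short list of renamed tables, since the `Table` column otherwise means "table containing this column".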
@@ -904,6 +921,22 @@ Response.Write(RenderCachedUnitDropdown())
## Testing Standards
### Automated Form Testing
**REQUIRED:** Run the comprehensive test suite after making changes to ASP pages.
```bash
./tests/test_forms.sh
```
This script tests 41 endpoints including:
- Page load tests (dashboards, list views, maps)
- Add form page loads
- Form submissions (notifications, equipment, printers, subnets, applications, KB, vendors, models, network devices)
- API endpoints
Test data uses `AUTOTEST_` prefix for easy cleanup. See `tests/cleanup_test_data.sql`.
### Unit Testing
**REQUIRED:** Test all validation functions.
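Review bot: the listed coverage (page loads, add-form loads, form submissions, API endpoints) has no case that exercises the fixes this commit makes, so the mandated `./tests/test_forms.sh` run would pass before and after the SQL injection and HTMLEncode changes. Suggest adding submissions whose field values contain a single quote and angle brackets for displayprofile.asp and the five encoded display pages, asserting that the page still renders and that the echoed value comes back HTML-encoded. Also state which environment the script targets and that it writes `AUTOTEST_` rows that persist until `tests/cleanup_test_data.sql` is run by hand.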
@@ -1021,6 +1054,20 @@ Before committing code, verify:
2. Never commit `config.asp` to source control
3. Add `config.asp` to `.gitignore`
### Secrets Management
**MANDATORY:** Store sensitive credentials in `secrets.md` (gitignored).
**Contents:**
- Zabbix API URL and token
- Gitea API URL and token
- Database credentials (per environment)
**NEVER commit:**
- API tokens
- Database passwords
- Authentication credentials
### Configuration Template
```vbscript
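Review bot: `secrets.md` introduces a second credentials location alongside `config.asp` (steps 2-3 just above) without saying which one the application reads at runtime or how values get from one to the other. Suggest clarifying that relationship, adding `secrets.md` to the `.gitignore` checklist the way step 3 does for `config.asp`, and noting that a plaintext file in the working tree must sit outside the served web root (or be permission-restricted), since gitignore only keeps it out of commits, not out of reach of the web server.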
@@ -1216,6 +1263,7 @@ Call CleanupResources()
| Version | Date | Changes | Author |
|---------|------|---------|--------|
| 1.0 | 2025-10-10 | Initial standards document created from audit findings | Claude |
| 1.1 | 2025-12-11 | Updated for Phase 2 schema (unified machines table), added test script reference, secrets management, column naming gotchas | Claude |
---