
hardening: migrate RLIKE to db_qstr and improve input handling#762

Open
somethingwithproof wants to merge 1 commit into Cacti:develop from somethingwithproof:fix/hardening-prepared-statements

Conversation

@somethingwithproof somethingwithproof commented Mar 20, 2026

Summary

Hardening

  • Convert all RLIKE string interpolation to db_qstr() (11 locations)
  • Migrate notify_lists.php bulk operations from db_execute with string
    concatenation to db_execute_prepared with parameter binding
  • Convert DELETE plugin_thold_threshold_contact to prepared statement
  • Add intval() guards to get_request_var() values concatenated into
    WHERE clauses in thold.php and thold_graph.php (data_template_id,
    thold_template_id, site_id, host_id)
  • Use sanitize_unserialize_selected_items for form data deserialization
  • Apply html_escape to drp_action hidden form fields

CI

  • Convert test stub indentation from spaces to tabs (php-cs-fixer)
  • Drop unreachable --min=80 coverage threshold (plugin source files
    cannot be loaded without the Cacti framework)

No behavioral changes. Defense-in-depth hardening only.
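The before/after patterns listed above, as an added example that is not code from the thold plugin or from this PR. It is written against Cacti's db_qstr(), db_execute_prepared() and html_escape() the way a thold page would call them; the table and column names (thold_data, name, host_id, plugin_thold_threshold_contact.thold_id) and the hostile inputs are constructed for illustration. When Cacti's lib/database.php is not loaded (running the file with plain `php`), the function_exists() stand-ins only mimic the quoting and binding behaviour so the file runs on its own; inside Cacti they are skipped and the real wrappers are used.

```php
<?php
// Added example (not thold/PR code). Stand-ins are used only when Cacti's
// own wrappers are absent, so the file runs stand-alone for the reader.
if (!function_exists('db_qstr')) {
    function db_qstr($s) {
        // Stand-in: mysqli_real_escape_string-style escaping plus quotes.
        return "'" . addcslashes((string)$s, "\\\0\n\r'\"\x1a") . "'";
    }
}
if (!function_exists('db_execute_prepared')) {
    function db_execute_prepared($sql, $params = array()) {
        // Stand-in: a real driver sends $sql and $params separately.
        printf("EXEC %s\n     params=%s\n", $sql, json_encode($params));
        return true;
    }
}
if (!function_exists('html_escape')) {
    function html_escape($s) {
        return htmlspecialchars((string)$s, ENT_QUOTES, 'UTF-8');
    }
}

// BEFORE (the pattern the PR removes): the filter text, as returned by
// get_request_var('filter'), lands inside the RLIKE literal untouched.
// A value such as  x' OR 1=1 OR name RLIKE '  closes the literal and
// rewrites the WHERE clause.
function build_filter_before($filter) {
    return "SELECT * FROM thold_data WHERE name RLIKE '" . $filter . "'";
}

// AFTER: db_qstr() quotes and escapes the value, so the regex text stays
// one string literal whatever bytes it contains.
function build_filter_after($filter) {
    return "SELECT * FROM thold_data WHERE name RLIKE " . db_qstr($filter);
}

// Bulk action on selected items, BEFORE: ids concatenated into IN (...).
function delete_selected_before($selected_items) {
    $in = implode(',', $selected_items);
    return "DELETE FROM plugin_thold_threshold_contact WHERE thold_id IN ($in)";
}

// AFTER: one placeholder per id, values bound separately. The ids would
// come from the serialized hidden field via Cacti's
// sanitize_unserialize_selected_items(), which returns integer ids only;
// intval() here is belt-and-braces for the stand-alone demo.
function delete_selected_after(array $selected_items) {
    $ids          = array_map('intval', $selected_items);
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    db_execute_prepared(
        "DELETE FROM plugin_thold_threshold_contact WHERE thold_id IN ($placeholders)",
        $ids
    );
}

// Integer ids concatenated into WHERE clauses: intval() makes any
// non-numeric tail disappear before the SQL text is built.
function host_clause($host_id) {
    return ' AND td.host_id = ' . intval($host_id);
}

// Hidden form field carrying the bulk action: escape on output so a
// crafted drp_action value cannot break out of the attribute.
function hidden_action_field($action) {
    return "<input type='hidden' name='drp_action' value='" . html_escape($action) . "'>";
}

// Constructed inputs for the demonstration.
$hostile = "x' OR 1=1 OR name RLIKE '";
echo build_filter_before($hostile), "\n";                     // literal broken open
echo build_filter_after($hostile), "\n";                      // one escaped literal
echo delete_selected_before(array(1, "2) OR 1=1 -- ")), "\n"; // injected tail survives
delete_selected_after(array(1, "2) OR 1=1 -- "));             // params=[1,2]
echo host_clause("7 OR 1=1"), "\n";                           // ' AND td.host_id = 7'
echo hidden_action_field("1'><script>"), "\n";                // attribute stays closed
```

The check a reviewer applies to each converted site is the same one the demo prints: after the change, no user-controlled byte should appear in the SQL text itself, only in db_qstr()'s escaped literal or in the bound parameter list.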

TheWitness (Member) previously approved these changes Mar 23, 2026

@somethingwithproof, please fix the automation and this is ready to merge.

somethingwithproof (Author) commented:

Ran local pre-commit checks with PHP 8.4:

  • PHP lint: All files pass
  • PHPStan: 0 production code errors (27 test-only findings: missing iterable type specs in stubs, Pest todo() method)

SQL hardening:
- Convert all db_execute with $selected_items concatenation to db_execute_prepared
- Migrate RLIKE filter values from raw interpolation to db_qstr()
- Add intval() guards on integer interpolations in thold.php and thold_graph.php
- Replace cacti_unserialize(stripslashes()) with sanitize_unserialize_selected_items()
- Fix indentation in notify_lists.php form_actions block
- Pin shivammathur/setup-php to full commit SHA in CI

Tests and tooling:
- Add Pest test framework with PHPStan level 6
- Add XSS output escaping tests
- Add prepared statement source-verification tests
- Add security audit documentation (SECURITY-AUDIT.md, BACKLOG.md)

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
somethingwithproof force-pushed the fix/hardening-prepared-statements branch from ae36a9a to f17c7d1 on March 25, 2026 02:32
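The "prepared statement source-verification tests" named in the commit message above, sketched as an added example that is not the PR's Pest tests. It scans plugin source text for two of the patterns this PR removes: non-prepared db_* calls whose SQL is assembled by concatenation with a variable, and RLIKE literals with a PHP variable interpolated inside the quotes. The sample source is constructed, the regexes are heuristics that will need tuning on a real tree, and the function name find_unsafe_queries() is this example's own.

```php
<?php
// Added example (not thold/PR code): heuristic source check for the SQL
// patterns the hardening PR removes. Returns [line, reason] pairs.
function find_unsafe_queries(string $src): array {
    $findings = array();
    foreach (explode("\n", $src) as $i => $line) {
        $no = $i + 1;

        // 1. Non-prepared db_execute/db_fetch_* call whose argument is
        //    concatenated with a bare variable. db_execute_prepared() and
        //    db_fetch_*_prepared() do not match \bdb_execute\s*\( because
        //    the next character is an underscore. Concatenation with a
        //    db_qstr()/intval() call is deliberately let through.
        if (preg_match('/\bdb_(execute|fetch_assoc|fetch_row|fetch_cell)\s*\(/', $line)
            && preg_match('/["\']\s*\.\s*\$\w+|\$\w+\s*\.\s*["\']/', $line)) {
            $findings[] = array($no, 'non-prepared db_* call built by concatenation');
        }

        // 2. RLIKE '...$var...' inside a double-quoted PHP string, or
        //    RLIKE '" . $var concatenated into the literal.
        if (preg_match('/RLIKE\s*\'(?:[^\']*\$\w+|"\s*\.\s*\$\w+)/i', $line)) {
            $findings[] = array($no, 'RLIKE literal interpolates a variable; use db_qstr()');
        }
    }
    return $findings;
}

// Constructed sample: lines 1 and 2 are the unsafe forms, 3 to 5 are the
// forms the PR converts them to.
$sample = <<<'PHP'
$rows = db_fetch_assoc("SELECT * FROM thold_data WHERE name RLIKE '$filter'");
db_execute("DELETE FROM plugin_thold_threshold_contact WHERE thold_id IN (" . $selected . ")");
$rows = db_fetch_assoc("SELECT * FROM thold_data WHERE name RLIKE " . db_qstr($filter));
db_execute_prepared("DELETE FROM plugin_thold_threshold_contact WHERE thold_id IN ($ph)", $ids);
$sql = "SELECT * FROM thold_data WHERE host_id = " . intval($host_id);
PHP;

$findings = find_unsafe_queries($sample);
foreach ($findings as [$line, $why]) {
    echo "line $line: $why\n";
}
// As a CI gate, a test would assert the array is empty for every plugin
// file; for this sample it reports lines 1 and 2 only.
exit(count($findings) > 0 ? 1 : 0);
```

Running it on a real tree means reading each .php file and feeding its contents to find_unsafe_queries(); multi-line SQL strings and heredocs will need a tokenizer-based pass rather than per-line regexes, which is the main limitation of this sketch.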