fix: refine command execution and standardize CI tests

- Implement robust executable extraction in command helpers
- Standardize regression test output using print instead of echo
- Enforce PHPStan and add PHP-CS-Fixer check to CI workflow

Author: somethingwithproof

.github/workflows/plugin-ci-workflow.yml

@@ -213,11 +213,24 @@ jobs:
       run: |
         cd ${{ github.workspace }}/cacti/plugins/syslog
         if [ -f vendor/bin/phpstan ]; then
-          vendor/bin/phpstan analyse --no-progress --error-format=github || true
+          vendor/bin/phpstan analyse --no-progress --error-format=github
         else
-          phpstan analyse --no-progress --error-format=github || true
+          phpstan analyse --no-progress --error-format=github
+        fi
+
+    - name: Install PHP-CS-Fixer
+      run: |
+        cd ${{ github.workspace }}/cacti/plugins/syslog
+        composer require --dev friendsofphp/php-cs-fixer --with-all-dependencies || composer global require friendsofphp/php-cs-fixer
+
+    - name: Run PHP-CS-Fixer Check
+      run: |
+        cd ${{ github.workspace }}/cacti/plugins/syslog
+        if [ -f vendor/bin/php-cs-fixer ]; then
+          vendor/bin/php-cs-fixer fix --dry-run --diff --format=github
+        else
+          php-cs-fixer fix --dry-run --diff --format=github
         fi
-      continue-on-error: true
 
     - name: Run Plugin Regression Tests
       run: |

functions.php

@@ -295,6 +295,12 @@ function syslog_partition_create($table) {
 	$cformat = 'd' . date('Ymd', $time);
 	$lnow    = date('Y-m-d', $time+86400);
 
+	/* validate DDL interpolation values to prevent injection */
+	if (!preg_match('/^d\d{8}$/', $cformat) || !preg_match('/^\d{4}-\d{2}-\d{2}$/', $lnow)) {
+		cacti_log('SYSLOG ERROR: Invalid partition format values detected', false, 'SYSTEM');
+		return false;
+	}
+
 	$exists = syslog_db_fetch_row_prepared("SELECT *
 		FROM `information_schema`.`partitions`
 		WHERE table_schema = ?
@@ -308,13 +314,19 @@ function syslog_partition_create($table) {
 		$lock_name = hash('sha256', $syslogdb_default . 'syslog_partition_create.' . $table);
 
 		try {
-			syslog_db_fetch_cell_prepared('SELECT GET_LOCK(?, 10)', array($lock_name));
+			$locked = syslog_db_fetch_cell_prepared('SELECT GET_LOCK(?, 10)', array($lock_name));
+
+			if ((int)$locked !== 1) {
+				cacti_log("SYSLOG WARNING: Failed to acquire partition create lock for '$table'", false, 'SYSTEM');
+				return false;
+			}
 
 			cacti_log("SYSLOG: Creating new partition '$cformat' for table '$table'", false, 'SYSTEM');
 
 			syslog_debug("Creating new partition '$cformat' for table '$table'");
 
-			/* MySQL does not support parameter binding for DDL statements */
+			/* MySQL does not support parameter binding for DDL statements;
+			   $cformat and $lnow are validated above via regex */
 			syslog_db_execute_prepared("ALTER TABLE `" . $syslogdb_default . "`.`$table` REORGANIZE PARTITION dMaxValue INTO (
 				PARTITION $cformat VALUES LESS THAN (TO_DAYS('$lnow')),
 				PARTITION dMaxValue VALUES LESS THAN MAXVALUE)");
@@ -354,7 +366,12 @@ function syslog_partition_remove($table) {
 			$lock_name = hash('sha256', $syslogdb_default . 'syslog_partition_remove.' . $table);
 
 			try {
-				syslog_db_fetch_cell_prepared('SELECT GET_LOCK(?, 10)', array($lock_name));
+				$locked = syslog_db_fetch_cell_prepared('SELECT GET_LOCK(?, 10)', array($lock_name));
+
+				if ((int)$locked !== 1) {
+					cacti_log("SYSLOG WARNING: Failed to acquire partition remove lock for '$table'", false, 'SYSTEM');
+					return $syslog_deleted;
+				}
 
 				$i = 0;
 				while ($user_partitions > $days) {
@@ -445,8 +462,10 @@ function syslog_remove_items($table, $uniqueID) {
 
 	if (cacti_sizeof($rows)) {
 		foreach($rows as $remove) {
-			$sql  = '';
-			$sql1 = '';
+			$sql     = '';
+			$sql1    = '';
+			$params  = array();
+			$params1 = array();
 
 			if ($remove['type'] == 'facility') {
 				if ($table == 'syslog_incoming') {
@@ -1326,10 +1345,33 @@ function syslog_execute_ticket_command($alert, $hostlist, $context) {
 		$command = trim(read_config_option('syslog_ticket_command'));
 
 		if ($command != '') {
-			$cparts = preg_split('/\s+/', trim($command));
-			$executable = trim($cparts[0], '"\'');
+			/*
+			 * Extract the executable portion from the configured command.
+			 * This allows for quoted paths and additional arguments in the
+			 * configuration while still validating the executable itself.
+			 */
+			$executable = $command;
+			$firstChar  = substr($executable, 0, 1);
 
-			if (is_executable($executable)) {
+			if ($firstChar === '"' || $firstChar === "'") {
+				$quoteChar = $firstChar;
+				$closing   = strpos($executable, $quoteChar, 1);
+
+				if ($closing !== false) {
+					$executable = substr($executable, 1, $closing - 1);
+				} else {
+					// Unbalanced quotes; fall back to trimming quotes/whitespace.
+					$executable = trim($executable, " \t\n\r\0\x0B\"'");
+				}
+			} else {
+				$parts = preg_split('/\s+/', $executable);
+				if (is_array($parts) && isset($parts[0])) {
+					$executable = $parts[0];
+				}
+				$executable = trim($executable, " \t\n\r\0\x0B\"'");
+			}
+
+			if ($executable !== '' && is_executable($executable)) {
 				$command = $command .
 					' --alert-name=' . cacti_escapeshellarg(clean_up_name($alert['name'])) .
 					' --severity='   . cacti_escapeshellarg($alert['severity']) .
@@ -1356,31 +1398,51 @@ function syslog_execute_ticket_command($alert, $hostlist, $context) {
 }
 
 function syslog_execute_alert_command($alert, $results, $hostname) {
-	if ($alert['execute_command'] != 'on') {
-		return;
-	}
+	if ($alert['execute_command'] == 'on') {
+		$command = trim($alert['command']);
 
-	$command = trim($alert['command']);
+		if ($command != '') {
+			$command = alert_replace_variables($alert, $results, $hostname);
 
-	if ($command != '') {
-		$command = alert_replace_variables($alert, $results, $hostname);
+			/*
+			 * Extract the executable portion from the command string.
+			 * This allows for quoted paths and additional arguments.
+			 */
+			$executable = $command;
+			$firstChar  = substr($executable, 0, 1);
 
-		$cparts = preg_split('/\s+/', trim($command));
-		$executable = trim($cparts[0], '"\'');
+			if ($firstChar === '"' || $firstChar === "'") {
+				$quoteChar = $firstChar;
+				$closing   = strpos($executable, $quoteChar, 1);
 
-		if (is_executable($executable)) {
-			$output = array();
-			$returnCode = 0;
+				if ($closing !== false) {
+					$executable = substr($executable, 1, $closing - 1);
+				} else {
+					// Unbalanced quotes; fall back to trimming quotes/whitespace.
+					$executable = trim($executable, " \t\n\r\0\x0B\"'");
+				}
+			} else {
+				$parts = preg_split('/\s+/', $executable);
+				if (is_array($parts) && isset($parts[0])) {
+					$executable = $parts[0];
+				}
+				$executable = trim($executable, " \t\n\r\0\x0B\"'");
+			}
 
-			exec($command, $output, $returnCode);
+			if ($executable !== '' && is_executable($executable)) {
+				$output = array();
+				$returnCode = 0;
 
-			$logMessage = "SYSLOG NOTICE: Executing '$command' Command return code: $returnCode";
-			cacti_log($logMessage, true, 'SYSTEM');
-		} else {
-			if (strpos($executable, DIRECTORY_SEPARATOR) === false) {
-				cacti_log(sprintf('SYSLOG ERROR: Alert Command path \'%s\' is missing absolute path separator', $executable), false, 'SYSTEM');
+				exec($command, $output, $returnCode);
+
+				$logMessage = "SYSLOG NOTICE: Executing '$command' Command return code: $returnCode";
+				cacti_log($logMessage, true, 'SYSTEM');
 			} else {
-				cacti_log(sprintf('SYSLOG ERROR: Alert Command path \'%s\' is not executable', $executable), false, 'SYSTEM');
+				if (strpos($executable, DIRECTORY_SEPARATOR) === false) {
+					cacti_log(sprintf('SYSLOG ERROR: Alert Command path \'%s\' is missing absolute path separator', $executable), false, 'SYSTEM');
+				} else {
+					cacti_log(sprintf('SYSLOG ERROR: Alert Command path \'%s\' is not executable', $executable), false, 'SYSTEM');
+				}
 			}
 		}
 	}
@@ -1822,6 +1884,8 @@ function syslog_get_alert_sql(&$alert, $uniqueID) {
 function syslog_preprocess_incoming_records() {
 	global $syslogdb_default;
 
+	$attempts = 0;
+
 	while (1) {
 		$uniqueID = rand(1, 127);
 
@@ -1833,6 +1897,13 @@ function syslog_preprocess_incoming_records() {
 		if ($count == 0) {
 			break;
 		}
+
+		$attempts++;
+
+		if ($attempts >= 256) {
+			cacti_log('SYSLOG ERROR: Unable to find unused uniqueID after 256 attempts', false, 'SYSTEM');
+			return array('uniqueID' => 0, 'incoming' => 0);
+		}
 	}
 
 	/* flag all records with the uniqueID prior to moving */
@@ -2088,7 +2159,7 @@ function syslog_incoming_to_syslog($uniqueID) {
 
 	syslog_debug(sprintf('Moved   %5s - Message(s) to the syslog table', $moved));
 
-	syslog_db_execute_prepared('DELETE FROM `' . $syslogdb_default . '`.`syslog_incoming` WHERE status=' . $uniqueID);
+	syslog_db_execute_prepared('DELETE FROM `' . $syslogdb_default . '`.`syslog_incoming` WHERE status = ?', array($uniqueID));
 
 	syslog_debug(sprintf('Deleted %5s - Already Processed Message(s) from incoming', db_affected_rows($syslog_cnn)));
 

tests/regression/issue252_xss_output_test.php

@@ -42,4 +42,4 @@
 	exit(1);
 }
 
-echo "issue252_xss_output_test passed\n";
+print "issue252_xss_output_test passed\n";

tests/regression/issue259_csrf_purge_test.php

@@ -103,4 +103,4 @@
 	exit(1);
 }
 
-echo "issue259_csrf_purge_test passed\n";
+print "issue259_csrf_purge_test passed\n";

tests/regression/issue260_remove_eval_callback_test.php

@@ -42,4 +42,4 @@
 	exit(1);
 }
 
-echo "issue260_remove_eval_callback_test passed\n";
+print "issue260_remove_eval_callback_test passed\n";

tests/regression/issue261_domain_strip_parameterized_test.php

@@ -24,4 +24,4 @@
 	exit(1);
 }
 
-echo "issue261_domain_strip_parameterized_test passed\n";
+print "issue261_domain_strip_parameterized_test passed\n";

tests/regression/issue269_import_text_branch_logic_test.php

@@ -47,4 +47,4 @@
 	exit(1);
 }
 
-echo "issue269_import_text_branch_logic_test passed\n";
+print "issue269_import_text_branch_logic_test passed\n";

tests/regression/issue269_import_text_trim_check_test.php

@@ -23,5 +23,5 @@
 	exit(1);
 }
 
-echo "issue269_import_text_trim_check_test passed\n";
+print "issue269_import_text_trim_check_test passed\n";
 

tests/regression/issue_csrf_purge_test.php

@@ -13,4 +13,4 @@
 	exit(1);
 }
 
-echo "issue_csrf_purge_test passed\n";
+print "issue_csrf_purge_test passed\n";

tests/regression/issue_removal_parameterization_test.php

@@ -33,4 +33,4 @@
 	exit(1);
 }
 
-echo "issue_removal_parameterization_test passed\n";
+print "issue_removal_parameterization_test passed\n";