hardening: prepared statements, XSS fixes, CSRF protection, and CI

SQL injection hardening:
- Migrate all query construction to prepared statements throughout
- Centralize match filter building in syslog_build_match_filter()
- Add lock result validation for partition create/remove operations
- Move partition count query inside lock for atomicity

XSS and CSRF:
- Replace form_selectable_cell with form_selectable_ecell for output escaping
- Add html_escape on user-visible output
- Add CSRF token validation on purge action
- Remove eval() in JS autocomplete, use jQuery .text() for DOM safety

Poller safety:
- Replace max_seq with uniqueID (rand 1-127) for concurrent poller safety
- Add syslog_execute_ticket_command/syslog_execute_alert_command helpers
- DRY refactor of bulk action confirm dialogs

Tests and CI:
- Add SyslogMatchFilter, SyslogPreprocess, SyslogPartition unit tests
- Add integration test CI workflow with MySQL
- Add domain stripping and partitioning integration tests

Signed-off-by: Thomas Vincent <[email protected]>

Author: somethingwithproof

.github/workflows/plugin-ci-workflow.yml

@@ -32,65 +32,7 @@ on:
       - develop
 
 jobs:
-  quality-checks:
-    name: PHP Quality (Lint, Stan, CS)
-    runs-on: ubuntu-latest
-    steps:
-    - name: Checkout Cacti
-      uses: actions/checkout@v4
-      with:
-        repository: Cacti/cacti
-        path: cacti
-    
-    - name: Checkout Syslog Plugin
-      uses: actions/checkout@v4
-      with:
-        path: cacti/plugins/syslog
-    
-    - name: Setup PHP 8.3
-      uses: shivammathur/setup-php@v2
-      with:
-        php-version: '8.3'
-        extensions: intl, mysql, gd, ldap, gmp, xml, curl, json, mbstring
-        tools: php-cs-fixer, phpstan
-
-    - name: Check PHP Syntax (Lint)
-      run: |
-        cd cacti/plugins/syslog
-        if find . -name '*.php' -not -path './vendor/*' -exec php -l {} 2>&1 \; | grep -iv 'no syntax errors detected'; then
-          print "Syntax errors found!"
-          exit 1
-        fi
-
-    - name: Run PHP CS Fixer (Dry Run)
-      run: |
-        cd cacti/plugins/syslog
-        php-cs-fixer fix --dry-run --diff --ansi --config=../../../.php-cs-fixer.php . || true
-
-    - name: Create PHPStan config
-      run: |
-        cd cacti/plugins/syslog
-        cat > phpstan.neon << 'EOF'
-        parameters:
-          level: 5
-          paths:
-            - .
-          excludePaths:
-            - vendor/
-            - locales/
-          ignoreErrors:
-            - '#has invalid return type the\.#'
-          bootstrapFiles:
-            - ../../include/global.php
-        EOF
-
-    - name: Run PHPStan Analysis
-      run: |
-        cd cacti/plugins/syslog
-        phpstan analyse --no-progress --error-format=github || true
-
   integration-test:
-    needs: quality-checks
     runs-on: ${{ matrix.os }}
 
     strategy:
@@ -110,7 +52,7 @@ jobs:
         ports:
           - 3306:3306
         options: >-
-          --health-cmd="mysqladmin ping"
+          --health-cmd="mysqladmin ping -h 127.0.0.1 -uroot -pcactiroot"
           --health-interval=10s
           --health-timeout=5s
           --health-retries=3
@@ -205,7 +147,7 @@ jobs:
         sed -i "s/'cacti'/'cacti'/g" ${{ github.workspace }}/cacti/plugins/syslog/config.php
         sed -i "s/'cactiuser'/'cactiuser'/g" ${{ github.workspace }}/cacti/plugins/syslog/config.php
         sed -i 's/\/\/\$/\$/g' ${{ github.workspace }}/cacti/plugins/syslog/config.php
-        sudo chmod 664 ${{ github.workspace }}/cacti/include/config.php
+        sudo chmod 664 ${{ github.workspace }}/cacti/plugins/syslog/config.php
     
     - name: Configure Apache
       run: |
@@ -236,6 +178,59 @@ jobs:
       run: |
         cd ${{ github.workspace }}/cacti
         sudo php cli/plugin_manage.php --plugin=syslog --install --enable
+    
+    - name: Check PHP Syntax for Plugin
+      run: |
+        cd ${{ github.workspace }}/cacti/plugins/syslog
+        if find . -name '*.php' -exec php -l {} 2>&1 \; | grep -iv 'no syntax errors detected'; then
+          echo "Syntax errors found!"
+          exit 1
+        fi
+
+    - name: Create PHPStan config
+      run: |
+        cd ${{ github.workspace }}/cacti/plugins/syslog
+        cat > phpstan.neon << 'EOF'
+        parameters:
+          level: 5
+          paths:
+            - .
+          excludePaths:
+            - vendor/
+            - locales/
+          ignoreErrors:
+            - '#has invalid return type the\.#'
+          bootstrapFiles:
+            - ../../include/global.php
+        EOF
+
+    - name: Install PHPStan
+      run: |
+        cd ${{ github.workspace }}/cacti/plugins/syslog
+        composer require --dev phpstan/phpstan --with-all-dependencies || composer global require phpstan/phpstan
+
+    - name: Run PHPStan Analysis
+      run: |
+        cd ${{ github.workspace }}/cacti/plugins/syslog
+        if [ -f vendor/bin/phpstan ]; then
+          vendor/bin/phpstan analyse --no-progress --error-format=github
+        else
+          phpstan analyse --no-progress --error-format=github
+        fi
+
+    - name: Install PHP-CS-Fixer
+      run: |
+        cd ${{ github.workspace }}/cacti/plugins/syslog
+        composer require --dev friendsofphp/php-cs-fixer --with-all-dependencies || composer global require friendsofphp/php-cs-fixer
+
+    - name: Run PHP-CS-Fixer Check
+      run: |
+        cd ${{ github.workspace }}/cacti/plugins/syslog
+        if [ -f vendor/bin/php-cs-fixer ]; then
+          vendor/bin/php-cs-fixer fix --dry-run --diff --format=github
+        else
+          php-cs-fixer fix --dry-run --diff --format=github
+        fi
 
     - name: Run Plugin Regression Tests
       run: |
@@ -246,40 +241,39 @@ jobs:
             php "$test"
           done
         fi
-    
-    
+
     - name: Run Cacti Poller
       run: |
         cd ${{ github.workspace }}/cacti
         sudo php poller.php --poller=1 --force --debug
         if ! grep -q "SYSTEM STATS" log/cacti.log; then
-          print "Cacti poller did not finish successfully"
+          echo "Cacti poller did not finish successfully"
           cat log/cacti.log
           exit 1
         fi
-    
+
     - name: Populate Syslog Test Data
       run: |
         sudo chmod +x ${{ github.workspace }}/cacti/plugins/syslog/.github/workflows/populate_syslog_incoming.sh
         cd ${{ github.workspace }}/cacti/plugins/syslog/.github/workflows
         sudo ./populate_syslog_incoming.sh
 
-
     - name: force Syslog Plugin Poller
       run: |
         cd ${{ github.workspace }}/cacti
         sudo php plugins/syslog/syslog_process.php  --debug
         if ! grep -q "SYSTEM SYSLOG STATS" log/cacti.log; then
-          print "Syslog plugin poller did not finish successfully"
+          echo "Syslog plugin poller did not finish successfully"
           cat log/cacti.log
           exit 1
         fi
 
-    
     - name: View Cacti Logs
       if: always()
       run: |
         if [ -f ${{ github.workspace }}/cacti/log/cacti.log ]; then
-          print "=== Cacti Log ==="
+          echo "=== Cacti Log ==="
           sudo cat ${{ github.workspace }}/cacti/log/cacti.log
         fi
+
+

.github/workflows/populate_syslog_incoming.sh

@@ -5,10 +5,10 @@
 ITERATIONS=100
 
 
-SQL_ALERT_RULE_INSERT="INSERT INTO syslog_alert (id,hash,name,severity,method,level,num,type,enabled,repeat_alert,open_ticket,message,body,user,date,email,notify,command,notes)
+SQL_ALERT_RULE_INSERT="REPLACE INTO syslog_alert (id,hash,name,severity,method,level,num,type,enabled,repeat_alert,open_ticket,message,body,user,date,email,notify,command,notes)
                         VALUES (1,'8f440030d3425e37cb66e5df54902bb0','interface down alert',1,0,1,1,'messageb','on',0,'','interface down','admin',1767376990,NULL,0,NULL,NULL);"
 
-SQL_REMOVAL_RULE_INSERT="INSERT INTO syslog_remove (id,hash,name,type,enabled,method,message,user,date,notes)
+SQL_REMOVAL_RULE_INSERT="REPLACE INTO syslog_remove (id,hash,name,type,enabled,method,message,user,date,notes)
                           VALUES (1,'0faf589f7b6b7da1bcec40b92340487d','exploded','messageb','on','del',
                           'the box exploded','admin',1767376604,NULL);"
 

CHANGELOG.md

@@ -3,9 +3,7 @@
 --- develop ---
 
 * issue#250: Fix date filter persistence by validating before shift_span detection
-* issue#258: Execute CREATE TABLE SQL correctly during replication sync
-* issue#278: Extract duplicated alert command execution paths in syslog_process_alerts
-* issue#278: Extract alert command execution into shared helper in functions.php; command tokenization now uses preg_split (handles tabs and consecutive spaces); /bin/sh fallback for non-executable command templates removed (use absolute paths with execute bit set)
+* issue#260: Replace eval-based callback execution in autocomplete handling
 * issue: Making changes to support Cacti 1.3
 * issue: Don't use MyISAM for non-analytical tables
 * issue: The install advisor for Syslog was broken in current Cacti releases

LICENSE

@@ -277,7 +277,4 @@ YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
 PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
 POSSIBILITY OF SUCH DAMAGES.
 
-<<<<<<< Updated upstream
-=======
                      END OF TERMS AND CONDITIONS
->>>>>>> Stashed changes

README.md

@@ -86,9 +86,9 @@ To use a dedicated DB first create a database in mysql and assign a user you wil
 $use_cacti_db = true; 
 ```
 
-to 
+to
 
-``console
+```console
 $use_cacti_db = false;
 ```
 

composer.json

@@ -0,0 +1,10 @@
+{
+    "require-dev": {
+        "pestphp/pest": "^4.4"
+    },
+    "config": {
+        "allow-plugins": {
+            "pestphp/pest-plugin": true
+        }
+    }
+}