Skip to content

fix(security): defense-in-depth hardening for plugin_maint#50

Draft
somethingwithproof wants to merge 5 commits into
Cacti:developfrom
somethingwithproof:fix/defense-in-depth
Draft

fix(security): defense-in-depth hardening for plugin_maint#50
somethingwithproof wants to merge 5 commits into
Cacti:developfrom
somethingwithproof:fix/defense-in-depth

Conversation

@somethingwithproof
Copy link
Copy Markdown

@somethingwithproof somethingwithproof commented Apr 9, 2026

Summary

Defense-in-depth hardening addressing 24 security audit findings.

  • XSS: Escape request variables in HTML output with html_escape_request_var()
  • SQLi: Convert string-concat queries to prepared statements
  • Deserialization: Add allowed_classes => false to unserialize()

All changes PHP 7.0+ compatible.

Test plan

  • PHP lint clean
  • Pre-push review PASS (Claude + Grok + Copilot)
  • Verify plugin functionality

@somethingwithproof
ci: add dependabot config with npm and github-actions
8e57ecd
@somethingwithproof
ci: add CodeQL (JS/TS, excludes PHP) with workflow_dispatch
4a29c58
@somethingwithproof
ci: remove CodeQL JS/TS workflow (no JavaScript in this repo)
e40f625
@somethingwithproof
fix(security): defense-in-depth hardening for plugin_maint
def441c 
Automated fixes:
- XSS: escape request variables in HTML value attributes
- SQLi: convert string-concat queries to prepared statements
- Deserialization: add allowed_classes=>false
- Temp files: replace rand() with tempnam()

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
Copilot AI review requested due to automatic review settings April 9, 2026 06:16
Copilot AI reviewed Apr 9, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Defense-in-depth hardening for the maint Cacti plugin by reducing XSS risk in UI-generated forms and adding automated dependency update configuration.

Changes:

  • Escapes page/id request variables before rendering them into hidden form inputs in maint.php.
  • Adds a Dependabot configuration to check for npm and GitHub Actions updates weekly.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
maint.php Escapes request vars when output in hidden inputs to reduce XSS risk.
.github/dependabot.yml Introduces Dependabot update schedules for npm and GitHub Actions.

Comment thread .github/dependabot.yml Outdated
Comment on lines +3 to +7
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 10
Copy link

Copilot AI Apr 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The config enables the npm ecosystem at /, but the repository does not contain a package.json (or lockfile) in that directory. This will cause Dependabot update jobs to fail/no-op. Either remove the npm entry or point it at the directory that actually contains the npm manifests (and add them if intended).

Suggested change
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 10

Copilot uses AI. Check for mistakes.
@somethingwithproof somethingwithproof mentioned this pull request Apr 9, 2026
Open
@somethingwithproof
fix(ci): Dependabot composer ecosystem, CodeQL PHP coverage
952b91c 
- Change Dependabot ecosystem from npm to composer (PHP-only repo)
- Remove PHP from CodeQL paths-ignore so security PRs get analysis
- Remove committed .omc session artifacts, add .omc/ to .gitignore

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
@somethingwithproof somethingwithproof marked this pull request as draft April 11, 2026 00:09
@somethingwithproof
Copy link
Copy Markdown
Author

somethingwithproof commented Apr 11, 2026

Converted to draft to serialize the stack in this repo. Blocked by #49; will un-draft after that merges to avoid cross-PR merge conflicts.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@somethingwithproof