Skip to content

hardening: migrate maint SQL helpers to prepared variants#48

Open
somethingwithproof wants to merge 3 commits intoCacti:developfrom
somethingwithproof:fix/prepared-sql-47
Open

hardening: migrate maint SQL helpers to prepared variants#48
somethingwithproof wants to merge 3 commits intoCacti:developfrom
somethingwithproof:fix/prepared-sql-47

Conversation

@somethingwithproof
Copy link

@somethingwithproof somethingwithproof commented Mar 15, 2026

Summary

  • migrate selected plugin_maint read query call sites to prepared helper variants
  • convert schedules query in setup.php to db_fetch_assoc_prepared
  • convert schedules/site/poller list queries in maint.php to db_fetch_assoc_prepared
  • preserve behavior while removing remaining raw db_fetch_assoc usage in these files

Tests

  • php -l setup.php
  • php -l maint.php
  • php -l tests/test_prepared_statements.php
  • php tests/test_prepared_statements.php

Closes #47

Copilot AI review requested due to automatic review settings March 15, 2026 23:07
Copilot AI reviewed Mar 15, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR reduces SQL injection risk in the maint plugin by migrating remaining read-only db_fetch_assoc call sites in setup.php/maint.php to prepared-statement helper variants, and adds a small regression script to ensure those raw helper calls don’t reappear.

Changes:

  • Convert the schedules query in setup.php to db_fetch_assoc_prepared.
  • Convert schedules/site/poller list queries in maint.php to db_fetch_assoc_prepared.
  • Add tests/test_prepared_statements.php to regression-check the prepared helper usage and absence of raw db_fetch_assoc.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 6 comments.

File Description
tests/test_prepared_statements.php Adds a regression script to detect raw db_fetch_assoc usage and confirm prepared helper usage in touched files.
setup.php Migrates the schedules list query used by device actions to db_fetch_assoc_prepared.
maint.php Migrates schedule and filter list queries to db_fetch_assoc_prepared.

You can also share your feedback on Copilot code review. Take the survey.

tests/test_prepared_statements.php
Comment on lines +30 to +49
assert_true(
'setup.php uses prepared schedules query',
preg_match('/db_fetch_assoc_prepared\s*\(\s*\'SELECT id,\s*name,\s*enabled,\s*mtype,\s*stime,\s*etime,\s*minterval/s', $setup_contents) === 1
);
assert_true(
'setup.php has no raw db_fetch_assoc calls',
preg_match('/\bdb_fetch_assoc\s*\(/', $setup_contents) === 0
);
assert_true(
'maint.php uses prepared schedule list query',
preg_match('/db_fetch_assoc_prepared\s*\(\s*\'SELECT \*\s+FROM plugin_maint_schedules/s', $maint_contents) === 1
);
assert_true(
'maint.php uses prepared site list query',
preg_match('/db_fetch_assoc_prepared\s*\(\s*\'SELECT id,\s*name\s+FROM sites/s', $maint_contents) === 1
);
assert_true(
'maint.php uses prepared poller list query',
preg_match('/db_fetch_assoc_prepared\s*\(\s*\'SELECT id,\s*name\s+FROM poller/s', $maint_contents) === 1
);
Copy link
Author

@somethingwithproof somethingwithproof Mar 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated in 80dd247: de-brittled prepared-statement tests to assert helper usage + key table tokens instead of exact SQL formatting/quoting.

setup.php Outdated
FROM plugin_maint_schedules
ORDER BY name');
ORDER BY name',
array());
Copy link
Author

@somethingwithproof somethingwithproof Mar 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in 80dd247: replaced the new empty array() params with short [] for consistency with file style.

maint.php Outdated
FROM plugin_maint_schedules
ORDER BY name');
ORDER BY name',
array());
Copy link
Author

@somethingwithproof somethingwithproof Mar 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in 80dd247: replaced the new empty array() params with short [] for consistency with file style.

maint.php Outdated
WHERE id IN (SELECT site_id FROM host)
ORDER BY name');
ORDER BY name',
array());
Copy link
Author

@somethingwithproof somethingwithproof Mar 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in 80dd247: replaced the new empty array() params with short [] for consistency with file style.

maint.php Outdated
Comment on lines +1163 to +1166
$pollers = db_fetch_assoc_prepared('SELECT id, name
FROM poller
ORDER BY name');
ORDER BY name',
array());
Copy link
Author

@somethingwithproof somethingwithproof Mar 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed in 80dd247: replaced the new empty array() params with short [] for consistency with file style.

tests/test_prepared_statements.php
Comment on lines +27 to +33
$setup_contents = file_get_contents(__DIR__ . '/../setup.php');
$maint_contents = file_get_contents(__DIR__ . '/../maint.php');

assert_true(
'setup.php uses prepared schedules query',
preg_match('/db_fetch_assoc_prepared\s*\(\s*\'SELECT id,\s*name,\s*enabled,\s*mtype,\s*stime,\s*etime,\s*minterval/s', $setup_contents) === 1
);
Copy link
Author

@somethingwithproof somethingwithproof Mar 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Addressed in 80dd247: added explicit readability assertions for setup.php and maint.php before regex checks.

@somethingwithproof somethingwithproof changed the title security: migrate maint SQL helpers to prepared variants hardening: migrate maint SQL helpers to prepared variants Mar 15, 2026
@somethingwithproof
Copy link
Author

somethingwithproof commented Mar 16, 2026
edited
Loading

Incorporated follow-up review feedback in 3f8f963. Added follow-up coverage for prepared host-description lookup and no-raw-fetch-row regression guard.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

hardening: migrate maint SQL helpers to prepared variants

2 participants

@somethingwithproof