Open
Changes from 9 commits
Commits
19 commits
00688e8
fix(security): RLIKE injection, XSS, unserialize, and trigger_cmd har…
somethingwithproof May 17, 2026
232cf17
test: add Pest v1 security regression suite
somethingwithproof May 17, 2026
3c6f4f9
test(security): strengthen TriggerCmd and RlikeInjection coverage
somethingwithproof May 17, 2026
15fc4eb
fix(security): replace raw SQL concatenation with prepared statements
somethingwithproof May 17, 2026
a80884d
fix(security): wrap AJAX URL params with encodeURIComponent
somethingwithproof May 17, 2026
f8ca477
test(security): add encodeURIComponent regression tests for AJAX filters
somethingwithproof May 17, 2026
4253b17
fix(compat): replace str_starts_with with strncmp for PHP 7.4
somethingwithproof May 17, 2026
9eee922
fix(guard): cast drp_action valid-actions to strings for strict in_array
somethingwithproof May 17, 2026
9cbd266
fix(validation): add gfrv() calls for id and action fields in bulk ha…
somethingwithproof May 17, 2026
a21d6d0
test(security): add PreparedStatementConsistencyTest from #769
somethingwithproof May 17, 2026
3dea5bd
docs(api): document get_total_row_data third-arg contract at call sites
somethingwithproof May 17, 2026
732c3b7
fix(atomicity): wrap bulk notify-list writes in transactions
somethingwithproof May 17, 2026
dbcf41f
fix(atomicity): rollback on db_execute_prepared failure in bulk handlers
somethingwithproof May 17, 2026
1229ea0
fix(atomicity): break on failure in loops; move template cascade afte…
somethingwithproof May 17, 2026
246c61b
docs(changelog): document security hardening entries for develop
somethingwithproof May 17, 2026
d987beb
fix(thold): quote PHP_BINARY in lint test, add putenv/bootstrap sync …
somethingwithproof May 17, 2026
0e80bdc
fix(thold): clarify RLIKE test assertions and document sql_params con…
somethingwithproof May 17, 2026
7a4ded8
fix(test): use nowdoc for RLIKE vulnerable-pattern strings
somethingwithproof May 17, 2026
8a38efb
fix(test): replace nested-paren-hostile regex with substr_count; shor…
somethingwithproof May 17, 2026
17 changes: 17 additions & 0 deletions composer.json
@@ -0,0 +1,17 @@
{
"name": "cacti/plugin-thold",
"description": "Thold Plugin for Cacti",
"type": "project",
"require-dev": {
"pestphp/pest": "^1.23"
},
"autoload": {
"psr-4": {}
},
"scripts": {
"test": "vendor/bin/pest tests/Security"
},
"config": {
"vendor-dir": "vendor"
}
}
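Review bot: the "autoload" block with an empty "psr-4": {} map and the "config" block setting "vendor-dir": "vendor" are both no-ops (an empty map registers nothing, and "vendor" is already Composer's default), so both can be dropped from this new file. The file also has no "require" section, so the PHP version the plugin itself supports is not declared anywhere here; consider adding a "php" constraint so that Composer resolves "pestphp/pest": "^1.23" against the intended runtime. Since the "test" script expects vendor/bin/pest inside the plugin directory, please also confirm that vendor/ is git-ignored and left out of release archives, so the dev-only test tooling pulled in by "require-dev" is never deployed alongside the plugin.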