Skip to content

fix(security): defense-in-depth hardening for plugin_audit#52

Draft
somethingwithproof wants to merge 4 commits intoCacti:developfrom
somethingwithproof:fix/defense-in-depth
Draft

fix(security): defense-in-depth hardening for plugin_audit#52
somethingwithproof wants to merge 4 commits intoCacti:developfrom
somethingwithproof:fix/defense-in-depth

Conversation

@somethingwithproof
Copy link
Copy Markdown

@somethingwithproof somethingwithproof commented Apr 9, 2026

Summary

Defense-in-depth hardening addressing 7 security audit findings.

  • XSS: Escape request variables in HTML output with html_escape_request_var()
  • SQLi: Convert string-concat queries to prepared statements
  • Deserialization: Add allowed_classes => false to unserialize()

All changes PHP 7.0+ compatible.

Test plan

  • PHP lint clean
  • Pre-push review PASS (Claude + Grok + Copilot)
  • Verify plugin functionality

Copilot AI review requested due to automatic review settings April 9, 2026 06:16
@github-advanced-security
Copy link
Copy Markdown

github-advanced-security AI commented Apr 9, 2026

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

Copilot AI reviewed Apr 9, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Defense-in-depth hardening for the Cacti audit plugin, focused on reducing attack surface (XSS mitigation in UI output) and adding repository-level security automation (CodeQL + Dependabot).

Changes:

  • Escape the page request variable before rendering it into an HTML hidden input.
  • Add a CodeQL workflow for JavaScript/TypeScript analysis.
  • Add a Dependabot configuration for GitHub Actions (and npm).

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File Description
audit.php Escapes a request variable before embedding it into HTML output.
.github/workflows/codeql.yml Introduces CodeQL scanning workflow (JS/TS matrix).
.github/dependabot.yml Enables Dependabot updates for GitHub Actions and npm.

Comment thread .github/dependabot.yml Outdated
Comment on lines +3 to +7
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 10
Copy link

Copilot AI Apr 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The Dependabot config enables the npm ecosystem at directory "/", but this repository does not contain a package.json/package-lock.json. This will cause Dependabot runs for npm to fail with "manifest file not found". Remove the npm entry, or add an npm manifest (and ensure it matches the actual JS dependency management) before enabling npm updates.

Suggested change
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
open-pull-requests-limit: 10

Copilot uses AI. Check for mistakes.
Comment thread audit.php
</tr>
</table>
<input type='hidden' id='page' value='<?php print get_request_var('page');?>'>
<input type='hidden' id='page' value='<?php print html_escape_request_var('page'); ?>'>
Copy link

Copilot AI Apr 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The PR description mentions converting string-concatenated SQL to prepared statements, but audit.php still builds SQL via string concatenation with request variables (e.g., in audit_export_rows() and the main audit_log() query construction). Either include those SQL changes in this PR or adjust the PR description to match the actual scope.

Copilot uses AI. Check for mistakes.
This was referenced Apr 9, 2026
Open
Open
@somethingwithproof
fix(ci): Dependabot composer ecosystem, CodeQL PHP coverage
ba0eb4f 
- Change Dependabot ecosystem from npm to composer (PHP-only repo)
- Remove PHP from CodeQL paths-ignore so security PRs get analysis
- Remove committed .omc session artifacts, add .omc/ to .gitignore

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
@somethingwithproof somethingwithproof marked this pull request as draft April 11, 2026 00:09
@somethingwithproof
Copy link
Copy Markdown
Author

somethingwithproof commented Apr 11, 2026

Converted to draft to serialize the stack in this repo. Blocked by #51; will un-draft after that merges to avoid cross-PR merge conflicts.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@somethingwithproof @github-advanced-security