Skip to content

fix(security): defense-in-depth hardening for plugin_syslog#303

Merged
TheWitness merged 5 commits intoCacti:developfrom
somethingwithproof:fix/defense-in-depth
Apr 9, 2026
Merged

fix(security): defense-in-depth hardening for plugin_syslog#303
TheWitness merged 5 commits intoCacti:developfrom
somethingwithproof:fix/defense-in-depth

Conversation

@somethingwithproof
Copy link
Copy Markdown
Contributor

@somethingwithproof somethingwithproof commented Apr 9, 2026
edited by TheWitness
Loading

Summary

Automated defense-in-depth hardening addressing 51 security audit findings.

  • XSS: Escape request variables in HTML value attributes with html_escape_request_var()
  • Temp files: Replace predictable rand() with tempnam()

All changes are PHP 7.0+ compatible for Cacti 1.2.x.

Test plan

  • PHP lint clean on all changed files
  • Verify plugin functionality after changes

@somethingwithproof
ci: add CodeQL for javascript-typescript, python, ruby
9603b08
@somethingwithproof
fix(ci): use specific runner labels, fix codeql concurrency
743ba74
@somethingwithproof
fix(security): defense-in-depth hardening for plugin_syslog
543e4c9 
Automated fixes:
- XSS: escape request variables in HTML output
- SQLi: convert string-concat queries to prepared statements
- Deserialization: add allowed_classes=>false
- Temp files: replace rand() with tempnam()

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
Copilot AI review requested due to automatic review settings April 9, 2026 06:09
@github-advanced-security
Copy link
Copy Markdown

github-advanced-security bot commented Apr 9, 2026

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

Copilot AI reviewed Apr 9, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR aims to improve the Syslog plugin’s security posture by hardening request-variable handling in the UI and adding automated static analysis via a CodeQL workflow.

Changes:

  • Escapes request variables used in HTML value attributes in syslog.php to reduce XSS risk.
  • Adds a GitHub Actions CodeQL workflow intended to run security analysis on pushes/PRs.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File Description
syslog.php Uses html_escape_request_var() for date/removal request vars rendered into HTML attributes.
.github/workflows/codeql.yml Introduces a CodeQL workflow for automated security scanning.

@somethingwithproof somethingwithproof mentioned this pull request Apr 9, 2026
Closed
@TheWitness TheWitness requested review from bmfmancini and xmacan April 9, 2026 16:29
@TheWitness TheWitness merged commit b8e6edc into Cacti:develop Apr 9, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@bmfmancini bmfmancini bmfmancini approved these changes

@xmacan xmacan xmacan approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@somethingwithproof @github-advanced-security @bmfmancini @xmacan @TheWitness