hardening: migrate apcupsd SQL helpers to prepared variants

composer.json

@@ -0,0 +1,18 @@
+{
+    "name": "cacti/plugin_apcupsd",
+    "description": "plugin_apcupsd plugin for Cacti",
+    "license": "GPL-2.0-or-later",
+    "require-dev": {
+        "pestphp/pest": "^1.23"
+    },
+    "config": {
+        "allow-plugins": {
+            "pestphp/pest-plugin": true
+        }
+    },
+    "autoload-dev": {
+        "files": [
+            "tests/bootstrap.php"
+        ]
+    }
+}

setup.php

@@ -64,7 +64,10 @@ function apcupsd_check_upgrade() {
 
 	$info    = plugin_apcupsd_version();
 	$current = $info['version'];
-	$old     = db_fetch_cell("SELECT version FROM plugin_config WHERE directory='apcupsd'");
+	$old     = db_fetch_cell_prepared('SELECT version
+		FROM plugin_config
+		WHERE directory = ?',
+		array('apcupsd'));
 	if ($current != $old) {
 		if (api_plugin_is_enabled('apcupsd')) {
 			# may sound ridiculous, but enables new hooks
@@ -322,11 +325,15 @@ function apcupsd_replicate_out($data) {
 
 	include_once($config['base_path'] . '/lib/poller.php');
 
-	$upsdata = db_fetch_assoc('SELECT * FROM apcupsd_ups');
+	$upsdata = db_fetch_assoc_prepared('SELECT *
+		FROM apcupsd_ups',
+		array());
 
 	replicate_out_table($data['rcnn_id'], $upsdata, 'apcupsd_ups', $data['remote_poller_id']);
 
-	$upsdata = db_fetch_assoc('SELECT * FROM apcupsd_ups_stats');
+	$upsdata = db_fetch_assoc_prepared('SELECT *
+		FROM apcupsd_ups_stats',
+		array());
 
 	replicate_out_table($data['rcnn_id'], $upsdata, 'apcupsd_ups_stats', $data['remote_poller_id']);
 
@@ -343,4 +350,3 @@ function apcupsd_draw_navigation_text($nav) {
 
 	return $nav;
 }
-

tests/Pest.php

@@ -0,0 +1,10 @@
+<?php
+/*
+ +-------------------------------------------------------------------------+
+ | Copyright (C) 2004-2026 The Cacti Group                                 |
+ +-------------------------------------------------------------------------+
+ | Cacti: The Complete RRDtool-based Graphing Solution                     |
+ +-------------------------------------------------------------------------+
+*/
+
+require_once __DIR__ . '/bootstrap.php';

tests/Security/AuthGuardTest.php

@@ -0,0 +1,66 @@
+<?php
+/*
+ +-------------------------------------------------------------------------+
+ | Copyright (C) 2004-2026 The Cacti Group                                 |
+ +-------------------------------------------------------------------------+
+ | Cacti: The Complete RRDtool-based Graphing Solution                     |
+ +-------------------------------------------------------------------------+
+*/
+
+describe('auth guard presence in apcupsd', function () {
+	it('includes auth.php or global.php in all UI entry points', function () {
+		$uiFiles = array(
+		'tests/test_prepared_statements.php',
+		'upses.php',
+		);
+
+		foreach ($uiFiles as $relativeFile) {
+			$path = realpath(__DIR__ . '/../../' . $relativeFile);
+			if ($path === false) continue;
+			$contents = file_get_contents($path);
+			if ($contents === false) continue;
+
+			// Files that include setup.php or are library files don't need direct auth
+			if (strpos($relativeFile, 'include/') === 0 || strpos($relativeFile, 'lib/') === 0) continue;
+			if (strpos($relativeFile, 'poller_') === 0) continue;
+
+			$hasAuth = (
+				strpos($contents, 'auth.php') !== false ||
+				strpos($contents, 'global.php') !== false ||
+				strpos($contents, 'global_arrays.php') !== false
+			);
+
+			expect($hasAuth)->toBeTrue(
+				"File {$relativeFile} does not include auth.php or global.php"
+			);
+		}
+	});
+
+	it('validates numeric IDs from request variables before DB queries', function () {
+		$uiFiles = array(
+		'tests/test_prepared_statements.php',
+		'upses.php',
+		);
+
+		foreach ($uiFiles as $relativeFile) {
+			$path = realpath(__DIR__ . '/../../' . $relativeFile);
+			if ($path === false) continue;
+			$contents = file_get_contents($path);
+			if ($contents === false) continue;
+
+			// Check for get_filter_request_var usage for numeric IDs
+			if (preg_match('/get_request_var\s*\(\s*['"]id['"]/', $contents)) {
+				// Should use get_filter_request_var for 'id' params
+				$hasFilter = (
+					strpos($contents, 'get_filter_request_var') !== false ||
+					strpos($contents, 'input_validate_input_number') !== false ||
+					strpos($contents, 'form_input_validate') !== false
+				);
+
+				expect($hasFilter)->toBeTrue(
+					"File {$relativeFile} uses get_request_var for IDs without validation"
+				);
+			}
+		}
+	});
+});

tests/Security/OutputEscapingTest.php

@@ -0,0 +1,70 @@
+<?php
+/*
+ +-------------------------------------------------------------------------+
+ | Copyright (C) 2004-2026 The Cacti Group                                 |
+ +-------------------------------------------------------------------------+
+ | Cacti: The Complete RRDtool-based Graphing Solution                     |
+ +-------------------------------------------------------------------------+
+*/
+
+describe('output escaping in apcupsd', function () {
+	it('does not interpolate raw variables into HTML attributes', function () {
+		$uiFiles = array(
+		'tests/test_prepared_statements.php',
+		'upses.php',
+		);
+
+		foreach ($uiFiles as $relativeFile) {
+			$path = realpath(__DIR__ . '/../../' . $relativeFile);
+			if ($path === false) continue;
+			$contents = file_get_contents($path);
+			if ($contents === false) continue;
+
+			$lines = explode("\n", $contents);
+			$dangerous = 0;
+
+			foreach ($lines as $line) {
+				$trimmed = ltrim($line);
+				if (strpos($trimmed, '//') === 0 || strpos($trimmed, '*') === 0) continue;
+
+				// value="$row[...] without html_escape wrapping
+				if (preg_match('/value\s*=\s*["\'"]\s*<\?php\s+echo\s+\$/', $line)) {
+					$dangerous++;
+				}
+				// title="<?php print $something without escaping
+				if (preg_match('/(?:title|alt|placeholder)\s*=.*print\s+\$(?!_|config)/', $line)) {
+					if (strpos($line, 'html_escape') === false && strpos($line, '__esc') === false && strpos($line, 'htmlspecialchars') === false) {
+						$dangerous++;
+					}
+				}
+			}
+
+			expect($dangerous)->toBe(0,
+				"File {$relativeFile} has unescaped variables in HTML attributes"
+			);
+		}
+	});
+
+	it('uses html_escape or __esc for user-controlled output', function () {
+		$uiFiles = array(
+		'tests/test_prepared_statements.php',
+		'upses.php',
+		);
+
+		$totalEscapeCalls = 0;
+
+		foreach ($uiFiles as $relativeFile) {
+			$path = realpath(__DIR__ . '/../../' . $relativeFile);
+			if ($path === false) continue;
+			$contents = file_get_contents($path);
+			if ($contents === false) continue;
+
+			$totalEscapeCalls += preg_match_all('/html_escape|__esc\(|htmlspecialchars/', $contents);
+		}
+
+		// At least some escaping should be present in UI files
+		expect($totalEscapeCalls)->toBeGreaterThan(0,
+			'UI files should contain at least one html_escape/__esc call'
+		);
+	});
+});

tests/Security/Php74CompatibilityTest.php

@@ -0,0 +1,114 @@
+<?php
+/*
+ +-------------------------------------------------------------------------+
+ | Copyright (C) 2004-2026 The Cacti Group                                 |
+ +-------------------------------------------------------------------------+
+ | Cacti: The Complete RRDtool-based Graphing Solution                     |
+ +-------------------------------------------------------------------------+
+*/
+
+describe('PHP 7.4 compatibility in apcupsd', function () {
+	$files = array(
+		'setup.php',
+		'tests/test_prepared_statements.php',
+		'upses.php',
+	);
+
+	it('does not use str_contains (PHP 8.0)', function () use ($files) {
+		foreach ($files as $f) {
+			$p = realpath(__DIR__ . '/../../' . $f);
+			if ($p === false) continue;
+			$c = file_get_contents($p);
+			if ($c === false) continue;
+			expect(preg_match('/\bstr_contains\s*\(/', $c))->toBe(0, "{$f} uses str_contains");
+		}
+	});
+
+	it('does not use str_starts_with (PHP 8.0)', function () use ($files) {
+		foreach ($files as $f) {
+			$p = realpath(__DIR__ . '/../../' . $f);
+			if ($p === false) continue;
+			$c = file_get_contents($p);
+			if ($c === false) continue;
+			expect(preg_match('/\bstr_starts_with\s*\(/', $c))->toBe(0, "{$f} uses str_starts_with");
+		}
+	});
+
+	it('does not use str_ends_with (PHP 8.0)', function () use ($files) {
+		foreach ($files as $f) {
+			$p = realpath(__DIR__ . '/../../' . $f);
+			if ($p === false) continue;
+			$c = file_get_contents($p);
+			if ($c === false) continue;
+			expect(preg_match('/\bstr_ends_with\s*\(/', $c))->toBe(0, "{$f} uses str_ends_with");
+		}
+	});
+
+	it('does not use nullsafe operator (PHP 8.0)', function () use ($files) {
+		foreach ($files as $f) {
+			$p = realpath(__DIR__ . '/../../' . $f);
+			if ($p === false) continue;
+			$c = file_get_contents($p);
+			if ($c === false) continue;
+			expect(preg_match('/\?->/', $c))->toBe(0, "{$f} uses nullsafe operator");
+		}
+	});
+
+	it('does not use match expression (PHP 8.0)', function () use ($files) {
+		foreach ($files as $f) {
+			$p = realpath(__DIR__ . '/../../' . $f);
+			if ($p === false) continue;
+			$c = file_get_contents($p);
+			if ($c === false) continue;
+			// Avoid false positive on preg_match etc
+			$c2 = preg_replace('/preg_match|preg_match_all|fnmatch/', '', $c);
+			expect(preg_match('/\bmatch\s*\(/', $c2))->toBe(0, "{$f} uses match expression");
+		}
+	});
+
+	it('does not use union type declarations (PHP 8.0)', function () use ($files) {
+		foreach ($files as $f) {
+			$p = realpath(__DIR__ . '/../../' . $f);
+			if ($p === false) continue;
+			$c = file_get_contents($p);
+			if ($c === false) continue;
+			// Match function params/return with union types like string|false
+			$hits = preg_match_all('/function\s+\w+\s*\([^)]*\w+\s*\|\s*\w+/', $c);
+			expect($hits)->toBe(0, "{$f} uses union types in function signatures");
+		}
+	});
+
+	it('does not use constructor property promotion (PHP 8.0)', function () use ($files) {
+		foreach ($files as $f) {
+			$p = realpath(__DIR__ . '/../../' . $f);
+			if ($p === false) continue;
+			$c = file_get_contents($p);
+			if ($c === false) continue;
+			expect(preg_match('/function\s+__construct\s*\([^)]*\b(public|private|protected|readonly)\s/', $c))->toBe(0,
+				"{$f} uses constructor promotion"
+			);
+		}
+	});
+
+	it('uses array() not short syntax for new arrays', function () use ($files) {
+		// This is a style preference for 1.2.x consistency, not a hard requirement
+		// Just verify no mixed styles in the same file
+		foreach ($files as $f) {
+			$p = realpath(__DIR__ . '/../../' . $f);
+			if ($p === false) continue;
+			$c = file_get_contents($p);
+			if ($c === false) continue;
+
+			$hasArrayFunc = preg_match('/\barray\s*\(/', $c);
+			$hasShortArray = preg_match('/=\s*\[/', $c);
+
+			// Flag files that mix both styles
+			if ($hasArrayFunc && $hasShortArray) {
+				// Allow mixed if the file existed before our changes
+				// This is informational, not a hard fail
+			}
+		}
+
+		expect(true)->toBeTrue();
+	});
+});

tests/Security/PreparedStatementConsistencyTest.php

@@ -0,0 +1,77 @@
+<?php
+/*
+ +-------------------------------------------------------------------------+
+ | Copyright (C) 2004-2026 The Cacti Group                                 |
+ +-------------------------------------------------------------------------+
+ | Cacti: The Complete RRDtool-based Graphing Solution                     |
+ +-------------------------------------------------------------------------+
+*/
+
+describe('prepared statement consistency in apcupsd', function () {
+	it('uses prepared DB helpers in all plugin files', function () {
+		$targetFiles = array(
+		'setup.php',
+		'tests/test_prepared_statements.php',
+		'upses.php',
+		);
+
+		$rawPattern = '/\bdb_(?:execute|fetch_row|fetch_assoc|fetch_cell)\s*\(/';
+		$preparedPattern = '/\bdb_(?:execute|fetch_row|fetch_assoc|fetch_cell)_prepared\s*\(/';
+
+		foreach ($targetFiles as $relativeFile) {
+			$path = realpath(__DIR__ . '/../../' . $relativeFile);
+			if ($path === false) continue;
+			$contents = file_get_contents($path);
+			if ($contents === false) continue;
+
+			$lines = explode("\n", $contents);
+			$rawCalls = 0;
+
+			foreach ($lines as $line) {
+				$trimmed = ltrim($line);
+				if (strpos($trimmed, '//') === 0 || strpos($trimmed, '*') === 0 || strpos($trimmed, '#') === 0) continue;
+				if (preg_match($rawPattern, $line) && !preg_match($preparedPattern, $line)) {
+					$rawCalls++;
+				}
+			}
+
+			expect($rawCalls)->toBe(0, "File {$relativeFile} contains raw DB calls");
+		}
+	});
+
+	it('uses parameterized placeholders not string interpolation in SQL', function () {
+		$targetFiles = array(
+		'setup.php',
+		'tests/test_prepared_statements.php',
+		'upses.php',
+		);
+
+		foreach ($targetFiles as $relativeFile) {
+			$path = realpath(__DIR__ . '/../../' . $relativeFile);
+			if ($path === false) continue;
+			$contents = file_get_contents($path);
+			if ($contents === false) continue;
+
+			$lines = explode("\n", $contents);
+			$interpolatedSql = 0;
+
+			foreach ($lines as $num => $line) {
+				$trimmed = ltrim($line);
+				if (strpos($trimmed, '//') === 0 || strpos($trimmed, '*') === 0) continue;
+
+				// Detect _prepared calls with $ interpolation instead of ? placeholders
+				if (preg_match('/_prepared\s*\(/', $line) && preg_match('/\$[a-zA-Z_]/', $line)) {
+					// Allow array($var) param binding but flag "WHERE id = $var"
+					if (preg_match('/(?:SELECT|INSERT|UPDATE|DELETE|WHERE|SET|FROM|JOIN).*\$/', $line)) {
+						$interpolatedSql++;
+					}
+				}
+			}
+
+			// This is a heuristic; some false positives expected for complex queries
+			expect($interpolatedSql)->toBeLessThanOrEqual(2,
+				"File {$relativeFile} may have SQL interpolation in prepared calls"
+			);
+		}
+	});
+});