hardening: prepared statements, PHP 7.4 idioms, and security fixes (#324)

* refactor(php74): use null coalescing (??) and ??= operators

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>

* security: fix SQLi, XSS, credential exposure, and insecure deserialization

Replace bare unserialize() with cacti_unserialize() plus array
validation in mactrack_view_macs.php. The original call allowed
PHP object injection on a guest-accessible page.

Strip 9 SNMP credential columns (community strings, SNMPv3
usernames, passwords, auth/priv protocols, passphrases) from the
guest-accessible CSV export in mactrack_view_devices.php. Any
user with Viewer realm could download all network device SNMP
credentials. Addresses GHSA-9829-w9mx-2cgm.

Replace all 27 unsafe LIKE string interpolation sites across 9
files with db_qstr() quoting. Also fix mactrack_create_sql_filter()
in lib/mactrack_functions.php. Six of the affected files are
guest-accessible, making filter SQLi pre-authentication.

Replace raw db_qstr()-less CSV value interpolation in the import
processors of mactrack_devices.php and mactrack_device_types.php.
CSV cell values were concatenated directly into INSERT VALUES and
WHERE clauses with only single-quote stripping (bypassable via
backslash escaping).

Replace get_request_var('filter') with html_escape_request_var()
in 11 HTML input value attributes to prevent reflected XSS.

Wrap 4 SNMP response variables with html_escape() in
mactrack_devices.php to prevent stored XSS via rogue SNMP agents.

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>

* refactor: extract plugin_get_rows_per_page helper to DRY filter boilerplate

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>

* chore: add copilot instructions and CI workflow

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>

* fix(security): escape filter option labels

* qa: Fixing php-cs-fixer issues

---------

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
Co-authored-by: TheWitness <thewitness@cacti.net>

Author: somethingwithproof

.github/copilot-instructions.md

@@ -0,0 +1,23 @@
+# Cacti mactrack Plugin AI Instructions
+
+## Project Overview
+This is a Cacti plugin. It integrates with the Cacti monitoring platform via the plugin hook architecture.
+
+## Technology Stack
+- PHP 7.4+ (targeting Cacti 1.2.x compatibility)
+- MySQL/MariaDB via Cacti's DB abstraction layer
+- PSR-12 coding standards
+
+## Key Rules
+- Use prepared statements (db_execute_prepared, db_fetch_row_prepared, etc.) for ALL queries with variables
+- Use get_request_var() / get_filter_request_var() for ALL user input, never raw $_REQUEST/$_GET/$_POST
+- Use html_escape() / htmlspecialchars() for ALL output of DB/user values in HTML context
+- Use cacti_escapeshellarg() for ALL shell command arguments
+- No PHP 8.0+ features (str_contains, match, union types, named args) - target PHP 7.4
+- Use ?? and ??= operators (PHP 7.4) instead of isset() ternary patterns
+- All unserialize() calls must use allowed_classes => false
+
+## Testing
+- Tests in tests/ directory
+- Use Pest PHP or PHPUnit
+- php -l lint check required before commit

.github/workflows/plugin-ci-workflow.yml

@@ -0,0 +1,225 @@
+# +-------------------------------------------------------------------------+
+# | Copyright (C) 2004-2026 The Cacti Group                                 |
+# |                                                                         |
+# | This program is free software; you can redistribute it and/or           |
+# | modify it under the terms of the GNU General Public License             |
+# | as published by the Free Software Foundation; either version 2          |
+# | of the License, or (at your option) any later version.                  |
+# |                                                                         |
+# | This program is distributed in the hope that it will be useful,         |
+# | but WITHOUT ANY WARRANTY; without even the implied warranty of          |
+# | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the           |
+# | GNU General Public License for more details.                            |
+# +-------------------------------------------------------------------------+
+# | Cacti: The Complete RRDtool-based Graphing Solution                     |
+# +-------------------------------------------------------------------------+
+# | This code is designed, written, and maintained by the Cacti Group. See  |
+# | about.php and/or the AUTHORS file for specific developer information.   |
+# +-------------------------------------------------------------------------+
+# | http://www.cacti.net/                                                   |
+# +-------------------------------------------------------------------------+
+
+name: Plugin Integration Tests
+
+on:
+  push:
+    branches:
+      - main
+      - develop
+  pull_request:
+    branches:
+      - main
+      - develop
+
+jobs:
+  integration-test:
+    runs-on: ${{ matrix.os }}
+    
+    strategy:
+      fail-fast: false
+      matrix:
+        php: ['8.1', '8.2', '8.3', '8.4']
+        os: [ubuntu-latest]
+    
+    services:
+      mariadb:
+        image: mariadb:10.6
+        env:
+          MYSQL_ROOT_PASSWORD: cactiroot
+          MYSQL_DATABASE: cacti
+          MYSQL_USER: cactiuser
+          MYSQL_PASSWORD: cactiuser
+        ports:
+          - 3306:3306
+        options: >-
+          --health-cmd="mysqladmin ping"
+          --health-interval=10s
+          --health-timeout=5s
+          --health-retries=3
+    
+    name: PHP ${{ matrix.php }} Integration Test on ${{ matrix.os }}
+    
+    steps:
+    - name: Checkout Cacti
+      uses: actions/checkout@v4
+      with:
+        repository: Cacti/cacti
+        path: cacti
+    
+    - name: Checkout mactrack Plugin
+      uses: actions/checkout@v4
+      with:
+        path: cacti/plugins/mactrack
+    
+    - name: Install PHP ${{ matrix.php }}
+      uses: shivammathur/setup-php@v2
+      with:
+        php-version: ${{ matrix.php }}
+        extensions: intl, mysql, gd, ldap, gmp, xml, curl, json, mbstring
+        ini-values: "post_max_size=256M, max_execution_time=60, date.timezone=America/New_York"
+    
+    - name: Check PHP version
+      run: php -v
+    
+    - name: Run apt-get update
+      run: sudo apt-get update
+    
+    - name: Install System Dependencies
+      run: sudo apt-get install -y apache2 snmp snmpd rrdtool fping libapache2-mod-php${{ matrix.php }}
+    
+    - name: Start SNMPD Agent and Test
+      run: |
+        sudo systemctl start snmpd
+        sudo snmpwalk -c public -v2c -On localhost .1.3.6.1.2.1.1
+    
+    - name: Setup Permissions
+      run: |
+        sudo chown -R www-data:runner ${{ github.workspace }}/cacti
+        sudo find ${{ github.workspace }}/cacti -type d -exec chmod 775 {} \;
+        sudo find ${{ github.workspace }}/cacti -type f -exec chmod 664 {} \;
+        sudo chmod +x ${{ github.workspace }}/cacti/cmd.php
+        sudo chmod +x ${{ github.workspace }}/cacti/poller.php
+    
+    - name: Create MySQL Config
+      run: |
+        echo -e "[client]\nuser = root\npassword = cactiroot\nhost = 127.0.0.1\n" > ~/.my.cnf
+        cat ~/.my.cnf
+    
+    - name: Initialize Cacti Database
+      env:
+        MYSQL_AUTH_USR: '--defaults-file=~/.my.cnf'
+      run: |
+        mysql $MYSQL_AUTH_USR -e 'CREATE DATABASE IF NOT EXISTS cacti;'
+        mysql $MYSQL_AUTH_USR -e "CREATE USER IF NOT EXISTS 'cactiuser'@'localhost' IDENTIFIED BY 'cactiuser';"
+        mysql $MYSQL_AUTH_USR -e "GRANT ALL PRIVILEGES ON cacti.* TO 'cactiuser'@'localhost';"
+        mysql $MYSQL_AUTH_USR -e "GRANT SELECT ON mysql.time_zone_name TO 'cactiuser'@'localhost';"
+        mysql $MYSQL_AUTH_USR -e "FLUSH PRIVILEGES;"
+        mysql $MYSQL_AUTH_USR cacti < ${{ github.workspace }}/cacti/cacti.sql
+        mysql $MYSQL_AUTH_USR -e "INSERT INTO settings (name, value) VALUES ('path_php_binary', '/usr/bin/php')" cacti
+    
+    - name: Validate composer files
+      run: |
+        cd ${{ github.workspace }}/cacti
+        if [ -f composer.json ]; then
+          composer validate --strict || true
+        fi
+    
+    - name: Install Composer Dependencies
+      run: |
+        cd ${{ github.workspace }}/cacti
+        if [ -f composer.json ]; then
+          sudo composer install --prefer-dist --no-progress
+        fi
+    
+    - name: Create Cacti config.php
+      run: |
+        cat ${{ github.workspace }}/cacti/include/config.php.dist | \
+        sed -r "s/localhost/127.0.0.1/g" | \
+        sed -r "s/'cacti'/'cacti'/g" | \
+        sed -r "s/'cactiuser'/'cactiuser'/g" | \
+        sed -r "s/'cactiuser'/'cactiuser'/g" > ${{ github.workspace }}/cacti/include/config.php
+        sudo chmod 664 ${{ github.workspace }}/cacti/include/config.php
+    
+    - name: Configure Apache
+      run: |
+        cat << 'EOF' | sed 's#GITHUB_WORKSPACE#${{ github.workspace }}#g' > /tmp/cacti.conf
+        <VirtualHost *:80>
+          ServerAdmin webmaster@localhost
+          DocumentRoot GITHUB_WORKSPACE/cacti
+          
+          <Directory GITHUB_WORKSPACE/cacti>
+            Options Indexes FollowSymLinks
+            AllowOverride All
+            Require all granted
+          </Directory>
+          
+          ErrorLog ${APACHE_LOG_DIR}/error.log
+          CustomLog ${APACHE_LOG_DIR}/access.log combined
+        </VirtualHost>
+        EOF
+        sudo cp /tmp/cacti.conf /etc/apache2/sites-available/000-default.conf
+        sudo systemctl restart apache2
+    
+    - name: Install Cacti via CLI
+      run: |
+        cd ${{ github.workspace }}/cacti
+        sudo php cli/install_cacti.php --accept-eula --install --force
+    
+    - name: Install mactrack Plugin
+      run: |
+        cd ${{ github.workspace }}/cacti
+        sudo php cli/plugin_manage.php --plugin=mactrack --install --enable
+
+#    - name: import mactrack Plugin Sample Data
+#      run: |
+#        cd ${{ github.workspace }}/cacti/plugins/mactrack
+#        sudo php cli_import.php --filename=.github/workflows/mactrack_sample_data.xml
+#        if [ $? -ne 0 ]; then
+#          echo "Failed to import Thold sample data"
+#          exit 1
+#        fi
+    
+    - name: Check PHP Syntax for Plugin
+      run: |
+        cd ${{ github.workspace }}/cacti/plugins/mactrack
+        if find . -name '*.php' -exec php -l {} 2>&1 \; | grep -iv 'no syntax errors detected'; then
+          echo "Syntax errors found!"
+          exit 1
+        fi
+    
+    - name: Remove the plugins directory exclusion from the .phpstan.neon
+      run: sed '/plugins/d' -i .phpstan.neon
+      working-directory: ${{ github.workspace }}/cacti
+
+    - name: Mark composer scripts executable
+      run: sudo chmod +x ${{ github.workspace }}/cacti/include/vendor/bin/*
+
+    - name: Run Linter on base code
+      run: composer run-script lint ${{ github.workspace }}/cacti/plugins/mactrack
+      working-directory: ${{ github.workspace }}/cacti
+
+    - name: Checking coding standards on base code
+      run: composer run-script phpcsfixer ${{ github.workspace }}/cacti/plugins/mactrack
+      working-directory: ${{ github.workspace }}/cacti
+
+#    - name: Run PHPStan at Level 6 on base code outside of Composer due to technical issues
+#      run: ./include/vendor/bin/phpstan analyze --level 6 ${{ github.workspace }}/cacti/plugins/mactrack
+#      working-directory: ${{ github.workspace }}/cacti
+    
+    - name: Run Cacti Poller
+      run: |
+        cd ${{ github.workspace }}/cacti
+        sudo php poller.php --poller=1 --force --debug
+        if ! grep -q "SYSTEM STATS" log/cacti.log; then
+          echo "Cacti poller did not finish successfully"
+          cat log/cacti.log
+          exit 1
+        fi
+    
+    - name: View Cacti Logs
+      if: always()
+      run: |
+        if [ -f ${{ github.workspace }}/cacti/log/cacti.log ]; then
+          echo "=== Cacti Log ==="
+          sudo cat ${{ github.workspace }}/cacti/log/cacti.log
+        fi

lib/mactrack_3com.php

@@ -23,9 +23,7 @@
 */
 
 // register this functions scanning functions
-if (!isset($mactrack_scanning_functions)) {
-	$mactrack_scanning_functions = [];
-}
+$mactrack_scanning_functions ??= [];
 array_push($mactrack_scanning_functions, 'get_3Com_dot1dTpFdbEntry_ports');
 
 /* complete_3com_ifName
@@ -210,7 +208,7 @@ function get_3Com_base_dot1dTpFdbEntry_ports($site, &$device, &$ifInterfaces, $s
 					if (isset($bridgePortIfIndexes[$port_key['port_number']])) {
 						$brPortIfIndex = mactrack_arr_key($bridgePortIfIndexes, $port_key['port_number']);
 					} else {
-						$brPortIfIndex = isset($port_key['port_number']) ? $port_key['port_number'] : '';
+						$brPortIfIndex = $port_key['port_number'] ?? '';
 					}
 					$brPortIfType = isset($ifInterfaces[$brPortIfIndex]['ifType']) ? $ifInterfaces[$brPortIfIndex]['ifType'] : '';
 				} else {

lib/mactrack_aruba_oscx.php

@@ -23,14 +23,10 @@
 */
 
 // register this functions scanning functions
-if (!isset($mactrack_scanning_functions)) {
-	$mactrack_scanning_functions = [];
-}
+$mactrack_scanning_functions ??= [];
 array_push($mactrack_scanning_functions, 'get_aruba_oscx_switch_ports');
 
-if (!isset($mactrack_scanning_functions_ip)) {
-	$mactrack_scanning_functions_ip = [];
-}
+$mactrack_scanning_functions_ip ??= [];
 array_push($mactrack_scanning_functions_ip, 'get_aruba_oscx_arp_table');
 
 function oscx_mac($mac) {
@@ -375,7 +371,7 @@ function get_aruba_oscx_dot1dTpFdbEntry_ports($site, &$device, &$ifInterfaces, $
 
 					// now set the real data
 					$new_port_key_array[$i]['key']         = mactrack_arr_key($port_key, 'key');
-					$new_port_key_array[$i]['port_number'] = isset($brPortIfIndex) ? $brPortIfIndex : '';
+					$new_port_key_array[$i]['port_number'] = $brPortIfIndex ?? '';
 					$new_port_key_array[$i]['port_name']   = mactrack_arr_key($ifInterfaces, $port_key['port_number']);
 					$new_port_key_array[$i]['mac_address'] = oscx_mac($port_key['key']);
 					$new_port_key_array[$i]['vlan_id']     = mactrack_arr_key($port_vlan_data, $brPortIfIndex);

lib/mactrack_cabletron.php

@@ -23,9 +23,7 @@
 */
 
 // register this functions scanning functions
-if (!isset($mactrack_scanning_functions)) {
-	$mactrack_scanning_functions = [];
-}
+$mactrack_scanning_functions ??= [];
 array_push($mactrack_scanning_functions, 'get_cabletron_switch_ports');
 array_push($mactrack_scanning_functions, 'get_repeater_rev4_ports');
 

lib/mactrack_cisco.php

@@ -23,21 +23,15 @@
 */
 
 // register this functions scanning functions
-if (!isset($mactrack_scanning_functions)) {
-	$mactrack_scanning_functions = [];
-}
+$mactrack_scanning_functions ??= [];
 array_push($mactrack_scanning_functions, 'get_catalyst_dot1dTpFdbEntry_ports');
 array_push($mactrack_scanning_functions, 'get_IOS_dot1dTpFdbEntry_ports');
 
-if (!isset($mactrack_scanning_functions_ip)) {
-	$mactrack_scanning_functions_ip = [];
-}
+$mactrack_scanning_functions_ip ??= [];
 array_push($mactrack_scanning_functions_ip, 'get_cisco_dhcpsnooping_table');
 array_push($mactrack_scanning_functions_ip, 'get_cisco_vrf_arp_table');
 
-if (!isset($mactrack_scanning_functions_dot1x)) {
-	$mactrack_scanning_functions_dot1x = [];
-}
+$mactrack_scanning_functions_dot1x ??= [];
 array_push($mactrack_scanning_functions_dot1x, 'get_cisco_dot1x_table');
 
 /* get_catalyst_doet1dTpFdbEntry_ports

lib/mactrack_dell.php

@@ -23,9 +23,7 @@
 */
 
 // register this functions scanning functions
-if (!isset($mactrack_scanning_functions)) {
-	$mactrack_scanning_functions = [];
-}
+$mactrack_scanning_functions ??= [];
 array_push($mactrack_scanning_functions, 'get_dell_dot1q_switch_ports');
 
 /*	get_dell_dot1q_switch_ports - This is a basic function that will scan the dot1d

lib/mactrack_dlink.php

@@ -24,14 +24,10 @@
 */
 
 // register this functions scanning functions
-if (!isset($mactrack_scanning_functions)) {
-	$mactrack_scanning_functions = [];
-}
+$mactrack_scanning_functions ??= [];
 array_push($mactrack_scanning_functions, 'get_dlink_l2_switch_ports');
 
-if (!isset($mactrack_scanning_functions)) {
-	$mactrack_scanning_functions = [];
-}
+$mactrack_scanning_functions ??= [];
 array_push($mactrack_scanning_functions, 'get_dlink_l2_dot1dTpFdbEntry_ports');
 
 /*	get_generic_switch_ports - This is a basic function that will scan the dot1d

lib/mactrack_enterasys.php

@@ -24,9 +24,7 @@
 */
 
 // register this functions scanning functions
-if (!isset($mactrack_scanning_functions)) {
-	$mactrack_scanning_functions = [];
-}
+$mactrack_scanning_functions ??= [];
 array_push($mactrack_scanning_functions, 'get_enterasys_switch_ports');
 
 function get_enterasys_switch_ports($site, &$device, $lowPort = 0, $highPort = 0) {

lib/mactrack_enterasys_N7.php

@@ -23,14 +23,10 @@
 */
 
 // register this functions scanning functions
-if (!isset($mactrack_scanning_functions)) {
-	$mactrack_scanning_functions = [];
-}
+$mactrack_scanning_functions ??= [];
 array_push($mactrack_scanning_functions, 'get_enterasys_N7_switch_ports');
 
-if (!isset($mactrack_scanning_functions_ip)) {
-	$mactrack_scanning_functions_ip = [];
-}
+$mactrack_scanning_functions_ip ??= [];
 array_push($mactrack_scanning_functions_ip, 'get_CTAlias_table');
 
 /*	get_generic_switch_ports - This is a basic function that will scan the dot1d
@@ -298,7 +294,7 @@ function get_enterasys_N7_dot1dTpFdbEntry_ports($site, &$device, &$ifInterfaces,
 
 					// now set the real data
 					$new_port_key_array[$i]['key']         = mactrack_arr_key($port_key, 'key');
-					$new_port_key_array[$i]['port_number'] = isset($brPortIfIndex) ? $brPortIfIndex : '';
+					$new_port_key_array[$i]['port_number'] = $brPortIfIndex ?? '';
 					$new_port_key_array[$i]['vlan_id']     = mactrack_arr_key($vlan_ids, $port_key['key']);
 					// print_r($new_port_key_array[$i]);
 					$i++;