hardening: migrate flowview process/version lookups to prepared#248
hardening: migrate flowview process/version lookups to prepared#248somethingwithproof wants to merge 3 commits intoCacti:developfrom
Conversation
There was a problem hiding this comment.
Pull request overview
Updates FlowView plugin code to replace raw SQL string queries with prepared statements, and adds a lightweight regression test to detect reintroduction of those raw lookups.
Changes:
- Converted plugin version lookup in
setup.phptodb_fetch_cell_prepared()with a bound placeholder. - Converted FlowView master process PID lookups in
setup.phpandflowview_devices.phptodb_fetch_cell_prepared()with bound placeholders. - Added a PHP test script that scans source files to assert prepared-statement usage and absence of specific raw lookups.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| tests/test_prepared_statements.php | Adds string-based regression checks to enforce prepared-statement usage for specific queries. |
| setup.php | Replaces raw db_fetch_cell() lookups with db_fetch_cell_prepared() for plugin version and PID retrieval. |
| flowview_devices.php | Replaces raw PID lookups with prepared statements for save/restart service paths. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
You can also share your feedback on Copilot code review. Take the survey.
tests/test_prepared_statements.php
Outdated
| assert_not_contains( | ||
| $devices, | ||
| 'db_fetch_cell(\'SELECT pid FROM processes WHERE tasktype="flowview" AND taskname="master"\')', | ||
| 'Raw process lookup should not remain in flowview_devices.php.' | ||
| ); |
There was a problem hiding this comment.
Addressed in 3a1079c: switched raw-process negative checks to regex patterns that also catch multi-line/raw formatting variants.
tests/test_prepared_statements.php
Outdated
| "WHERE directory = ?', array('flowview'))", | ||
| 'Expected setup.php version lookup to bind flowview directory via placeholder.' | ||
| ); | ||
|
|
There was a problem hiding this comment.
Addressed in 3a1079c: replaced exact formatting assertions with regex-based checks to reduce whitespace/format coupling.
somethingwithproof
changed the title
|
Incorporated follow-up review feedback in |
Summary
Implements issue #247 by migrating selected raw process/version lookups to prepared database helpers.
Changes
flowview_devices.phpsave_device()todb_fetch_cell_prepared()restart_services()todb_fetch_cell_prepared()setup.phpplugin_flowview_check_config()todb_fetch_cell_prepared()flowview_global_settings_update()todb_fetch_cell_prepared()tests/test_prepared_statements.phpValidation
php -l flowview_devices.phpphp -l setup.phpphp -l tests/test_prepared_statements.phpphp tests/test_prepared_statements.phpIssue
Closes #247