feat(security): add CactiValidator helpers#7125

Closed
somethingwithproof wants to merge 5 commits into Cacti:develop from somethingwithproof:feat/cacti-validator

Conversation

@somethingwithproof
Contributor

@somethingwithproof somethingwithproof commented May 8, 2026

Part B of six PRs splitting #7123. Depends on #7124.

Adds lib/CactiValidator.php with helpers wrapping Symfony Validator
for host IDs, RRD paths, IP addresses, emails, and SNMP community
strings. RRD path validation defends against traversal and (when an
rraRoot is supplied) symlink-based escapes.

Restructured to use the flat un-namespaced lib/CactiX.php convention
to align with #7088 / #7073 / #7077 / #7075. The class is loaded via
require_once from the test, not via PSR-4 autoload.

symfony/validator itself is added by #7077 (CactiSettings) and is
not duplicated in this PR's composer.json.

Wraps symfony/validator with a lazy singleton for the small number
of validation call sites that need a constraint-list API, plus a
relative-path validator that rejects null bytes, traversal, and
absolute paths and (when given an rraRoot) confirms realpath()
stays inside the root.

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
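The relative-path rules the description lists (no null bytes, no traversal segments, no absolute paths, and realpath() containment when an rraRoot is given), as an added PHP illustration that is not the PR's own CactiValidator code. The function name isSafeRelativeRrdPath and the handling of not-yet-existing targets (resolving the parent directory) are assumptions.

```php
<?php
declare(strict_types=1);
// Added illustration, not the PR's CactiValidator code. Function name and
// the not-yet-existing-file handling (parent directory) are assumptions.

/**
 * Returns true when $path is a safe relative RRD path. With $rraRoot set,
 * also requires the realpath()-resolved target to stay inside the resolved
 * root, which catches symlink-based escapes that string checks alone miss.
 */
function isSafeRelativeRrdPath(string $path, ?string $rraRoot = null): bool
{
    // NUL bytes truncate the path in C-level filesystem calls.
    if ($path === '' || strpos($path, "\0") !== false) {
        return false;
    }
    // Absolute paths: POSIX, UNC/backslash, and Windows drive letters.
    if ($path[0] === '/' || $path[0] === '\\' || preg_match('#^[A-Za-z]:#', $path) === 1) {
        return false;
    }
    // Traversal: any '.' or '..' segment, with either separator.
    foreach (preg_split('#[\\\\/]+#', $path) as $segment) {
        if ($segment === '.' || $segment === '..') {
            return false;
        }
    }
    if ($rraRoot === null) {
        return true;
    }
    // Containment: resolve both sides so symlinks inside the root are followed.
    $root = realpath($rraRoot);
    if ($root === false) {
        return false;
    }
    $candidate = $root . DIRECTORY_SEPARATOR . $path;
    $real = realpath($candidate);
    if ($real === false) {
        // Assumption: a new RRD may not exist yet, so resolve its parent instead.
        $real = realpath(dirname($candidate));
        if ($real === false) {
            return false;
        }
    }
    $root = rtrim($root, DIRECTORY_SEPARATOR);
    return $real === $root
        || strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) === 0;
}
```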
Copilot AI review requested due to automatic review settings May 8, 2026 07:15
Contributor

Copilot AI left a comment


Pull request overview

Adds a new Cacti\Security\CactiValidator helper intended to centralize common validation (Host ID, RRD relative-path traversal hardening, IP, email, SNMP community) behind a thin Symfony Validator wrapper, along with a new Pest unit test covering the helper’s expected behavior.

Changes:

  • Introduces Cacti\Security\CactiValidator with cached Symfony validator instance and several domain-specific convenience validators.
  • Adds unit tests for host-id, RRD path safety (including optional root containment), IP/email/SNMP community validation, and custom-constraint validation.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

lib/Security/CactiValidator.php: New validator wrapper and RRD-path safety checks (incl. optional realpath containment).
tests/Unit/CactiValidatorTest.php: New unit tests exercising the helper API and the traversal/containment behavior.

Same as PR-A: appends 11 PHPStan ignoreErrors entries that exist on
upstream develop but are not yet baselined, so this branch's CI does
not regress on phpstan analyse --level 6.

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
Match the un-namespaced lib/CactiX.php convention used by canonical PRs
(Cacti#7088 CactiProcess, Cacti#7073 CactiMime, Cacti#7077 CactiSettings, Cacti#7075
CactiApplication/CactiCommand). The previous nested PSR-4 namespace
required composer autoload changes that conflicted with those PRs.

Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
@somethingwithproof somethingwithproof changed the title feat(security): add Cacti\Security\CactiValidator helpers feat(security): add CactiValidator helpers May 8, 2026
@somethingwithproof
Contributor Author

Restructured to use flat lib/CactiX.php convention to align with #7088, #7073, #7077, #7075.

@somethingwithproof
Contributor Author

Queue note: treating this as the base validator helper PR. Intended order is this PR first, then #7077 rebased onto it as the settings validation pilot.

@somethingwithproof
Contributor Author

Closing as superseded by #7077. The CactiValidator helper has been folded into the settings validation pilot so reviewers can evaluate the helper and first consumer in one PR.
