Consolidated hardening, bug fixes, and CI improvements

[somethingwithproof]

Backport of fixes and improvements from develop to main.

Bug fixes

• Persist custom date filter across syslog page navigation (fix: persist custom date filter across syslog page navigation #251)
• Correct host/program alert status placeholders (fix: correct host/program alert status placeholders #266)
• Execute replication CREATE TABLE SQL from SHOW CREATE output (fix: execute replication CREATE TABLE SQL from SHOW CREATE output #267)
• Scope partition maintenance to target table and lock create path (bugfix: scope partition maintenance to target table and lock create path #271)
• Use strict MariaDB detection in install advisor (bugfix: use strict MariaDB detection in install advisor #273)
• Trim XML import payload value before emptiness check (bugfix: trim xml import payload value before emptiness check #272)

Hardening

• Extract executable from ticket command before is_executable() check
• Check GET_LOCK() return value before ALTER TABLE; return early on failure
• Apply db_qstr() to all raw string concatenation in syslog_manage_items()
• Add intval() cast to host_id array before IN() clause
• Convert DELETE syslog_incoming to prepared statement with parameter binding
• Centralize XML import payload loading with structure validation (refactor: centralize XML import payload loading #280)

Refactoring

• Deduplicate selected-item bulk action dispatch (refactor: deduplicate selected-item bulk action dispatch #279)
• Extract duplicated alert command execution paths (refactor: extract duplicated alert command execution paths #281)
• Replace legacy random uniqueID with sequence-based processing (Refactor: replace legacy random uniqueID with sequence-based processing #289)

CI and testing

• Move lint/PHPStan/CS-Fixer before integration tests in CI workflow
• Remove redundant || true from PHPStan step (continue-on-error suffices)
• Standardize regression test output from echo to print
• Add Pest unit tests for XML import payload helper
• Add integration tests for partitioning and domain stripping

Locales

• Global integrity and coverage synchronization (fix(i18n): sync locale fixes and no-wrap reformat #297)
• Fix zh-TW full-width percent sign syntax errors (Locales: Fix zh-TW full-width percent sign syntax #292)
• Fix ja-JP System Logs copy-paste error (Locales: Fix ja-JP System Logs translation #293)
• Cleanup Portuguese PT/BR and resolve fuzzy strings (Locales: Portuguese (PT & BR) cleanup and fuzzy resolution #294)
• Resolve fuzzy strings in Russian and Turkish (Locales: Russian & Turkish fuzzy resolution #295)
• Swedish translation updates

[TheWitness]

Some comments and some additional questions. The json_encode on the title I'd like more background on before merging this one. Also, the change of the config.php in the plugins directory was done for a reason as there is a mandatory config.php for both syslog and flowview now.

[TheWitness]

I'm saying request changes here, but just validate. If we are doing a process interlock using the register_process function, we can get rid of all these locks. Also, I had asked Sean that the reorganization of the partition should happen an hour or so before the time of the rotation to avoid overloading the max date partition that I have seen happen in my own instance. I'm not sure if that happened or not. Lost track.

[TheWitness]

Some fixes here @somethingwithproof , but now a merge conflict 🥇

[somethingwithproof]

Re: json_encode on title and config.php:

json_encode: The setup.php dialog titles were using __esc() inside a JavaScript string literal. __esc() is an HTML-context escaper, so a translated string containing an apostrophe (e.g. French "l'alerte") would break the JS. json_encode() produces correctly quoted/escaped values for JS contexts. Same pattern used in cacti core's auth_changepassword.php after the JS hardening PR.

config.php: Understood, will revert that removal. I wasn't aware it was mandatory for syslog and flowview. It stays.

[somethingwithproof]

Re: register_process interlock and partition timing:

Addressed inline on the lock comment. Short version: keeping the lock for now as a safety net, will remove it once a proper pcntl_signal handler is added to clear registration on forced shutdown.

On the partition rotation timing: I'll check whether Sean implemented the early rotation (rotating an hour before the actual rollover). If not, that's a follow-up item.

[somethingwithproof]

Merge conflict resolved. Rebased onto develop.

[TheWitness]

@somethingwithproof, is this still in process, or are we going to wait?

[somethingwithproof]

All review feedback has been addressed. The lock timeout and signal handler items are tracked in #298 as follow-up. This PR is ready for merge.

[TheWitness]

You still have it marked Draft. I'll attempt to take out of Draft and review.

[TheWitness]

@somethingwithproof, please address the failed check. Thanks!

[Copilot]

Pull request overview

Backport focused on tightening security/escaping in the Syslog plugin UI, hardening certain unsafe behaviors (JS callback execution, CSRF flow), and updating CI/regression tests to catch these regressions earlier.

Changes:

• Adds/standardizes multiple regression tests and a new Pest unit test to enforce security hardening (XSS escaping, CSRF, removal of eval, parameterized queries).
• Hardens UI output and utilities actions (HTML escaping in various outputs; POST+CSRF requirements for purge action).
• Updates CI workflow execution order/steps and adjusts some scripts/docs/locale strings.

Reviewed changes

Copilot reviewed 22 out of 22 changed files in this pull request and generated 15 comments.

Show a summary per file

File	Description
tests/regression/issue261_domain_strip_parameterized_test.php	New regression test asserting parameterized domain-strip update query.
tests/regression/issue260_remove_eval_callback_test.php	New regression test asserting eval() removal for autocomplete callbacks.
tests/regression/issue259_csrf_purge_test.php	New regression test asserting purge action is POST+CSRF protected and JS strings are safely encoded.
tests/regression/issue252_xss_output_test.php	New regression test asserting HTML escaping and DOM-safe option rendering.
tests/Unit/SyslogImportPayloadTest.php	New Pest test targeting XML import payload helper.
tests/Integration/SyslogPartitioningIntegrationTest.php	Integration tests around partition allowlist/locking behavior.
tests/Integration/SyslogDomainIntegrationTest.php	Integration test asserting parameter binding for domain-strip update.
tests/Helpers/GlobalStubs.php	Adds DB/config stubs to enable integration testing of functions.php logic.
syslog_reports.php	Escapes report list content to prevent XSS.
syslog_removal.php	Escapes removal list content to prevent XSS.
syslog_batch_transfer.php	Replaces echo with print in CLI output.
syslog.php	Escapes multiple output paths (stats table + select options) to prevent XSS.
setup.php	Adds POST+CSRF enforcement for purge action and replaces GET link with a dialog-driven POST flow.
locales/po/es-ES.po	Fixes Spanish translation typos/wording.
locales/build_gettext.sh	Modifies sed -i usage for POT header cleanup.
js/functions.js	Removes eval() callback execution; switches to DOM-safe option construction; fixes minor JS issues.
functions.php	Large refactor touching partitioning, removal rules, alert command execution, and incoming-record preprocessing semantics.
README.md	Fixes markdown formatting.
LICENSE	Removes merge-conflict artifacts around end of license text.
CHANGELOG.md	Adjusts changelog entries for backported changes.
.github/workflows/populate_syslog_incoming.sh	Uses REPLACE INTO for test data seeding.
.github/workflows/plugin-ci-workflow.yml	Reorders/changes CI steps; adds plugin lint + PHPStan steps before running regression + poller.

[Copilot]

This block uses is_executable($command) on the full command string. If the configured command includes arguments or a quoted path, is_executable() will always fail and the ticket/alert command won’t run. The repo’s regression tests expect extracting the executable (with surrounding-quote stripping) and checking is_executable($executable) instead.

Suggested change

	$command = read_config_option('syslog_ticket_command');
	if ($command != '') {
	$command = trim($command);
	}
	if ($alert['open_ticket'] == 'on' && $command != '') {
	if (is_executable($command)) {
	$command = $command .
	' --alert-name=' . cacti_escapeshellarg(clean_up_name($alert['name'])) .
	' --severity=' . cacti_escapeshellarg($alert['severity']) .
	' --hostlist=' . cacti_escapeshellarg(implode(',',$hostlist)) .
	$command = read_config_option('syslog_ticket_command');
	if ($command != '') {
	$command = trim($command);
	}
	if ($alert['open_ticket'] == 'on' && $command != '') {
	/*
	* Extract the executable portion from the configured command.
	* This allows for quoted paths and additional arguments in the
	* configuration while still validating the executable itself.
	*/
	$executable = $command;
	$firstChar = substr($executable, 0, 1);
	if ($firstChar === '"' || $firstChar === "'") {
	$quoteChar = $firstChar;
	$closing = strpos($executable, $quoteChar, 1);
	if ($closing !== false) {
	$executable = substr($executable, 1, $closing - 1);
	} else {
	// Unbalanced quotes; fall back to trimming quotes/whitespace.
	$executable = trim($executable, " \t\n\r\0\x0B\"'");
	}
	} else {
	$parts = preg_split('/\s+/', $executable);
	if (is_array($parts) && isset($parts[0])) {
	$executable = $parts[0];
	}
	$executable = trim($executable, " \t\n\r\0\x0B\"'");
	}
	if ($executable !== '' && is_executable($executable)) {
	$command = $command .
	' --alert-name=' . cacti_escapeshellarg(clean_up_name($alert['name'])) .
	' --severity=' . cacti_escapeshellarg($alert['severity']) .
	' --hostlist=' . cacti_escapeshellarg(implode(',', $hostlist)) .

[somethingwithproof]

Fixed.

[Copilot]

syslog_partition_create() acquires a named lock via GET_LOCK(...) but ignores the return value. If the lock can’t be acquired (contention/error), the code will still run ALTER TABLE, which defeats the concurrency control. Please check the GET_LOCK result (1/0/NULL) and return early (and log) when the lock is not acquired.

[somethingwithproof]

Fixed.

[Copilot]

These regression tests print their pass message using echo, but the PR description mentions standardizing CLI scripts to use print (php-cs-fixer rule). Please switch this to print for consistency with the rest of the regression suite.

Suggested change

	echo "issue252_xss_output_test passed\n";
	print "issue252_xss_output_test passed\n";

[somethingwithproof]

Fixed.

[Copilot]

The PR description says CI should run lint/PHPStan/CS-Fixer before integration tests. In this workflow, PHPStan is marked continue-on-error: true (so it won’t fail the job) and there is no CS-Fixer step. Either update the workflow to match the stated enforcement/order, or adjust the PR description to reflect the actual behavior.

[somethingwithproof]

Removed redundant || true; continue-on-error handles non-blocking.

[Copilot]

This DELETE concatenates $uniqueID directly into the SQL while calling syslog_db_execute_prepared(). For consistency (and to avoid edge cases if the value isn’t an int), use a placeholder and pass $uniqueID via the params array.

Suggested change

	syslog_db_execute_prepared('DELETE FROM `' . $syslogdb_default . '`.`syslog_incoming` WHERE status=' . $uniqueID);
	syslog_db_execute_prepared(
	'DELETE FROM `' . $syslogdb_default . '`.`syslog_incoming` WHERE status = ?',
	[$uniqueID]
	);

[somethingwithproof]

Fixed.

[Copilot]

The shared helpers syslog_execute_ticket_command() / syslog_execute_alert_command() appear to have been removed, and the logic is now duplicated inline. This reintroduces behaviors the repo’s regression tests explicitly forbid (e.g., /bin/sh fallback execution and naive tokenization), and will fail tests/regression/issue278_command_execution_refactor_test.php. Please restore the shared helpers and call them from here, keeping the hardened executable parsing/tokenization and without any shell-fallback path.

[Copilot]

$output and $returnCode are used in the command execution path without being initialized in this scope, which can emit notices and also risks leaking prior values from earlier exec calls. Initialize/reset these variables before calling exec(), and prefer the shared helper that encapsulates this safely.

[Copilot]

These regression tests print their pass message using echo, but the PR description mentions standardizing CLI scripts to use print (php-cs-fixer rule). Please switch this to print for consistency with the rest of the regression suite.

Suggested change

	echo "issue259_csrf_purge_test passed\n";
	print "issue259_csrf_purge_test passed\n";

[Copilot]

syslog_preprocess_incoming_records() now returns ['uniqueID' => ...] and no longer returns max_seq. Existing callers (e.g. syslog_process.php) still expect max_seq, which will cause undefined-index errors and break the poller. Either keep returning max_seq for backward compatibility or update all call sites in this backport to use the new key consistently.

[Copilot]

The new uniqueID-based status marking (UPDATE ... SET status = ? WHERE status = 0) can strand records if the poller crashes after marking but before moving/deleting: those rows will never be picked up again (since subsequent runs only process status=0) and may be silently purged by the 1-hour cleanup. The previous max_seq approach was crash-recoverable. Consider either reverting to the max_seq+seq<=max_seq scheme, or adding recovery logic to reprocess non-zero statuses that were not completed (e.g., by age / last-run marker).