test: add Pest v1 security test infrastructure#20
Draft
somethingwithproof wants to merge 5 commits intoCacti:developfrom
Draft
test: add Pest v1 security test infrastructure#20somethingwithproof wants to merge 5 commits intoCacti:developfrom
somethingwithproof wants to merge 5 commits intoCacti:developfrom
Conversation
Add source-scan tests verifying security patterns (prepared statements, output escaping, auth guards, PHP 7.4 compatibility) remain in place across refactors. Tests run with Pest v1 (PHP 7.3+) and stub the Cacti framework so plugins can be tested in isolation. Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
There was a problem hiding this comment.
Pull request overview
Adds a Pest v1-based test scaffold for the plugin_apcupsd repository, focusing on lightweight security/regression checks (setup.php structure, prepared-statement usage consistency, and PHP 7.4 syntax compatibility) plus basic test bootstrapping.
Changes:
- Introduces Pest configuration and a bootstrap with stubbed Cacti framework functions/constants for isolated test execution.
- Adds security-oriented source-scan tests (setup.php structure, prepared-statement consistency, PHP 7.4 compatibility checks).
- Adds
composer.jsondev dependency for Pest and a Dependabot configuration.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
tests/Security/SetupStructureTest.php |
Source-scan assertions for required plugin hook functions/metadata in setup.php. |
tests/Security/PreparedStatementConsistencyTest.php |
Scans key plugin files for raw db_* calls to enforce prepared helper usage. |
tests/Security/Php74CompatibilityTest.php |
Scans for a small set of PHP 8-only APIs/operators to keep PHP 7.4 compatibility. |
tests/Pest.php |
Loads test bootstrap for Pest runs. |
tests/bootstrap.php |
Provides stubs for common Cacti functions/constants to support isolated loading. |
composer.json |
Adds Pest v1 as a dev dependency and wires in test bootstrap autoloading. |
.github/dependabot.yml |
Adds Dependabot config (currently for npm + GitHub Actions). |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+16
to
+21
| it('uses prepared DB helpers in all plugin files', function () { | ||
| $targetFiles = array( | ||
| 'database.php', | ||
| 'poller_apcupsd.php', | ||
| 'setup.php', | ||
| 'upses.php', |
There was a problem hiding this comment.
This test asserts there are zero raw db_execute/db_fetch_* calls in setup.php and upses.php, but those files currently contain several non-prepared calls (e.g., setup.php uses db_execute/db_fetch_cell/db_fetch_assoc; upses.php uses db_execute and db_fetch_assoc). As written, the test suite will fail unless the plugin code is migrated to *_prepared everywhere, or the test is adjusted (e.g., exclude install/DDL paths or allow-list safe constant SQL).
Suggested change
| it('uses prepared DB helpers in all plugin files', function () { | |
| $targetFiles = array( | |
| 'database.php', | |
| 'poller_apcupsd.php', | |
| 'setup.php', | |
| 'upses.php', | |
| it('uses prepared DB helpers in migrated plugin files', function () { | |
| $targetFiles = array( | |
| 'database.php', | |
| 'poller_apcupsd.php', |
Comment on lines
+30
to
+38
| if ($path === false) { | ||
| continue; | ||
| } | ||
|
|
||
| $contents = file_get_contents($path); | ||
|
|
||
| if ($contents === false) { | ||
| continue; | ||
| } |
There was a problem hiding this comment.
The test silently continues when a target file path cannot be resolved or read, which can produce false negatives (tests pass while checks are skipped). Consider failing the test when realpath/file_get_contents fails so missing/unreadable files are surfaced.
Suggested change
| if ($path === false) { | |
| continue; | |
| } | |
| $contents = file_get_contents($path); | |
| if ($contents === false) { | |
| continue; | |
| } | |
| expect($path)->not->toBeFalse( | |
| "Failed to resolve target file path for {$relativeFile}" | |
| ); | |
| $contents = file_get_contents($path); | |
| expect($contents)->not->toBeFalse( | |
| "Failed to read target file {$relativeFile}" | |
| ); |
Comment on lines
+15
to
+16
| $source = file_get_contents(realpath(__DIR__ . '/../../setup.php')); | ||
|
|
There was a problem hiding this comment.
file_get_contents(realpath(...)) can emit warnings / return false if setup.php is missing or unreadable, and the rest of the expectations will then error in less clear ways. Consider resolving the path separately and explicitly failing the test with a helpful message if realpath/file_get_contents fails.
Suggested change
| $source = file_get_contents(realpath(__DIR__ . '/../../setup.php')); | |
| $setupFile = __DIR__ . '/../../setup.php'; | |
| $resolvedSetupFile = realpath($setupFile); | |
| if ($resolvedSetupFile === false) { | |
| test()->fail(sprintf('Unable to resolve setup.php path: %s', $setupFile)); | |
| } | |
| $source = file_get_contents($resolvedSetupFile); | |
| if ($source === false) { | |
| test()->fail(sprintf('Unable to read setup.php: %s', $resolvedSetupFile)); | |
| } |
Comment on lines
+23
to
+96
| it('does not use str_contains (PHP 8.0)', function () use ($files) { | ||
| foreach ($files as $relativeFile) { | ||
| $path = realpath(__DIR__ . '/../../' . $relativeFile); | ||
|
|
||
| if ($path === false) { | ||
| continue; | ||
| } | ||
|
|
||
| $contents = file_get_contents($path); | ||
|
|
||
| if ($contents === false) { | ||
| continue; | ||
| } | ||
|
|
||
| expect(preg_match('/\bstr_contains\s*\(/', $contents))->toBe(0, | ||
| "{$relativeFile} uses str_contains() which requires PHP 8.0" | ||
| ); | ||
| } | ||
| }); | ||
|
|
||
| it('does not use str_starts_with (PHP 8.0)', function () use ($files) { | ||
| foreach ($files as $relativeFile) { | ||
| $path = realpath(__DIR__ . '/../../' . $relativeFile); | ||
|
|
||
| if ($path === false) { | ||
| continue; | ||
| } | ||
|
|
||
| $contents = file_get_contents($path); | ||
|
|
||
| if ($contents === false) { | ||
| continue; | ||
| } | ||
|
|
||
| expect(preg_match('/\bstr_starts_with\s*\(/', $contents))->toBe(0, | ||
| "{$relativeFile} uses str_starts_with() which requires PHP 8.0" | ||
| ); | ||
| } | ||
| }); | ||
|
|
||
| it('does not use str_ends_with (PHP 8.0)', function () use ($files) { | ||
| foreach ($files as $relativeFile) { | ||
| $path = realpath(__DIR__ . '/../../' . $relativeFile); | ||
|
|
||
| if ($path === false) { | ||
| continue; | ||
| } | ||
|
|
||
| $contents = file_get_contents($path); | ||
|
|
||
| if ($contents === false) { | ||
| continue; | ||
| } | ||
|
|
||
| expect(preg_match('/\bstr_ends_with\s*\(/', $contents))->toBe(0, | ||
| "{$relativeFile} uses str_ends_with() which requires PHP 8.0" | ||
| ); | ||
| } | ||
| }); | ||
|
|
||
| it('does not use nullsafe operator (PHP 8.0)', function () use ($files) { | ||
| foreach ($files as $relativeFile) { | ||
| $path = realpath(__DIR__ . '/../../' . $relativeFile); | ||
|
|
||
| if ($path === false) { | ||
| continue; | ||
| } | ||
|
|
||
| $contents = file_get_contents($path); | ||
|
|
||
| if ($contents === false) { | ||
| continue; | ||
| } | ||
|
|
There was a problem hiding this comment.
These compatibility checks silently skip files when realpath/file_get_contents fails, which can hide missing/unreadable files and make the test pass without actually verifying anything. Consider asserting that each expected file exists and is readable (fail fast) rather than continueing.
Suggested change
| it('does not use str_contains (PHP 8.0)', function () use ($files) { | |
| foreach ($files as $relativeFile) { | |
| $path = realpath(__DIR__ . '/../../' . $relativeFile); | |
| if ($path === false) { | |
| continue; | |
| } | |
| $contents = file_get_contents($path); | |
| if ($contents === false) { | |
| continue; | |
| } | |
| expect(preg_match('/\bstr_contains\s*\(/', $contents))->toBe(0, | |
| "{$relativeFile} uses str_contains() which requires PHP 8.0" | |
| ); | |
| } | |
| }); | |
| it('does not use str_starts_with (PHP 8.0)', function () use ($files) { | |
| foreach ($files as $relativeFile) { | |
| $path = realpath(__DIR__ . '/../../' . $relativeFile); | |
| if ($path === false) { | |
| continue; | |
| } | |
| $contents = file_get_contents($path); | |
| if ($contents === false) { | |
| continue; | |
| } | |
| expect(preg_match('/\bstr_starts_with\s*\(/', $contents))->toBe(0, | |
| "{$relativeFile} uses str_starts_with() which requires PHP 8.0" | |
| ); | |
| } | |
| }); | |
| it('does not use str_ends_with (PHP 8.0)', function () use ($files) { | |
| foreach ($files as $relativeFile) { | |
| $path = realpath(__DIR__ . '/../../' . $relativeFile); | |
| if ($path === false) { | |
| continue; | |
| } | |
| $contents = file_get_contents($path); | |
| if ($contents === false) { | |
| continue; | |
| } | |
| expect(preg_match('/\bstr_ends_with\s*\(/', $contents))->toBe(0, | |
| "{$relativeFile} uses str_ends_with() which requires PHP 8.0" | |
| ); | |
| } | |
| }); | |
| it('does not use nullsafe operator (PHP 8.0)', function () use ($files) { | |
| foreach ($files as $relativeFile) { | |
| $path = realpath(__DIR__ . '/../../' . $relativeFile); | |
| if ($path === false) { | |
| continue; | |
| } | |
| $contents = file_get_contents($path); | |
| if ($contents === false) { | |
| continue; | |
| } | |
| $readFileContents = function ($relativeFile) { | |
| $path = realpath(__DIR__ . '/../../' . $relativeFile); | |
| expect($path)->not->toBeFalse("Expected file {$relativeFile} to exist and be resolvable"); | |
| $contents = file_get_contents($path); | |
| expect($contents)->not->toBeFalse("Expected file {$relativeFile} to be readable"); | |
| return $contents; | |
| }; | |
| it('does not use str_contains (PHP 8.0)', function () use ($files, $readFileContents) { | |
| foreach ($files as $relativeFile) { | |
| $contents = $readFileContents($relativeFile); | |
| expect(preg_match('/\bstr_contains\s*\(/', $contents))->toBe(0, | |
| "{$relativeFile} uses str_contains() which requires PHP 8.0" | |
| ); | |
| } | |
| }); | |
| it('does not use str_starts_with (PHP 8.0)', function () use ($files, $readFileContents) { | |
| foreach ($files as $relativeFile) { | |
| $contents = $readFileContents($relativeFile); | |
| expect(preg_match('/\bstr_starts_with\s*\(/', $contents))->toBe(0, | |
| "{$relativeFile} uses str_starts_with() which requires PHP 8.0" | |
| ); | |
| } | |
| }); | |
| it('does not use str_ends_with (PHP 8.0)', function () use ($files, $readFileContents) { | |
| foreach ($files as $relativeFile) { | |
| $contents = $readFileContents($relativeFile); | |
| expect(preg_match('/\bstr_ends_with\s*\(/', $contents))->toBe(0, | |
| "{$relativeFile} uses str_ends_with() which requires PHP 8.0" | |
| ); | |
| } | |
| }); | |
| it('does not use nullsafe operator (PHP 8.0)', function () use ($files, $readFileContents) { | |
| foreach ($files as $relativeFile) { | |
| $contents = $readFileContents($relativeFile); |
Comment on lines
+3
to
+8
| - package-ecosystem: "npm" | ||
| directory: "/" | ||
| schedule: | ||
| interval: "weekly" | ||
| open-pull-requests-limit: 10 | ||
| - package-ecosystem: "github-actions" |
There was a problem hiding this comment.
Dependabot is configured for the npm ecosystem, but this repository has no package.json/package-lock.json, so this entry will likely error or be a no-op. Also, since this PR introduces composer.json (Pest dev dependency), consider adding a package-ecosystem: "composer" update config so PHP dependencies are kept up to date.
…dabot - Throw RuntimeException when realpath/file_get_contents fails (previously silent continue hid unscanned files) - Fix Dependabot ecosystem from npm to composer - Remove committed .omc session artifacts, add .omc/ to .gitignore Signed-off-by: Thomas Vincent <thomasvincent@gmail.com>
Author
|
Converted to draft to serialize the stack in this repo. Blocked by #16; will un-draft after that merges to avoid cross-PR merge conflicts. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Test plan
composer install && vendor/bin/pestpasses