From 39530d8717065a216ba9e1a2e099acfb53616f4c Mon Sep 17 00:00:00 2001
From: Thomas Vincent
Date: Sat, 11 Apr 2026 16:02:48 -0700
Subject: [PATCH] test: add Pest v1 security test infrastructure
---
 .../test_monitor_request_output_wiring.php | 41 +++++++++++++++++++
 .../e2e/test_monitor_no_raw_request_reuse.php | 40 ++++++++++++++++++
 tests/unit/test_request_output_escaping.php | 19 +++++++++
 3 files changed, 100 insertions(+)
 create mode 100644 tests/Integration/test_monitor_request_output_wiring.php
 create mode 100644 tests/e2e/test_monitor_no_raw_request_reuse.php
 create mode 100644 tests/unit/test_request_output_escaping.php
diff --git a/tests/Integration/test_monitor_request_output_wiring.php b/tests/Integration/test_monitor_request_output_wiring.php
new file mode 100644
index 0000000..6394479
--- /dev/null
+++ b/tests/Integration/test_monitor_request_output_wiring.php
@@ -0,0 +1,41 @@
+ array(
+ "html_escape(get_request_var('downhosts'))",
+ "html_escape(get_request_var('mute'))",
+ "html_escape(get_request_var('tree'))",
+ "html_escape(get_request_var('site'))",
+ "html_escape(get_request_var('template'))",
+ "html_escape(get_request_var('size'))",
+ "html_escape(get_request_var('trim'))",
+ ),
+ __DIR__ . '/../../monitor_render.php' => array(
+ "rawurlencode(get_request_var('rfilter'))",
+ ),
+);
+
+foreach ($checks as $path => $patterns) {
+ $contents = file_get_contents($path);
+
+ if ($contents === false) {
+ fwrite(STDERR, "Unable to read {$path}\n");
+ exit(1);
+ }
+
+ foreach ($patterns as $pattern) {
+ if (strpos($contents, $pattern) === false) {
+ fwrite(STDERR, "Missing expected output hardening: {$pattern}\n");
+ exit(1);
+ }
+ }
+}
+
+print "OK\n";
diff --git a/tests/e2e/test_monitor_no_raw_request_reuse.php b/tests/e2e/test_monitor_no_raw_request_reuse.php
new file mode 100644
index 0000000..f9c7ce6
--- /dev/null
+++ b/tests/e2e/test_monitor_no_raw_request_reuse.php
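Review bot: The inner `foreach` in tests/Integration/test_monitor_request_output_wiring.php is a literal substring match, so `html_escape(get_request_var('downhosts'))` sitting in a comment or an unreached branch of monitor.php satisfies it, while a harmless rewrite of the same call (assigning the request value to a variable before escaping, or changing whitespace) fails it with no change in output safety. Nothing on the page ties the escaped call to the place where the value is emitted, so this is a source-text regression guard rather than a behavioral test, and a header comment saying so would stop a green run from being read as proof that the output is escaped, e.g. `// Regression guard: greps the source for the escaped call; it does not prove the value reaches the output escaped.` The commit subject describes Pest infrastructure, but this file reports through `fwrite(STDERR, ...)` and `exit(1)` with no Pest API in sight, so if Pest is the intended runner it will presumably not collect this script (the e2e script has the same shape). The `<?php` line and the opening of `$checks` appear to be lost from the page, so the first array element cannot be reviewed here.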
@@ -0,0 +1,40 @@
+ array(
+ "get_request_var('downhosts') . '\">'",
+ "get_request_var('site') . '\">'",
+ "get_request_var('template') . '\">'",
+ "get_request_var('size') . '\">'",
+ "get_request_var('trim') . '\">'",
+ ),
+ __DIR__ . '/../../monitor_render.php' => array(
+ "monitor.php?rfilter=' . get_request_var('rfilter')",
+ ),
+);
+
+foreach ($checks as $path => $patterns) {
+ $contents = file_get_contents($path);
+
+ if ($contents === false) {
+ fwrite(STDERR, "Unable to read {$path}\n");
+ exit(1);
+ }
+
+ foreach ($patterns as $pattern) {
+ if (strpos($contents, $pattern) !== false) {
+ fwrite(STDERR, "Raw request reuse remains: {$pattern}\n");
+ exit(1);
+ }
+ }
+}
+
+print "OK\n";
diff --git a/tests/unit/test_request_output_escaping.php b/tests/unit/test_request_output_escaping.php
new file mode 100644
index 0000000..af07b0a
--- /dev/null
+++ b/tests/unit/test_request_output_escaping.php
@@ -0,0 +1,19 @@
+
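Review bot: The negative check `strpos($contents, $pattern) !== false` in tests/e2e/test_monitor_no_raw_request_reuse.php only fails when the exact byte sequence survives, so the raw concatenation it guards against goes undetected after any cosmetic change such as dropping the spaces around the `.` or breaking the line before it; an absence test that passes silently on reformatted code gives weaker assurance than the positive check in the integration script. A whitespace-tolerant match keyed on the variable name holds up better and still does not fire on the escaped form, because there the character after `get_request_var('site')` is `)` rather than `.`, e.g. `if (preg_match('/get_request_var\(\'site\'\)\s*\./', $contents)) {`. `mute` and `tree` have a positive escaping check in the integration test but no entry in this list; that may be deliberate if those values were never concatenated raw, but a comment stating why would keep the two lists from drifting apart unnoticed. As in the first file, the `<?php` line and the opening of `$checks` appear to be missing from the page.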