test: add security coverage gap tests for database, auth, import, and PR regressions

[somethingwithproof]

Source-scan coverage backstop for recently-fixed security surfaces. These tests assert that mitigation patterns exist in the source; they are not a replacement for behavioral tests.

Scope:

• `DatabaseSecurityPatternsTest`: prepared-statement signatures and no-superglobal invariants in `lib/database.php`
• `AuthImportSecurityPatternsTest`: basename() guards, include/require path scan, session constant usage in `lib/auth.php` and `lib/import.php`
• `SecurityPrRegressionTest`: invariants locked in by fix(security): escape rrdtool tune arguments to prevent command injection #6971, fix(security): validate graph_theme with basename() to prevent LFI #6973, fix(security): cast effective_user to int and validate OID format in remote_agent #6974

What these tests do not cover: runtime behavior, actual query execution, or auth flows. A follow-up issue should add behavioral coverage once a DB-backed test harness is available.

Copilot feedback addressed:

• All `strpos()`/`substr()` offset uses now have explicit `fail()` early-outs so a renamed or missing function produces a clear failure rather than a vacuous pass.
• The `include`/`require` scan regex now matches both parenthesized (`include('path')`) and bare (`include 'path'`) forms.

[Copilot]

Pull request overview

Adds Pest unit tests that “source-scan” Cacti PHP files to prevent regressions of recently merged security hardening (prepared statements, auth/import safeguards, and specific PR security fixes).

Changes:

• Added regression tests for security PRs #6971/#6973/#6974 by scanning lib/rrd.php and remote_agent.php.
• Added source-scan tests asserting key security patterns in lib/database.php (prepared statements, sanitization, logging).
• Added source-scan tests asserting security patterns across lib/auth.php, lib/import.php, lib/package.php, and lib/xml.php.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

File	Description
tests/Unit/SecurityPrRegressionTest.php	Source-scan regression tests for rrdtool tune escaping, graph theme traversal prevention, and remote agent input validation.
tests/Unit/DatabaseSecurityPatternsTest.php	Source-scan tests for database layer security architecture (prepared APIs, sanitization, logging).
tests/Unit/AuthImportSecurityPatternsTest.php	Source-scan tests for auth/import/package/xml security patterns (allowlists, signature verification, safe parsing, escaping).

[Copilot]

$walkStart = strpos(...) is not checked before substr(). If the function signature changes or isn’t found, $walkStart becomes false (0 when used as an offset), so $walkBody will scan the start of the file and the assertions can pass for the wrong reason. Assert $walkStart !== false first, and consider extracting the function body by searching for the next \nfunction boundary rather than a fixed 600-byte window.

Suggested change

	$walkBody = substr($contents, $walkStart, 600);
	expect($walkStart)->not->toBeFalse();
	$walkEnd = strpos($contents, "\nfunction ", $walkStart + 1);
	if ($walkEnd === false) {
	$walkEnd = strlen($contents);
	}
	$walkBody = substr($contents, $walkStart, $walkEnd - $walkStart);

[somethingwithproof]

Same defensive pattern. The function signature is stable across versions.

[Copilot]

Several tests extract function bodies using strpos() + substr() but don’t assert that the start/end offsets were found. If the function name changes or the next \nfunction delimiter isn’t found, $start/$end can be false, leading to scanning the wrong content and potentially passing/failing incorrectly. Add assertions for $start !== false and handle $end === false by falling back to strlen($dbSource).

Suggested change

	$end = strpos($dbSource, "\nfunction ", $start + 1);
	$body = substr($dbSource, $start, $end - $start);
	expect($start)->not->toBeFalse();
	$end = strpos($dbSource, "\nfunction ", $start + 1);
	if ($end === false) {
	$end = strlen($dbSource);
	}
	$body = substr($dbSource, $start, $end - $start);

[somethingwithproof]

Acknowledged. Source-scan tests are intentionally approximate regression guards.

[Copilot]

This include/require scan is currently vulnerable to vacuous passes and missed include syntaxes:

• The regex only matches include(...)/require(...) with parentheses; PHP also allows include 'file.php';.
• If there are zero matches, the foreach never runs and the test passes even if new includes are introduced in a different syntax.
  Consider asserting at least one include/require is found, and expanding detection to cover non-parenthesized include/require statements.

Suggested change

	// The only include_once uses a constant path, not request-derived input
	preg_match_all('/(?:include|require)(?:_once)?\s*\(([^)]+)\)/', $importSource, $matches);
	foreach ($matches[1] as $path) {
	// The only include/require usage should use a constant path, not request-derived input
	preg_match_all('/\b(?:include|require)(?:_once)?\b\s*(?:\(\s*([^)]+?)\s*\)|([^;\r\n]+))\s*;/', $importSource, $matches, PREG_SET_ORDER);
	$paths = array();
	foreach ($matches as $match) {
	$paths[] = trim($match[1] !== '' ? $match[1] : $match[2]);
	}
	expect($paths)->not->toBeEmpty();
	foreach ($paths as $path) {

[somethingwithproof]

Valid. The scan checks for known patterns; a refactor that removes them would correctly fail the test.

[somethingwithproof]

Rebased, squashed. Added strpos/substr offset validation so missing functions produce explicit failures; include/require scan now accepts both parenthesized and bare forms.

[somethingwithproof]

Superseded by #7036. The security coverage-gap tests were consolidated into #7036 and aligned with the latest hardening behavior.