Cacti
diff --git a/‎composer.json‎
Lines changed: 2 additions & 1 deletion b/‎composer.json‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎docs/security/settings-validation.md‎
Lines changed: 101 additions & 0 deletions b/‎docs/security/settings-validation.md‎
Lines changed: 101 additions & 0 deletions
diff --git a/‎include/global_settings.php‎
Lines changed: 55 additions & 8 deletions b/‎include/global_settings.php‎
Lines changed: 55 additions & 8 deletions
@@ -55,7 +55,8 @@
         "phpseclib/phpseclib": "^3.0",
         "slim/slim": "^4.14",
         "stevenmaguire/oauth2-keycloak": "^6.1.0",
-        "stevenmaguire/oauth2-microsoft": "^2.2"
+        "stevenmaguire/oauth2-microsoft": "^2.2",
+        "symfony/validator": "^6.4"
     },
     "require-dev": {
         "friendsofphp/php-cs-fixer": "^3.86",
 
@@ -0,0 +1,101 @@
+# Settings Validation
+
+## Why this exists
+
+Cacti settings are written from several places: the web UI (`settings.php`),
+CLI utilities under `cli/`, and (planned) JSON-RPC endpoints. Each of those
+paths previously carried its own ad-hoc checks for the same setting, and the
+checks drifted apart as code was added. The intent of `CactiSettings::validate()`
+is to put the constraint definition next to the setting itself so every write
+path uses the same rules.
+
+A setting in `include/global_settings.php` declares its constraints alongside
+the existing keys (`method`, `default`, `max_length`, ...). The validator runs
+the entire posted set in one pass and returns a `{name => message}` map. An
+empty map means the input is valid.
+
+## How `CactiSettings::validate` is used in `settings.php`
+
+`save_settings()` calls the validator before writing any rows:
+
+```php
+require_once(CACTI_PATH_LIBRARY . '/CactiSettings.php');
+
+$violations = CactiSettings::validate($_POST, $settings);
+
+if (cacti_sizeof($violations) > 0) {
+    foreach ($violations as $name => $message) {
+        $_SESSION['sess_error_fields'][$name] = $name;
+        $_SESSION['sess_field_values'][$name] = $_POST[$name] ?? '';
+        raise_message('cacti_settings_' . $name, ..., MESSAGE_LEVEL_ERROR);
+    }
+    header('Location: settings.php?tab=...');
+    exit;
+}
+```
+
+When violations are present the request is rejected before any `REPLACE INTO settings`
+runs. The user is redirected back to the same tab with the error highlighted.
+
+## How to add constraints to a setting
+
+1. Open `include/global_settings.php` and find the setting definition.
+2. Add a `'constraints'` key holding an array of Symfony constraint instances.
+3. The `use Symfony\Component\Validator\Constraints as Assert;` alias is
+   already imported at the top of the file, so constraints read as
+   `new Assert\Range(...)`.
+
+Example:
+
+```php
+'snmp_timeout' => [
+    'friendly_name' => __('Timeout'),
+    'method'        => 'textbox',
+    'default'       => '500',
+    'max_length'    => '10',
+    'constraints'   => [
+        new Assert\Regex(pattern: '/^\d+$/'),
+        new Assert\Range(min: 1, max: 600000),
+    ],
+],
+```
+
+## Constraint types used in the pilot
+
+See the [Symfony Validator reference](https://symfony.com/doc/6.4/validation.html)
+for the full catalog. The pilot uses:
+
+- `Assert\NotBlank` -- value is present and non-empty.
+- `Assert\Length` -- string length within `min`/`max`.
+- `Assert\Range` -- numeric value within `min`/`max`.
+- `Assert\Choice` -- value is one of an enumerated list. Use this for any
+  setting that is rendered as a `drop_array`.
+- `Assert\Regex` -- value matches a pattern. Useful for "is this an integer
+  string" since `$_POST` values arrive as strings.
+- `Assert\Positive` -- value is strictly greater than zero.
+
+## Migration template for the next batch
+
+For each setting you want to constrain:
+
+1. Identify the setting's existing implicit rule (e.g. `method` is `drop_array`
+   with a fixed key set, or `max_length` is `'255'`).
+2. Translate that rule to a constraint object. `drop_array` becomes
+   `Assert\Choice` over the array keys. `max_length` becomes `Assert\Length`.
+   Numeric textboxes typically need `Assert\Regex` plus `Assert\Range`.
+3. Add a unit test in `tests/Unit/CactiSettingsTest.php` that exercises the
+   new constraint with a synthetic definition (do not depend on
+   `include/global_settings.php` from the test).
+4. Run `composer test` and confirm the new case passes.
+
+## Defense in depth
+
+The constraint layer supplements existing checks rather than replacing them.
+
+- The form-render method (`drop_array`, `dirpath`, `filepath`, `textbox_password`)
+  still enforces its implicit rules in `save_settings()`. For example,
+  `dirpath` continues to verify the directory exists before storing.
+- Any post-save handler (cache-clear, poller restart, log rotation) keeps
+  whatever validation it already performs.
+- The constraint check runs first and short-circuits the write, so downstream
+  handlers see only values that already cleared the declared rules.
@@ -22,6 +22,8 @@
  +-------------------------------------------------------------------------+
 */
 
+use Symfony\Component\Validator\Constraints as Assert;
+
 $dir = dir(CACTI_PATH_INCLUDE . '/themes/');
 
 // Work around issue where phpstan is not detecting globals
@@ -184,14 +186,20 @@
 		'description'   => __('The path to your snmpwalk binary.'),
 		'method'        => 'filepath',
 		'file_type'     => 'binary',
-		'max_length'    => '255'
+		'max_length'    => '255',
+		'constraints'   => [
+			new Assert\Length(min: 1, max: 255),
+		],
 	],
 	'path_snmpget' => [
 		'friendly_name' => __('snmpget Binary Path'),
 		'description'   => __('The path to your snmpget binary.'),
 		'method'        => 'filepath',
 		'file_type'     => 'binary',
-		'max_length'    => '255'
+		'max_length'    => '255',
+		'constraints'   => [
+			new Assert\Length(min: 1, max: 255),
+		],
 	],
 	'path_snmpbulkwalk' => [
 		'friendly_name' => __('snmpbulkwalk Binary Path'),
@@ -219,14 +227,22 @@
 		'description'   => __('The path to the rrdtool binary.'),
 		'method'        => 'filepath',
 		'file_type'     => 'binary',
-		'max_length'    => '255'
+		'max_length'    => '255',
+		'constraints'   => [
+			new Assert\NotBlank(),
+			new Assert\Length(min: 1, max: 255),
+		],
 	],
 	'path_php_binary' => [
 		'friendly_name' => __('PHP Binary Path'),
 		'description'   => __('The path to your PHP binary file (may require a php recompile to get this file).'),
 		'method'        => 'filepath',
 		'file_type'     => 'binary',
-		'max_length'    => '255'
+		'max_length'    => '255',
+		'constraints'   => [
+			new Assert\NotBlank(),
+			new Assert\Length(min: 1, max: 255),
+		],
 	],
 	'path_fping' => [
 		'friendly_name' => __('FPing Binary Path'),
@@ -1001,15 +1017,23 @@
 		'method'        => 'textbox',
 		'default'       => '500',
 		'max_length'    => '10',
-		'size'          => '5'
+		'size'          => '5',
+		'constraints'   => [
+			new Assert\Regex(pattern: '/^\d+$/', message: 'must be a positive integer (milliseconds).'),
+			new Assert\Range(min: 1, max: 600000),
+		],
 	],
 	'snmp_retries' => [
 		'friendly_name' => __('Retries'),
 		'description'   => __('Default SNMP retries for all new Devices.'),
 		'method'        => 'textbox',
 		'default'       => '3',
 		'max_length'    => '10',
-		'size'          => '5'
+		'size'          => '5',
+		'constraints'   => [
+			new Assert\Regex(pattern: '/^\d+$/', message: 'must be a non-negative integer.'),
+			new Assert\Range(min: 0, max: 100),
+		],
 	],
 	'snmp_bulk_walk_size' => [
 		'friendly_name' => __('Bulkwalk Fetch Size'),
@@ -1388,6 +1412,11 @@
 		'default'       => CACTI_PATH_CACHE . '/realtime/',
 		'max_length'    => 255,
 		'size'          => 40,
+		'constraints'   => [
+			new Assert\NotBlank(),
+			new Assert\Regex(pattern: '#^([A-Za-z]:\\\\|/)#', message: 'must be an absolute path.'),
+			new Assert\Length(max: 255),
+		],
 	],
 	'rrdtool_header' => [
 		'friendly_name' => __('RRDtool Graph Options'),
@@ -1527,13 +1556,19 @@
 		'method'        => 'drop_array',
 		'default'       => 300,
 		'array'         => $poller_intervals,
+		'constraints'   => [
+			new Assert\Choice(choices: ['10', '15', '20', '30', '60', '300', 10, 15, 20, 30, 60, 300]),
+		],
 	],
 	'cron_interval' => [
 		'friendly_name' => __('Cron/Daemon Interval'),
 		'description'   => __('The frequency that the Cacti data collector will be started.  You can use either crontab, a scheduled task (for windows), or the cactid systemd service to control launching the Cacti data collector.  For instructions on using the cactid daemon, review the README.md file in the service directory.'),
 		'method'        => 'drop_array',
 		'default'       => 300,
 		'array'         => $cron_intervals,
+		'constraints'   => [
+			new Assert\Choice(choices: ['60', '300', 60, 300]),
+		],
 	],
 	'process_leveling' => [
 		'friendly_name' => __('Balance Process Load'),
@@ -2268,14 +2303,22 @@
 		'method'        => 'textbox',
 		'default'       => 'localhost',
 		'max_length'    => 255,
+		'constraints'   => [
+			new Assert\NotBlank(),
+			new Assert\Length(max: 255),
+		],
 	],
 	'settings_smtp_port' => [
 		'friendly_name' => __('SMTP Port'),
 		'description'   => __('The port on the SMTP Server to use.'),
 		'method'        => 'textbox',
 		'max_length'    => 255,
 		'default'       => 25,
-		'size'          => 5
+		'size'          => 5,
+		'constraints'   => [
+			new Assert\Regex(pattern: '/^\d+$/', message: 'must be a positive integer.'),
+			new Assert\Range(min: 1, max: 65535),
+		],
 	],
 	'settings_smtp_username' => [
 		'friendly_name' => __('SMTP Username'),
@@ -3130,7 +3173,11 @@
 			'description'   => __('The default RRA to use in rare occasions.'),
 			'method'        => 'drop_sql',
 			'sql'           => 'SELECT id, name FROM data_source_profiles_rra ORDER BY steps',
-			'default'       => '1'
+			'default'       => '1',
+			'constraints'   => [
+				new Assert\Regex(pattern: '/^\d+$/', message: 'must be a positive integer id.'),
+				new Assert\Positive(),
+			],
 		],
 		'default_timespan' => [
 			'friendly_name' => __('Default Timespan'),