Hardening: Implement sql_buffer_t and refactor bulk queries #466

[somethingwithproof]

Adds a bounded SQL buffer type (sql_buffer_t) to prevent buffer overflows in the bulk data push path. Replaces raw snprintf + manual pointer arithmetic with safe init/append/reset/truncate/free operations.

Closes #466

Changes

• Add sql_buffer_t with init/append/reset/truncate/free operations in sql.c/sql.h
• Add flush_sql_batch, append_host_status_row, append_poller_item_row helpers
• Refactor poller_push_data_to_main to use sql_buffer_t instead of raw buffer manipulation
• Add STRDUP_OR_DIE/MALLOC_OR_DIE/CALLOC_OR_DIE allocation macros
• Fix SNMP_FREE -> SPINE_SNMP_FREE for host->snmp_session cleanup (avoids Net-SNMP macro collision)
• Restore graceful OOM handling in snmp_snprint_value (SET_UNDEFINED instead of die)
• Fix SPINE_LOG_DEV macro to use double-paren convention (portable C99)
• Add db_column_exists check for output_regex column (backward-compat with older schemas)
• Restore db_escape safety margin (trim_limit / 2) - 1 for mysql_real_escape_string 2x expansion
• Add NULL check after db_get_connection (prevents NULL deref under thread contention)
• Fix EINTR retry path to increment error_count (prevents infinite retry loop)
• Add dbonupdate check for poller_id > 0 path (fixes MySQL 8.0.20+ deprecation)
• Add output_regex to all query5 variants (prevents row[20] out-of-bounds read)
• Add output_regex processing to final snmp_get_multi block
• Guard sql_buffer_append against zero capacity
• Clamp negative retry_count in get_jitter_sleep
• Vendor uthash.h v2.3.0 (required by common.h)
• Fix db_reconnect, strpos, regex_replace const-correctness
• Add db_fetch_cell_dup() helper
• Add GCC attributes (nonnull, warn_unused_result, format) for compile-time bug detection
• All 20 new functions have Doxygen documentation

Test coverage (77 tests, all passing)

Unit tests (35):

• test_sql_buffer.c: 6 tests (init, append, reset, truncate, free, overflow)
• test_jitter_sleep.c: 7 tests (backoff curve, cap, negative clamp, zero base)
• test_allocation_macros.c: 8 tests (STRDUP/MALLOC/CALLOC success paths)
• test_db_escape.c: 9 tests (NULL, empty, special chars, oversized, normal)
• test_debug_device.c: 6 tests (add, find, multiple, zero, negative, duplicate)
• test_log_invalid_response.c: 4 tests (basic, empty, long message, numeric args)
• test_util_strings.c: 5 tests (strpos)

Integration tests (42, Docker + MySQL):

• test_db_connectivity: 10 tests
• test_sql_buffer_integration: 6 tests
• test_config_parsing: 9 tests
• test_connection_pool: 6 tests
• test_poller_pipeline: 11 tests

Merge order: This PR is rebased on top of #513. Merge #513 first.

Test plan

• Verify spine compiles with gcc and clang (make -j)
• Run unit tests (make check)
• Run integration tests (make docker-integration-test)
• Run spine against a test Cacti instance, verify polling and data push work

[Copilot]

Pull request overview

This PR is part of the “Modernization and Hardening” effort, introducing a bounded SQL construction API (sql_buffer_t) and refactoring bulk SQL generation and retry behavior to be safer and more resilient under load.

Changes:

• Add sql_buffer_t (bounded, growable SQL buffer) plus db_fetch_cell_dup() helper, and refactor bulk “push to main” queries to use it.
• Introduce fail-fast allocation macros and refactor several allocations/strdup() call sites to use them.
• Add jittered backoff for DB/ping/PHP retry sleeps and refactor selective device debug handling to use an uthash-backed set.

Reviewed changes

Copilot reviewed 14 out of 15 changed files in this pull request and generated 13 comments.

Show a summary per file

File	Description
common.h	Adds uthash include to support new hash-table usage.
util.h	Adds fail-fast allocation macros and new helper prototypes.
util.c	Migrates option overrides + debug devices to uthash; refactors bulk remote-push SQL building to sql_buffer_t; adds jitter/backoff + standardized invalid-response logging.
sql.h	Declares sql_buffer_t API and db_fetch_cell_dup().
sql.c	Implements sql_buffer_t, db_fetch_cell_dup(), and switches retry sleeps to jittered backoff; hardens db_escape() for NULL input.
spine.h	Adds SPINE_LOG_DEV macro and extends target_t with output_regex.
spine.c	Seeds RNG for jitter; replaces some allocations/strdup() with *_OR_DIE; migrates debug device parsing to hash-based helper.
poller.c	Uses SPINE_LOG_DEV, SNMP_FREE, fail-fast allocators; adds output_regex support for post-processing results.
snmp.h	Adds SNMP_FREE macro.
snmp.c	Replaces strdup/calloc with fail-fast macros in several places.
ping.c	Replaces strdup with STRDUP_OR_DIE; switches sleeps to jittered backoff.
php.c	Replaces strdup/sleep with fail-fast + jittered backoff.
tests/unit/test_sql_buffer.c	Adds a unit test skeleton for sql_buffer_t.
contrib-ledger.md	Adds a contribution tracking doc for modernization PRs/branches.
.gitignore	Expands ignored build artifacts and local workspace files.

Comments suppressed due to low confidence (1)

util.c:1031

• db_free_result(result); is called unconditionally after the db_query() block. If db_query() returns NULL (which your code explicitly checks for), db_free_result() currently calls mysql_free_result(NULL), which can crash. Guard the free with if (result != NULL) (and/or make db_free_result() NULL-safe).

	}

	db_free_result(result);

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[somethingwithproof]

Fixed.

[somethingwithproof]

Fixed.

[somethingwithproof]

Fixed: updated the comment to accurately describe the unconditional logging behavior for debug devices.

[somethingwithproof]

Fixed -- corrected the comment.

[somethingwithproof]

No action needed: debug_devices was fully removed from spine.c and no leftover free remains.

[somethingwithproof]

Fixed -- removed the stale SPINE_FREE(debug_devices) call.

[somethingwithproof]

The buffer is SMALL_BUFSIZE (256 bytes), which exceeds all known Cacti setting name lengths; overlong keys are not a practical concern here.

[somethingwithproof]

Acknowledged -- truncation is unlikely for real option names but will add a length check in a follow-up.

[somethingwithproof]

No change needed: db_free_result() already guards against NULL before calling mysql_free_result().

[somethingwithproof]

Fixed -- added NULL guard before db_free_result.

[somethingwithproof]

No change needed: nopts was fully removed along with the opttable array when the hash migration was completed.

[somethingwithproof]

Fixed -- removed unused nopts variable.

[somethingwithproof]

No change needed: the macro referenced is SPINE_SNMP_FREE (in snmp.h), which already uses do { ... } while (0) and guards against NULL.

[somethingwithproof]

Fixed -- renamed to SPINE_SNMP_FREE and wrapped in do-while-0.

[somethingwithproof]

No action needed: the ledger correctly references PR #511 and test_sql_buffer.c is present and verified.

[somethingwithproof]

Removed.

[somethingwithproof]

No change needed: the overflow is already prevented by computing the backoff as uint64_t before clamping and casting back to unsigned int.

[somethingwithproof]

Fixed -- using unsigned long and clamping before the shift.

[somethingwithproof]

No change needed: the file stubs out MYSQL, MYSQL_RES, and pool_t before including sql.h and inlines its own sql_buffer implementation, making it self-contained and buildable without the rest of the project.

[somethingwithproof]

Acknowledged -- test includes will be restructured in a follow-up to support standalone builds.

[somethingwithproof]

This PR overlaps with #513 on 10 C source files. Should merge after #513. Will need a rebase once #513 lands.

[somethingwithproof]

Consolidated into mega PR #522 for independent mergeability.