Issues in PluginState.php (master) - Issues in master - ARCANEDEV/Composer - Measure and Improve Code Quality continuously with Scrutinizer

Issues (5)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Entities/PluginState.php (1 issue)

Labels

Bug 1

Severity

Major 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php namespace Arcanedev\Composer\Entities;

use Composer\Composer;

/**
 * Class     PluginState
 *
 * @package  Arcanedev\Composer\Entities
 * @author   ARCANEDEV <[email protected]>
 */
class PluginState
{
    /* -----------------------------------------------------------------
     |  Properties
     | -----------------------------------------------------------------
     */

    /** @var \Composer\Composer */
    protected $composer;

    /** @var array */
    protected $includes = [];

    /** @var array */
    protected $requires = [];

    /** @var array */
    protected $duplicateLinks = [];

    /** @var bool */
    protected $devMode = false;

    /** @var bool */
    protected $recurse = true;

    /** @var bool */
    protected $replace = false;

    /** @var bool $ignore */
    protected $ignore = false;

    /**
     * Whether to merge the -dev sections.
     *
     * @var bool
     */
    protected $mergeDev = true;

    /**
     * Whether to merge the extra section.
     *
     * By default, the extra section is not merged and there will be many cases where
     * the merge of the extra section is performed too late to be of use to other plugins.
     * When enabled, merging uses one of two strategies - either 'first wins' or 'last wins'.
     * When enabled, 'first wins' is the default behaviour. If Replace mode is activated
     * then 'last wins' is used.
     *
     * @var bool
     */
    protected $mergeExtra = false;

    /**
     * Whether to merge the scripts section.
     *
     * @var bool $mergeScripts
     */
    protected $mergeScripts = false;

    /**
     * Whether to merge the extra section in a deep / recursive way.
     *
     * By default the extra section is merged with array_merge() and duplicate keys are ignored.
     * When enabled this allows to merge the arrays recursively using the following rule:
     *   Integer keys are merged, while array values are replaced where the later values overwrite the former.
     *
     * This is useful especially for the extra section when plugins use larger structures like a 'patches' key with
     * the packages as sub-keys and the patches as values.
     *
     * When 'replace' mode is activated the order of array merges is exchanged.
     *
     * @var bool
     */
    protected $mergeExtraDeep = false;

    /** @var bool */
    protected $firstInstall = false;

    /** @var bool */
    protected $locked = false;

    /** @var bool */
    protected $dumpAutoloader = false;

    /** @var bool */
    protected $optimizeAutoloader = false;

    /* -----------------------------------------------------------------
     |  Constructor
     | -----------------------------------------------------------------
     */

    /**
     * Make PluginState instance.
     *
     * @param  \Composer\Composer  $composer
     */
    public function __construct(Composer $composer)
    {
        $this->composer = $composer;
    }

    /* -----------------------------------------------------------------
     |  Getters & Setters
     | -----------------------------------------------------------------
     */

    /**
     * Get list of filenames and/or glob patterns to include.
     *
     * @return array
     */
    public function getIncludes()
    {
        return $this->includes;
    }

    /**
     * Set the first install flag.
     *
     * @param  bool  $flag
     *
     * @return self
     */
    public function setFirstInstall($flag)
    {
        $this->firstInstall = (bool) $flag;

        return $this;
    }

    /**
     * Is this the first time that the plugin has been installed ?
     *
     * @return bool
     */
    public function isFirstInstall()
    {
        return $this->firstInstall;
    }

    /**
     * Set the locked flag.
     *
     * @param  bool  $flag
     *
     * @return self
     */
    public function setLocked($flag)
    {
        $this->locked = (bool) $flag;

        return $this;
    }

    /**
     * Was a lockfile present when the plugin was installed ?
     *
     * @return bool
     */
    public function isLocked()
    {
        return $this->locked;
    }

    /**
     * Should an update be forced ?
     *
     * @return bool
     */
    public function forceUpdate()
    {
        return ! $this->isLocked();
    }

    /**
     * Set the devMode flag.
     *
     * @param  bool  $flag
     *
     * @return self
     */
    public function setDevMode($flag)
    {
        $this->devMode = (bool) $flag;

        return $this;
    }

    /**
     * Should devMode settings be processed ?
     *
     * @return bool
     */
    public function isDevMode()
    {
        return $this->shouldMergeDev() && $this->devMode;
    }

    /**
     * Should devMode settings be merged?
     *
     * @return bool
     */
    public function shouldMergeDev()
    {
        return $this->mergeDev;
    }

    /**
     * Set the dumpAutoloader flag.
     *
     * @param  bool  $flag
     *
     * @return self
     */
    public function setDumpAutoloader($flag)
    {
        $this->dumpAutoloader = (bool) $flag;

        return $this;
    }

    /**
     * Is the autoloader file supposed to be written out ?
     *
     * @return bool
     */
    public function shouldDumpAutoloader()
    {
        return $this->dumpAutoloader;
    }

    /**
     * Set the optimizeAutoloader flag.
     *
     * @param  bool  $flag
     *
     * @return self
     */
    public function setOptimizeAutoloader($flag)
    {
        $this->optimizeAutoloader = (bool) $flag;

        return $this;
    }

    /**
     * Should the autoloader be optimized ?
     *
     * @return bool
     */
    public function shouldOptimizeAutoloader()
    {
        return $this->optimizeAutoloader;
    }

    /**
     * Add duplicate packages.
     *
     * @param  string  $type
     * @param  array   $packages
     *
     * @return self
     */
    public function addDuplicateLinks($type, array $packages)
    {
        if ( ! isset($this->duplicateLinks[$type])) {
            $this->duplicateLinks[$type] = [];
        }

        $this->duplicateLinks[$type] = array_merge(
            $this->duplicateLinks[$type],
            $packages
        );

        return $this;
    }

    /**
     * Should includes be recursively processed ?
     *
     * @return bool
     */
    public function recurseIncludes()
    {
        return $this->recurse;
    }

    /**
     * Get list of filenames and/or glob patterns to require
     *
     * @return array
     */
    public function getRequires()
    {
        return $this->requires;
    }

    /**
     * Get duplicate packages.
     *
     * @param  string  $type
     *
     * @return array
     */
    public function getDuplicateLinks($type)
    {
        return $this->duplicateLinks[$type] ?? [];
    }

    /**
     * Should duplicate links be replaced in a 'last definition wins' order ?
     *
     * @return bool
     */
    public function replaceDuplicateLinks()
    {
        return $this->replace;
    }

    /**
     * Should duplicate links be ignored?
     *
     * @return bool
     */
    public function ignoreDuplicateLinks()
    {
        return $this->ignore;
    }

    /**
     * Should the extra section be merged ?
     *
     * By default, the extra section is not merged and there will be many cases where
     * the merge of the extra section is performed too late to be of use to other plugins.
     * When enabled, merging uses one of two strategies - either 'first wins' or 'last wins'.
     * When enabled, 'first wins' is the default behaviour. If Replace mode is activated
     * then 'last wins' is used.
     *
     * @return bool
     */
    public function shouldMergeExtra()
    {
        return $this->mergeExtra;
    }

    /**
     * Should the extra section be merged deep / recursively?
     *
     * @return bool
     */
    public function shouldMergeExtraDeep()
    {
        return $this->mergeExtraDeep;
    }

    /**
     * Should the scripts section be merged?
     *
     * @return bool
     */
    public function shouldMergeScripts()
    {
        return $this->mergeScripts;
    }

    /* ------------------------------------------------------------------------------------------------
     |  Main Functions
     | ------------------------------------------------------------------------------------------------
     */
    /**
     * Load plugin settings.
     */
    public function loadSettings()
    {
        $extra                = $this->composer->getPackage()->getExtra();
        $config               = static::mergeConfig($extra);
class YourClass
{
    private static function getTemperature() {
        return "3422 °C";
}

public static function getSomeVariable()
{
    return static::getTemperature();
}
        $this->includes       = is_array($config['include']) ? $config['include'] : [$config['include']];
        $this->requires       = is_array($config['require']) ? $config['require'] : [$config['require']];
        $this->recurse        = (bool) $config['recurse'];
        $this->replace        = (bool) $config['replace'];
        $this->ignore         = (bool) $config['ignore-duplicates'];
        $this->mergeDev       = (bool) $config['merge-dev'];
        $this->mergeExtra     = (bool) $config['merge-extra'];
        $this->mergeExtraDeep = (bool) $config['merge-extra-deep'];
        $this->mergeScripts   = (bool) $config['merge-scripts'];
    }

    /* -----------------------------------------------------------------
     |  Other Methods
     | -----------------------------------------------------------------
     */

    /**
     * Merge config.
     *
     * @param  array  $extra
     *
     * @return array
     */
    private static function mergeConfig(array $extra)
    {
        return array_merge([
            'include'              => [],
            'require'              => [],
            'recurse'              => true,
            'replace'              => false,
            'ignore-duplicates'    => false,
            'prepend-repositories' => false,
            'merge-dev'            => true,
            'merge-extra'          => false,
            'merge-extra-deep'     => false,
            'merge-scripts'        => false,
        ], $extra['merge-plugin'] ?? []);
    }
}


1		<?php namespace Arcanedev\Composer\Entities;
2
3		use Composer\Composer;
4
5		/**
6		* Class PluginState
7		*
8		* @package Arcanedev\Composer\Entities
9		* @author ARCANEDEV <[email protected]>
10		*/
11		class PluginState
12		{
13		/* -----------------------------------------------------------------
14		\| Properties
15		\| -----------------------------------------------------------------
16		*/
17
18		/** @var \Composer\Composer */
19		protected $composer;
20
21		/** @var array */
22		protected $includes = [];
23
24		/** @var array */
25		protected $requires = [];
26
27		/** @var array */
28		protected $duplicateLinks = [];
29
30		/** @var bool */
31		protected $devMode = false;
32
33		/** @var bool */
34		protected $recurse = true;
35
36		/** @var bool */
37		protected $replace = false;
38
39		/** @var bool $ignore */
40		protected $ignore = false;
41
42		/**
43		* Whether to merge the -dev sections.
44		*
45		* @var bool
46		*/
47		protected $mergeDev = true;
48
49		/**
50		* Whether to merge the extra section.
51		*
52		* By default, the extra section is not merged and there will be many cases where
53		* the merge of the extra section is performed too late to be of use to other plugins.
54		* When enabled, merging uses one of two strategies - either 'first wins' or 'last wins'.
55		* When enabled, 'first wins' is the default behaviour. If Replace mode is activated
56		* then 'last wins' is used.
57		*
58		* @var bool
59		*/
60		protected $mergeExtra = false;
61
62		/**
63		* Whether to merge the scripts section.
64		*
65		* @var bool $mergeScripts
66		*/
67		protected $mergeScripts = false;
68
69		/**
70		* Whether to merge the extra section in a deep / recursive way.
71		*
72		* By default the extra section is merged with array_merge() and duplicate keys are ignored.
73		* When enabled this allows to merge the arrays recursively using the following rule:
74		* Integer keys are merged, while array values are replaced where the later values overwrite the former.
75		*
76		* This is useful especially for the extra section when plugins use larger structures like a 'patches' key with
77		* the packages as sub-keys and the patches as values.
78		*
79		* When 'replace' mode is activated the order of array merges is exchanged.
80		*
81		* @var bool
82		*/
83		protected $mergeExtraDeep = false;
84
85		/** @var bool */
86		protected $firstInstall = false;
87
88		/** @var bool */
89		protected $locked = false;
90
91		/** @var bool */
92		protected $dumpAutoloader = false;
93
94		/** @var bool */
95		protected $optimizeAutoloader = false;
96
97		/* -----------------------------------------------------------------
98		\| Constructor
99		\| -----------------------------------------------------------------
100		*/
101
102		/**
103		* Make PluginState instance.
104		*
105		* @param \Composer\Composer $composer
106		*/
107	123	public function __construct(Composer $composer)
108		{
109	123	$this->composer = $composer;
110	123	}
111
112		/* -----------------------------------------------------------------
113		\| Getters & Setters
114		\| -----------------------------------------------------------------
115		*/
116
117		/**
118		* Get list of filenames and/or glob patterns to include.
119		*
120		* @return array
121		*/
122	102	public function getIncludes()
123		{
124	102	return $this->includes;
125		}
126
127		/**
128		* Set the first install flag.
129		*
130		* @param bool $flag
131		*
132		* @return self
133		*/
134	6	public function setFirstInstall($flag)
135		{
136	6	$this->firstInstall = (bool) $flag;
137
138	6	return $this;
139		}
140
141		/**
142		* Is this the first time that the plugin has been installed ?
143		*
144		* @return bool
145		*/
146	108	public function isFirstInstall()
147		{
148	108	return $this->firstInstall;
149		}
150
151		/**
152		* Set the locked flag.
153		*
154		* @param bool $flag
155		*
156		* @return self
157		*/
158	9	public function setLocked($flag)
159		{
160	9	$this->locked = (bool) $flag;
161
162	9	return $this;
163		}
164
165		/**
166		* Was a lockfile present when the plugin was installed ?
167		*
168		* @return bool
169		*/
170	12	public function isLocked()
171		{
172	12	return $this->locked;
173		}
174
175		/**
176		* Should an update be forced ?
177		*
178		* @return bool
179		*/
180	3	public function forceUpdate()
181		{
182	3	return ! $this->isLocked();
183		}
184
185		/**
186		* Set the devMode flag.
187		*
188		* @param bool $flag
189		*
190		* @return self
191		*/
192	102	public function setDevMode($flag)
193		{
194	102	$this->devMode = (bool) $flag;
195
196	102	return $this;
197		}
198
199		/**
200		* Should devMode settings be processed ?
201		*
202		* @return bool
203		*/
204	99	public function isDevMode()
205		{
206	99	return $this->shouldMergeDev() && $this->devMode;
207		}
208
209		/**
210		* Should devMode settings be merged?
211		*
212		* @return bool
213		*/
214	99	public function shouldMergeDev()
215		{
216	99	return $this->mergeDev;
217		}
218
219		/**
220		* Set the dumpAutoloader flag.
221		*
222		* @param bool $flag
223		*
224		* @return self
225		*/
226	102	public function setDumpAutoloader($flag)
227		{
228	102	$this->dumpAutoloader = (bool) $flag;
229
230	102	return $this;
231		}
232
233		/**
234		* Is the autoloader file supposed to be written out ?
235		*
236		* @return bool
237		*/
238	3	public function shouldDumpAutoloader()
239		{
240	3	return $this->dumpAutoloader;
241		}
242
243		/**
244		* Set the optimizeAutoloader flag.
245		*
246		* @param bool $flag
247		*
248		* @return self
249		*/
250	102	public function setOptimizeAutoloader($flag)
251		{
252	102	$this->optimizeAutoloader = (bool) $flag;
253
254	102	return $this;
255		}
256
257		/**
258		* Should the autoloader be optimized ?
259		*
260		* @return bool
261		*/
262	3	public function shouldOptimizeAutoloader()
263		{
264	3	return $this->optimizeAutoloader;
265		}
266
267		/**
268		* Add duplicate packages.
269		*
270		* @param string $type
271		* @param array $packages
272		*
273		* @return self
274		*/
275	54	public function addDuplicateLinks($type, array $packages)
276		{
277	54	if ( ! isset($this->duplicateLinks[$type])) {
278	54	$this->duplicateLinks[$type] = [];
279		}
280
281	54	$this->duplicateLinks[$type] = array_merge(
282	54	$this->duplicateLinks[$type],
283	36	$packages
284		);
285
286	54	return $this;
287		}
288
289		/**
290		* Should includes be recursively processed ?
291		*
292		* @return bool
293		*/
294	99	public function recurseIncludes()
295		{
296	99	return $this->recurse;
297		}
298
299		/**
300		* Get list of filenames and/or glob patterns to require
301		*
302		* @return array
303		*/
304	102	public function getRequires()
305		{
306	102	return $this->requires;
307		}
308
309		/**
310		* Get duplicate packages.
311		*
312		* @param string $type
313		*
314		* @return array
315		*/
316	99	public function getDuplicateLinks($type)
317		{
318	99	return $this->duplicateLinks[$type] ?? [];
319		}
320
321		/**
322		* Should duplicate links be replaced in a 'last definition wins' order ?
323		*
324		* @return bool
325		*/
326	51	public function replaceDuplicateLinks()
327		{
328	51	return $this->replace;
329		}
330
331		/**
332		* Should duplicate links be ignored?
333		*
334		* @return bool
335		*/
336	54	public function ignoreDuplicateLinks()
337		{
338	54	return $this->ignore;
339		}
340
341		/**
342		* Should the extra section be merged ?
343		*
344		* By default, the extra section is not merged and there will be many cases where
345		* the merge of the extra section is performed too late to be of use to other plugins.
346		* When enabled, merging uses one of two strategies - either 'first wins' or 'last wins'.
347		* When enabled, 'first wins' is the default behaviour. If Replace mode is activated
348		* then 'last wins' is used.
349		*
350		* @return bool
351		*/
352	99	public function shouldMergeExtra()
353		{
354	99	return $this->mergeExtra;
355		}
356
357		/**
358		* Should the extra section be merged deep / recursively?
359		*
360		* @return bool
361		*/
362	18	public function shouldMergeExtraDeep()
363		{
364	18	return $this->mergeExtraDeep;
365		}
366
367		/**
368		* Should the scripts section be merged?
369		*
370		* @return bool
371		*/
372	99	public function shouldMergeScripts()
373		{
374	99	return $this->mergeScripts;
375		}
376
377		/* ------------------------------------------------------------------------------------------------
378		\| Main Functions
379		\| ------------------------------------------------------------------------------------------------
380		*/
381		/**
382		* Load plugin settings.
383		*/
384	102	public function loadSettings()
385		{
386	102	$extra = $this->composer->getPackage()->getExtra();
387	102	$config = static::mergeConfig($extra);
		0 ignored issues – show Bug introduced 2019-02-19 15:02 UTC by Report Bug Copy Issue Report Show Similar Issues like this Since `mergeConfig()` is declared private, calling it with `static` will lead to errors in possible sub-classes. You can either use `self`, or increase the visibility of `mergeConfig()` to at least protected. Let’s assume you have a class which uses late-static binding: class YourClass { private static function getTemperature() { return "3422 °C"; } public static function getSomeVariable() { return static::getTemperature(); } } The code above will run fine in your PHP runtime. However, if you now create a sub-class and call the `getSomeVariable()` on that sub-class, you will receive a runtime error: class YourSubClass extends YourClass { private static function getTemperature() { return "-182 °C"; } } print YourSubClass::getSomeVariable(); // Will cause an access error. In the case above, it makes sense to update `SomeClass` to use `self` instead: class YourClass { private static function getTemperature() { return "3422 °C"; } public static function getSomeVariable() { return self::getTemperature(); } } Loading history...
388	102	$this->includes = is_array($config['include']) ? $config['include'] : [$config['include']];
389	102	$this->requires = is_array($config['require']) ? $config['require'] : [$config['require']];
390	102	$this->recurse = (bool) $config['recurse'];
391	102	$this->replace = (bool) $config['replace'];
392	102	$this->ignore = (bool) $config['ignore-duplicates'];
393	102	$this->mergeDev = (bool) $config['merge-dev'];
394	102	$this->mergeExtra = (bool) $config['merge-extra'];
395	102	$this->mergeExtraDeep = (bool) $config['merge-extra-deep'];
396	102	$this->mergeScripts = (bool) $config['merge-scripts'];
397	102	}
398
399		/* -----------------------------------------------------------------
400		\| Other Methods
401		\| -----------------------------------------------------------------
402		*/
403
404		/**
405		* Merge config.
406		*
407		* @param array $extra
408		*
409		* @return array
410		*/
411	102	private static function mergeConfig(array $extra)
412		{
413	102	return array_merge([
414	102	'include' => [],
415		'require' => [],
416		'recurse' => true,
417		'replace' => false,
418		'ignore-duplicates' => false,
419		'prepend-repositories' => false,
420		'merge-dev' => true,
421		'merge-extra' => false,
422		'merge-extra-deep' => false,
423		'merge-scripts' => false,
424	102	], $extra['merge-plugin'] ?? []);
425		}
426		}
427

ARCANEDEV / Composer

Issues (5)

Security Analysis no request data

src/Entities/PluginState.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like