Issues in vp-scanner.php (master) - Issues in master - Automattic/jetpack - Measure and Improve Code Quality continuously with Scrutinizer

Issues (3867)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

projects/plugins/vaultpress/vp-scanner.php (7 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
// don't call the file directly
defined( 'ABSPATH' ) or die();

class VP_FileScan {
	var $path;
	var $last_dir = null;
	var $offset = 0;
	var $ignore_symlinks = false;

	function __construct( $path, $ignore_symlinks = false ) {
		if ( is_dir( $path ) )
			$this->last_dir = $this->path = @realpath( $path );
		else
			$this->last_dir = $this->path = dirname( @realpath( $path ) );
		$this->ignore_symlinks = $ignore_symlinks;
	}

	function get_files( $limit = 100 ) {
		$files = array();
		if ( is_dir( $this->last_dir ) ) {
			$return = $this->_scan_files( $this->path, $files, $this->offset, $limit, $this->last_dir );
			$this->offset = $return[0];
			$this->last_dir = $return[1];
			if ( count( $files ) < $limit )
				$this->last_dir = false;
		}
		return $files;
	}

	function _scan_files( $path, &$files, $offset, $limit, &$last_dir ) {
		$_offset = 0;
		if ( is_readable( $path ) && $handle = opendir( $path ) ) {
			while( false !== ( $entry = readdir( $handle ) ) ) {
				if ( '.' == $entry || '..' == $entry )
					continue;

				$_offset++;
				$full_entry = $path . DIRECTORY_SEPARATOR . $entry;
				$next_item = ltrim( str_replace( $path, '', $last_dir ), DIRECTORY_SEPARATOR );
				$next = preg_split( '#(?<!\\\\)' . preg_quote( DIRECTORY_SEPARATOR, '#' ) . '#', $next_item, 2 );

				// Skip if the next item is not found.
				if ( !empty( $next[0] ) && $next[0] != $entry )
					continue;
				if ( rtrim( $last_dir, DIRECTORY_SEPARATOR ) == rtrim( $path, DIRECTORY_SEPARATOR ) && $_offset < $offset )
					continue;
				if ( $this->ignore_symlinks && is_link( $full_entry ) )
					continue;

				if ( rtrim( $last_dir, DIRECTORY_SEPARATOR ) == rtrim( $path, DIRECTORY_SEPARATOR ) ) {
					// Reset last_dir and offset when we reached the previous last_dir value.
					$last_dir = '';
					$offset = 0;
				}

				if ( is_file( $full_entry ) ) {
					if ( !vp_is_interesting_file( $full_entry ) )
						continue;
					$_return_offset = $_offset;
					$_return_dir = dirname( $full_entry );
					$files[] = $full_entry;
				} elseif ( is_dir( $full_entry ) ) {
					list( $_return_offset, $_return_dir ) = $this->_scan_files( $full_entry, $files, $offset, $limit, $last_dir );
				}
				if ( count( $files ) >= $limit ) {
					closedir( $handle );
					return array( $_return_offset, $_return_dir );
function myFunction($a) {
    switch ($a) {
        case 'foo':
            $x = 1;
            break;

        case 'bar':
            $x = 2;
            break;
    }

    // $x is potentially undefined here.
    echo $x;
}
				}
			}
			closedir( $handle );
		}
		return array( $_offset, $path );
	}
}

function vp_get_real_file_path( $file_path, $tmp_file = false ) {
	global $site, $site_id;
	$site_id = !empty( $site->id ) ? $site->id : $site_id;
	if ( !$tmp_file && !empty( $site_id ) && function_exists( 'determine_file_type_path' ) ) {
		$path = determine_file_type_path( $file_path );
		$file = file_by_path( $site_id, $path );
		if ( !$file )
			return false;
		return $file->get_unencrypted();
	}
	return !empty( $tmp_file ) ? $tmp_file : $file_path;
}

function vp_is_interesting_file($file) {
	$scan_only_regex = apply_filters( 'scan_only_extension_regex', '#\.(ph(p3|p4|p5|p|tml)|html|js|htaccess)$#i' );
	return preg_match( $scan_only_regex, $file );
}

/**
 * Uses the PHP tokenizer to split a file into 3 arrays: PHP code with no comments,
 * PHP code with comments, and HTML/JS code. Helper wrapper around split_to_php_html()
 *
 * @param string $file The file path to read and parse
 * @return array An array with 3 arrays of lines
 */
function split_file_to_php_html( $file ) {
	$source = @file_get_contents( $file );
	if ( $source === false ) {
		$source = '';
	}
	return split_to_php_html( $source );
}

/**
 * Uses the PHP tokenizer to split a string into 3 arrays: PHP code with no comments,
 * PHP code with comments, and HTML/JS code.
 *
 * @param string $file The file path to read and parse
/**
 * @param array $germany
 * @param array $island
 * @param array $italy
 */
function finale($germany, $island) {
    return "2:1";
}
 * @return array An array with 3 arrays of lines
 */
function split_to_php_html( $source ) {
	$tokens = @token_get_all( $source );

	$ret = array( 'php' => array(), 'php-with-comments' => array(), 'html' => array() );
	$current_line = 0;
	$mode = 'html'; // need to see an open tag to switch to PHP mode

	foreach ( $tokens as $token ) {
		if ( ! is_array( $token ) ) {
			// single character, can't switch our mode; just add it and continue
			// if it's PHP, should go into both versions; mode 'php' will do that
			add_text_to_parsed( $ret, $mode, $current_line, $token );
			$current_line += substr_count( $token, "\n" );
		} else {
			// more complex tokens is the interesting case
			list( $id, $text, $line ) = $token;
<?php

function returnThreeValues() {
    return array('a', 'b', 'c');
}

list($a, $b, $c) = returnThreeValues();

print $a . " - " . $c;
			
			if ( 'php' === $mode ) {
				// we're in PHP code

				// might be a comment
				if ( T_COMMENT === $id || T_DOC_COMMENT === $id ) {
					// add it to the PHP with comments array only
					add_text_to_parsed( $ret, 'php-with-comments', $current_line, $text );

					// special case for lines like: "     // comment\n":
					// if we're adding a comment with a newline, and the 'php' array current line
					// has no trailing newline, add one
					if ( substr_count( $text, "\n" ) >= 1 && isset( $ret['php'][ $current_line ] ) && 0 === substr_count( $ret['php'][ $current_line ], "\n" ) ) {
						$ret['php'][ $current_line ] .= "\n";
					}

					// make sure to count newlines in comments 
					$current_line += substr_count( $text, "\n" );
					continue;
				}

				// otherwise add it to both the PHP array and the with comments array
				add_text_to_parsed( $ret, $mode, $current_line, $text );

				// then see if we're breaking out
				if ( T_CLOSE_TAG === $id ) {
					$mode = 'html';
				}
			} else if ( 'html' === $mode ) {
				// we're in HTML code

				// if we see an open tag, switch to PHP
				if ( T_OPEN_TAG === $id || T_OPEN_TAG_WITH_ECHO === $id ) {
					$mode = 'php';
				}

				// add to the HTML array (or PHP if it was an open tag)
				// if it is PHP, this will add it to both arrays, which is what we want
				add_text_to_parsed( $ret, $mode, $current_line, $text );
			}
			$current_line += substr_count( $text, "\n" );
		}
	}

	return $ret;
}

/**
 * Helper function for split_file_to_php_html; adds a chunk of text to the arrays we'll return.
 * @param array $parsed The array containing all the languages we'll return
 * @param string $prefix The prefix for the languages we want to add this text to
 * @param int $line_number The line number that this text goes on
/**
 * @param array $germany
 * @param array $ireland
 */
function finale($germany, $island) {
    return "2:1";
}
 * @param string $text The text to add
/**
 * @param array $germany
 * @param array $island
 * @param array $italy
 */
function finale($germany, $island) {
    return "2:1";
}
 */
function add_text_to_parsed( &$parsed, $prefix, $start_line_number, $all_text ) {
	$line_number = $start_line_number;

	// whitespace tokens may span multiple lines; we need to split them up so that the indentation goes on the next line
	$fragments = explode( "\n", $all_text );
	foreach ( $fragments as $i => $fragment ) {
		// each line needs to end with a newline to match the behavior of file()
		if ( $i < count( $fragments ) - 1 ) {
			$text = $fragment . "\n";
		} else {
			$text = $fragment;
		}

		if ( '' === $text ) {
			// check for the empty string explicitly, rather than using empty()
			// otherwise things like a '0' token will get skipped, because PHP is stupid
			continue;
		}

		if ( ! isset( $parsed[ $prefix ][ $line_number ] ) ) {
			$parsed[ $prefix ][ $line_number ] = '';
		}
		$parsed[ $prefix ][ $line_number ] .= $text;
		if ( 'php' == $prefix ) {
			if ( ! isset( $parsed[ 'php-with-comments' ][ $line_number ] ) ) {
				$parsed[ 'php-with-comments' ][ $line_number ] = '';
			}
			$parsed[ 'php-with-comments' ][ $line_number ] .= $text;
		}

		// the caller will also update their line number based on the number of \n characters in the text
		$line_number++;
	}
}
/**
 * Scans a file with the registered signatures. To report a security notice for a specified signature, all its regular
 * expressions should result in a match.
 * @param $file the filename to be scanned.
 * @param null $tmp_file used if the file to be scanned doesn't exist or if the filename doesn't match vp_is_interesting_file().
 * @return array|bool false if no matched signature is found. A list of matched signatures otherwise.
 */
function vp_scan_file( $file, $tmp_file = null, $use_parser = false ) {
	$real_file = vp_get_real_file_path( $file, $tmp_file );
function acceptsInteger($int) { }

$x = '123'; // string "123"

// Instead of
acceptsInteger($x);

// we recommend to use
acceptsInteger((integer) $x);
	$file_size = file_exists( $real_file ) ? @filesize( $real_file ) : 0;
	if ( !is_readable( $real_file ) || !$file_size || $file_size > apply_filters( 'scan_max_file_size', 3 * 1024 * 1024 ) ) { // don't scan empty or files larger than 3MB.
		return false;
	}

	$file_content = null;
	$file_parsed = null;
	$skip_file = apply_filters_ref_array( 'pre_scan_file', array ( false, $file, $real_file, &$file_content ) );
	if ( false !== $skip_file ) { // maybe detect malware without regular expressions.
		return $skip_file;
	}

	if ( !vp_is_interesting_file( $file ) ) { // only scan relevant files.
		return false;
	}

	if ( !isset( $GLOBALS['vp_signatures'] ) ) {
		$GLOBALS['vp_signatures'] = array();
	}

	$found = array ();
	foreach ( $GLOBALS['vp_signatures'] as $signature ) {
		if ( !is_object( $signature ) || !isset( $signature->patterns ) ) {
			continue;
		}
		// if there is no filename_regex, we assume it's the same of vp_is_interesting_file().
		if ( empty( $signature->filename_regex ) || preg_match( '#' . addcslashes( $signature->filename_regex, '#' ) . '#i', $file ) ) {
			if ( null === $file_content || !is_array( $file_content ) ) {
				$file_content = @file( $real_file );

				if ( $file_content === false ) {
					return false;
				}

				if ( $use_parser ) {
					$file_parsed = split_file_to_php_html( $real_file );
				}
			}

			$is_vulnerable = true;

			$code = $file_content;

			if ( $use_parser ) {
				// use the language specified in the signature if it has one
				if ( ! empty( $signature->target_language ) && array_key_exists( $signature->target_language, $file_parsed ) ) {
					$code = $file_parsed[ $signature->target_language ];


				}
			}

			$matches = array();
			if ( ! empty( $signature->patterns ) ) {
				foreach ( $signature->patterns as $pattern ) {
					$match = preg_grep( '#' . addcslashes( $pattern, '#' ) . '#im', $code );
					if ( empty( $match ) ) {
						$is_vulnerable = false;
						break;
					}

					$matches += $match;
				}
			}

			// convert the matched line to an array of details showing context around the lines
			$lines = array();

			$lines_parsed = array();

			$line_indices_parsed = array();

			if ( $use_parser ) {
				$line_indices_parsed = array_keys( $code );
			}

			foreach ( $matches as $line => $text ) {
				$lines = array_merge( $lines, range( $line - 1, $line + 1 ) );
				if ( $use_parser ) {
					$idx = array_search( $line, $line_indices_parsed );

					// we might be looking at the first or last line; for the non-parsed case, array_intersect_key
					// handles this transparently below; for the parsed case, since we have another layer of
					// indirection, we have to handle that case here
					$idx_around = array();
					if ( isset( $line_indices_parsed[ $idx - 1 ] ) ) {
						$idx_around[] = $line_indices_parsed[ $idx - 1 ];
					}
					$idx_around[] = $line_indices_parsed[ $idx ];
					if ( isset( $line_indices_parsed[ $idx + 1 ] ) ) {
						$idx_around[] = $line_indices_parsed[ $idx + 1 ];
					}
					$lines_parsed = array_merge( $lines_parsed, $idx_around );
				}
			}

			$details = array_intersect_key( $file_content, array_flip( $lines ) );

			$details_parsed = array();

			if ( $use_parser ) {
				$details_parsed = array_intersect_key( $code, array_flip( $lines_parsed ) );
			}

			// provide both 'matches' and 'details', as some places want 'matches'
			// this matches the old behavior, which would add 'details' to some items, without replacing 'matches'
			$debug_data = array( 'matches' => $matches, 'details' => $details  );
			if ( $use_parser ) {
				$debug_data['details_parsed'] = $details_parsed;
			}

			// Additional checking needed?
			if ( method_exists( $signature, 'get_detailed_scanner' ) && $scanner = $signature->get_detailed_scanner() )
				$is_vulnerable = $scanner->scan( $is_vulnerable, $file, $real_file, $file_content, $debug_data );
			if ( $is_vulnerable ) {
				$found[$signature->id] = $debug_data;
				if ( isset( $signature->severity ) && $signature->severity > 8 ) // don't continue scanning
					break;
			}
		}
	}

	return apply_filters_ref_array( 'post_scan_file', array ( $found, $file, $real_file, &$file_content ) );
}


Issues (3867)

Security Analysis not enabled

projects/plugins/vaultpress/vp-scanner.php (7 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Available Fixes

Available Fixes

1			<?php
2			// don't call the file directly
3			defined( 'ABSPATH' ) or die();
4
5			class VP_FileScan {
6			var $path;
7			var $last_dir = null;
8			var $offset = 0;
9			var $ignore_symlinks = false;
10
11			function __construct( $path, $ignore_symlinks = false ) {
12			if ( is_dir( $path ) )
13			$this->last_dir = $this->path = @realpath( $path );
14			else
15			$this->last_dir = $this->path = dirname( @realpath( $path ) );
16			$this->ignore_symlinks = $ignore_symlinks;
17			}
18
19			function get_files( $limit = 100 ) {
20			$files = array();
21			if ( is_dir( $this->last_dir ) ) {
22			$return = $this->_scan_files( $this->path, $files, $this->offset, $limit, $this->last_dir );
23			$this->offset = $return[0];
24			$this->last_dir = $return[1];
25			if ( count( $files ) < $limit )
26			$this->last_dir = false;
27			}
28			return $files;
29			}
30
31			function _scan_files( $path, &$files, $offset, $limit, &$last_dir ) {
32			$_offset = 0;
33			if ( is_readable( $path ) && $handle = opendir( $path ) ) {
34			while( false !== ( $entry = readdir( $handle ) ) ) {
35			if ( '.' == $entry \|\| '..' == $entry )
36			continue;
37
38			$_offset++;
39			$full_entry = $path . DIRECTORY_SEPARATOR . $entry;
40			$next_item = ltrim( str_replace( $path, '', $last_dir ), DIRECTORY_SEPARATOR );
41			$next = preg_split( '#(?<!\\\\)' . preg_quote( DIRECTORY_SEPARATOR, '#' ) . '#', $next_item, 2 );
42
43			// Skip if the next item is not found.
44			if ( !empty( $next[0] ) && $next[0] != $entry )
45			continue;
46			if ( rtrim( $last_dir, DIRECTORY_SEPARATOR ) == rtrim( $path, DIRECTORY_SEPARATOR ) && $_offset < $offset )
47			continue;
48			if ( $this->ignore_symlinks && is_link( $full_entry ) )
49			continue;
50
51			if ( rtrim( $last_dir, DIRECTORY_SEPARATOR ) == rtrim( $path, DIRECTORY_SEPARATOR ) ) {
52			// Reset last_dir and offset when we reached the previous last_dir value.
53			$last_dir = '';
54			$offset = 0;
55			}
56
57			if ( is_file( $full_entry ) ) {
58			if ( !vp_is_interesting_file( $full_entry ) )
59			continue;
60			$_return_offset = $_offset;
61			$_return_dir = dirname( $full_entry );
62			$files[] = $full_entry;
63			} elseif ( is_dir( $full_entry ) ) {
64			list( $_return_offset, $_return_dir ) = $this->_scan_files( $full_entry, $files, $offset, $limit, $last_dir );
65			}
66			if ( count( $files ) >= $limit ) {
67			closedir( $handle );
68			return array( $_return_offset, $_return_dir );
			0 ignored issues – show Bug introduced 2021-06-17 16:12 UTC by Report Bug Copy Issue Report Show Similar Issues like this The variable `$_return_dir` does not seem to be defined for all execution paths leading up to this point. If you define a variable conditionally, it can happen that it is not defined for all execution paths. Let’s take a look at an example: function myFunction($a) { switch ($a) { case 'foo': $x = 1; break; case 'bar': $x = 2; break; } // $x is potentially undefined here. echo $x; } In the above example, the variable `$x` is defined if you pass “foo” or “bar” as argument for `$a`. However, since the `switch` statement has no default case statement, if you pass any other value, the variable `$x` would be undefined. Available Fixes Check for existence of the variable explicitly: function myFunction($a) { switch ($a) { case 'foo': $x = 1; break; case 'bar': $x = 2; break; } if (isset($x)) { // Make sure it's always set. echo $x; } } Define a default value for the variable: function myFunction($a) { $x = ''; // Set a default which gets overridden for certain paths. switch ($a) { case 'foo': $x = 1; break; case 'bar': $x = 2; break; } echo $x; } Add a value for the missing path: function myFunction($a) { switch ($a) { case 'foo': $x = 1; break; case 'bar': $x = 2; break; // We add support for the missing case. default: $x = ''; break; } echo $x; } Loading history... Bug introduced 2021-06-17 16:12 UTC by Report Bug Copy Issue Report Show Similar Issues like this The variable `$_return_offset` does not seem to be defined for all execution paths leading up to this point. If you define a variable conditionally, it can happen that it is not defined for all execution paths. Let’s take a look at an example: function myFunction($a) { switch ($a) { case 'foo': $x = 1; break; case 'bar': $x = 2; break; } // $x is potentially undefined here. echo $x; } In the above example, the variable `$x` is defined if you pass “foo” or “bar” as argument for `$a`. However, since the `switch` statement has no default case statement, if you pass any other value, the variable `$x` would be undefined. Available Fixes Check for existence of the variable explicitly: function myFunction($a) { switch ($a) { case 'foo': $x = 1; break; case 'bar': $x = 2; break; } if (isset($x)) { // Make sure it's always set. echo $x; } } Define a default value for the variable: function myFunction($a) { $x = ''; // Set a default which gets overridden for certain paths. switch ($a) { case 'foo': $x = 1; break; case 'bar': $x = 2; break; } echo $x; } Add a value for the missing path: function myFunction($a) { switch ($a) { case 'foo': $x = 1; break; case 'bar': $x = 2; break; // We add support for the missing case. default: $x = ''; break; } echo $x; } Loading history...
69			}
70			}
71			closedir( $handle );
72			}
73			return array( $_offset, $path );
74			}
75			}
76
77			function vp_get_real_file_path( $file_path, $tmp_file = false ) {
78			global $site, $site_id;
79			$site_id = !empty( $site->id ) ? $site->id : $site_id;
80			if ( !$tmp_file && !empty( $site_id ) && function_exists( 'determine_file_type_path' ) ) {
81			$path = determine_file_type_path( $file_path );
82			$file = file_by_path( $site_id, $path );
83			if ( !$file )
84			return false;
85			return $file->get_unencrypted();
86			}
87			return !empty( $tmp_file ) ? $tmp_file : $file_path;
88			}
89
90			function vp_is_interesting_file($file) {
91			$scan_only_regex = apply_filters( 'scan_only_extension_regex', '#\.(ph(p3\|p4\|p5\|p\|tml)\|html\|js\|htaccess)$#i' );
92			return preg_match( $scan_only_regex, $file );
93			}
94
95			/**
96			* Uses the PHP tokenizer to split a file into 3 arrays: PHP code with no comments,
97			* PHP code with comments, and HTML/JS code. Helper wrapper around split_to_php_html()
98			*
99			* @param string $file The file path to read and parse
100			* @return array An array with 3 arrays of lines
101			*/
102			function split_file_to_php_html( $file ) {
103			$source = @file_get_contents( $file );
104			if ( $source === false ) {
105			$source = '';
106			}
107			return split_to_php_html( $source );
108			}
109
110			/**
111			* Uses the PHP tokenizer to split a string into 3 arrays: PHP code with no comments,
112			* PHP code with comments, and HTML/JS code.
113			*
114			* @param string $file The file path to read and parse
			0 ignored issues – show Bug introduced 2021-06-17 16:12 UTC by Report Bug Copy Issue Report Show Similar Issues like this There is no parameter named `$file`. Was it maybe removed? This check looks for PHPDoc comments describing methods or function parameters that do not exist on the corresponding method or function. Consider the following example. The parameter `$italy` is not defined by the method `finale(...)`. /** * @param array $germany * @param array $island * @param array $italy */ function finale($germany, $island) { return "2:1"; } The most likely cause is that the parameter was removed, but the annotation was not. Loading history...
115			* @return array An array with 3 arrays of lines
116			*/
117			function split_to_php_html( $source ) {
118			$tokens = @token_get_all( $source );
119
120			$ret = array( 'php' => array(), 'php-with-comments' => array(), 'html' => array() );
121			$current_line = 0;
122			$mode = 'html'; // need to see an open tag to switch to PHP mode
123
124			foreach ( $tokens as $token ) {
125			if ( ! is_array( $token ) ) {
126			// single character, can't switch our mode; just add it and continue
127			// if it's PHP, should go into both versions; mode 'php' will do that
128			add_text_to_parsed( $ret, $mode, $current_line, $token );
129			$current_line += substr_count( $token, "\n" );
130			} else {
131			// more complex tokens is the interesting case
132			list( $id, $text, $line ) = $token;
			0 ignored issues – show Unused Code introduced 2021-06-17 16:12 UTC by Report Bug Copy Issue Report Show Similar Issues like this The assignment to `$line` is unused. Consider omitting it like so `list($first,,$third)`. This checks looks for assignemnts to variables using the `list(...)` function, where not all assigned variables are subsequently used. Consider the following code example. <?php function returnThreeValues() { return array('a', 'b', 'c'); } list($a, $b, $c) = returnThreeValues(); print $a . " - " . $c; Only the variables `$a` and `$c` are used. There was no need to assign `$b`. Instead, the list call could have been. list($a,, $c) = returnThreeValues(); Loading history...
133
134			if ( 'php' === $mode ) {
135			// we're in PHP code
136
137			// might be a comment
138			if ( T_COMMENT === $id \|\| T_DOC_COMMENT === $id ) {
139			// add it to the PHP with comments array only
140			add_text_to_parsed( $ret, 'php-with-comments', $current_line, $text );
141
142			// special case for lines like: " // comment\n":
143			// if we're adding a comment with a newline, and the 'php' array current line
144			// has no trailing newline, add one
145			if ( substr_count( $text, "\n" ) >= 1 && isset( $ret['php'][ $current_line ] ) && 0 === substr_count( $ret['php'][ $current_line ], "\n" ) ) {
146			$ret['php'][ $current_line ] .= "\n";
147			}
148
149			// make sure to count newlines in comments
150			$current_line += substr_count( $text, "\n" );
151			continue;
152			}
153
154			// otherwise add it to both the PHP array and the with comments array
155			add_text_to_parsed( $ret, $mode, $current_line, $text );
156
157			// then see if we're breaking out
158			if ( T_CLOSE_TAG === $id ) {
159			$mode = 'html';
160			}
161			} else if ( 'html' === $mode ) {
162			// we're in HTML code
163
164			// if we see an open tag, switch to PHP
165			if ( T_OPEN_TAG === $id \|\| T_OPEN_TAG_WITH_ECHO === $id ) {
166			$mode = 'php';
167			}
168
169			// add to the HTML array (or PHP if it was an open tag)
170			// if it is PHP, this will add it to both arrays, which is what we want
171			add_text_to_parsed( $ret, $mode, $current_line, $text );
172			}
173			$current_line += substr_count( $text, "\n" );
174			}
175			}
176
177			return $ret;
178			}
179
180			/**
181			* Helper function for split_file_to_php_html; adds a chunk of text to the arrays we'll return.
182			* @param array $parsed The array containing all the languages we'll return
183			* @param string $prefix The prefix for the languages we want to add this text to
184			* @param int $line_number The line number that this text goes on
			0 ignored issues – show Documentation introduced 2021-06-17 16:12 UTC by Report Bug Copy Issue Report Show Similar Issues like this There is no parameter named `$line_number`. Did you maybe mean `$start_line_number`? This check looks for PHPDoc comments describing methods or function parameters that do not exist on the corresponding method or function. It has, however, found a similar but not annotated parameter which might be a good fit. Consider the following example. The parameter `$ireland` is not defined by the method `finale(...)`. /** * @param array $germany * @param array $ireland */ function finale($germany, $island) { return "2:1"; } The most likely cause is that the parameter was changed, but the annotation was not. Loading history...
185			* @param string $text The text to add
			0 ignored issues – show Bug introduced 2021-06-17 16:12 UTC by Report Bug Copy Issue Report Show Similar Issues like this There is no parameter named `$text`. Was it maybe removed? This check looks for PHPDoc comments describing methods or function parameters that do not exist on the corresponding method or function. Consider the following example. The parameter `$italy` is not defined by the method `finale(...)`. /** * @param array $germany * @param array $island * @param array $italy */ function finale($germany, $island) { return "2:1"; } The most likely cause is that the parameter was removed, but the annotation was not. Loading history...
186			*/
187			function add_text_to_parsed( &$parsed, $prefix, $start_line_number, $all_text ) {
188			$line_number = $start_line_number;
189
190			// whitespace tokens may span multiple lines; we need to split them up so that the indentation goes on the next line
191			$fragments = explode( "\n", $all_text );
192			foreach ( $fragments as $i => $fragment ) {
193			// each line needs to end with a newline to match the behavior of file()
194			if ( $i < count( $fragments ) - 1 ) {
195			$text = $fragment . "\n";
196			} else {
197			$text = $fragment;
198			}
199
200			if ( '' === $text ) {
201			// check for the empty string explicitly, rather than using empty()
202			// otherwise things like a '0' token will get skipped, because PHP is stupid
203			continue;
204			}
205
206			if ( ! isset( $parsed[ $prefix ][ $line_number ] ) ) {
207			$parsed[ $prefix ][ $line_number ] = '';
208			}
209			$parsed[ $prefix ][ $line_number ] .= $text;
210			if ( 'php' == $prefix ) {
211			if ( ! isset( $parsed[ 'php-with-comments' ][ $line_number ] ) ) {
212			$parsed[ 'php-with-comments' ][ $line_number ] = '';
213			}
214			$parsed[ 'php-with-comments' ][ $line_number ] .= $text;
215			}
216
217			// the caller will also update their line number based on the number of \n characters in the text
218			$line_number++;
219			}
220			}
221			/**
222			* Scans a file with the registered signatures. To report a security notice for a specified signature, all its regular
223			* expressions should result in a match.
224			* @param $file the filename to be scanned.
225			* @param null $tmp_file used if the file to be scanned doesn't exist or if the filename doesn't match vp_is_interesting_file().
226			* @return array\|bool false if no matched signature is found. A list of matched signatures otherwise.
227			*/
228			function vp_scan_file( $file, $tmp_file = null, $use_parser = false ) {
229			$real_file = vp_get_real_file_path( $file, $tmp_file );
			0 ignored issues – show Documentation introduced 2021-06-17 16:12 UTC by Report Bug Copy Issue Report Show Similar Issues like this `$tmp_file` is of type `null`, but the function expects a `boolean`. It seems like the type of the argument is not accepted by the function/method which you are calling. In some cases, in particular if PHP’s automatic type-juggling kicks in this might be fine. In other cases, however this might be a bug. We suggest to add an explicit type cast like in the following example: function acceptsInteger($int) { } $x = '123'; // string "123" // Instead of acceptsInteger($x); // we recommend to use acceptsInteger((integer) $x); Loading history...
230			$file_size = file_exists( $real_file ) ? @filesize( $real_file ) : 0;
231			if ( !is_readable( $real_file ) \|\| !$file_size \|\| $file_size > apply_filters( 'scan_max_file_size', 3 * 1024 * 1024 ) ) { // don't scan empty or files larger than 3MB.
232			return false;
233			}
234
235			$file_content = null;
236			$file_parsed = null;
237			$skip_file = apply_filters_ref_array( 'pre_scan_file', array ( false, $file, $real_file, &$file_content ) );
238			if ( false !== $skip_file ) { // maybe detect malware without regular expressions.
239			return $skip_file;
240			}
241
242			if ( !vp_is_interesting_file( $file ) ) { // only scan relevant files.
243			return false;
244			}
245
246			if ( !isset( $GLOBALS['vp_signatures'] ) ) {
247			$GLOBALS['vp_signatures'] = array();
248			}
249
250			$found = array ();
251			foreach ( $GLOBALS['vp_signatures'] as $signature ) {
252			if ( !is_object( $signature ) \|\| !isset( $signature->patterns ) ) {
253			continue;
254			}
255			// if there is no filename_regex, we assume it's the same of vp_is_interesting_file().
256			if ( empty( $signature->filename_regex ) \|\| preg_match( '#' . addcslashes( $signature->filename_regex, '#' ) . '#i', $file ) ) {
257			if ( null === $file_content \|\| !is_array( $file_content ) ) {
258			$file_content = @file( $real_file );
259
260			if ( $file_content === false ) {
261			return false;
262			}
263
264			if ( $use_parser ) {
265			$file_parsed = split_file_to_php_html( $real_file );
266			}
267			}
268
269			$is_vulnerable = true;
270
271			$code = $file_content;
272
273			if ( $use_parser ) {
274			// use the language specified in the signature if it has one
275			if ( ! empty( $signature->target_language ) && array_key_exists( $signature->target_language, $file_parsed ) ) {
276			$code = $file_parsed[ $signature->target_language ];
277
278
279			}
280			}
281
282			$matches = array();
283			if ( ! empty( $signature->patterns ) ) {
284			foreach ( $signature->patterns as $pattern ) {
285			$match = preg_grep( '#' . addcslashes( $pattern, '#' ) . '#im', $code );
286			if ( empty( $match ) ) {
287			$is_vulnerable = false;
288			break;
289			}
290
291			$matches += $match;
292			}
293			}
294
295			// convert the matched line to an array of details showing context around the lines
296			$lines = array();
297
298			$lines_parsed = array();
299
300			$line_indices_parsed = array();
301
302			if ( $use_parser ) {
303			$line_indices_parsed = array_keys( $code );
304			}
305
306			foreach ( $matches as $line => $text ) {
307			$lines = array_merge( $lines, range( $line - 1, $line + 1 ) );
308			if ( $use_parser ) {
309			$idx = array_search( $line, $line_indices_parsed );
310
311			// we might be looking at the first or last line; for the non-parsed case, array_intersect_key
312			// handles this transparently below; for the parsed case, since we have another layer of
313			// indirection, we have to handle that case here
314			$idx_around = array();
315			if ( isset( $line_indices_parsed[ $idx - 1 ] ) ) {
316			$idx_around[] = $line_indices_parsed[ $idx - 1 ];
317			}
318			$idx_around[] = $line_indices_parsed[ $idx ];
319			if ( isset( $line_indices_parsed[ $idx + 1 ] ) ) {
320			$idx_around[] = $line_indices_parsed[ $idx + 1 ];
321			}
322			$lines_parsed = array_merge( $lines_parsed, $idx_around );
323			}
324			}
325
326			$details = array_intersect_key( $file_content, array_flip( $lines ) );
327
328			$details_parsed = array();
329
330			if ( $use_parser ) {
331			$details_parsed = array_intersect_key( $code, array_flip( $lines_parsed ) );
332			}
333
334			// provide both 'matches' and 'details', as some places want 'matches'
335			// this matches the old behavior, which would add 'details' to some items, without replacing 'matches'
336			$debug_data = array( 'matches' => $matches, 'details' => $details );
337			if ( $use_parser ) {
338			$debug_data['details_parsed'] = $details_parsed;
339			}
340
341			// Additional checking needed?
342			if ( method_exists( $signature, 'get_detailed_scanner' ) && $scanner = $signature->get_detailed_scanner() )
343			$is_vulnerable = $scanner->scan( $is_vulnerable, $file, $real_file, $file_content, $debug_data );
344			if ( $is_vulnerable ) {
345			$found[$signature->id] = $debug_data;
346			if ( isset( $signature->severity ) && $signature->severity > 8 ) // don't continue scanning
347			break;
348			}
349			}
350			}
351
352			return apply_filters_ref_array( 'post_scan_file', array ( $found, $file, $real_file, &$file_content ) );
353			}
354

Automattic / jetpack

Issues (3867)

Security Analysis not enabled

projects/plugins/vaultpress/vp-scanner.php (7 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Available Fixes

Available Fixes

Duplication Side-by-Side

Filter issues like