Issues in Terminal.php (master) - Issues in master - ByTIC/framework - Measure and Improve Code Quality continuously with Scrutinizer

Issues (917)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/WebTerminal/Terminal.php (2 issues)

Labels

Severity

Major 2

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace Nip\WebTerminal;

class Terminal
{
    protected $_OS = null;
    protected $_RunUser = null;

    protected $_requiredBinaries = [];
    protected $_commands = [];

    public function dispatch()
    {
        $this->init();
        $this->run();
        $this->postDispatch();
    }

    public function init()
    {
        $this->initHTML();
        $this->printHeader();
        $this->checkRequiredBinaries();
    }

    public function initHTML()
    {
        require(dirname(__FILE__).'/Layout/header.html');
    }

    public function printHeader()
    {
        echo '
Checking the environment ...
Running as <b>'.$this->getRunUser().'</b>.
';
    }

    public function getRunUser()
    {
        if ($this->_RunUser === null) {

            $this->_RunUser = trim(shell_exec('whoami'));
        }

        return $this->_RunUser;
    }

    public function checkRequiredBinaries()
    {
        foreach ($this->_requiredBinaries as $binary) {
            $this->checkRequiredBinary($binary);
        }
    }

    public function checkRequiredBinary($binary)
    {
        $shellCommand = $this->getCommand('which').' '.$binary;
        $process = $this->runProcess($shellCommand, false);
        $path = $process->getReturn();
        $this->checkRequiredBinaryPath($path, $shellCommand, $binary);
    }

    public function getCommand($command)
    {
        if ($this->getOS() == 'Windows') {
            switch ($command) {
                case 'which':
                    return 'where';

            }
        }

        return $command;
    }

    public function getOS()
    {
        if ($this->_OS === null) {
            $this->_OS = $this->getRunUser() == 'nt authority\system' ? 'Windows' : 'Linux';
        }

        return $this->_OS;
    }

    public function runProcess($command, $output = true)
    {
        $process = new Process();
        $process->setCommand($command);
        $process->setVerbose($output);
        $process->run();

        if ($process->isError()) {
            $this->printProcessError($process);
            die();

        }

        return $process;
    }

    public function printProcessError(Process $process)
    {
        echo '
<div class="error">
Error encountered!
Stopping the script to prevent possible data loss.
ERROR CODE ['.$process->getExitCode().']
</div>
';
    }

    public function checkRequiredBinaryPath($path, $shellCommand, $binary)
    {
        if ($path == '') {
            die(sprintf('<div class="error">

                    <b>%s</b> not available. It needs to be installed on the server for this script to work.
                    [%s]
                </div>', $binary, $shellCommand));
        } else {
            $version = explode("\n", shell_exec($binary.' --version'));
            printf('<b>%s</b> : %s'."\n", $path, $version[0]);
        }
    }

    public function run()
    {
        $this->runPreCheck();
        $this->printRunHeader();
        $this->runCommands();
    }

    public function runPreCheck()
    {
    }

    public function printRunHeader()
    {
        echo '
Environment OK.
Deploying ['.__DIR__.']
Run Commands on ['.getcwd()."]\n";
    }

    public function runCommands()
    {
        foreach ($this->_commands as $command) {
            $this->runCommand($command);
        }
    }

    public function runCommand($command)
    {
        set_time_limit(300); // Reset the time limit for each command
        $this->printCommand($command);
        echo '<div class="output">';
        $process = $this->runProcess($command);
        echo 'Exit Code ['.$process->getExitCode().']'."\n";
        echo '</div>';
    }

    public function printCommand($command)
    {
        echo '<span class="prompt">$</span> <span class="command">'.$command.'</span>';
    }

    public function postDispatch()
    {
        echo '
Done.
</pre>
</body>
</html>';
    }

    public function setCWD($dir)
    {
        chdir($dir);
    }

    public function addCommand($command)
    {
        $this->_commands[] = $command;

        return $this;
    }

    public function checklCommand($command)
    {
        set_time_limit(300); // Reset the time limit for each command
        $this->printCommand($command);
        echo '<div class="output">';
        $this->runProcess($command);
        echo '</div>';
    }

    public function addRequiredBinaries($required)
    {
        $this->_requiredBinaries[] = $required;

        return $this;
    }
}

GitHub Access Token became invalid

Issues (917)

Security Analysis not enabled

src/WebTerminal/Terminal.php (2 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

1			<?php
2
3			namespace Nip\WebTerminal;
4
5			class Terminal
6			{
7			protected $_OS = null;
8			protected $_RunUser = null;
9
10			protected $_requiredBinaries = [];
11			protected $_commands = [];
12
13			public function dispatch()
14			{
15			$this->init();
16			$this->run();
17			$this->postDispatch();
18			}
19
20			public function init()
21			{
22			$this->initHTML();
23			$this->printHeader();
24			$this->checkRequiredBinaries();
25			}
26
27			public function initHTML()
28			{
29			require(dirname(__FILE__).'/Layout/header.html');
30			}
31
32			public function printHeader()
33			{
34			echo '
35			Checking the environment ...
36			Running as <b>'.$this->getRunUser().'</b>.
37			';
38			}
39
40			public function getRunUser()
41			{
42			if ($this->_RunUser === null) {
43
44			$this->_RunUser = trim(shell_exec('whoami'));
45			}
46
47			return $this->_RunUser;
48			}
49
50			public function checkRequiredBinaries()
51			{
52			foreach ($this->_requiredBinaries as $binary) {
53			$this->checkRequiredBinary($binary);
54			}
55			}
56
57			public function checkRequiredBinary($binary)
58			{
59			$shellCommand = $this->getCommand('which').' '.$binary;
60			$process = $this->runProcess($shellCommand, false);
61			$path = $process->getReturn();
62			$this->checkRequiredBinaryPath($path, $shellCommand, $binary);
63			}
64
65			public function getCommand($command)
66			{
67			if ($this->getOS() == 'Windows') {
68			switch ($command) {
69			case 'which':
70			return 'where';
71
72			}
73			}
74
75			return $command;
76			}
77
78			public function getOS()
79			{
80			if ($this->_OS === null) {
81			$this->_OS = $this->getRunUser() == 'nt authority\system' ? 'Windows' : 'Linux';
82			}
83
84			return $this->_OS;
85			}
86
87			public function runProcess($command, $output = true)
88			{
89			$process = new Process();
90			$process->setCommand($command);
91			$process->setVerbose($output);
92			$process->run();
93
94			if ($process->isError()) {
95			$this->printProcessError($process);
96			die();
			0 ignored issues – show Coding Style Compatibility introduced 2017-03-05 14:00 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `runProcess()` contains an exit expression. An exit expression should only be used in rare cases. For example, if you write a short command line script. In most cases however, using an `exit` expression makes the code untestable and often causes incompatibilities with other libraries. Thus, unless you are absolutely sure it is required here, we recommend to refactor your code to avoid its usage. Loading history...
97			}
98
99			return $process;
100			}
101
102			public function printProcessError(Process $process)
103			{
104			echo '
105			<div class="error">
106			Error encountered!
107			Stopping the script to prevent possible data loss.
108			ERROR CODE ['.$process->getExitCode().']
109			</div>
110			';
111			}
112
113			public function checkRequiredBinaryPath($path, $shellCommand, $binary)
114			{
115			if ($path == '') {
116			die(sprintf('<div class="error">
			0 ignored issues – show Coding Style Compatibility introduced 2017-03-05 14:00 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `checkRequiredBinaryPath()` contains an exit expression. An exit expression should only be used in rare cases. For example, if you write a short command line script. In most cases however, using an `exit` expression makes the code untestable and often causes incompatibilities with other libraries. Thus, unless you are absolutely sure it is required here, we recommend to refactor your code to avoid its usage. Loading history...
117			<b>%s</b> not available. It needs to be installed on the server for this script to work.
118			[%s]
119			</div>', $binary, $shellCommand));
120			} else {
121			$version = explode("\n", shell_exec($binary.' --version'));
122			printf('<b>%s</b> : %s'."\n", $path, $version[0]);
123			}
124			}
125
126			public function run()
127			{
128			$this->runPreCheck();
129			$this->printRunHeader();
130			$this->runCommands();
131			}
132
133			public function runPreCheck()
134			{
135			}
136
137			public function printRunHeader()
138			{
139			echo '
140			Environment OK.
141			Deploying ['.__DIR__.']
142			Run Commands on ['.getcwd()."]\n";
143			}
144
145			public function runCommands()
146			{
147			foreach ($this->_commands as $command) {
148			$this->runCommand($command);
149			}
150			}
151
152			public function runCommand($command)
153			{
154			set_time_limit(300); // Reset the time limit for each command
155			$this->printCommand($command);
156			echo '<div class="output">';
157			$process = $this->runProcess($command);
158			echo 'Exit Code ['.$process->getExitCode().']'."\n";
159			echo '</div>';
160			}
161
162			public function printCommand($command)
163			{
164			echo '<span class="prompt">$</span> <span class="command">'.$command.'</span>';
165			}
166
167			public function postDispatch()
168			{
169			echo '
170			Done.
171			</pre>
172			</body>
173			</html>';
174			}
175
176			public function setCWD($dir)
177			{
178			chdir($dir);
179			}
180
181			public function addCommand($command)
182			{
183			$this->_commands[] = $command;
184
185			return $this;
186			}
187
188			public function checklCommand($command)
189			{
190			set_time_limit(300); // Reset the time limit for each command
191			$this->printCommand($command);
192			echo '<div class="output">';
193			$this->runProcess($command);
194			echo '</div>';
195			}
196
197			public function addRequiredBinaries($required)
198			{
199			$this->_requiredBinaries[] = $required;
200
201			return $this;
202			}
203			}

ByTIC / framework

GitHub Access Token became invalid

Issues (917)

Security Analysis not enabled

src/WebTerminal/Terminal.php (2 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like