Issues in UploadFile.php (master) - Issues in master - Doctrs/SonataImportBundle - Measure and Improve Code Quality continuously with Scrutinizer

Issues (13)

Security Analysis not enabled

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

Header Injection

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

Entity/UploadFile.php (2 issues)

Labels

Severity

Major 2

<?php

namespace Doctrs\SonataImportBundle\Entity;

use Doctrine\ORM\Mapping as ORM;
filter:
    dependency_paths: ["lib/*"]
use Symfony\Component\HttpFoundation\File\File;
use Symfony\Component\HttpFoundation\File\UploadedFile;

/**
 * UploadFile
 *
 * @ORM\Table("ext_sonata_import_file")
 * @ORM\Entity(repositoryClass="Doctrs\SonataImportBundle\Repository\DefaultRepository")
 * @ORM\HasLifecycleCallbacks()
 */
class UploadFile
{

    const STATUS_LOAD = 1;
    const STATUS_SUCCESS = 2;
    const STATUS_ERROR = 3;

    /**
     * @var integer
     *
     * @ORM\Column(name="id", type="integer")
     * @ORM\Id
     * @ORM\GeneratedValue(strategy="AUTO")
     */
    private $id;

    /**
     * @var \DateTime
     *
     * @ORM\Column(name="ts", type="datetime")
     */
    private $ts;

    /**
     * @var string
     *
     * @ORM\Column(name="file", type="string")
     * @var UploadedFile
     */
    private $file;

    /**
     * @var string
     *
     * @ORM\Column(name="encode", type="string")
     */
    private $encode;

    /**
     * @var string
     *
     * @ORM\Column(name="loader_class", type="string")
     */
    private $loaderClass;

    /**
     * @var string
     *
     * @ORM\Column(name="status", type="integer")
     */
    private $status;

    /**
     * @var string
     *
     * @ORM\Column(name="message", type="text", nullable=true)
     */
    private $message;

    /**
     * @ORM\OneToMany(targetEntity="Doctrs\SonataImportBundle\Entity\ImportLog", mappedBy="uploadFile")
     */
    private $importLog;


    /**
     * Get id
     *
     * @return integer 
     */
    public function getId()
    {
        return $this->id;
    }

    /**
     * Get ts
     *
     * @return \DateTime 
     */
    public function getTs()
    {
        return $this->ts;
    }

    /**
     * Set file
     *
     * @param string $file
     * @return UploadFile
     */
    public function setFile($file)
    {
        $this->file = $file;

        return $this;
    }

    /**
     * Get file
     *
     * @return UploadedFile|null
     */
    public function getFile()
    {
        return $this->file;

    }

    /**
     * @ORM\PrePersist()
     * @ORM\PreUpdate()
     */
    public function prePersistUpdate() {
        if (!$this->status) {
            $this->status = self::STATUS_LOAD;
        }
        $this->ts = new \DateTime();
    }

    /**
     * @param $encode
     * @return UploadFile
     */
    public function setEncode($encode) {
        $this->encode = $encode;

        return $this;
    }

    /**
     * @return string
     */
    public function getEncode() {
        return $this->encode;
    }

    /**
     * @param $message
     * @return UploadFile
     */
    public function setMessage($message) {
        $this->message = $message;

        return $this;
    }

    /**
     * @return string
     */
    public function getMessage() {
        return $this->message;
    }

    /**
     * @param $status
     * @return UploadFile
     */
    public function setStatus($status) {
        $this->status = $status;

        return $this;
    }

    /**
     * @return string
     */
    public function getStatus() {
        return $this->status;
    }

    /**
     * @param $loaderClass
     * @return $this
     */
    public function setLoaderClass($loaderClass) {
        $this->loaderClass = $loaderClass;

        return $this;
    }

    /**
     * @return string
     */
    public function getLoaderClass() {
        return $this->loaderClass;
    }

    public function move($uploadDir) {
        $file = $this->getFile();
        $fileName = md5(uniqid() . time()) . '.' . $file->guessExtension();
        $file->move($uploadDir, $fileName);
        $this->setFile($uploadDir . '/' . $fileName);
    }

    /**
     * @param $message
     * @return $this
     */
    public function setStatusError($message) {
        $this->setStatus(self::STATUS_ERROR);
        $this->setMessage($message);
        return $this;
    }

    /**
     * @return string
     */
    public function __toString() {
        return (string)$this->message;
    }

    /**
     * @return mixed
     */
    public function getImportLog()
    {
        return $this->importLog;
    }
}


1			<?php
2
3			namespace Doctrs\SonataImportBundle\Entity;
4
5			use Doctrine\ORM\Mapping as ORM;
			0 ignored issues – show Bug introduced 2017-10-12 09:32 UTC by Report Bug Copy Issue Report Show Similar Issues like this The type `Doctrine\ORM\Mapping` was not found. Maybe you did not declare it correctly or list all dependencies? The issue could also be caused by a filter entry in the build configuration. If the path has been excluded in your configuration, e.g. `excluded_paths: ["lib/"]`, you can move it to the dependency path list as follows: filter: dependency_paths: ["lib/"] For further information see https://scrutinizer-ci.com/docs/tools/php/php-scrutinizer/#list-dependency-paths Loading history...
6			use Symfony\Component\HttpFoundation\File\File;
7			use Symfony\Component\HttpFoundation\File\UploadedFile;
8
9			/**
10			* UploadFile
11			*
12			* @ORM\Table("ext_sonata_import_file")
13			* @ORM\Entity(repositoryClass="Doctrs\SonataImportBundle\Repository\DefaultRepository")
14			* @ORM\HasLifecycleCallbacks()
15			*/
16			class UploadFile
17			{
18
19			const STATUS_LOAD = 1;
20			const STATUS_SUCCESS = 2;
21			const STATUS_ERROR = 3;
22
23			/**
24			* @var integer
25			*
26			* @ORM\Column(name="id", type="integer")
27			* @ORM\Id
28			* @ORM\GeneratedValue(strategy="AUTO")
29			*/
30			private $id;
31
32			/**
33			* @var \DateTime
34			*
35			* @ORM\Column(name="ts", type="datetime")
36			*/
37			private $ts;
38
39			/**
40			* @var string
41			*
42			* @ORM\Column(name="file", type="string")
43			* @var UploadedFile
44			*/
45			private $file;
46
47			/**
48			* @var string
49			*
50			* @ORM\Column(name="encode", type="string")
51			*/
52			private $encode;
53
54			/**
55			* @var string
56			*
57			* @ORM\Column(name="loader_class", type="string")
58			*/
59			private $loaderClass;
60
61			/**
62			* @var string
63			*
64			* @ORM\Column(name="status", type="integer")
65			*/
66			private $status;
67
68			/**
69			* @var string
70			*
71			* @ORM\Column(name="message", type="text", nullable=true)
72			*/
73			private $message;
74
75			/**
76			* @ORM\OneToMany(targetEntity="Doctrs\SonataImportBundle\Entity\ImportLog", mappedBy="uploadFile")
77			*/
78			private $importLog;
79
80
81			/**
82			* Get id
83			*
84			* @return integer
85			*/
86			public function getId()
87			{
88			return $this->id;
89			}
90
91			/**
92			* Get ts
93			*
94			* @return \DateTime
95			*/
96			public function getTs()
97			{
98			return $this->ts;
99			}
100
101			/**
102			* Set file
103			*
104			* @param string $file
105			* @return UploadFile
106			*/
107			public function setFile($file)
108			{
109			$this->file = $file;
110
111			return $this;
112			}
113
114			/**
115			* Get file
116			*
117			* @return UploadedFile\|null
118			*/
119			public function getFile()
120			{
121			return $this->file;
			0 ignored issues – show Bug Best Practice introduced 2017-10-17 13:45 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `return $this->file` returns the type `string` which is incompatible with the documented return type `null\|Symfony\Component\H...ation\File\UploadedFile`. Loading history...
122			}
123
124			/**
125			* @ORM\PrePersist()
126			* @ORM\PreUpdate()
127			*/
128			public function prePersistUpdate() {
129			if (!$this->status) {
130			$this->status = self::STATUS_LOAD;
131			}
132			$this->ts = new \DateTime();
133			}
134
135			/**
136			* @param $encode
137			* @return UploadFile
138			*/
139			public function setEncode($encode) {
140			$this->encode = $encode;
141
142			return $this;
143			}
144
145			/**
146			* @return string
147			*/
148			public function getEncode() {
149			return $this->encode;
150			}
151
152			/**
153			* @param $message
154			* @return UploadFile
155			*/
156			public function setMessage($message) {
157			$this->message = $message;
158
159			return $this;
160			}
161
162			/**
163			* @return string
164			*/
165			public function getMessage() {
166			return $this->message;
167			}
168
169			/**
170			* @param $status
171			* @return UploadFile
172			*/
173			public function setStatus($status) {
174			$this->status = $status;
175
176			return $this;
177			}
178
179			/**
180			* @return string
181			*/
182			public function getStatus() {
183			return $this->status;
184			}
185
186			/**
187			* @param $loaderClass
188			* @return $this
189			*/
190			public function setLoaderClass($loaderClass) {
191			$this->loaderClass = $loaderClass;
192
193			return $this;
194			}
195
196			/**
197			* @return string
198			*/
199			public function getLoaderClass() {
200			return $this->loaderClass;
201			}
202
203			public function move($uploadDir) {
204			$file = $this->getFile();
205			$fileName = md5(uniqid() . time()) . '.' . $file->guessExtension();
206			$file->move($uploadDir, $fileName);
207			$this->setFile($uploadDir . '/' . $fileName);
208			}
209
210			/**
211			* @param $message
212			* @return $this
213			*/
214			public function setStatusError($message) {
215			$this->setStatus(self::STATUS_ERROR);
216			$this->setMessage($message);
217			return $this;
218			}
219
220			/**
221			* @return string
222			*/
223			public function __toString() {
224			return (string)$this->message;
225			}
226
227			/**
228			* @return mixed
229			*/
230			public function getImportLog()
231			{
232			return $this->importLog;
233			}
234			}
235

Doctrs / SonataImportBundle

Issues (13)

Security Analysis not enabled

Entity/UploadFile.php (2 issues)

Labels

Severity

Introduced By

Duplication Side-by-Side

Filter issues like