Issues in CLI_Module.class.php (master) - Issues in master - Enalean/tuleap - Measure and Improve Code Quality continuously with Scrutinizer

Issues (4873)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

cli/include/CLI_Module.class.php (3 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
* Copyright (c) Xerox Corporation, Codendi Team, 2001-2007. All rights reserved
*
* 
*/

class CLI_Module {

    var $name;
    var $description;
    var $params;
    function CLI_Module($name, $description) {
        $this->name         = $name;
        $this->description = $description;
        $this->params       = array();
        $this->actions      = array();
    }
    function getName() {
        return $this->name;
    }
    function getDescription() {
        return $this->description;
    }
    function addAction(&$action) {
        $this->actions[$action->getName()] =& $action;
        $action->setModule($this);
    }
    function getAllActions() {
        return $this->actions;
    }
    function execute($params) {
        $result = null;
        $action_name = array_shift($params);
        if (isset($this->actions[$action_name])) {
            $result = $this->actions[$action_name]->execute($params);
        } else {
            echo $this->help();
        }
        return $result;
    }
    
    function help() {
        $help = $this->getName() .":\n";
        $help .= $this->getDescription() ."\n\n";
        if (count($this->actions)) {
            $help .= "Available actions:\n";
            foreach($this->actions as $action) {
                $help .= "  * ". $action->getName() ."\n    ". $action->getDescription() ."\n";
            }
            $help .= "\n";
        }
        return $help;
    }
    /**
     * getParameter - Get a specified parameter from the command line.
     *
     * extracted from GForge Command-line Interface
     * contained in GForge.
     * Copyright 2005 GForge, LLC
     * http://gforge.org/
     *
     * Given an array of parameters passed by the command line, this function
     * searches the specified parameter in that array.
     * For example, if we want the "name" parameter in the following command:
     * $ ./script --name="john" --lastname="doe"
     * this function will return the string "john".
     * There is an option to give aliases for a certain parameter. For example, these
     * commands can be equivalent:
     * $ ./script -n "john" --lastname="doe"
     * $ ./script --name="john" --lastname="doe"
     * $ ./script -n "john" -l "doe"
     * This is done by passing an array to the parameter "name".
     * In the case of "flags", this function returns "true" is the flag is specified,
     * for instance:
     * $ ./script -v
     * $ ./script --verbose
     * This function also detects when several flags are grouped into one, for example:
     * $ ./script -abc
     * instead of
     * $ ./script -a -b -c
     * (this only works with one-character flags)
     * Note that parameter names with more than one character are assumed to be preceded by
     * "--" (like in "--name") parameters with one character are assumed to be preceded by
     * a single "-" (like in "-n")
     *
     * @param array    Array of parameters where we should look
     * @param mixed    A string that specifies the name of the parameter to look for, or an 
     *     array of aliases (ej: array("name", "n"))
     * @param bool Indicate if the parameter MUST have a value associated to it, and that it is
     *    not just a flag. This can also be seen as "isn't a flag" value
     */
    
    function getParameter(&$parameter_array, $parameter, $require_value=false) {
        for ($i=0; $i < count($parameter_array); $i++) {
for ($i=0; $i<count($array); $i++) { // calls count() on each iteration
}

// Better
for ($i=0, $c=count($array); $i<$c; $i++) { // calls count() just once
}
            $res = array();
            if (preg_match("/^\\-\\-(.+)/s",$parameter_array[$i],$res)) {    // several-character parameter? (IE, "--username=john")
                $passed_string = $res[1];
                // is it --parameter=value or just --parameter?
                $res = preg_split("/=(.+)/", $passed_string, -1, PREG_SPLIT_DELIM_CAPTURE);
                if (isset($res[1])) {
                    $passed_parameter = $res[0];
                    $passed_value = $res[1];
                    $has_value = true;
                } else {
                    $passed_parameter = $passed_string;
                    $has_value = false;
                }
                
                if (!is_array($parameter)) $search_array = array($parameter);
                else $search_array = $parameter;
                
                foreach ($search_array as $alias) {
                    if ($alias == $passed_parameter) {        // Match
                        if ($has_value) return $passed_value;
                        else if ($require_value) return null;        // Requires a value but none is passed
                        else return true;        // notify parameter was passed
                    }
                }
                
            } else if (preg_match("/^\\-(.+)/s",$parameter_array[$i],$res)) {    // Single character parameter? (IE "-z") or a group of flags (IE "-zxvf")
                $passed_parameter = $res[1];
                if (strlen($passed_parameter) == 1) {        // Some flag like "-x" or parameter "-U username"
                    // Check to see if there is a value associated to this parameter, like in "-U username".
                    // To do this, we must see the following string in the parameter array
                    if (($i+1) < count($parameter_array) && !preg_match("/^\\-/", $parameter_array[$i+1])) {
                        $i++;        // position in value
                        $passed_value = $parameter_array[$i];
                        $has_value = true;
                    } else {
                        $has_value = false;
                    }
                } else {        // Several flags grouped into one string like "-zxvf"
                    $has_value = false;
                }
                
                if (!is_array($parameter)) $search_array = array($parameter);
                else $search_array = $parameter;
                
                foreach ($search_array as $alias) {
                    if (strlen($alias) == 1) {
                        if (strpos($passed_parameter, $alias) !== false) {    // Found a match
                            if ($has_value) return $passed_value;
                            else if ($require_value) return null;
                            else return true;        // indicates that the flag was set
                        }
                    }
                }
            }
        }
        
        return null;
    }
    /**
     * get_user_input - Receive input from the user
     *
     * extracted from GForge Command-line Interface
     * contained in GForge.
     * Copyright 2005 GForge, LLC
     * http://gforge.org/
     *
     * @param string Text to show to the user
     * @param bool Specify if input shouldn't be shown (useful when asking for passwords)
     */
    function get_user_input($text, $hide=false) {
        if ($hide && PHP_OS == 'WINNT') {
            $hide = false;  // disable echo does not work in Windows
        }
        if ($text) echo $text;
        if ($hide) @exec("stty -echo");        // disable echo of the input (only works in UNIX)
// For example instead of
@mkdir($dir);

// Better use
if (@mkdir($dir) === false) {
    throw new \RuntimeException('The directory '.$dir.' could not be created.');
}
        $input = trim(fgets(STDIN));
        if ($hide) {
            @exec("stty echo");
// For example instead of
@mkdir($dir);

// Better use
if (@mkdir($dir) === false) {
    throw new \RuntimeException('The directory '.$dir.' could not be created.');
}
            echo "\n";
        }
        return $input;
    }

}

?>

1			<?php
2			/**
3			* Copyright (c) Xerox Corporation, Codendi Team, 2001-2007. All rights reserved
4			*
5			*
6			*/
7
8			class CLI_Module {
9
10			var $name;
11			var $description;
12			var $params;
13			function CLI_Module($name, $description) {
14			$this->name = $name;
15			$this->description = $description;
16			$this->params = array();
17			$this->actions = array();
18			}
19			function getName() {
20			return $this->name;
21			}
22			function getDescription() {
23			return $this->description;
24			}
25			function addAction(&$action) {
26			$this->actions[$action->getName()] =& $action;
27			$action->setModule($this);
28			}
29			function getAllActions() {
30			return $this->actions;
31			}
32			function execute($params) {
33			$result = null;
34			$action_name = array_shift($params);
35			if (isset($this->actions[$action_name])) {
36			$result = $this->actions[$action_name]->execute($params);
37			} else {
38			echo $this->help();
39			}
40			return $result;
41			}
42
43			function help() {
44			$help = $this->getName() .":\n";
45			$help .= $this->getDescription() ."\n\n";
46			if (count($this->actions)) {
47			$help .= "Available actions:\n";
48			foreach($this->actions as $action) {
49			$help .= " * ". $action->getName() ."\n ". $action->getDescription() ."\n";
50			}
51			$help .= "\n";
52			}
53			return $help;
54			}
55			/**
56			* getParameter - Get a specified parameter from the command line.
57			*
58			* extracted from GForge Command-line Interface
59			* contained in GForge.
60			* Copyright 2005 GForge, LLC
61			* http://gforge.org/
62			*
63			* Given an array of parameters passed by the command line, this function
64			* searches the specified parameter in that array.
65			* For example, if we want the "name" parameter in the following command:
66			* $ ./script --name="john" --lastname="doe"
67			* this function will return the string "john".
68			* There is an option to give aliases for a certain parameter. For example, these
69			* commands can be equivalent:
70			* $ ./script -n "john" --lastname="doe"
71			* $ ./script --name="john" --lastname="doe"
72			* $ ./script -n "john" -l "doe"
73			* This is done by passing an array to the parameter "name".
74			* In the case of "flags", this function returns "true" is the flag is specified,
75			* for instance:
76			* $ ./script -v
77			* $ ./script --verbose
78			* This function also detects when several flags are grouped into one, for example:
79			* $ ./script -abc
80			* instead of
81			* $ ./script -a -b -c
82			* (this only works with one-character flags)
83			* Note that parameter names with more than one character are assumed to be preceded by
84			* "--" (like in "--name") parameters with one character are assumed to be preceded by
85			* a single "-" (like in "-n")
86			*
87			* @param array Array of parameters where we should look
88			* @param mixed A string that specifies the name of the parameter to look for, or an
89			* array of aliases (ej: array("name", "n"))
90			* @param bool Indicate if the parameter MUST have a value associated to it, and that it is
91			* not just a flag. This can also be seen as "isn't a flag" value
92			*/
93
94			function getParameter(&$parameter_array, $parameter, $require_value=false) {
95			for ($i=0; $i < count($parameter_array); $i++) {
			0 ignored issues – show Performance Best Practice introduced 2015-12-16 20:30 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like you are calling the size function `count()` as part of the test condition. You might want to compute the size beforehand, and not on each iteration. If the size of the collection does not change during the iteration, it is generally a good practice to compute it beforehand, and not on each iteration: for ($i=0; $i<count($array); $i++) { // calls count() on each iteration } // Better for ($i=0, $c=count($array); $i<$c; $i++) { // calls count() just once } Loading history...
96			$res = array();
97			if (preg_match("/^\\-\\-(.+)/s",$parameter_array[$i],$res)) { // several-character parameter? (IE, "--username=john")
98			$passed_string = $res[1];
99			// is it --parameter=value or just --parameter?
100			$res = preg_split("/=(.+)/", $passed_string, -1, PREG_SPLIT_DELIM_CAPTURE);
101			if (isset($res[1])) {
102			$passed_parameter = $res[0];
103			$passed_value = $res[1];
104			$has_value = true;
105			} else {
106			$passed_parameter = $passed_string;
107			$has_value = false;
108			}
109
110			if (!is_array($parameter)) $search_array = array($parameter);
111			else $search_array = $parameter;
112
113			foreach ($search_array as $alias) {
114			if ($alias == $passed_parameter) { // Match
115			if ($has_value) return $passed_value;
116			else if ($require_value) return null; // Requires a value but none is passed
117			else return true; // notify parameter was passed
118			}
119			}
120
121			} else if (preg_match("/^\\-(.+)/s",$parameter_array[$i],$res)) { // Single character parameter? (IE "-z") or a group of flags (IE "-zxvf")
122			$passed_parameter = $res[1];
123			if (strlen($passed_parameter) == 1) { // Some flag like "-x" or parameter "-U username"
124			// Check to see if there is a value associated to this parameter, like in "-U username".
125			// To do this, we must see the following string in the parameter array
126			if (($i+1) < count($parameter_array) && !preg_match("/^\\-/", $parameter_array[$i+1])) {
127			$i++; // position in value
128			$passed_value = $parameter_array[$i];
129			$has_value = true;
130			} else {
131			$has_value = false;
132			}
133			} else { // Several flags grouped into one string like "-zxvf"
134			$has_value = false;
135			}
136
137			if (!is_array($parameter)) $search_array = array($parameter);
138			else $search_array = $parameter;
139
140			foreach ($search_array as $alias) {
141			if (strlen($alias) == 1) {
142			if (strpos($passed_parameter, $alias) !== false) { // Found a match
143			if ($has_value) return $passed_value;
144			else if ($require_value) return null;
145			else return true; // indicates that the flag was set
146			}
147			}
148			}
149			}
150			}
151
152			return null;
153			}
154			/**
155			* get_user_input - Receive input from the user
156			*
157			* extracted from GForge Command-line Interface
158			* contained in GForge.
159			* Copyright 2005 GForge, LLC
160			* http://gforge.org/
161			*
162			* @param string Text to show to the user
163			* @param bool Specify if input shouldn't be shown (useful when asking for passwords)
164			*/
165			function get_user_input($text, $hide=false) {
166			if ($hide && PHP_OS == 'WINNT') {
167			$hide = false; // disable echo does not work in Windows
168			}
169			if ($text) echo $text;
170			if ($hide) @exec("stty -echo"); // disable echo of the input (only works in UNIX)
			0 ignored issues – show Security Best Practice introduced 2015-12-16 20:30 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like you do not handle an error condition here. This can introduce security issues, and is generally not recommended. If you suppress an error, we recommend checking for the error condition explicitly: // For example instead of @mkdir($dir); // Better use if (@mkdir($dir) === false) { throw new \RuntimeException('The directory '.$dir.' could not be created.'); } Loading history...
171			$input = trim(fgets(STDIN));
172			if ($hide) {
173			@exec("stty echo");
			0 ignored issues – show Security Best Practice introduced 2015-12-16 20:30 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like you do not handle an error condition here. This can introduce security issues, and is generally not recommended. If you suppress an error, we recommend checking for the error condition explicitly: // For example instead of @mkdir($dir); // Better use if (@mkdir($dir) === false) { throw new \RuntimeException('The directory '.$dir.' could not be created.'); } Loading history...
174			echo "\n";
175			}
176			return $input;
177			}
178
179			}
180
181			?>

GitHub Access Token became invalid

Issues (4873)

Security Analysis not enabled

cli/include/CLI_Module.class.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Enalean / tuleap

GitHub Access Token became invalid

Issues (4873)

Security Analysis not enabled

cli/include/CLI_Module.class.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like