Issues in foafprofilesPlugin.class.php (master) - Issues in master - Enalean/tuleap - Measure and Improve Code Quality continuously with Scrutinizer

Issues (4873)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

foafprofiles/include/foafprofilesPlugin.class.php (1 issue)

Labels

Bug 1

Severity

Major 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

/**
 * foafprofilesPlugin Class
 *
 * Copyright 2011, Olivier Berger & Institut Telecom
 *
 * This program was developped in the frame of the COCLICO project
 * (http://www.coclico-project.org/) with financial support of the Paris
 * Region council.
 *
 * This file is part of FusionForge. FusionForge is free software;
 * you can redistribute it and/or modify it under the terms of the
 * GNU General Public License as published by the Free Software
 * Foundation; either version 2 of the Licence, or (at your option)
 * any later version.
 *
 * FusionForge is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License along
 * with FusionForge; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 */

require_once 'common/include/rdfutils.php';

class foafprofilesPlugin extends Plugin {
	public function __construct($id=0) {
		$this->Plugin($id) ;
		$this->name = "foafprofiles";
		$this->text = "User FOAF Profiles"; // To show in the tabs, use...
		$this->_addHook("script_accepted_types");
		$this->_addHook("content_negociated_user_home");

	}

    /**
     * @see Plugin::getDependencies()
     */
    public function getDependencies() {
        return array('fusionforge_compat');
    }

	/**
	 * Declares itself as accepting RDF XML on /users
	 * @param unknown_type $params
	 */
	function script_accepted_types (&$params) {
		$script = $params['script'];
		if ($script == 'user_home') {
			$params['accepted_types'][] = 'application/rdf+xml';
		}
	}

	/**
	 * Outputs user's FOAF profile
	 * @param unknown_type $params
	 */
	function content_negociated_user_home (&$params) {
		$username = $params['username'];
		$accept = $params['accept'];

		if($accept == 'application/rdf+xml') {
				$params['content_type'] = 'application/rdf+xml';

				$user_obj = user_get_object_by_name($username);

				$user_real_name = $user_obj->getRealName();
				$user_email = $user_obj->getEmail();
				$mbox = 'mailto:'.$user_email;
				$mbox_sha1sum = sha1($mbox);

				$projects = $user_obj->getGroups() ;
				sortProjectList($projects) ;
				$roles = RBACEngine::getInstance()->getAvailableRolesForUser($user_obj) ;
				sortRoleList($roles) ;
				
				// Construct an ARC2_Resource containing the project's RDF (DOAP) description
				$ns = array(
						'rdf' => 'http://www.w3.org/1999/02/22-rdf-syntax-ns#',
						'rdfs' => 'http://www.w3.org/2000/01/rdf-schema#',
						'foaf' => 'http://xmlns.com/foaf/0.1/',
						'sioc' => 'http://rdfs.org/sioc/ns#', 
						'doap' => 'http://usefulinc.com/ns/doap#',
						'dcterms' => 'http://purl.org/dc/terms/',
						'planetforge' => 'http://coclico-project.org/ontology/planetforge#'
				);
				 
				$conf = array(
						'ns' => $ns
				);
				
				// First, let's deal with the account
				$account_res = ARC2::getResource($conf);
				$account_uri = util_make_url_u($username, $user_obj->getID());
				$account_uri = rtrim($account_uri,'/');
				$person_uri = $account_uri . '#person';
				
				$account_res->setURI( $account_uri );
				// $account_res->setRel('rdf:type', 'foaf:OnlineAccount');
				rdfutils_setPropToUri($account_res, 'rdf:type', 'foaf:OnlineAccount');
				rdfutils_setPropToUri($account_res, 'foaf:accountServiceHomepage', $account_uri . '/');
				$account_res->setProp('foaf:accountName', $username);
				rdfutils_setPropToUri($account_res, 'sioc:account_of', $person_uri);
				rdfutils_setPropToUri($account_res, 'foaf:accountProfilePage', $account_uri);

				$groups_index = array();
				$projects_index = array();
				$roles_index = array();
				
				$usergroups_uris = array();
				// see if there were any groups
				if (count($projects) >= 1) {
					foreach ($projects as $p) {
						// TODO : report also private projects if authenticated, for instance through OAuth
						if($p->isPublic()) {
							$project_link = util_make_link_g ($p->getUnixName(),$p->getID(),$p->getPublicName());
							$project_uri = util_make_url_g ($p->getUnixName(),$p->getID());
							// sioc:UserGroups for all members of a project are named after /projects/A_PROJECT/members/
							$usergroup_uri = $project_uri .'members/';

							$role_names = array();
							
							$usergroups_uris[] = $usergroup_uri;
							
							$usergroup_res = ARC2::getResource($conf);
							$usergroup_res->setURI( $usergroup_uri );
							rdfutils_setPropToUri($usergroup_res, 'rdf:type', 'sioc:UserGroup');
							rdfutils_setPropToUri($usergroup_res, 'sioc:usergroup_of', $project_uri);

							$roles_uris = array();
							foreach ($roles as $r) {
								if ($r instanceof RoleExplicit
if ($x instanceof DoesNotExist) {
    // Do something.
}
										&& $r->getHomeProject() != NULL
										&& $r->getHomeProject()->getID() == $p->getID()) {
									$role_names[$r->getID()] = $r->getName() ;
									$role_uri = $project_uri .'roles/'.$r->getID();
									
									$roles_uris[] = $role_uri;
								}
							}
							rdfutils_setPropToUri($usergroup_res, 'planetforge:group_has_function', $roles_uris);

							$project_res = ARC2::getResource($conf);
							$project_res->setURI( $project_uri );
							rdfutils_setPropToUri($project_res, 'rdf:type', 'planetforge:ForgeProject');
							$project_res->setProp('doap:name', $p->getUnixName());
							
							$projects_index = ARC2::getMergedIndex($projects_index, $project_res->index);
							
							
							foreach ($role_names as $id => $name) {
								$role_res = ARC2::getResource($conf);
								$role_res->setURI( $project_uri .'roles/'.$id );
								rdfutils_setPropToUri($role_res, 'rdf:type', 'sioc:Role');
								$role_res->setProp('sioc:name', $name);
								
								$roles_index = ARC2::getMergedIndex($roles_index, $role_res->index);
							}
							
							$groups_index = ARC2::getMergedIndex($groups_index, $usergroup_res->index);
															
						}
					}
				} // end if groups
				rdfutils_setPropToUri($account_res, 'sioc:member_of', $usergroups_uris);
				
				// next, deal with the person
				$person_res = ARC2::getResource($conf);
				
				$person_res->setURI( $person_uri );
				rdfutils_setPropToUri($person_res, 'rdf:type', 'foaf:Person');
				$person_res->setProp('foaf:name', $user_real_name);
				rdfutils_setPropToUri($person_res, 'foaf:holdsAccount', $account_uri);
				$person_res->setProp('foaf:mbox_sha1sum', $mbox_sha1sum);
				
				// merge the two sets of triples
				$merged_index = ARC2::getMergedIndex($account_res->index, $person_res->index);
				$merged_index = ARC2::getMergedIndex($merged_index, $groups_index);
				$merged_index = ARC2::getMergedIndex($merged_index, $projects_index);
				$merged_index = ARC2::getMergedIndex($merged_index, $roles_index);
      			
    			$conf = array(
    					'ns' => $ns,
    					'serializer_type_nodes' => true
    			);
    				
    			$ser = ARC2::getRDFXMLSerializer($conf);
    				
    			/* Serialize a resource index */
    			$doc = $ser->getSerializedIndex($merged_index);
    			
    			$params['content'] = $doc . "\n";
		}
	}
}

// Local Variables:
// mode: php
// c-file-style: "bsd"
// End:


GitHub Access Token became invalid

Issues (4873)

Security Analysis not enabled

foafprofiles/include/foafprofilesPlugin.class.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

1. Missing dependencies

2. Missing use statement

1			<?php
2
3			/**
4			* foafprofilesPlugin Class
5			*
6			* Copyright 2011, Olivier Berger & Institut Telecom
7			*
8			* This program was developped in the frame of the COCLICO project
9			* (http://www.coclico-project.org/) with financial support of the Paris
10			* Region council.
11			*
12			* This file is part of FusionForge. FusionForge is free software;
13			* you can redistribute it and/or modify it under the terms of the
14			* GNU General Public License as published by the Free Software
15			* Foundation; either version 2 of the Licence, or (at your option)
16			* any later version.
17			*
18			* FusionForge is distributed in the hope that it will be useful,
19			* but WITHOUT ANY WARRANTY; without even the implied warranty of
20			* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21			* GNU General Public License for more details.
22			*
23			* You should have received a copy of the GNU General Public License along
24			* with FusionForge; if not, write to the Free Software Foundation, Inc.,
25			* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
26			*/
27
28			require_once 'common/include/rdfutils.php';
29
30			class foafprofilesPlugin extends Plugin {
31			public function __construct($id=0) {
32			$this->Plugin($id) ;
33			$this->name = "foafprofiles";
34			$this->text = "User FOAF Profiles"; // To show in the tabs, use...
35			$this->_addHook("script_accepted_types");
36			$this->_addHook("content_negociated_user_home");
37
38			}
39
40			/**
41			* @see Plugin::getDependencies()
42			*/
43			public function getDependencies() {
44			return array('fusionforge_compat');
45			}
46
47			/**
48			* Declares itself as accepting RDF XML on /users
49			* @param unknown_type $params
50			*/
51			function script_accepted_types (&$params) {
52			$script = $params['script'];
53			if ($script == 'user_home') {
54			$params['accepted_types'][] = 'application/rdf+xml';
55			}
56			}
57
58			/**
59			* Outputs user's FOAF profile
60			* @param unknown_type $params
61			*/
62			function content_negociated_user_home (&$params) {
63			$username = $params['username'];
64			$accept = $params['accept'];
65
66			if($accept == 'application/rdf+xml') {
67			$params['content_type'] = 'application/rdf+xml';
68
69			$user_obj = user_get_object_by_name($username);
70
71			$user_real_name = $user_obj->getRealName();
72			$user_email = $user_obj->getEmail();
73			$mbox = 'mailto:'.$user_email;
74			$mbox_sha1sum = sha1($mbox);
75
76			$projects = $user_obj->getGroups() ;
77			sortProjectList($projects) ;
78			$roles = RBACEngine::getInstance()->getAvailableRolesForUser($user_obj) ;
79			sortRoleList($roles) ;
80
81			// Construct an ARC2_Resource containing the project's RDF (DOAP) description
82			$ns = array(
83			'rdf' => 'http://www.w3.org/1999/02/22-rdf-syntax-ns#',
84			'rdfs' => 'http://www.w3.org/2000/01/rdf-schema#',
85			'foaf' => 'http://xmlns.com/foaf/0.1/',
86			'sioc' => 'http://rdfs.org/sioc/ns#',
87			'doap' => 'http://usefulinc.com/ns/doap#',
88			'dcterms' => 'http://purl.org/dc/terms/',
89			'planetforge' => 'http://coclico-project.org/ontology/planetforge#'
90			);
91
92			$conf = array(
93			'ns' => $ns
94			);
95
96			// First, let's deal with the account
97			$account_res = ARC2::getResource($conf);
98			$account_uri = util_make_url_u($username, $user_obj->getID());
99			$account_uri = rtrim($account_uri,'/');
100			$person_uri = $account_uri . '#person';
101
102			$account_res->setURI( $account_uri );
103			// $account_res->setRel('rdf:type', 'foaf:OnlineAccount');
104			rdfutils_setPropToUri($account_res, 'rdf:type', 'foaf:OnlineAccount');
105			rdfutils_setPropToUri($account_res, 'foaf:accountServiceHomepage', $account_uri . '/');
106			$account_res->setProp('foaf:accountName', $username);
107			rdfutils_setPropToUri($account_res, 'sioc:account_of', $person_uri);
108			rdfutils_setPropToUri($account_res, 'foaf:accountProfilePage', $account_uri);
109
110			$groups_index = array();
111			$projects_index = array();
112			$roles_index = array();
113
114			$usergroups_uris = array();
115			// see if there were any groups
116			if (count($projects) >= 1) {
117			foreach ($projects as $p) {
118			// TODO : report also private projects if authenticated, for instance through OAuth
119			if($p->isPublic()) {
120			$project_link = util_make_link_g ($p->getUnixName(),$p->getID(),$p->getPublicName());
121			$project_uri = util_make_url_g ($p->getUnixName(),$p->getID());
122			// sioc:UserGroups for all members of a project are named after /projects/A_PROJECT/members/
123			$usergroup_uri = $project_uri .'members/';
124
125			$role_names = array();
126
127			$usergroups_uris[] = $usergroup_uri;
128
129			$usergroup_res = ARC2::getResource($conf);
130			$usergroup_res->setURI( $usergroup_uri );
131			rdfutils_setPropToUri($usergroup_res, 'rdf:type', 'sioc:UserGroup');
132			rdfutils_setPropToUri($usergroup_res, 'sioc:usergroup_of', $project_uri);
133
134			$roles_uris = array();
135			foreach ($roles as $r) {
136			if ($r instanceof RoleExplicit
			0 ignored issues – show Bug introduced 2015-12-16 20:30 UTC by Report Bug Copy Issue Report Show Similar Issues like this The class `RoleExplicit` does not exist. Did you forget a USE statement, or did you not list all dependencies? This error could be the result of: 1. Missing dependencies PHP Analyzer uses your `composer.json` file (if available) to determine the dependencies of your project and to determine all the available classes and functions. It expects the `composer.json` to be in the root folder of your repository. Are you sure this class is defined by one of your dependencies, or did you maybe not list a dependency in either the `require` or `require-dev` section? 2. Missing use statement PHP does not complain about undefined classes in `ìnstanceof` checks. For example, the following PHP code will work perfectly fine: if ($x instanceof DoesNotExist) { // Do something. } If you have not tested against this specific condition, such errors might go unnoticed. Loading history...
137			&& $r->getHomeProject() != NULL
138			&& $r->getHomeProject()->getID() == $p->getID()) {
139			$role_names[$r->getID()] = $r->getName() ;
140			$role_uri = $project_uri .'roles/'.$r->getID();
141
142			$roles_uris[] = $role_uri;
143			}
144			}
145			rdfutils_setPropToUri($usergroup_res, 'planetforge:group_has_function', $roles_uris);
146
147			$project_res = ARC2::getResource($conf);
148			$project_res->setURI( $project_uri );
149			rdfutils_setPropToUri($project_res, 'rdf:type', 'planetforge:ForgeProject');
150			$project_res->setProp('doap:name', $p->getUnixName());
151
152			$projects_index = ARC2::getMergedIndex($projects_index, $project_res->index);
153
154
155			foreach ($role_names as $id => $name) {
156			$role_res = ARC2::getResource($conf);
157			$role_res->setURI( $project_uri .'roles/'.$id );
158			rdfutils_setPropToUri($role_res, 'rdf:type', 'sioc:Role');
159			$role_res->setProp('sioc:name', $name);
160
161			$roles_index = ARC2::getMergedIndex($roles_index, $role_res->index);
162			}
163
164			$groups_index = ARC2::getMergedIndex($groups_index, $usergroup_res->index);
165
166			}
167			}
168			} // end if groups
169			rdfutils_setPropToUri($account_res, 'sioc:member_of', $usergroups_uris);
170
171			// next, deal with the person
172			$person_res = ARC2::getResource($conf);
173
174			$person_res->setURI( $person_uri );
175			rdfutils_setPropToUri($person_res, 'rdf:type', 'foaf:Person');
176			$person_res->setProp('foaf:name', $user_real_name);
177			rdfutils_setPropToUri($person_res, 'foaf:holdsAccount', $account_uri);
178			$person_res->setProp('foaf:mbox_sha1sum', $mbox_sha1sum);
179
180			// merge the two sets of triples
181			$merged_index = ARC2::getMergedIndex($account_res->index, $person_res->index);
182			$merged_index = ARC2::getMergedIndex($merged_index, $groups_index);
183			$merged_index = ARC2::getMergedIndex($merged_index, $projects_index);
184			$merged_index = ARC2::getMergedIndex($merged_index, $roles_index);
185
186			$conf = array(
187			'ns' => $ns,
188			'serializer_type_nodes' => true
189			);
190
191			$ser = ARC2::getRDFXMLSerializer($conf);
192
193			/* Serialize a resource index */
194			$doc = $ser->getSerializedIndex($merged_index);
195
196			$params['content'] = $doc . "\n";
197			}
198			}
199			}
200
201			// Local Variables:
202			// mode: php
203			// c-file-style: "bsd"
204			// End:
205

Enalean / tuleap

GitHub Access Token became invalid

Issues (4873)

Security Analysis not enabled

foafprofiles/include/foafprofilesPlugin.class.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

1. Missing dependencies

2. Missing use statement

Duplication Side-by-Side

Filter issues like