Issues in Transactional.php (master) - Issues in master - Inneair/transaction-bundle - Measure and Improve Code Quality continuously with Scrutinizer

Issues (12)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Annotation/Transactional.php (2 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

/**
 * Copyright 2016 Inneair
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * @license http://www.apache.org/licenses/LICENSE-2.0.html Apache-2.0
 */

namespace Inneair\TransactionBundle\Annotation;

use Doctrine\Common\Annotations\Annotation\Attribute;
use Doctrine\Common\Annotations\Annotation\Attributes;
use Doctrine\Common\Annotations\AnnotationException;
use Exception;
use ReflectionClass;
use ReflectionException;

/**
 * This class handles properties of the @Transactional annotation.
 * This annotation can be applied on classes or public methods. When applied on classes, all public methods inherit this
 * setting. By default, if the annotation exists with no explicit policy, the REQUIRED policy is set.
 *
 * @Annotation
 * @Target({"METHOD", "CLASS"})
 * @Attributes({
 *     @Attribute("policy", type="integer"),
 *     @Attribute("noRollbackExceptions", type="string[]")
 * })
 */
class Transactional
{
    /**
     * A transactional context is not required for this method execution.
     * No transactional context will be created, and the method will be executed in the outer transactional context, if
     * any.
     * @var integer
     */
    const NOT_REQUIRED = 1;
    /**
     * A transactional context is required for this method execution.
     * - If there is no transactional context in the call stack, this will lead to the creation of a new transaction.
     * - If there is a transactional context in the call stack, the method will be executed in this outer transactional
     * context.
     * @var integer
     */
    const REQUIRED = 2;
    /**
     * A new transactional context is required for this method execution.
     * Note that this behaviour is not strictly supported by default, and requires use of save points is enabled at
     * connection-level (see connection options).
     * - If there is no transactional context in the call stack, this will lead to the creation of a new transaction.
     * - If there is a transactional context in the call stack, this will 'only' lead to the incrementation of the
     * nesting level, and optionally to the creation of a nested transaction (with a save point), if enabled in the
     * connection configuration.
     * @var integer
     */
    const NESTED = 3;

    /**
     * Transaction policy.
     * @var integer
     */
    private $policy;
    /**
     * An array of exceptions that will not lead to a transaction rollback, if thrown during the method execution.
     * @var string[]
     */
    private $noRollbackExceptions;

    /**
     * Builds an instance of this annotation.
     *
     * @param array $options Options (defaults to an empty array).
     * @throws AnnotationException If the policy is set and has an invalid value, or if a no rollback exception does not
     * exist, or is not a valid exception.
     */
    public function __construct(array $options = [])
    {
        if (isset($options['policy'])) {
            $policy = $this->validatePolicy($options['policy']);
        } else {
            $policy = null;
        }
        $this->policy = $policy;

        if (isset($options['noRollbackExceptions'])) {
            $noRollbackExceptions = $this->validateNoRollbackExceptions(array_unique($options['noRollbackExceptions']));
        } else {
            $noRollbackExceptions = null;
        }
        $this->noRollbackExceptions = $noRollbackExceptions;
function aContainsB(array $needle = null, array  $haystack) {
    if (!$needle) {
        return false;
    }

    return array_intersect($haystack, $needle) == $haystack;
}
    }

    /**
     * Gets the transaction policy.
     *
     * @return integer Policy.
     */
    public function getPolicy()
    {
        return $this->policy;
    }

    /**
     * Gets the exception class names which does not trigger a rollback.
     *
     * @return string[] Exception class names. If <code>null</code>, the option was not set in the annotation, otherwise
     * the returned value is an array.
     */
    public function getNoRollbackExceptions()
    {
        return $this->noRollbackExceptions;
    }

    /**
     * Validates a policy specified in the annotation.
     *
     * @param integer $annotationPolicy Policy.
     * @return int Validated policy ID.
     * @throws AnnotationException If the policy is invalid.
     */
    private function validatePolicy($annotationPolicy)
    {
        $policies = [static::NOT_REQUIRED, static::REQUIRED, static::NESTED];
        if (in_array($annotationPolicy, $policies)) {
            $policy = $annotationPolicy;
        } else {
            throw new AnnotationException(
                'Invalid policy: "' . $annotationPolicy . '", must be one of the constants [' .
                implode(', ', $policies) . ']'
            );
        }
        return $policy;
    }

    /**
     * Validates the no rollback exceptions in the annotation.
     *
     * @param string[] $annotationNoRollbackExceptions Exception class names.
     * @return array Rollback exceptions.
     * @throws AnnotationException If a class is not found, or is not an exception.
     */
    private function validateNoRollbackExceptions($annotationNoRollbackExceptions)
    {
        $noRollbackExceptions = [];
        foreach ($annotationNoRollbackExceptions as $exceptionClassName) {

            try {
                $exceptionClass = new ReflectionClass($exceptionClassName);
            } catch (ReflectionException $e) {
                throw new AnnotationException('Class not found: \'' . $exceptionClassName . '\'', null, $e);
            }

            if (($exceptionClassName !== Exception::class) && !$exceptionClass->isSubclassOf(Exception::class)) {
                throw new AnnotationException('Not an exception: \'' . $exceptionClassName . '\'');
            }

            $noRollbackExceptions[] = $exceptionClassName;
        }
        return $noRollbackExceptions;
    }
}


1			<?php
2
3			/**
4			* Copyright 2016 Inneair
5			*
6			* Licensed under the Apache License, Version 2.0 (the "License");
7			* you may not use this file except in compliance with the License.
8			* You may obtain a copy of the License at
9			*
10			* http://www.apache.org/licenses/LICENSE-2.0
11			*
12			* Unless required by applicable law or agreed to in writing, software
13			* distributed under the License is distributed on an "AS IS" BASIS,
14			* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15			* See the License for the specific language governing permissions and
16			* limitations under the License.
17			*
18			* @license http://www.apache.org/licenses/LICENSE-2.0.html Apache-2.0
19			*/
20
21			namespace Inneair\TransactionBundle\Annotation;
22
23			use Doctrine\Common\Annotations\Annotation\Attribute;
24			use Doctrine\Common\Annotations\Annotation\Attributes;
25			use Doctrine\Common\Annotations\AnnotationException;
26			use Exception;
27			use ReflectionClass;
28			use ReflectionException;
29
30			/**
31			* This class handles properties of the @Transactional annotation.
32			* This annotation can be applied on classes or public methods. When applied on classes, all public methods inherit this
33			* setting. By default, if the annotation exists with no explicit policy, the REQUIRED policy is set.
34			*
35			* @Annotation
36			* @Target({"METHOD", "CLASS"})
37			* @Attributes({
38			* @Attribute("policy", type="integer"),
39			* @Attribute("noRollbackExceptions", type="string[]")
40			* })
41			*/
42			class Transactional
43			{
44			/**
45			* A transactional context is not required for this method execution.
46			* No transactional context will be created, and the method will be executed in the outer transactional context, if
47			* any.
48			* @var integer
49			*/
50			const NOT_REQUIRED = 1;
51			/**
52			* A transactional context is required for this method execution.
53			* - If there is no transactional context in the call stack, this will lead to the creation of a new transaction.
54			* - If there is a transactional context in the call stack, the method will be executed in this outer transactional
55			* context.
56			* @var integer
57			*/
58			const REQUIRED = 2;
59			/**
60			* A new transactional context is required for this method execution.
61			* Note that this behaviour is not strictly supported by default, and requires use of save points is enabled at
62			* connection-level (see connection options).
63			* - If there is no transactional context in the call stack, this will lead to the creation of a new transaction.
64			* - If there is a transactional context in the call stack, this will 'only' lead to the incrementation of the
65			* nesting level, and optionally to the creation of a nested transaction (with a save point), if enabled in the
66			* connection configuration.
67			* @var integer
68			*/
69			const NESTED = 3;
70
71			/**
72			* Transaction policy.
73			* @var integer
74			*/
75			private $policy;
76			/**
77			* An array of exceptions that will not lead to a transaction rollback, if thrown during the method execution.
78			* @var string[]
79			*/
80			private $noRollbackExceptions;
81
82			/**
83			* Builds an instance of this annotation.
84			*
85			* @param array $options Options (defaults to an empty array).
86			* @throws AnnotationException If the policy is set and has an invalid value, or if a no rollback exception does not
87			* exist, or is not a valid exception.
88			*/
89	28		public function __construct(array $options = [])
90			{
91	28		if (isset($options['policy'])) {
92	17		$policy = $this->validatePolicy($options['policy']);
93	15		} else {
94	11		$policy = null;
95			}
96	26		$this->policy = $policy;
97
98	26		if (isset($options['noRollbackExceptions'])) {
99	8		$noRollbackExceptions = $this->validateNoRollbackExceptions(array_unique($options['noRollbackExceptions']));
100	4		} else {
101	18		$noRollbackExceptions = null;
102			}
103	22		$this->noRollbackExceptions = $noRollbackExceptions;
			0 ignored issues – show Documentation Bug introduced 2016-03-23 10:25 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `$noRollbackExceptions` can be `null`. However, the property `$noRollbackExceptions` is declared as `array`. Maybe change the type of the property to `array\|null` or add a type check? Our type inference engine has found an assignment of a scalar value (like a string, an integer or null) to a property which is an array. Either this assignment is in error or the assigned type should be added to the documentation/type hint for that property. To type hint that a parameter can be either an array or null, you can set a type hint of array and a default value of null. The PHP interpreter will then accept both an array or null for that parameter. function aContainsB(array $needle = null, array $haystack) { if (!$needle) { return false; } return array_intersect($haystack, $needle) == $haystack; } The function can be called with either null or an array for the parameter `$needle` but will only accept an array as `$haystack`. Loading history...
104	22		}
105
106			/**
107			* Gets the transaction policy.
108			*
109			* @return integer Policy.
110			*/
111	20		public function getPolicy()
112			{
113	20		return $this->policy;
114			}
115
116			/**
117			* Gets the exception class names which does not trigger a rollback.
118			*
119			* @return string[] Exception class names. If <code>null</code>, the option was not set in the annotation, otherwise
120			* the returned value is an array.
121			*/
122	14		public function getNoRollbackExceptions()
123			{
124	14		return $this->noRollbackExceptions;
125			}
126
127			/**
128			* Validates a policy specified in the annotation.
129			*
130			* @param integer $annotationPolicy Policy.
131			* @return int Validated policy ID.
132			* @throws AnnotationException If the policy is invalid.
133			*/
134	17		private function validatePolicy($annotationPolicy)
135			{
136	17		$policies = [static::NOT_REQUIRED, static::REQUIRED, static::NESTED];
137	17		if (in_array($annotationPolicy, $policies)) {
138	15		$policy = $annotationPolicy;
139	15		} else {
140	2		throw new AnnotationException(
141	2		'Invalid policy: "' . $annotationPolicy . '", must be one of the constants [' .
142	2		implode(', ', $policies) . ']'
143	2		);
144			}
145	15		return $policy;
146			}
147
148			/**
149			* Validates the no rollback exceptions in the annotation.
150			*
151			* @param string[] $annotationNoRollbackExceptions Exception class names.
152			* @return array Rollback exceptions.
153			* @throws AnnotationException If a class is not found, or is not an exception.
154			*/
155	8		private function validateNoRollbackExceptions($annotationNoRollbackExceptions)
156			{
157	8		$noRollbackExceptions = [];
158	8	View Code Duplication	foreach ($annotationNoRollbackExceptions as $exceptionClassName) {
			0 ignored issues – show Duplication introduced 2016-03-23 10:25 UTC by Report Bug Copy Issue Report Show Similar Issues like this This code seems to be duplicated across your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
159			try {
160	8		$exceptionClass = new ReflectionClass($exceptionClassName);
161	8		} catch (ReflectionException $e) {
162	2		throw new AnnotationException('Class not found: \'' . $exceptionClassName . '\'', null, $e);
163			}
164
165	6		if (($exceptionClassName !== Exception::class) && !$exceptionClass->isSubclassOf(Exception::class)) {
166	2		throw new AnnotationException('Not an exception: \'' . $exceptionClassName . '\'');
167			}
168
169	4		$noRollbackExceptions[] = $exceptionClassName;
170	4		}
171	4		return $noRollbackExceptions;
172			}
173			}
174

Inneair / transaction-bundle

Issues (12)

Security Analysis no request data

src/Annotation/Transactional.php (2 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like