Issues in ParamDefinitionFactory.php (master) - Issues in master - JeroenDeDauw/ParamProcessor - Measure and Improve Code Quality continuously with Scrutinizer

Issues (51)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/ParamDefinitionFactory.php (2 issues)

Labels

Deprecated Code 2

Severity

Minor 2

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace ParamProcessor;

use Exception;
use OutOfBoundsException;
use ParamProcessor\PackagePrivate\ParamType;
use ValueValidators\NullValidator;

/**
 * Factory for ParamDefinition implementing objects.
 *
 * @licence GNU GPL v2+
 * @author Jeroen De Dauw < [email protected] >
 */
class ParamDefinitionFactory {

	private $types;

	/**
	 * @since 1.8
	 */
	public function __construct( ParameterTypes $types = null ) {
		$this->types = $types ?? new ParameterTypes();
	}

	/**
	 * Returns a ParamDefinitionFactory that already has the core parameter types (@see ParameterTypes) registered.
	 *
	 * @since 1.6
	 */
	public static function newDefault(): self {
		return new self( ParameterTypes::newCoreTypes() );
	}

	/**
	 * @deprecated since 1.0
	 */
	public static function singleton(): self {
		static $instance = false;

		if ( $instance === false ) {
			$instance = new self();
			$instance->registerGlobals();

		}

		return $instance;
	}

	/**
	 * Registers the parameter types specified in the global $wgParamDefinitions.
	 * @deprecated since 1.6
	 */
	public function registerGlobals() {
		if ( array_key_exists( 'wgParamDefinitions', $GLOBALS ) ) {
			foreach ( $GLOBALS['wgParamDefinitions'] as $type => $data ) {
				if ( is_string( $data ) ) {
					$data = [ 'definition' => $data ];
				}

				$this->registerType( $type, $data );
			}
		}
	}

	/**
	 * Registers a parameter type.
	 *
	 * The type is specified as a string identifier for the type, ie 'boolean',
	 * and an array containing further data. This data currently includes:
	 *
	 * - string-parser:       the parser to use to transform string values
	 *                        This class needs to implement ValueParser. Default: NullParser
	 * - typed-parser:        DEPRECATED since 1.6 - the parser to use to transform typed PHP values
	 *                        This class needs to implement ValueParser. Default: NullParser
	 * - validator:           the validation object to use
	 *                        This class needs to implement ValueValidator. Default: NullValidator
	 * - validation-callback  a callback to use for validation, called before the ValueValidator
	 *                        This callback needs to return a boolean indicating validity.
	 *
	 * @since 1.0
	 *
	 * @param string $type
	 * @param array $data
	 *
	 * @return boolean DEPRECATED since 1.6 - Indicates if the type was registered
	 */
	public function registerType( $type, array $data ) {
		if ( $this->types->hasType( $type ) ) {
			return false;
		}

		$this->types->addType( $type, $data );

		return true;
	}

	/**
	 * Creates a new instance of a ParamDefinition based on the provided type.
	 *
	 * @param string $typeName
	 * @param string $name
	 * @param mixed $default
	 * @param string $message
	 * @param boolean $isList
	 *
	 * @return ParamDefinition
	 * @throws OutOfBoundsException
	 */
	public function newDefinition( string $typeName, string $name, $default, string $message, bool $isList = false ): ParamDefinition {
		if ( !$this->types->hasType( $typeName ) ) {
			throw new OutOfBoundsException( 'Unknown parameter type "' . $typeName . '".' );
		}

		$type = $this->types->getType( $typeName );
		$class = $type->getClassName();

		/**
		 * @var ParamDefinition $definition
		 */
		$definition = new $class(
			$typeName,
			$name,
			$default,
			$message,
			$isList
		);

		$validator = $type->getValidatorClass();

		if ( $validator !== NullValidator::class ) {
			$definition->setValueValidator( new $validator() );
		}

		$validationCallback = $type->getValidationCallback();

		if ( $validationCallback !== null ) {
			$definition->setValidationCallback( $validationCallback );
		}

		return $definition;
	}

	/**
	 * Package private
	 */
	public function getType( string $typeName ): ParamType {
		return $this->types->getType( $typeName );
	}

	/**
	 * @param array $definitionArray
	 * @param bool $getMad DEPRECATED since 1.6
	 *
	 * @return ParamDefinition|false
	 * @throws Exception
	 */
	public function newDefinitionFromArray( array $definitionArray, $getMad = true ) {
		foreach ( [ 'name', 'message' ] as $requiredElement ) {
			if ( !array_key_exists( $requiredElement, $definitionArray ) ) {
				if ( $getMad ) {
					throw new Exception( 'Could not construct a ParamDefinition from an array without ' . $requiredElement . ' element' );
				}

				return false;
			}
		}

		$definition = $this->newDefinition(
			array_key_exists( 'type', $definitionArray ) ? $definitionArray['type'] : 'string',
			$definitionArray['name'],
			array_key_exists( 'default', $definitionArray ) ? $definitionArray['default'] : null,
			$definitionArray['message'],
			array_key_exists( 'islist', $definitionArray ) ? $definitionArray['islist'] : false
		);

		$definition->setArrayValues( $definitionArray );


		return $definition;
	}

	/**
	 * @since 1.9
	 *
	 * @param array $definitionArrays Each element must either be
	 * - A definition array with "name" key
	 * - A name key pointing to a definition array
	 * - A ParamDefinition instance (discouraged)
	 *
	 * @return ParamDefinition[]
	 * @throws Exception
	 */
	public function newDefinitionsFromArrays( array $definitionArrays ): array {
		$cleanList = [];

		foreach ( $definitionArrays as $key => $definitionArray ) {
			if ( is_array( $definitionArray ) ) {
				if ( !array_key_exists( 'name', $definitionArray ) && is_string( $key ) ) {
					$definitionArray['name'] = $key;
				}

				$definitionArray = $this->newDefinitionFromArray( $definitionArray );
			}

			if ( !( $definitionArray instanceof IParamDefinition ) ) {
				throw new Exception( 'Parameter definition not an instance of IParamDefinition' );
			}

			$cleanList[$definitionArray->getName()] = $definitionArray;
		}

		return $cleanList;
	}

}


1		<?php
2
3		namespace ParamProcessor;
4
5		use Exception;
6		use OutOfBoundsException;
7		use ParamProcessor\PackagePrivate\ParamType;
8		use ValueValidators\NullValidator;
9
10		/**
11		* Factory for ParamDefinition implementing objects.
12		*
13		* @licence GNU GPL v2+
14		* @author Jeroen De Dauw < [email protected] >
15		*/
16		class ParamDefinitionFactory {
17
18		private $types;
19
20		/**
21		* @since 1.8
22		*/
23	59	public function __construct( ParameterTypes $types = null ) {
24	59	$this->types = $types ?? new ParameterTypes();
25	59	}
26
27		/**
28		* Returns a ParamDefinitionFactory that already has the core parameter types (@see ParameterTypes) registered.
29		*
30		* @since 1.6
31		*/
32	59	public static function newDefault(): self {
33	59	return new self( ParameterTypes::newCoreTypes() );
34		}
35
36		/**
37		* @deprecated since 1.0
38		*/
39	104	public static function singleton(): self {
40	104	static $instance = false;
41
42	104	if ( $instance === false ) {
43		$instance = new self();
44		$instance->registerGlobals();
		0 ignored issues – show Deprecated Code introduced 2019-07-28 09:15 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `ParamProcessor\ParamDefi...tory::registerGlobals()` has been deprecated with message: since 1.6 This method has been deprecated. The supplier of the class has supplied an explanatory message. The explanatory message should give you some clue as to whether and when the method will be removed from the class and what other method or class to use instead. Loading history...
45		}
46
47	104	return $instance;
48		}
49
50		/**
51		* Registers the parameter types specified in the global $wgParamDefinitions.
52		* @deprecated since 1.6
53		*/
54		public function registerGlobals() {
55		if ( array_key_exists( 'wgParamDefinitions', $GLOBALS ) ) {
56		foreach ( $GLOBALS['wgParamDefinitions'] as $type => $data ) {
57		if ( is_string( $data ) ) {
58		$data = [ 'definition' => $data ];
59		}
60
61		$this->registerType( $type, $data );
62		}
63		}
64		}
65
66		/**
67		* Registers a parameter type.
68		*
69		* The type is specified as a string identifier for the type, ie 'boolean',
70		* and an array containing further data. This data currently includes:
71		*
72		* - string-parser: the parser to use to transform string values
73		* This class needs to implement ValueParser. Default: NullParser
74		* - typed-parser: DEPRECATED since 1.6 - the parser to use to transform typed PHP values
75		* This class needs to implement ValueParser. Default: NullParser
76		* - validator: the validation object to use
77		* This class needs to implement ValueValidator. Default: NullValidator
78		* - validation-callback a callback to use for validation, called before the ValueValidator
79		* This callback needs to return a boolean indicating validity.
80		*
81		* @since 1.0
82		*
83		* @param string $type
84		* @param array $data
85		*
86		* @return boolean DEPRECATED since 1.6 - Indicates if the type was registered
87		*/
88		public function registerType( $type, array $data ) {
89		if ( $this->types->hasType( $type ) ) {
90		return false;
91		}
92
93		$this->types->addType( $type, $data );
94
95		return true;
96		}
97
98		/**
99		* Creates a new instance of a ParamDefinition based on the provided type.
100		*
101		* @param string $typeName
102		* @param string $name
103		* @param mixed $default
104		* @param string $message
105		* @param boolean $isList
106		*
107		* @return ParamDefinition
108		* @throws OutOfBoundsException
109		*/
110	93	public function newDefinition( string $typeName, string $name, $default, string $message, bool $isList = false ): ParamDefinition {
111	93	if ( !$this->types->hasType( $typeName ) ) {
112		throw new OutOfBoundsException( 'Unknown parameter type "' . $typeName . '".' );
113		}
114
115	93	$type = $this->types->getType( $typeName );
116	93	$class = $type->getClassName();
117
118		/**
119		* @var ParamDefinition $definition
120		*/
121	93	$definition = new $class(
122	93	$typeName,
123		$name,
124		$default,
125		$message,
126		$isList
127		);
128
129	93	$validator = $type->getValidatorClass();
130
131	93	if ( $validator !== NullValidator::class ) {
132	93	$definition->setValueValidator( new $validator() );
133		}
134
135	93	$validationCallback = $type->getValidationCallback();
136
137	93	if ( $validationCallback !== null ) {
138	47	$definition->setValidationCallback( $validationCallback );
139		}
140
141	93	return $definition;
142		}
143
144		/**
145		* Package private
146		*/
147	104	public function getType( string $typeName ): ParamType {
148	104	return $this->types->getType( $typeName );
149		}
150
151		/**
152		* @param array $definitionArray
153		* @param bool $getMad DEPRECATED since 1.6
154		*
155		* @return ParamDefinition\|false
156		* @throws Exception
157		*/
158	93	public function newDefinitionFromArray( array $definitionArray, $getMad = true ) {
159	93	foreach ( [ 'name', 'message' ] as $requiredElement ) {
160	93	if ( !array_key_exists( $requiredElement, $definitionArray ) ) {
161	1	if ( $getMad ) {
162	1	throw new Exception( 'Could not construct a ParamDefinition from an array without ' . $requiredElement . ' element' );
163		}
164
165		return false;
166		}
167		}
168
169	92	$definition = $this->newDefinition(
170	92	array_key_exists( 'type', $definitionArray ) ? $definitionArray['type'] : 'string',
171	92	$definitionArray['name'],
172	92	array_key_exists( 'default', $definitionArray ) ? $definitionArray['default'] : null,
173	92	$definitionArray['message'],
174	92	array_key_exists( 'islist', $definitionArray ) ? $definitionArray['islist'] : false
175		);
176
177	92	$definition->setArrayValues( $definitionArray );
		0 ignored issues – show Deprecated Code introduced 2019-08-03 14:14 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `ParamProcessor\ParamDefinition::setArrayValues()` has been deprecated with message: since 1.7 TODO: provide alternative in ParamDefinitionFactory This method has been deprecated. The supplier of the class has supplied an explanatory message. The explanatory message should give you some clue as to whether and when the method will be removed from the class and what other method or class to use instead. Loading history...
178
179	92	return $definition;
180		}
181
182		/**
183		* @since 1.9
184		*
185		* @param array $definitionArrays Each element must either be
186		* - A definition array with "name" key
187		* - A name key pointing to a definition array
188		* - A ParamDefinition instance (discouraged)
189		*
190		* @return ParamDefinition[]
191		* @throws Exception
192		*/
193	100	public function newDefinitionsFromArrays( array $definitionArrays ): array {
194	100	$cleanList = [];
195
196	100	foreach ( $definitionArrays as $key => $definitionArray ) {
197	53	if ( is_array( $definitionArray ) ) {
198	52	if ( !array_key_exists( 'name', $definitionArray ) && is_string( $key ) ) {
199	50	$definitionArray['name'] = $key;
200		}
201
202	52	$definitionArray = $this->newDefinitionFromArray( $definitionArray );
203		}
204
205	52	if ( !( $definitionArray instanceof IParamDefinition ) ) {
206		throw new Exception( 'Parameter definition not an instance of IParamDefinition' );
207		}
208
209	52	$cleanList[$definitionArray->getName()] = $definitionArray;
210		}
211
212	99	return $cleanList;
213		}
214
215		}
216

JeroenDeDauw / ParamProcessor

Issues (51)

Security Analysis no request data

src/ParamDefinitionFactory.php (2 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like