Issues in TaskController.php (master) - Issues in master - Jitamin/jitamin - Measure and Improve Code Quality continuously with Scrutinizer

Issues (3948)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

app/Http/Controllers/Api/TaskController.php (1 issue)

Labels

Severity

Major 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

/*
 * This file is part of Jitamin.
 *
 * Copyright (C) Jitamin Team
 *
 * For the full copyright and license information, please view the LICENSE
 * file that was distributed with this source code.
 */

namespace Jitamin\Http\Controllers\Api;

use Jitamin\Filter\TaskProjectFilter;
use Jitamin\Model\TaskModel;
use Jitamin\Policy\ProjectPolicy;
use Jitamin\Policy\TaskPolicy;

/**
 * Task API controller.
 */
class TaskController extends Controller
{
    /**
     * Get the tasks for applied filter.
     *
     * @param int    $project_id
     * @param string $query
     *
     * @return array
     */
    public function searchTasks($project_id, $query)
    {
        ProjectPolicy::getInstance($this->container)->check($this->getClassName(), 'searchTasks', $project_id);

        return $this->taskLexer->build($query)->withFilter(new TaskProjectFilter($project_id))->toArray();
    }

    /**
     * Fetch a task by the id.
     *
     * @param int $task_id Task id
     *
     * @return array
     */
    public function getTask($task_id)
    {
        TaskPolicy::getInstance($this->container)->check($this->getClassName(), 'getTask', $task_id);

        return $this->formatTask($this->taskFinderModel->getById($task_id));
    }

    /**
     * Fetch a task by the reference (external id).
     *
     * @param int    $project_id Project id
     * @param string $reference  Task reference
     *
     * @return array
     */
    public function getTaskByReference($project_id, $reference)
    {
        ProjectPolicy::getInstance($this->container)->check($this->getClassName(), 'getTaskByReference', $project_id);

        return $this->formatTask($this->taskFinderModel->getByReference($project_id, $reference));
    }

    /**
     * Get all tasks for a given project and status.
     *
     * @param int $project_id Project id
     * @param int $status_id  Status id
     *
     * @return array
     */
    public function getAllTasks($project_id, $status_id = TaskModel::STATUS_OPEN)
    {
        ProjectPolicy::getInstance($this->container)->check($this->getClassName(), 'getAllTasks', $project_id);

        return $this->formatTasks($this->taskFinderModel->getAll($project_id, $status_id));
    }

    /**
     * Get a list of overdue tasks for all projects.
     *
     * @return array
     */
    public function getOverdueTasks()
    {
        return $this->taskFinderModel->getOverdueTasks();
    }

    /**
     * Get a list of overdue tasks by project.
     *
     * @param int $project_id
     *
     * @return array
     */
    public function getOverdueTasksByProject($project_id)
    {
        ProjectPolicy::getInstance($this->container)->check($this->getClassName(), 'getOverdueTasksByProject', $project_id);

        return $this->taskFinderModel->getOverdueTasksByProject($project_id);
    }

    /**
     * Mark a task open.
     *
     * @param int $task_id Task id
     *
     * @return bool
     */
    public function openTask($task_id)
    {
        TaskPolicy::getInstance($this->container)->check($this->getClassName(), 'openTask', $task_id);

        return $this->taskStatusModel->open($task_id);
    }

    /**
     * Mark a task closed.
     *
     * @param int $task_id Task id
     *
     * @return bool
     */
    public function closeTask($task_id)
    {
        TaskPolicy::getInstance($this->container)->check($this->getClassName(), 'closeTask', $task_id);

        return $this->taskStatusModel->close($task_id);
    }

    /**
     * Remove a task.
     *
     * @param int $task_id Task id
     *
     * @return bool
     */
    public function removeTask($task_id)
    {
        TaskPolicy::getInstance($this->container)->check($this->getClassName(), 'removeTask', $task_id);

        return $this->taskModel->remove($task_id);
    }

    /**
     * Move a task to another column or to another position.
     *
     * @param int  $project_id  Project id
     * @param int  $task_id     Task id
     * @param int  $column_id   Column id
     * @param int  $position    Position (must be >= 1)
     * @param int  $swimlane_id Swimlane id
     * @param bool $fire_events Fire events
     * @param bool $onlyOpen    Do not move closed tasks
     *
     * @return bool
     */
    public function moveTaskPosition($project_id, $task_id, $column_id, $position, $swimlane_id = 0)
    {
        ProjectPolicy::getInstance($this->container)->check($this->getClassName(), 'moveTaskPosition', $project_id);

        return $this->taskPositionModel->movePosition($project_id, $task_id, $column_id, $position, $swimlane_id);
    }

    /**
     * Move a task to another project.
     *
     * @param int $task_id
     * @param int $project_id
     * @param int $swimlane_id
     * @param int $column_id
     * @param int $category_id
     * @param int $owner_id
     *
     * @return bool
     */
    public function moveTaskToProject($task_id, $project_id, $swimlane_id = null, $column_id = null, $category_id = null, $owner_id = null)
    {
        ProjectPolicy::getInstance($this->container)->check($this->getClassName(), 'moveTaskToProject', $project_id);

        return $this->taskProjectMoveModel->moveToProject($task_id, $project_id, $swimlane_id, $column_id, $category_id, $owner_id);
    }

    /**
     * Duplicate a task to another project.
     *
     * @param int $task_id
     * @param int $project_id
     * @param int $swimlane_id
     * @param int $column_id
     * @param int $category_id
     * @param int $owner_id
     *
     * @return bool|int
     */
    public function duplicateTaskToProject($task_id, $project_id, $swimlane_id = null, $column_id = null, $category_id = null, $owner_id = null)
    {
        ProjectPolicy::getInstance($this->container)->check($this->getClassName(), 'duplicateTaskToProject', $project_id);

        return $this->taskProjectDuplicationModel->duplicateToProject($task_id, $project_id, $swimlane_id, $column_id, $category_id, $owner_id);
    }

    /**
     * Create a task.
     *
     * @param string $title
     * @param int    $project_id
     * @param string $color_id
     * @param int    $column_id
     * @param int    $owner_id
     * @param int    $creator_id
     * @param string $date_due
     * @param string $description
     * @param int    $category_id
     * @param int    $score
     * @param int    $swimlane_id
     * @param int    $priority
     * @param int    $recurrence_status
     * @param int    $recurrence_trigger
     * @param int    $recurrence_factor
     * @param int    $recurrence_timeframe
     * @param int    $recurrence_basedate
     * @param string $reference
     *
     * @return int
     */
    public function createTask($title, $project_id, $color_id = '', $column_id = 0, $owner_id = 0, $creator_id = 0,
                                $date_due = '', $description = '', $category_id = 0, $score = 0, $swimlane_id = 0, $priority = 0,
                                $recurrence_status = 0, $recurrence_trigger = 0, $recurrence_factor = 0, $recurrence_timeframe = 0,
                                $recurrence_basedate = 0, $reference = '')
    {
        ProjectPolicy::getInstance($this->container)->check($this->getClassName(), 'createTask', $project_id);

        if ($owner_id !== 0 && !$this->projectPermissionModel->isAssignable($project_id, $owner_id)) {
            return false;
class Author {
    private $name;

    public function __construct($name) {
        $this->name = $name;
    }

    public function getName() {
        return $this->name;
    }
}

abstract class Post {
    public function getAuthor() {
        return 'Johannes';
    }
}

class BlogPost extends Post {
    public function getAuthor() {
        return new Author('Johannes');
    }
}

class ForumPost extends Post { /* ... */ }

function my_function(Post $post) {
    echo strtoupper($post->getAuthor());
}
        }

        if ($this->userSession->isLogged()) {
            $creator_id = $this->userSession->getId();
        }

        $values = [
            'title'                => $title,
            'project_id'           => $project_id,
            'color_id'             => $color_id,
            'column_id'            => $column_id,
            'owner_id'             => $owner_id,
            'creator_id'           => $creator_id,
            'date_due'             => $date_due,
            'description'          => $description,
            'category_id'          => $category_id,
            'score'                => $score,
            'swimlane_id'          => $swimlane_id,
            'recurrence_status'    => $recurrence_status,
            'recurrence_trigger'   => $recurrence_trigger,
            'recurrence_factor'    => $recurrence_factor,
            'recurrence_timeframe' => $recurrence_timeframe,
            'recurrence_basedate'  => $recurrence_basedate,
            'reference'            => $reference,
            'priority'             => $priority,
        ];

        list($valid) = $this->taskValidator->validateCreation($values);

        return $valid ? $this->taskModel->create($values) : false;
    }

    /**
     * Update a task.
     *
     * @param int    $id
     * @param string $title
     * @param int    $project_id
     * @param string $color_id
     * @param int    $column_id
     * @param int    $owner_id
     * @param int    $creator_id
     * @param string $date_due
     * @param string $description
     * @param int    $category_id
     * @param int    $score
     * @param int    $swimlane_id
     * @param int    $priority
     * @param int    $recurrence_status
     * @param int    $recurrence_trigger
     * @param int    $recurrence_factor
     * @param int    $recurrence_timeframe
     * @param int    $recurrence_basedate
     * @param string $reference
     *
     * @return int
     */
    public function updateTask($id, $title = null, $color_id = null, $owner_id = null,
                                $date_due = null, $description = null, $category_id = null, $score = null, $priority = null,
                                $recurrence_status = null, $recurrence_trigger = null, $recurrence_factor = null,
                                $recurrence_timeframe = null, $recurrence_basedate = null, $reference = null)
    {
        TaskPolicy::getInstance($this->container)->check($this->getClassName(), 'updateTask', $id);
        $project_id = $this->taskFinderModel->getProjectId($id);

        if ($project_id === 0) {
            return false;
        }

        if ($owner_id !== null && $owner_id != 0 && !$this->projectPermissionModel->isAssignable($project_id, $owner_id)) {
            return false;
        }

        $values = $this->filterValues([
            'id'                   => $id,
            'title'                => $title,
            'color_id'             => $color_id,
            'owner_id'             => $owner_id,
            'date_due'             => $date_due,
            'description'          => $description,
            'category_id'          => $category_id,
            'score'                => $score,
            'recurrence_status'    => $recurrence_status,
            'recurrence_trigger'   => $recurrence_trigger,
            'recurrence_factor'    => $recurrence_factor,
            'recurrence_timeframe' => $recurrence_timeframe,
            'recurrence_basedate'  => $recurrence_basedate,
            'reference'            => $reference,
            'priority'             => $priority,
        ]);

        list($valid) = $this->taskValidator->validateApiModification($values);

        return $valid && $this->taskModel->update($values);
    }
}


1			<?php
2
3			/*
4			* This file is part of Jitamin.
5			*
6			* Copyright (C) Jitamin Team
7			*
8			* For the full copyright and license information, please view the LICENSE
9			* file that was distributed with this source code.
10			*/
11
12			namespace Jitamin\Http\Controllers\Api;
13
14			use Jitamin\Filter\TaskProjectFilter;
15			use Jitamin\Model\TaskModel;
16			use Jitamin\Policy\ProjectPolicy;
17			use Jitamin\Policy\TaskPolicy;
18
19			/**
20			* Task API controller.
21			*/
22			class TaskController extends Controller
23			{
24			/**
25			* Get the tasks for applied filter.
26			*
27			* @param int $project_id
28			* @param string $query
29			*
30			* @return array
31			*/
32			public function searchTasks($project_id, $query)
33			{
34			ProjectPolicy::getInstance($this->container)->check($this->getClassName(), 'searchTasks', $project_id);
35
36			return $this->taskLexer->build($query)->withFilter(new TaskProjectFilter($project_id))->toArray();
37			}
38
39			/**
40			* Fetch a task by the id.
41			*
42			* @param int $task_id Task id
43			*
44			* @return array
45			*/
46			public function getTask($task_id)
47			{
48			TaskPolicy::getInstance($this->container)->check($this->getClassName(), 'getTask', $task_id);
49
50			return $this->formatTask($this->taskFinderModel->getById($task_id));
51			}
52
53			/**
54			* Fetch a task by the reference (external id).
55			*
56			* @param int $project_id Project id
57			* @param string $reference Task reference
58			*
59			* @return array
60			*/
61			public function getTaskByReference($project_id, $reference)
62			{
63			ProjectPolicy::getInstance($this->container)->check($this->getClassName(), 'getTaskByReference', $project_id);
64
65			return $this->formatTask($this->taskFinderModel->getByReference($project_id, $reference));
66			}
67
68			/**
69			* Get all tasks for a given project and status.
70			*
71			* @param int $project_id Project id
72			* @param int $status_id Status id
73			*
74			* @return array
75			*/
76			public function getAllTasks($project_id, $status_id = TaskModel::STATUS_OPEN)
77			{
78			ProjectPolicy::getInstance($this->container)->check($this->getClassName(), 'getAllTasks', $project_id);
79
80			return $this->formatTasks($this->taskFinderModel->getAll($project_id, $status_id));
81			}
82
83			/**
84			* Get a list of overdue tasks for all projects.
85			*
86			* @return array
87			*/
88			public function getOverdueTasks()
89			{
90			return $this->taskFinderModel->getOverdueTasks();
91			}
92
93			/**
94			* Get a list of overdue tasks by project.
95			*
96			* @param int $project_id
97			*
98			* @return array
99			*/
100			public function getOverdueTasksByProject($project_id)
101			{
102			ProjectPolicy::getInstance($this->container)->check($this->getClassName(), 'getOverdueTasksByProject', $project_id);
103
104			return $this->taskFinderModel->getOverdueTasksByProject($project_id);
105			}
106
107			/**
108			* Mark a task open.
109			*
110			* @param int $task_id Task id
111			*
112			* @return bool
113			*/
114			public function openTask($task_id)
115			{
116			TaskPolicy::getInstance($this->container)->check($this->getClassName(), 'openTask', $task_id);
117
118			return $this->taskStatusModel->open($task_id);
119			}
120
121			/**
122			* Mark a task closed.
123			*
124			* @param int $task_id Task id
125			*
126			* @return bool
127			*/
128			public function closeTask($task_id)
129			{
130			TaskPolicy::getInstance($this->container)->check($this->getClassName(), 'closeTask', $task_id);
131
132			return $this->taskStatusModel->close($task_id);
133			}
134
135			/**
136			* Remove a task.
137			*
138			* @param int $task_id Task id
139			*
140			* @return bool
141			*/
142			public function removeTask($task_id)
143			{
144			TaskPolicy::getInstance($this->container)->check($this->getClassName(), 'removeTask', $task_id);
145
146			return $this->taskModel->remove($task_id);
147			}
148
149			/**
150			* Move a task to another column or to another position.
151			*
152			* @param int $project_id Project id
153			* @param int $task_id Task id
154			* @param int $column_id Column id
155			* @param int $position Position (must be >= 1)
156			* @param int $swimlane_id Swimlane id
157			* @param bool $fire_events Fire events
158			* @param bool $onlyOpen Do not move closed tasks
159			*
160			* @return bool
161			*/
162			public function moveTaskPosition($project_id, $task_id, $column_id, $position, $swimlane_id = 0)
163			{
164			ProjectPolicy::getInstance($this->container)->check($this->getClassName(), 'moveTaskPosition', $project_id);
165
166			return $this->taskPositionModel->movePosition($project_id, $task_id, $column_id, $position, $swimlane_id);
167			}
168
169			/**
170			* Move a task to another project.
171			*
172			* @param int $task_id
173			* @param int $project_id
174			* @param int $swimlane_id
175			* @param int $column_id
176			* @param int $category_id
177			* @param int $owner_id
178			*
179			* @return bool
180			*/
181			public function moveTaskToProject($task_id, $project_id, $swimlane_id = null, $column_id = null, $category_id = null, $owner_id = null)
182			{
183			ProjectPolicy::getInstance($this->container)->check($this->getClassName(), 'moveTaskToProject', $project_id);
184
185			return $this->taskProjectMoveModel->moveToProject($task_id, $project_id, $swimlane_id, $column_id, $category_id, $owner_id);
186			}
187
188			/**
189			* Duplicate a task to another project.
190			*
191			* @param int $task_id
192			* @param int $project_id
193			* @param int $swimlane_id
194			* @param int $column_id
195			* @param int $category_id
196			* @param int $owner_id
197			*
198			* @return bool\|int
199			*/
200			public function duplicateTaskToProject($task_id, $project_id, $swimlane_id = null, $column_id = null, $category_id = null, $owner_id = null)
201			{
202			ProjectPolicy::getInstance($this->container)->check($this->getClassName(), 'duplicateTaskToProject', $project_id);
203
204			return $this->taskProjectDuplicationModel->duplicateToProject($task_id, $project_id, $swimlane_id, $column_id, $category_id, $owner_id);
205			}
206
207			/**
208			* Create a task.
209			*
210			* @param string $title
211			* @param int $project_id
212			* @param string $color_id
213			* @param int $column_id
214			* @param int $owner_id
215			* @param int $creator_id
216			* @param string $date_due
217			* @param string $description
218			* @param int $category_id
219			* @param int $score
220			* @param int $swimlane_id
221			* @param int $priority
222			* @param int $recurrence_status
223			* @param int $recurrence_trigger
224			* @param int $recurrence_factor
225			* @param int $recurrence_timeframe
226			* @param int $recurrence_basedate
227			* @param string $reference
228			*
229			* @return int
230			*/
231			public function createTask($title, $project_id, $color_id = '', $column_id = 0, $owner_id = 0, $creator_id = 0,
232			$date_due = '', $description = '', $category_id = 0, $score = 0, $swimlane_id = 0, $priority = 0,
233			$recurrence_status = 0, $recurrence_trigger = 0, $recurrence_factor = 0, $recurrence_timeframe = 0,
234			$recurrence_basedate = 0, $reference = '')
235			{
236			ProjectPolicy::getInstance($this->container)->check($this->getClassName(), 'createTask', $project_id);
237
238			if ($owner_id !== 0 && !$this->projectPermissionModel->isAssignable($project_id, $owner_id)) {
239			return false;
			0 ignored issues – show Bug Best Practice introduced 2017-01-11 07:57 UTC by Report Bug Copy Issue Report Show Similar Issues like this The return type of `return false;` (`false`) is incompatible with the return type documented by `Jitamin\Http\Controllers...kController::createTask` of type `integer`. If you return a value from a function or method, it should be a sub-type of the type that is given by the parent type f.e. an interface, or abstract method. This is more formally defined by the Lizkov substitution principle, and guarantees that classes that depend on the parent type can use any instance of a child type interchangably. This principle also belongs to the SOLID principles for object oriented design. Let’s take a look at an example: class Author { private $name; public function __construct($name) { $this->name = $name; } public function getName() { return $this->name; } } abstract class Post { public function getAuthor() { return 'Johannes'; } } class BlogPost extends Post { public function getAuthor() { return new Author('Johannes'); } } class ForumPost extends Post { /* ... */ } function my_function(Post $post) { echo strtoupper($post->getAuthor()); } Our function `my_function` expects a `Post` object, and outputs the author of the post. The base class `Post` returns a simple string and outputting a simple string will work just fine. However, the child class `BlogPost` which is a sub-type of `Post` instead decided to return an `object`, and is therefore violating the SOLID principles. If a `BlogPost` were passed to `my_function`, PHP would not complain, but ultimately fail when executing the `strtoupper` call in its body. Loading history...
240			}
241
242			if ($this->userSession->isLogged()) {
243			$creator_id = $this->userSession->getId();
244			}
245
246			$values = [
247			'title' => $title,
248			'project_id' => $project_id,
249			'color_id' => $color_id,
250			'column_id' => $column_id,
251			'owner_id' => $owner_id,
252			'creator_id' => $creator_id,
253			'date_due' => $date_due,
254			'description' => $description,
255			'category_id' => $category_id,
256			'score' => $score,
257			'swimlane_id' => $swimlane_id,
258			'recurrence_status' => $recurrence_status,
259			'recurrence_trigger' => $recurrence_trigger,
260			'recurrence_factor' => $recurrence_factor,
261			'recurrence_timeframe' => $recurrence_timeframe,
262			'recurrence_basedate' => $recurrence_basedate,
263			'reference' => $reference,
264			'priority' => $priority,
265			];
266
267			list($valid) = $this->taskValidator->validateCreation($values);
268
269			return $valid ? $this->taskModel->create($values) : false;
270			}
271
272			/**
273			* Update a task.
274			*
275			* @param int $id
276			* @param string $title
277			* @param int $project_id
278			* @param string $color_id
279			* @param int $column_id
280			* @param int $owner_id
281			* @param int $creator_id
282			* @param string $date_due
283			* @param string $description
284			* @param int $category_id
285			* @param int $score
286			* @param int $swimlane_id
287			* @param int $priority
288			* @param int $recurrence_status
289			* @param int $recurrence_trigger
290			* @param int $recurrence_factor
291			* @param int $recurrence_timeframe
292			* @param int $recurrence_basedate
293			* @param string $reference
294			*
295			* @return int
296			*/
297			public function updateTask($id, $title = null, $color_id = null, $owner_id = null,
298			$date_due = null, $description = null, $category_id = null, $score = null, $priority = null,
299			$recurrence_status = null, $recurrence_trigger = null, $recurrence_factor = null,
300			$recurrence_timeframe = null, $recurrence_basedate = null, $reference = null)
301			{
302			TaskPolicy::getInstance($this->container)->check($this->getClassName(), 'updateTask', $id);
303			$project_id = $this->taskFinderModel->getProjectId($id);
304
305			if ($project_id === 0) {
306			return false;
307			}
308
309			if ($owner_id !== null && $owner_id != 0 && !$this->projectPermissionModel->isAssignable($project_id, $owner_id)) {
310			return false;
311			}
312
313			$values = $this->filterValues([
314			'id' => $id,
315			'title' => $title,
316			'color_id' => $color_id,
317			'owner_id' => $owner_id,
318			'date_due' => $date_due,
319			'description' => $description,
320			'category_id' => $category_id,
321			'score' => $score,
322			'recurrence_status' => $recurrence_status,
323			'recurrence_trigger' => $recurrence_trigger,
324			'recurrence_factor' => $recurrence_factor,
325			'recurrence_timeframe' => $recurrence_timeframe,
326			'recurrence_basedate' => $recurrence_basedate,
327			'reference' => $reference,
328			'priority' => $priority,
329			]);
330
331			list($valid) = $this->taskValidator->validateApiModification($values);
332
333			return $valid && $this->taskModel->update($values);
334			}
335			}
336

Jitamin / jitamin

Issues (3948)

Security Analysis not enabled

app/Http/Controllers/Api/TaskController.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like