Issues in Component.php (master) - Issues in master - Kylob/BootPress - Measure and Improve Code Quality continuously with Scrutinizer

Issues (164)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Theme/Component.php (3 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace BootPress\Theme;

use BootPress\Page\Component as Page;
use BootPress\Bootstrap\Component as Bootstrap;
use Symfony\Component\Yaml\Yaml;
use Smarty;

class Component
{
    public $bp;
    private $page;
    private $vars;
    private $config;
    private $folder;

    /**
     * Theme folder getter.
     * 
     * @param string $name 
     * 
     * @return null|string
     */
    public function __get($name)
    {
        switch ($name) {
            case 'folder':
                return $this->$name;
                break;
switch ($x) {
    case 1:
        return 'foo';
        break; // This break is not necessary and can be left off.
}
        }
    }

    public function __construct($folder = 'themes')
    {
        $this->folder = Page::html()->dir($folder);
        if (!is_dir($this->folder)) {
            mkdir($this->folder, 0755, true);
        }
        $file = $this->folder.'config.yml';
        $this->config = (is_file($file)) ? (array) Yaml::parse(file_get_contents($file)) : array();
        if (!isset($this->config['default']) || !isset($this->config['bootstrap'])) {
            $this->config = array_merge(array(
                'default' => '',
                'bootstrap' => '3.3.6',
            ), $this->config);
            file_put_contents($file, Yaml::dump($this->config, 3));
        }
        $this->vars = array();
        $this->page = new PageClone();
        $this->bp = Bootstrap::version($this->config['bootstrap']);
    }

    public function layout($html)
    {
        $page = Page::html();
        $theme = $page->theme;
        if ($theme === false) {
            return $html;
        } elseif (is_callable($theme)) {
            return $theme($html, $this->config);
        } elseif (is_file($theme)) {
            return $page->load($theme, array(
                'content' => $html,
                'config' => $this->config,
            ));
        } elseif (!$index = $this->getTemplate('index.tpl')) {
            return $html;
        }
        $vars = array(
            'content' => $html,
            'config' => $this->config
        );
        if ($index['dir'] != $this->folder) {
            $theme = substr($index['dir'], mb_strlen($this->folder)); // with trailing slash
            $parent = strstr($theme, '/', true); // good thing we had that trailing slash
$myVar = 'Value';
$higher = false;

if (rand(1, 6) > 3) {
    $higher = true;
} else {
    $higher = false;
}
            $path = substr($index['dir'], mb_strlen($page->dir()));
            $page->url('set', 'theme', $page->url['base'].'page/'.$path);
            $config = array();
            $previous = '';
            foreach (explode('/', substr($theme, 0, -1)) as $folder) {
                $previous .= $folder . '/';
                $file = $this->folder . $previous . 'config.yml';
                if (is_file($file)) { // any child values will override the parents
                    $config = array_merge($config, (array) Yaml::parse(file_get_contents($file)));
                }
            }
            $vars['config'] += $config; // The original config values override them all
        }
        
        return $this->fetchSmarty($index['file'], $vars);
    }

    public function globalVars($name, $value = null)
    {
        $vars = (is_array($name)) ? $name : array($name => $value);
        foreach ($vars as $name => $value) {
            if (is_array($value) && isset($this->vars[$name]) && is_array($this->vars[$name])) {
                $this->vars[$name] = array_merge($this->vars[$name], $value);
            } else {
                $this->vars[$name] = $value;
            }
        }
    }

    public function addPageMethod($name, $function)
    {
        if (!is_callable($function, false, $method)) {
            throw new \LogicException("'{$method}' cannot be called");
        }
        $this->page->additional[$name] = $function;
    }

    public function fetchSmarty($file, array $vars = array(), $testing = false)
    {
        static $smarty = null;
        if (is_null($smarty)) {
            $functions = array('var_dump', 'preg_replace', 'number_format', 'implode', 'explode', 'array_keys', 'array_values', 'array_flip', 'array_reverse', 'array_shift', 'array_unshift', 'array_pop', 'array_push', 'array_combine', 'array_merge');
            $smarty = new Smarty();
            $smarty->addPluginsDir($this->folder.'smarty/plugins/');
            $smarty->setCompileDir($this->folder.'smarty/templates_c/');
            $smarty->setConfigDir($this->folder.'smarty/configs/');
            $smarty->setCacheDir($this->folder.'smarty/cache/');
            $smarty->error_reporting = false;
$answer = 42;

$correct = false;

$correct = (bool) $answer;
            $security = new \Smarty_Security($smarty);
            $security->php_functions = array_merge(array('isset', 'empty', 'count', 'in_array', 'is_array', 'date', 'time', 'nl2br'), $functions); // Smarty defaults (except date)
            $security->allow_super_globals = false;
            $security->allow_constants = false;
            $smarty->enableSecurity($security);
            $smarty->assign('bp', new BPClone($this->bp));
        }
        $default = null;
        if (is_array($file)) {
            if (isset($file['default']) && is_dir($file['default'])) {
                $default = rtrim($file['default'], '/').'/';
            }
            if (isset($file['vars']) && is_array($file['vars'])) {
                $vars = $file['vars'];
            }
            $file = (isset($file['file']) && is_string($file['file'])) ? $file['file'] : '';
        }
        $page = Page::html();
        if (is_file($file) && strpos($file, $page->dir['page']) === 0) {
            if (strpos($file, $this->folder) === 0) {
                $dir = $this->folder;
                $file = substr($file, strlen($this->folder));
            } else {
                $dir = dirname($file).'/';
                $file = basename($file);
            }
            $page->url('set', 'folder', 'page/'.substr($dir, strlen($page->dir['page']), -1));
        } elseif ($template = $this->getTemplate($file, $default)) {
            $dir = $this->folder;
            $file = substr($template['file'], strlen($this->folder));
            $page->url('set', 'folder', 'page/'.$template['folder']);
        } else {
            return '<p>The "'.$file.'" file does not exist.</p>';
        }
        $vars = array_merge($vars, $this->vars);
        unset($vars['bp']);
        $vars['page'] = $this->page;
        $smarty->assign($vars);
        $smarty->setTemplateDir($dir);
        try {
            $html = $smarty->fetch($file);
            if (!empty($vars)) {
                $smarty->clearAssign(array_keys($vars));
            }
        } catch (\Exception $e) {
            $dir = str_replace('/', DIRECTORY_SEPARATOR, $this->folder);
            $page = str_replace('/', DIRECTORY_SEPARATOR, $page->dir['page']);
            $error = str_replace(array($dir, $page, '\\'), array('', '', '/'), $e->getMessage());
            if ($testing) {
                return htmlspecialchars_decode($error);
            }
            $html = '<p>'.$error.'</p>';
        }

        return ($testing) ? true : $html;
    }

    /**
     * Gets a template $file following a given pecking order.  If a ``$page->theme`` has been set and the folder exists, it looks there first.  If not and a default theme folder (that exists) has been established in the config file, then we will look for one there.  Otherwise we look in the root theme folder where the config file is.
     * 
     * @param string $file    The file name you are looking for eg. 'index.tpl'
     * @param string $default A file path to a default template if no other is available.  This will be saved (only once) in the root theme folder alongside the config file.
     * 
     * @return array Same as is returned from the ``$page->folder()`` method.
     */
    public function getTemplate($file, $default = null)
    {
        if (empty($file)) {
            return;
        }
        $page = Page::html();
        if (!is_null($default) && !is_file($this->folder.$file) && is_file($default.$file)) {
            copy($default.$file, $this->folder.$file);
        }
        if (!empty($page->theme) && is_string($page->theme) && is_dir($this->folder.$page->theme)) {
            $dir = $this->folder.$page->theme;
        } elseif (!empty($this->config['default']) && is_dir($this->folder.$this->config['default'])) {
            $dir = $this->folder.$this->config['default'];
        } else {
            $dir = $this->folder;
        }
        $path = substr($dir, strlen($this->folder));

        return $page->folder($this->folder, $path, $file);
    }
}


1		<?php
2
3		namespace BootPress\Theme;
4
5		use BootPress\Page\Component as Page;
6		use BootPress\Bootstrap\Component as Bootstrap;
7		use Symfony\Component\Yaml\Yaml;
8		use Smarty;
9
10		class Component
11		{
12		public $bp;
13		private $page;
14		private $vars;
15		private $config;
16		private $folder;
17
18		/**
19		* Theme folder getter.
20		*
21		* @param string $name
22		*
23		* @return null\|string
24		*/
25	1	public function __get($name)
26		{
27		switch ($name) {
28	1	case 'folder':
29	1	return $this->$name;
30		break;
		0 ignored issues – show Unused Code introduced 2016-08-07 15:33 UTC by Report Bug Copy Issue Report Show Similar Issues like this `break` is not strictly necessary here and could be removed. The `break` statement is not necessary if it is preceded for example by a `return` statement: switch ($x) { case 1: return 'foo'; break; // This break is not necessary and can be left off. } If you would like to keep this construct to be consistent with other `case` statements, you can safely mark this issue as a false-positive. Loading history...
31		}
32	1	}
33
34	3	public function __construct($folder = 'themes')
35		{
36	3	$this->folder = Page::html()->dir($folder);
37	3	if (!is_dir($this->folder)) {
38	1	mkdir($this->folder, 0755, true);
39	1	}
40	3	$file = $this->folder.'config.yml';
41	3	$this->config = (is_file($file)) ? (array) Yaml::parse(file_get_contents($file)) : array();
42	3	if (!isset($this->config['default']) \|\| !isset($this->config['bootstrap'])) {
43	3	$this->config = array_merge(array(
44	3	'default' => '',
45	3	'bootstrap' => '3.3.6',
46	3	), $this->config);
47	3	file_put_contents($file, Yaml::dump($this->config, 3));
48	3	}
49	3	$this->vars = array();
50	3	$this->page = new PageClone();
51	3	$this->bp = Bootstrap::version($this->config['bootstrap']);
52	3	}
53
54	1	public function layout($html)
55		{
56	1	$page = Page::html();
57	1	$theme = $page->theme;
58	1	if ($theme === false) {
59	1	return $html;
60	1	} elseif (is_callable($theme)) {
61	1	return $theme($html, $this->config);
62	1	} elseif (is_file($theme)) {
63	1	return $page->load($theme, array(
64	1	'content' => $html,
65	1	'config' => $this->config,
66	1	));
67	1	} elseif (!$index = $this->getTemplate('index.tpl')) {
68	1	return $html;
69		}
70		$vars = array(
71	1	'content' => $html,
72	1	'config' => $this->config
73	1	);
74	1	if ($index['dir'] != $this->folder) {
75	1	$theme = substr($index['dir'], mb_strlen($this->folder)); // with trailing slash
76	1	$parent = strstr($theme, '/', true); // good thing we had that trailing slash
		0 ignored issues – show Unused Code introduced 2016-08-07 15:33 UTC by Report Bug Copy Issue Report Show Similar Issues like this `$parent` is not used, you could remove the assignment. This check looks for variable assignements that are either overwritten by other assignments or where the variable is not used subsequently. $myVar = 'Value'; $higher = false; if (rand(1, 6) > 3) { $higher = true; } else { $higher = false; } Both the `$myVar` assignment in line 1 and the `$higher` assignment in line 2 are dead. The first because `$myVar` is never used and the second because `$higher` is always overwritten for every possible time line. Loading history...
77	1	$path = substr($index['dir'], mb_strlen($page->dir()));
78	1	$page->url('set', 'theme', $page->url['base'].'page/'.$path);
79	1	$config = array();
80	1	$previous = '';
81	1	foreach (explode('/', substr($theme, 0, -1)) as $folder) {
82	1	$previous .= $folder . '/';
83	1	$file = $this->folder . $previous . 'config.yml';
84	1	if (is_file($file)) { // any child values will override the parents
85	1	$config = array_merge($config, (array) Yaml::parse(file_get_contents($file)));
86	1	}
87	1	}
88	1	$vars['config'] += $config; // The original config values override them all
89	1	}
90
91	1	return $this->fetchSmarty($index['file'], $vars);
92		}
93
94	25	public function globalVars($name, $value = null)
95		{
96	25	$vars = (is_array($name)) ? $name : array($name => $value);
97	25	foreach ($vars as $name => $value) {
98	25	if (is_array($value) && isset($this->vars[$name]) && is_array($this->vars[$name])) {
99	24	$this->vars[$name] = array_merge($this->vars[$name], $value);
100	24	} else {
101	2	$this->vars[$name] = $value;
102		}
103	25	}
104	25	}
105
106	25	public function addPageMethod($name, $function)
107		{
108	25	if (!is_callable($function, false, $method)) {
109	1	throw new \LogicException("'{$method}' cannot be called");
110		}
111	25	$this->page->additional[$name] = $function;
112	25	}
113
114	25	public function fetchSmarty($file, array $vars = array(), $testing = false)
115		{
116	25	static $smarty = null;
117	25	if (is_null($smarty)) {
118	1	$functions = array('var_dump', 'preg_replace', 'number_format', 'implode', 'explode', 'array_keys', 'array_values', 'array_flip', 'array_reverse', 'array_shift', 'array_unshift', 'array_pop', 'array_push', 'array_combine', 'array_merge');
119	1	$smarty = new Smarty();
120	1	$smarty->addPluginsDir($this->folder.'smarty/plugins/');
121	1	$smarty->setCompileDir($this->folder.'smarty/templates_c/');
122	1	$smarty->setConfigDir($this->folder.'smarty/configs/');
123	1	$smarty->setCacheDir($this->folder.'smarty/cache/');
124	1	$smarty->error_reporting = false;
		0 ignored issues – show Documentation Bug introduced 2016-08-07 15:33 UTC by Report Bug Copy Issue Report Show Similar Issues like this The property `$error_reporting` was declared of type `integer`, but `false` is of type `false`. Maybe add a type cast? This check looks for assignments to scalar types that may be of the wrong type. To ensure the code behaves as expected, it may be a good idea to add an explicit type cast. $answer = 42; $correct = false; $correct = (bool) $answer; Loading history...
125	1	$security = new \Smarty_Security($smarty);
126	1	$security->php_functions = array_merge(array('isset', 'empty', 'count', 'in_array', 'is_array', 'date', 'time', 'nl2br'), $functions); // Smarty defaults (except date)
127	1	$security->allow_super_globals = false;
128	1	$security->allow_constants = false;
129	1	$smarty->enableSecurity($security);
130	1	$smarty->assign('bp', new BPClone($this->bp));
131	1	}
132	25	$default = null;
133	25	if (is_array($file)) {
134	21	if (isset($file['default']) && is_dir($file['default'])) {
135	21	$default = rtrim($file['default'], '/').'/';
136	21	}
137	21	if (isset($file['vars']) && is_array($file['vars'])) {
138	21	$vars = $file['vars'];
139	21	}
140	21	$file = (isset($file['file']) && is_string($file['file'])) ? $file['file'] : '';
141	21	}
142	25	$page = Page::html();
143	25	if (is_file($file) && strpos($file, $page->dir['page']) === 0) {
144	11	if (strpos($file, $this->folder) === 0) {
145	1	$dir = $this->folder;
146	1	$file = substr($file, strlen($this->folder));
147	1	} else {
148	10	$dir = dirname($file).'/';
149	10	$file = basename($file);
150		}
151	11	$page->url('set', 'folder', 'page/'.substr($dir, strlen($page->dir['page']), -1));
152	25	} elseif ($template = $this->getTemplate($file, $default)) {
153	21	$dir = $this->folder;
154	21	$file = substr($template['file'], strlen($this->folder));
155	21	$page->url('set', 'folder', 'page/'.$template['folder']);
156	21	} else {
157	1	return '<p>The "'.$file.'" file does not exist.</p>';
158		}
159	25	$vars = array_merge($vars, $this->vars);
160	25	unset($vars['bp']);
161	25	$vars['page'] = $this->page;
162	25	$smarty->assign($vars);
163	25	$smarty->setTemplateDir($dir);
164		try {
165	25	$html = $smarty->fetch($file);
166	24	if (!empty($vars)) {
167	24	$smarty->clearAssign(array_keys($vars));
168	24	}
169	25	} catch (\Exception $e) {
170	2	$dir = str_replace('/', DIRECTORY_SEPARATOR, $this->folder);
171	2	$page = str_replace('/', DIRECTORY_SEPARATOR, $page->dir['page']);
172	2	$error = str_replace(array($dir, $page, '\\'), array('', '', '/'), $e->getMessage());
173	2	if ($testing) {
174	1	return htmlspecialchars_decode($error);
175		}
176	2	$html = '<p>'.$error.'</p>';
177		}
178
179	25	return ($testing) ? true : $html;
180		}
181
182		/**
183		* Gets a template $file following a given pecking order. If a ``$page->theme`` has been set and the folder exists, it looks there first. If not and a default theme folder (that exists) has been established in the config file, then we will look for one there. Otherwise we look in the root theme folder where the config file is.
184		*
185		* @param string $file The file name you are looking for eg. 'index.tpl'
186		* @param string $default A file path to a default template if no other is available. This will be saved (only once) in the root theme folder alongside the config file.
187		*
188		* @return array Same as is returned from the ``$page->folder()`` method.
189		*/
190	22	public function getTemplate($file, $default = null)
191		{
192	22	if (empty($file)) {
193	1	return;
194		}
195	22	$page = Page::html();
196	22	if (!is_null($default) && !is_file($this->folder.$file) && is_file($default.$file)) {
197	7	copy($default.$file, $this->folder.$file);
198	7	}
199	22	if (!empty($page->theme) && is_string($page->theme) && is_dir($this->folder.$page->theme)) {
200	2	$dir = $this->folder.$page->theme;
201	22	} elseif (!empty($this->config['default']) && is_dir($this->folder.$this->config['default'])) {
202	1	$dir = $this->folder.$this->config['default'];
203	1	} else {
204	21	$dir = $this->folder;
205		}
206	22	$path = substr($dir, strlen($this->folder));
207
208	22	return $page->folder($this->folder, $path, $file);
209		}
210		}
211

Kylob / BootPress

Issues (164)

Security Analysis not enabled

src/Theme/Component.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like