Issues (207)

Security Analysis: not enabled

This project does not seem to handle request data directly as such no vulnerable execution paths were found.

  Cross-Site Scripting
Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.
  File Exposure
File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.
  File Manipulation
File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.
  Object Injection
Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.
  Code Injection
Code Injection enables an attacker to execute arbitrary code on the server.
  Response Splitting
Response Splitting can be used to send arbitrary responses.
  File Inclusion
File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.
  Command Injection
Command Injection enables an attacker to inject a shell command that is executed with the privileges of the web-server. This can be used to expose sensitive data, or to gain access to your server.
  SQL Injection
SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.
  XPath Injection
XPath Injection enables an attacker to modify which parts of an XML document are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.
  LDAP Injection
LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.
  Header Injection
  Other Vulnerability
This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.
  Regex Injection
Regex Injection enables an attacker to execute arbitrary code in your PHP process.
  XML Injection
XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.
  Variable Injection
Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.
Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/BaseServiceProvider.php (3 issues)

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis; consider migrating to our new PHP analysis engine instead.

<?php

namespace Backpack\Base;

use Illuminate\Routing\Router;
use Illuminate\Support\ServiceProvider;
use Route;

class BaseServiceProvider extends ServiceProvider
{
    const VERSION = '1.0.0';

    protected $commands = [
        \Backpack\Base\app\Console\Commands\Install::class,
        \Backpack\Base\app\Console\Commands\AddSidebarContent::class,
        \Backpack\Base\app\Console\Commands\AddCustomRouteContent::class,
        \Backpack\Base\app\Console\Commands\Version::class,
        \Backpack\Base\app\Console\Commands\CreateUser::class,
        \Backpack\Base\app\Console\Commands\PublishBackpackUserModel::class,
        \Backpack\Base\app\Console\Commands\PublishBackpackMiddleware::class,
    ];

    /**
     * Indicates if loading of the provider is deferred.
     *
     * @var bool
     */
    protected $defer = false;

    /**
     * Where the route file lives, both inside the package and in the app (if overwritten).
     *
     * @var string
     */
    public $routeFilePath = '/routes/backpack/base.php';

    /**
     * Where custom routes can be written, and will be registered by Backpack.
     *
     * @var string
     */
    public $customRoutesFilePath = '/routes/backpack/custom.php';

    /**
     * Perform post-registration booting of services.
     *
     * @return void
     */
    public function boot(\Illuminate\Routing\Router $router)
    {
        $_SERVER['BACKPACK_BASE_VERSION'] = $this::VERSION;
        $customViewsFolder = resource_path('views/vendor/backpack/base');

        // LOAD THE VIEWS
        // - first the published views (in case they have any changes)
        if (file_exists(resource_path('views/vendor/backpack/base'))) {
            $this->loadViewsFrom($customViewsFolder, 'backpack');
        }
        // - then the stock views that come with the package, in case a published view might be missing
        $this->loadViewsFrom(realpath(__DIR__.'/resources/views'), 'backpack');

        $this->loadTranslationsFrom(realpath(__DIR__.'/resources/lang'), 'backpack');

        // use the vendor configuration file as fallback
        $this->mergeConfigFrom(
            __DIR__.'/config/backpack/base.php',
            'backpack.base'
        );

        // add the root disk to filesystem configuration
        app()->config['filesystems.disks.'.config('backpack.base.root_disk_name')] = [
            'driver' => 'local',
            'root'   => base_path(),
        ];

        $this->addCustomAuthConfigurationValues();
        $this->registerMiddlewareGroup($this->app->router);
Issue (0 ignored issues): Accessing router on the interface Illuminate\Contracts\Foundation\Application suggests that you code against a concrete implementation. How about adding an instanceof check? The same issue is reported for each of the three $this->app->router calls in this method.

If you access a property on an interface, you most likely code against a concrete implementation of the interface.

Available Fixes

  1. Adding an additional type check:

    interface SomeInterface { }
    class SomeClass implements SomeInterface {
        public $a;
    }

    function someFunction(SomeInterface $object) {
        if ($object instanceof SomeClass) {
            $a = $object->a;
        }
    }

  2. Changing the type hint:

    interface SomeInterface { }
    class SomeClass implements SomeInterface {
        public $a;
    }

    function someFunction(SomeClass $object) {
        $a = $object->a;
    }

        $this->setupRoutes($this->app->router);
        $this->setupCustomRoutes($this->app->router);
        $this->publishFiles();
        $this->checkLicenseCodeExists();
    }

    /**
     * Load the Backpack helper methods, for convenience.
     */
    public function loadHelpers()
    {
        require_once __DIR__.'/helpers.php';
    }

    /**
     * Backpack login differs from the standard Laravel login.
     * As such, Backpack uses its own authentication provider, password broker and guard.
     *
     * This method adds those configuration values on top of whatever is in config/auth.php. Developers can overwrite the backpack provider, password broker or guard by adding a provider/broker/guard with the "backpack" name inside their config/auth.php file. Or they can use another provider/broker/guard entirely, by changing the corresponding value inside config/backpack/base.php
     */
    public function addCustomAuthConfigurationValues()
    {
        // add the backpack_users authentication provider to the configuration
        app()->config['auth.providers'] = app()->config['auth.providers'] +
        [
            'backpack' => [
                'driver'  => 'eloquent',
                'model'   => config('backpack.base.user_model_fqn'),
            ],
        ];

        // add the backpack_users password broker to the configuration
        app()->config['auth.passwords'] = app()->config['auth.passwords'] +
        [
            'backpack' => [
                'provider'  => 'backpack',
                'table'     => 'password_resets',
                'expire'    => 60,
            ],
        ];

        // add the backpack_users guard to the configuration
        app()->config['auth.guards'] = app()->config['auth.guards'] +
        [
            'backpack' => [
                'driver'   => 'session',
                'provider' => 'backpack',
            ],
        ];
    }

    /**
     * Define the routes for the application.
     *
     * @param \Illuminate\Routing\Router $router
     *
     * @return void
     */
    public function setupRoutes(Router $router)
    {
        // by default, use the routes file provided in vendor
        $routeFilePathInUse = __DIR__.$this->routeFilePath;

        // but if there's a file with the same name in routes/backpack, use that one
        if (file_exists(base_path().$this->routeFilePath)) {
            $routeFilePathInUse = base_path().$this->routeFilePath;
        }

        $this->loadRoutesFrom($routeFilePathInUse);
    }

    /**
     * Load custom routes file.
     *
     * @param \Illuminate\Routing\Router $router
     *
     * @return void
     */
    public function setupCustomRoutes(Router $router)
    {
        // if the custom routes file is published, register its routes
        if (file_exists(base_path().$this->customRoutesFilePath)) {
            $this->loadRoutesFrom(base_path().$this->customRoutesFilePath);
        }
    }

    /**
     * Register any package services.
     *
     * @return void
     */
    public function register()
    {
        // register the current package
        $this->app->bind('base', function ($app) {
            return new Base($app);
        });

        // register the helper functions
        $this->loadHelpers();

        // register the services that are only used for development
        if ($this->app->environment() == 'local') {
            if (class_exists('Laracasts\Generators\GeneratorsServiceProvider')) {
                $this->app->register('Laracasts\Generators\GeneratorsServiceProvider');
            }
            if (class_exists('Backpack\Generators\GeneratorsServiceProvider')) {
                $this->app->register('Backpack\Generators\GeneratorsServiceProvider');
            }
        }

        // register the artisan commands
        $this->commands($this->commands);
    }

    public function registerMiddlewareGroup(Router $router)
    {
        $middleware_key = config('backpack.base.middleware_key');
        $middleware_class = config('backpack.base.middleware_class');

        if (!is_array($middleware_class)) {
            $router->pushMiddlewareToGroup($middleware_key, $middleware_class);

            return;
        }

        foreach ($middleware_class as $middleware_class) {
            $router->pushMiddlewareToGroup($middleware_key, $middleware_class);
        }
    }

    public function publishFiles()
    {
        $error_views = [__DIR__.'/resources/error_views' => resource_path('views/errors')];
        $backpack_base_views = [__DIR__.'/resources/views' => resource_path('views/vendor/backpack/base')];
        $backpack_public_assets = [__DIR__.'/public' => public_path('vendor/backpack')];
        $backpack_lang_files = [__DIR__.'/resources/lang' => resource_path('lang/vendor/backpack')];
        $backpack_config_files = [__DIR__.'/config' => config_path()];

        // sidebar_content view, which is the only view most people need to overwrite
        $backpack_menu_contents_view = [
            __DIR__.'/resources/views/inc/sidebar_content.blade.php'      => resource_path('views/vendor/backpack/base/inc/sidebar_content.blade.php'),
            __DIR__.'/resources/views/inc/topbar_left_content.blade.php'  => resource_path('views/vendor/backpack/base/inc/topbar_left_content.blade.php'),
            __DIR__.'/resources/views/inc/topbar_right_content.blade.php' => resource_path('views/vendor/backpack/base/inc/topbar_right_content.blade.php'),
        ];
        $backpack_custom_routes_file = [__DIR__.$this->customRoutesFilePath => base_path($this->customRoutesFilePath)];

        // calculate the path from current directory to get the vendor path
        $vendorPath = dirname(__DIR__, 3);
        $adminlte_assets = [$vendorPath.'/almasaeed2010/adminlte' => public_path('vendor/adminlte')];
        $gravatar_assets = [$vendorPath.'/creativeorange/gravatar/config' => config_path()];

        // establish the minimum amount of files that need to be published, for Backpack to work; these are the files that will be published by the install command
        $minimum = array_merge(
            $error_views,
            // $backpack_base_views,
            $backpack_public_assets,
            // $backpack_lang_files,
            $backpack_config_files,
            $backpack_menu_contents_view,
            $backpack_custom_routes_file,
            $adminlte_assets,
            $gravatar_assets
        );

        // register all possible publish commands and assign tags to each
        $this->publishes($backpack_config_files, 'config');
        $this->publishes($backpack_lang_files, 'lang');
        $this->publishes($backpack_base_views, 'views');
        $this->publishes($backpack_menu_contents_view, 'menu_contents');
        $this->publishes($error_views, 'errors');
        $this->publishes($backpack_public_assets, 'public');
        $this->publishes($backpack_custom_routes_file, 'custom_routes');
        $this->publishes($adminlte_assets, 'adminlte');
        $this->publishes($gravatar_assets, 'gravatar');
        $this->publishes($minimum, 'minimum');
    }

    /**
     * Check to see if a license code exists.
     * If it does not, throw a notification bubble.
     *
     * @return void
     */
    private function checkLicenseCodeExists()
    {
        if ($this->app->environment() != 'local' && !config('backpack.base.license_code')) {
            \Alert::add('warning', "<strong>You're using unlicensed software.</strong> Please ask your web developer to <a target='_blank' href='http://backpackforlaravel.com'>purchase a license code</a> to hide this message.");
        }
    }
}