Issues (24)

Security Analysis: no request data

This project does not seem to handle request data directly, so no vulnerable execution paths were found.

  Cross-Site Scripting
Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.
  File Exposure
File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.
  File Manipulation
File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.
  Object Injection
Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.
  Code Injection
Code Injection enables an attacker to execute arbitrary code on the server.
  Response Splitting
Response Splitting can be used to send arbitrary responses.
  File Inclusion
File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.
  Command Injection
Command Injection enables an attacker to inject a shell command that is executed with the privileges of the web-server. This can be used to expose sensitive data, or to gain access to your server.
  SQL Injection
SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.
  XPath Injection
XPath Injection enables an attacker to modify which parts of an XML document are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.
  LDAP Injection
LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.
  Header Injection
  Other Vulnerability
This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.
  Regex Injection
Regex Injection enables an attacker to execute arbitrary code in your PHP process.
  XML Injection
XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.
  Variable Injection
Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

classes/Migrations.php (3 issues)

These results are based on our legacy PHP analysis; consider migrating to our new PHP analysis engine instead.

<?php defined('SYSPATH') OR die('No direct script access.');

/**
 * Migrations class.
 */
class Migrations
{
	protected $config;
	protected $driver;
	protected $migrations;
	public $output = NULL;

	/**
	 * Initialize migration library
	 *
	 * @param   array   $config   Configuration overrides, merged over the 'migrations' config group
	 */
	public function __construct($config = NULL)
	{
		$this->config = Arr::merge(Kohana::$config->load('migrations')->as_array(), (array) $config);

		$database = Kohana::$config->load('database.'.Arr::get(Kohana::$config->load('migrations'), 'database', 'default'));
\Kohana::$config->load('migrations') is of type object<Kohana_Config_Group>, but the function expects an array.

It seems like the type of the argument is not accepted by the function/method which you are calling.

In some cases, in particular if PHP's automatic type-juggling kicks in, this might be fine. In other cases, however, this might be a bug.

We suggest adding an explicit type cast, as in the following example:

function acceptsInteger($int) { }

$x = '123'; // string "123"

// Instead of
acceptsInteger($x);

// we recommend to use
acceptsInteger((integer) $x);

		// Set the driver class name
		$driver_name = in_array($database['type'], array('PDO', 'MySQL')) ? 'Mysql' : ucfirst($database['type']);
		$driver = 'Migration_Driver_'.$driver_name;

		// Create the database connection instance
		$this->driver = new $driver(Arr::get(Kohana::$config->load('migrations'), 'database', 'default'));
\Kohana::$config->load('migrations') is of type object<Kohana_Config_Group>, but the function expects an array.

		$this->driver->versions()->init();

		if ( ! is_dir($this->config['path']))
		{
			// Creates the migrations directory (recursively) with mode 0777, i.e. world-writable
			mkdir($this->config['path'], 0777, TRUE);
		}
	}

	public function set_executed($version)
	{
		$this->driver->versions()->set($version);
	}

	public function set_unexecuted($version)
	{
		$this->driver->versions()->clear($version);
	}

	public function generate_new_migration_file($name, $actions_template = NULL)
	{
		$actions = new Migration_Actions($this->driver);

		if ($actions_template)
		{
			$actions->template(getcwd().DIRECTORY_SEPARATOR.$actions_template);
		}
		else
		{
			$actions->parse($name);
		}

		$template = file_get_contents(Kohana::find_file('templates', 'migration', 'tpl'));
		$class_name = str_replace(' ', '_', ucwords(str_replace('_', ' ', $name)));
		$filename = sprintf("%d_$name.php", time());

		file_put_contents(
			$this->config['path'].DIRECTORY_SEPARATOR.$filename,
			strtr($template, array(
				'{up}' => join("\n", array_map('Migrations::indent', $actions->up)),
				'{down}' => join("\n", array_map('Migrations::indent', $actions->down)),
				'{class_name}' => $class_name
			))
		);

		return $filename;
	}

	static function indent($action)
It is generally recommended to explicitly declare the visibility for methods.

Adding explicit visibility (private, protected, or public) is generally recommended to communicate to other developers how, and from where, this method is intended to be used.

	{
		return "\t\t$action";
	}

	/**
	 * Loads a migration
	 *
	 * @param   integer   Migration version number
	 * @return  Migration_Core  Class object
	 */
	public function load_migration($version)
	{
		$f = glob(sprintf($this->config['path'] . DIRECTORY_SEPARATOR . '%d_*.php', $version));

		if (count($f) > 1)
			throw new Migration_Exception('Only one migration per step is permitted, there are :count of version :version', array(':count' => count($f), ':version' => $version));

		if (count($f) == 0)
			throw new Migration_Exception('Migration step not found with version :version', array(":version" => $version));

		$file = basename($f[0]);
		$name = basename($f[0], EXT);

		// Filename validations
		if ( ! preg_match('/^\d+_(\w+)$/', $name, $match))
			throw new Migration_Exception('Invalid filename :file', array(':file' => $file));

		$match[1] = strtolower($match[1]);

		include_once $f[0];
		$class = ucfirst($match[1]);

		if ( ! class_exists($class))
			throw new Migration_Exception('Migration class :class does not exist', array(':class' => $class));

		return new $class($this->config);
	}

	/**
	 * Retrieves all the timestamps of the migration files
	 *
	 * @return   array
	 */
	public function get_migrations()
	{
		if ( ! $this->migrations)
		{
			$migrations = glob($this->config['path'] . DIRECTORY_SEPARATOR . '*' . EXT);
			$ids = array();
			foreach ((array) $migrations as $file)
			{
				$name = basename($file, EXT);
				$matches = array();
				if (preg_match('/^(\d+)_(\w+)$/', $name, $matches))
				{
					$ids[] = intval($matches[1]);
				}
			}
			$this->migrations = $ids;
		}
		return $this->migrations;
	}

	public function clear_all()
	{
		$this->driver->clear_all();
		$this->driver->versions()->clear_all();
		return $this;
	}

	public function get_executed_migrations()
	{
		return $this->driver->versions()->get();
	}

	public function get_unexecuted_migrations()
	{
		return array_diff($this->get_migrations(), $this->get_executed_migrations());
	}

	protected function execute($version, $direction, $dry_run)
	{
		$migration = $this->load_migration($version)->dry_run($dry_run);

		$this->log($version.' '.get_class($migration).' : migrating '.$direction.($dry_run ? " -- Dry Run" : ''));
		$start = microtime(TRUE);

		switch ($direction)
		{
			case 'down':
				$migration->down();
				if ( ! $dry_run)
				{
					$this->set_unexecuted($version);
				}
			break;

			case 'up':
				$migration->up();
				if ( ! $dry_run)
				{
					$this->set_executed($version);
				}
			break;
		}

		$end = microtime(TRUE);
		$this->log($version.' '.get_class($migration).' : migrated ('.number_format($end - $start, 4).'s)');
	}

	public function execute_all($up = array(), $down = array(), $dry_run = FALSE)
	{
		if ( ! count($down) AND ! count($up))
		{
			$this->log("Nothing to do");
		}
		else
		{
			foreach ($down as $version)
			{
				$this->execute($version, 'down', $dry_run);
			}

			foreach ($up as $version)
			{
				$this->execute($version, 'up', $dry_run);
			}
		}
	}

	public function log($message)
	{
		if ($this->config['log'])
		{
			call_user_func($this->config['log'], $message);
		}
		else
		{
			echo $message."\n";
			ob_flush();
		}
	}
}