Issues in Module.php (master) - Issues in master - SAM-IT/yii2-phpfpm - Measure and Improve Code Quality continuously with Scrutinizer

Issues (1)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Module.php (1 issue)

Labels

Bug 1

Severity

Critical 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
declare(strict_types=1);

namespace SamIT\Yii2\PhpFpm;

use SamIT\Docker\Context;
use yii\base\InvalidConfigException;
use yii\base\UnknownPropertyException;
use yii\helpers\ArrayHelper;
use yii\helpers\Console;

/**
 * Class Module
 * @package SamIT\Yii2\PhpFpm
 * @property-write string[] $additionalExtensions
 * @property-write string|int[] $additionalPoolConfig
 * @property-write string[] $additionalPhpConfig
 * @property-write string[] $additionalFpmConfig
 */
class Module extends \yii\base\Module
{
    /**
     * The variables will be written to /runtime/env.json as JSON, where your application can read them.
     * @var string[] List of required environment variables. If one is missing the container will exit.
     *
     */
    public $environmentVariables = [];

    /**
     * @var array Pool directives
     * @see http://php.net/manual/en/install.fpm.configuration.php
     *
     */
    public $poolConfig = [
        'user' => 'nobody',
        'group' => 'nobody',
        'listen' => 9000,
        'pm' => 'dynamic',
        'pm.max_children' => 40,
        'pm.start_servers' => 3,
        'pm.min_spare_servers' => 1,
        'pm.max_spare_servers' => 3,
        'access.log' => '/proc/self/fd/2',
        'clear_env' => 'yes',
        'catch_workers_output' => 'yes'
    ];

    /**
     * @var array PHP configuration, supplied via php_admin_value in fpm config.
     */
    public $phpConfig = [
        'upload_max_filesize' => '20M',
        'post_max_size' => '25M'
    ];

    /**
     * @var array Global directives
     * @see http://php.net/manual/en/install.fpm.configuration.php
     *
     */
    public $fpmConfig = [
        'error_log' => '/proc/self/fd/2',
        'daemonize' => 'no',
    ];

    /**
     * List of php extensions to install
     */
    public $extensions = [
        'ctype',
        'gd',
        'iconv',
        'intl',
        'json',
        'mbstring',
        'session',
        'pdo_mysql',
        'session',
        'curl'
    ];

    /**
     * @var string The name of the created image.
     */
    public $image;

    /**
     * @var string The name of the base image to use for the container. Should contain php-fpm
     */
    public string $baseImage = 'php:7.4-fpm-alpine';

    /**
     * @var string The tag of the created image.
     */
    public $tag = 'latest';

    /**
     * @var bool wheter to push successful builds.
     */
    public $push = false;

    /**
     * @var string Location of composer.json / composer.lock
     */
    public $composerFilePath = '@app/../';

    /**
     * @var string[] List of console commands that are executed upon container launch.
     */
    public $initializationCommands = [];
    /**
     * @return string A PHP-FPM config file.
     */
    protected function createFpmConfig()
    {
        $config = [];
        // Add global directives.
        $config[] = '[global]';
        foreach ($this->fpmConfig as $key => $value) {
            $config[] = "$key = $value";
        }

        // Add pool directives.
        $poolConfig = $this->poolConfig;
        foreach ($this->phpConfig as $key => $value) {
            $poolConfig["php_admin_value[$key]"] = $value;
        }

        $config[] = '[www]';
        foreach ($poolConfig as $key => $value) {
            $config[] = "$key = $value";
        }

        return \implode("\n", $config);
    }

    /**
     * @return string A shell script that checks for existence of (non-empty) variables and runs php-fpm.
     */
    private function createEntrypoint(string $entryScript): string
    {
        // Get the route.
        $result = [];
        $result[] = '#!/bin/sh';
        // Check for variables.
        foreach ($this->environmentVariables as $name) {
            $result[] = \strtr('if [ -z "${name}" -a ! -f "$SECRET_DIR/{name}" ]; then echo "Variable \${name} is required."; exit 1; fi', [
                '{name}' => $name
            ]);
        }

        // Check if runtime directory is writable.
        $result[] = <<<SH
su nobody -s /bin/touch /runtime/testfile && rm /runtime/testfile;
if [ $? -ne 0 ]; then
  echo Runtime directory is not writable;
  exit 1
fi
SH;



        // Check if runtime is a tmpfs.
        $message = Console::ansiFormat('/runtime should really be a tmpfs.', [Console::FG_RED]);
        $result[] = <<<SH
grep 'tmpfs /runtime' /proc/mounts;
if [ $? -ne 0 ]; then
  echo $message;
fi
SH;
        $result[] = <<<SH
su nobody -s /bin/touch /runtime/env.json
(test -d \$SECRET_DIR && cd \$SECRET_DIR && find * -type f -exec jq -sR '{(input_filename):.}' {} \; ) | jq -s 'env+add' > /runtime/env.json
if [ $? -ne 0 ]; then
  echo "failed to store env in /runtime/env.json";
  exit 1
fi
SH;


        foreach ($this->initializationCommands as $route) {
            $result[] = "$entryScript $route --interactive=0 || exit";
        }
        $result[] = 'exec php-fpm --force-stderr --fpm-config /php-fpm.conf';
        return \implode("\n", $result);
    }

    /**
     * @param Context $context The context to use
     * @param string $version This is stored in the VERSION environment variable.
     * @param string $sourcePath This is the path where app source is stored, it must be a top level dir, the project root is derived from it
     * @throws InvalidConfigException
     */
    public function createBuildContext(
        Context $context,
        string $version,
        string $sourcePath
    ): void {
        if (!is_dir($sourcePath)) {
            throw new \InvalidArgumentException("$sourcePath does not exist or is not a directory");
        }

        $entryScript = "/project/{$this->getConsoleEntryScript($sourcePath)}";

        /**
         * BEGIN COMPOSER
         */
        $context->command('FROM composer');
        $context->addFile('/build/composer.json', \Yii::getAlias($this->composerFilePath) .'/composer.json');

        if (\file_exists(\Yii::getAlias($this->composerFilePath) . '/composer.lock')) {
            $context->addFile('/build/composer.lock', \Yii::getAlias($this->composerFilePath) . '/composer.lock');
        }

        $context->run('cd /build && composer install --no-dev --no-autoloader --ignore-platform-reqs --prefer-dist');

        // Add the actual source code.
        $context->addFile('/build/' . \basename($sourcePath), $sourcePath);
        $context->run('cd /build && composer dumpautoload -o --no-dev');
        /**
         * END COMPOSER
         */

        $context->from($this->baseImage);
        $context->run('apk add --update --no-cache jq');
        $context->addUrl("/usr/local/bin/", "https://raw.githubusercontent.com/mlocati/docker-php-extension-installer/master/install-php-extensions");
        $context->run("chmod +x /usr/local/bin/install-php-extensions");
        $context->run('install-php-extensions ' . implode(' ', $this->extensions));
        $context->run('mkdir /runtime && chown nobody:nobody /runtime');
        $context->volume('/runtime');
        $context->copyFromLayer("/project", "0", "/build");

        $context->add('/entrypoint.sh', $this->createEntrypoint($entryScript));

        $context->run('chmod +x /entrypoint.sh');

        $context->add('/php-fpm.conf', $this->createFpmConfig());

        $context->run("php-fpm --force-stderr --fpm-config /php-fpm.conf -t");

        $context->entrypoint(["/entrypoint.sh"]);

        $context->env('VERSION', $version);
        // Test if we can run a console command.
        $context->run("[ -f $entryScript ]");
    }

    /**
     * @throws \InvalidArgumentException in case the app is not configured as expected
     * @param string $sourcePath the path to the soruce files
     * @return string the relative path of the (console) entry script with respect to the project (not app) root.
     */
    private function getConsoleEntryScript(string $sourcePath): string
    {
        $full = \array_slice(\debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS), -1)[0]['file'];
        $projectRoot = dirname($sourcePath);
        if (strncmp($projectRoot, $full, strlen($projectRoot)) !== 0) {
            throw new \InvalidArgumentException("The console entry script must be located inside the project root; $full is not in $projectRoot");
        }
        return \ltrim(substr($full, strlen($projectRoot)), '/');
    }


    public function __set($name, $value): void
    {
        if (\strncmp($name, 'additional', 10) !== 0) {
            parent::__set($name, $value);
            return;
        }


        $this->add(\lcfirst(\substr($name, 10)), $value);
    }

    private function add($name, array $value): void
    {
        if (!\property_exists($this, $name)) {
            throw new UnknownPropertyException("Unknown property $name");
        }
        $this->$name = ArrayHelper::merge($this->$name, $value);
    }
}


GitHub Access Token became invalid

Issues (1)

Security Analysis no request data

src/Module.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

1		<?php
2		declare(strict_types=1);
3
4		namespace SamIT\Yii2\PhpFpm;
5
6		use SamIT\Docker\Context;
7		use yii\base\InvalidConfigException;
8		use yii\base\UnknownPropertyException;
9		use yii\helpers\ArrayHelper;
10		use yii\helpers\Console;
11
12		/**
13		* Class Module
14		* @package SamIT\Yii2\PhpFpm
15		* @property-write string[] $additionalExtensions
16		* @property-write string\|int[] $additionalPoolConfig
17		* @property-write string[] $additionalPhpConfig
18		* @property-write string[] $additionalFpmConfig
19		*/
20		class Module extends \yii\base\Module
21		{
22		/**
23		* The variables will be written to /runtime/env.json as JSON, where your application can read them.
24		* @var string[] List of required environment variables. If one is missing the container will exit.
25		*
26		*/
27		public $environmentVariables = [];
28
29		/**
30		* @var array Pool directives
31		* @see http://php.net/manual/en/install.fpm.configuration.php
32		*
33		*/
34		public $poolConfig = [
35		'user' => 'nobody',
36		'group' => 'nobody',
37		'listen' => 9000,
38		'pm' => 'dynamic',
39		'pm.max_children' => 40,
40		'pm.start_servers' => 3,
41		'pm.min_spare_servers' => 1,
42		'pm.max_spare_servers' => 3,
43		'access.log' => '/proc/self/fd/2',
44		'clear_env' => 'yes',
45		'catch_workers_output' => 'yes'
46		];
47
48		/**
49		* @var array PHP configuration, supplied via php_admin_value in fpm config.
50		*/
51		public $phpConfig = [
52		'upload_max_filesize' => '20M',
53		'post_max_size' => '25M'
54		];
55
56		/**
57		* @var array Global directives
58		* @see http://php.net/manual/en/install.fpm.configuration.php
59		*
60		*/
61		public $fpmConfig = [
62		'error_log' => '/proc/self/fd/2',
63		'daemonize' => 'no',
64		];
65
66		/**
67		* List of php extensions to install
68		*/
69		public $extensions = [
70		'ctype',
71		'gd',
72		'iconv',
73		'intl',
74		'json',
75		'mbstring',
76		'session',
77		'pdo_mysql',
78		'session',
79		'curl'
80		];
81
82		/**
83		* @var string The name of the created image.
84		*/
85		public $image;
86
87		/**
88		* @var string The name of the base image to use for the container. Should contain php-fpm
89		*/
90		public string $baseImage = 'php:7.4-fpm-alpine';
		0 ignored issues – show Bug introduced 2021-06-18 10:50 UTC by Report Bug Copy Issue Report Show Similar Issues like this This code did not parse for me. Apparently, there is an error somewhere around this line: Syntax error, unexpected T_STRING, expecting T_FUNCTION or T_CONST Loading history...
91		/**
92		* @var string The tag of the created image.
93		*/
94		public $tag = 'latest';
95
96		/**
97		* @var bool wheter to push successful builds.
98		*/
99		public $push = false;
100
101		/**
102		* @var string Location of composer.json / composer.lock
103		*/
104		public $composerFilePath = '@app/../';
105
106		/**
107		* @var string[] List of console commands that are executed upon container launch.
108		*/
109		public $initializationCommands = [];
110		/**
111		* @return string A PHP-FPM config file.
112		*/
113	4	protected function createFpmConfig()
114		{
115	4	$config = [];
116		// Add global directives.
117	4	$config[] = '[global]';
118	4	foreach ($this->fpmConfig as $key => $value) {
119	4	$config[] = "$key = $value";
120		}
121
122		// Add pool directives.
123	4	$poolConfig = $this->poolConfig;
124	4	foreach ($this->phpConfig as $key => $value) {
125	4	$poolConfig["php_admin_value[$key]"] = $value;
126		}
127
128	4	$config[] = '[www]';
129	4	foreach ($poolConfig as $key => $value) {
130	4	$config[] = "$key = $value";
131		}
132
133	4	return \implode("\n", $config);
134		}
135
136		/**
137		* @return string A shell script that checks for existence of (non-empty) variables and runs php-fpm.
138		*/
139	4	private function createEntrypoint(string $entryScript): string
140		{
141		// Get the route.
142	4	$result = [];
143	4	$result[] = '#!/bin/sh';
144		// Check for variables.
145	4	foreach ($this->environmentVariables as $name) {
146	1	$result[] = \strtr('if [ -z "${name}" -a ! -f "$SECRET_DIR/{name}" ]; then echo "Variable \${name} is required."; exit 1; fi', [
147	1	'{name}' => $name
148		]);
149		}
150
151		// Check if runtime directory is writable.
152	4	$result[] = <<<SH
153		su nobody -s /bin/touch /runtime/testfile && rm /runtime/testfile;
154		if [ $? -ne 0 ]; then
155		echo Runtime directory is not writable;
156		exit 1
157		fi
158		SH;
159
160
161
162		// Check if runtime is a tmpfs.
163	4	$message = Console::ansiFormat('/runtime should really be a tmpfs.', [Console::FG_RED]);
164	4	$result[] = <<<SH
165	4	grep 'tmpfs /runtime' /proc/mounts;
166		if [ $? -ne 0 ]; then
167	4	echo $message;
168		fi
169		SH;
170	4	$result[] = <<<SH
171		su nobody -s /bin/touch /runtime/env.json
172		(test -d \$SECRET_DIR && cd \$SECRET_DIR && find * -type f -exec jq -sR '{(input_filename):.}' {} \; ) \| jq -s 'env+add' > /runtime/env.json
173		if [ $? -ne 0 ]; then
174		echo "failed to store env in /runtime/env.json";
175		exit 1
176		fi
177		SH;
178
179
180	4	foreach ($this->initializationCommands as $route) {
181	1	$result[] = "$entryScript $route --interactive=0 \|\| exit";
182		}
183	4	$result[] = 'exec php-fpm --force-stderr --fpm-config /php-fpm.conf';
184	4	return \implode("\n", $result);
185		}
186
187		/**
188		* @param Context $context The context to use
189		* @param string $version This is stored in the VERSION environment variable.
190		* @param string $sourcePath This is the path where app source is stored, it must be a top level dir, the project root is derived from it
191		* @throws InvalidConfigException
192		*/
193	6	public function createBuildContext(
194		Context $context,
195		string $version,
196		string $sourcePath
197		): void {
198	6	if (!is_dir($sourcePath)) {
199	1	throw new \InvalidArgumentException("$sourcePath does not exist or is not a directory");
200		}
201
202	5	$entryScript = "/project/{$this->getConsoleEntryScript($sourcePath)}";
203
204		/**
205		* BEGIN COMPOSER
206		*/
207	4	$context->command('FROM composer');
208	4	$context->addFile('/build/composer.json', \Yii::getAlias($this->composerFilePath) .'/composer.json');
209
210	4	if (\file_exists(\Yii::getAlias($this->composerFilePath) . '/composer.lock')) {
211	4	$context->addFile('/build/composer.lock', \Yii::getAlias($this->composerFilePath) . '/composer.lock');
212		}
213
214	4	$context->run('cd /build && composer install --no-dev --no-autoloader --ignore-platform-reqs --prefer-dist');
215
216		// Add the actual source code.
217	4	$context->addFile('/build/' . \basename($sourcePath), $sourcePath);
218	4	$context->run('cd /build && composer dumpautoload -o --no-dev');
219		/**
220		* END COMPOSER
221		*/
222
223	4	$context->from($this->baseImage);
224	4	$context->run('apk add --update --no-cache jq');
225	4	$context->addUrl("/usr/local/bin/", "https://raw.githubusercontent.com/mlocati/docker-php-extension-installer/master/install-php-extensions");
226	4	$context->run("chmod +x /usr/local/bin/install-php-extensions");
227	4	$context->run('install-php-extensions ' . implode(' ', $this->extensions));
228	4	$context->run('mkdir /runtime && chown nobody:nobody /runtime');
229	4	$context->volume('/runtime');
230	4	$context->copyFromLayer("/project", "0", "/build");
231
232	4	$context->add('/entrypoint.sh', $this->createEntrypoint($entryScript));
233
234	4	$context->run('chmod +x /entrypoint.sh');
235
236	4	$context->add('/php-fpm.conf', $this->createFpmConfig());
237
238	4	$context->run("php-fpm --force-stderr --fpm-config /php-fpm.conf -t");
239
240	4	$context->entrypoint(["/entrypoint.sh"]);
241
242	4	$context->env('VERSION', $version);
243		// Test if we can run a console command.
244	4	$context->run("[ -f $entryScript ]");
245	4	}
246
247		/**
248		* @throws \InvalidArgumentException in case the app is not configured as expected
249		* @param string $sourcePath the path to the soruce files
250		* @return string the relative path of the (console) entry script with respect to the project (not app) root.
251		*/
252	5	private function getConsoleEntryScript(string $sourcePath): string
253		{
254	5	$full = \array_slice(\debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS), -1)[0]['file'];
255	5	$projectRoot = dirname($sourcePath);
256	5	if (strncmp($projectRoot, $full, strlen($projectRoot)) !== 0) {
257	1	throw new \InvalidArgumentException("The console entry script must be located inside the project root; $full is not in $projectRoot");
258		}
259	4	return \ltrim(substr($full, strlen($projectRoot)), '/');
260		}
261
262
263	3	public function __set($name, $value): void
264		{
265	3	if (\strncmp($name, 'additional', 10) !== 0) {
266	1	parent::__set($name, $value);
267	1	return;
268		}
269
270
271	3	$this->add(\lcfirst(\substr($name, 10)), $value);
272	2	}
273
274	3	private function add($name, array $value): void
275		{
276	3	if (!\property_exists($this, $name)) {
277	1	throw new UnknownPropertyException("Unknown property $name");
278		}
279	2	$this->$name = ArrayHelper::merge($this->$name, $value);
280	2	}
281		}
282

SAM-IT / yii2-phpfpm

GitHub Access Token became invalid

Issues (1)

Security Analysis no request data

src/Module.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like