Issues in Module.php (master) - Issues in master - SamsonPHP/view - Measure and Improve Code Quality continuously with Scrutinizer

Issues (1)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Module.php (1 issue)

Labels

Unused Code 1

Severity

Minor 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * Created by Vitaly Iegorov <[email protected]>.
 * on 21.02.16 at 14:14
 */
namespace samsonphp\view;

use samsonframework\core\ResourcesInterface;
use samsonframework\core\SystemInterface;
use samsonframework\view\Generator;
use samsonphp\Event\Event;

/**
 * SamsonPHP view module
 * @package samsonphp\view
 */
class Module extends \samson\core\ExternalModule implements \samsonframework\core\CompressInterface
{
    /** View handling events */
    const EVENT_VIEW_HANDLER = 'samsonphp.view.handler';
    const EVENT_VIEW_COMPRESSION = 'samsonphp.view.compression';

    /** Pattern for compressing $this->src() calls with resource path */
    const SRC_COMPRESSION_PATTERN = '/(<\?=|<\?php\s*echo)\s*\$this->src\(\s*(\'|\")\s*\/?(src|www)\/(?<path>[^\'\"]+)(\'|\")\s*\);?\s*\?>/';
    /** Pattern for replacing $this->src() calls with controller url */
    const SRC_PATTERN = '/(<\?=|<\?php\s*echo\s*\(?)\s*\$this->src\(\s*(\'|\")(?<path>[^\'\"]+)(\'|\")\s*\);?\s*\?>/';

    /** @var Generator */
    protected $generator;

    /**
     * Module constructor.
     *
     * @param string             $path
     * @param ResourcesInterface $resources
     * @param SystemInterface    $system
     * @param Generator          $generator
     */
    public function __construct($path, ResourcesInterface $resources, SystemInterface $system, Generator $generator = null)
    {
        parent::__construct($path, $resources, $system);

        $this->generator = isset($generator)
            ? $generator
            : new Generator(
                new \samsonphp\generator\Generator(),
                'view',
                array('\www', '\view'),
                View::class
            );

        // Register View class file autoloader
        spl_autoload_register(array($this, 'autoload'));
    }

    /**
     * This method should be used to override generic compression logic.
     *
     * @param mixed $obj Pointer to compressor instance
     * @param array|null $code Collection of already compressed code
     *
     * @return bool False if generic compression needs to be avoided
     */
    public function beforeCompress(&$obj = null, array &$code = null)
    {

    }

    /**
     * This method is called after generic compression logic has finished.
     *
     * @param mixed      $obj  Pointer to compressor instance
     * @param array|null $code Collection of already compressed code
     *
     * @return bool False if generic compression needs to be avoided
     */
    public function afterCompress(&$obj = null, array &$code = null)
    {
        $this->generator->generate($this->cache_path, array($this, 'compressionHandler'));
        // Iterate through generated php code
        foreach ($this->generator->metadata as $file => $metadata) {
            // Compress generated php code
            $obj->compress_php($metadata->generatedPath, $this, $code, $metadata->namespace);
        }
    }

    /**
     * Generator view code handler.
     *
     * @param string $viewCode Source view code
     *
     * @return string Modified view code
     */
    public function viewHandler($viewCode)
    {
        // Fire event
        Event::fire(self::EVENT_VIEW_HANDLER, array(&$viewCode));

        // Find all paths to intermediate controller
        if (preg_match_all(self::SRC_PATTERN, $viewCode, $matches)) {
            for ($i = 0, $size = count($matches['path']); $i < $size; $i++) {
                // Remove function call just leave path related to src(for modules) or www(for local)
                $viewCode = str_replace($matches[0][$i], '/' . STATIC_RESOURCE_HANDLER . '/?p=' . $matches['path'][$i], $viewCode);
            }
        }

        // Return modified view code
        return $viewCode;
    }

    /**
     * Compression view code handler.
     *
     * @param string $viewCode Source view code
     *
     * @return string Modified view code
     */
    public function compressionHandler($viewCode)
    {
        // Fire event
        Event::fire(self::EVENT_VIEW_COMPRESSION, array(&$viewCode));

        // Find all paths to intermediate controller
        if (preg_match_all(self::SRC_COMPRESSION_PATTERN, $viewCode, $matches)) {
            for ($i = 0, $size = count($matches['path']); $i < $size; $i++) {
                // Remove function call just leave path related to src(for modules) or www(for local)
                $viewCode = str_replace($matches[0][$i], $matches['path'][$i], $viewCode);
            }
        }

        // Return modified view code
        return $viewCode;
    }

    /**
     * Help autoloading view classes as we know where we store them.
     *
     * @param string $class View class name for searching
     */
    public function autoload($class)
    {
        $classPath = $this->cache_path.str_replace('\\', '/', $class).'.php';
        if (file_exists($classPath)) {
            require_once($classPath);
        }
    }

    /**
     * Module preparation stage.
     * This function called after module instance creation but before
     * initialization stage.
     *
     * @param array $params Preparation stage parameters
     *
     * @return bool|void Preparation stage result
     */
    public function prepare(array $params = array())
    {
        $this->generator->scan(__SAMSON_CWD__.'/src');
        //$this->generator->scan(__SAMSON_CWD__.'/app');
        $signature = $this->generator->hash();

        if ($this->cache_refresh($signature)) {
            $this->generator->generate($this->cache_path, array($this, 'viewHandler'));
            // Store cache file
            file_put_contents($signature, '');
        }

        // Add system static variable to all classes
        require_once 'View.php';
        View::$system = &$this->system;

        // Continue parent logic
        return parent::prepare($params);

    }
}


1			<?php
2			/**
3			* Created by Vitaly Iegorov <[email protected]>.
4			* on 21.02.16 at 14:14
5			*/
6			namespace samsonphp\view;
7
8			use samsonframework\core\ResourcesInterface;
9			use samsonframework\core\SystemInterface;
10			use samsonframework\view\Generator;
11			use samsonphp\Event\Event;
12
13			/**
14			* SamsonPHP view module
15			* @package samsonphp\view
16			*/
17			class Module extends \samson\core\ExternalModule implements \samsonframework\core\CompressInterface
18			{
19			/** View handling events */
20			const EVENT_VIEW_HANDLER = 'samsonphp.view.handler';
21			const EVENT_VIEW_COMPRESSION = 'samsonphp.view.compression';
22
23			/** Pattern for compressing $this->src() calls with resource path */
24			const SRC_COMPRESSION_PATTERN = '/(<\?=\|<\?php\secho)\s\$this->src\(\s(\'\|\")\s\/?(src\|www)\/(?<path>[^\'\"]+)(\'\|\")\s\);?\s\?>/';
25			/** Pattern for replacing $this->src() calls with controller url */
26			const SRC_PATTERN = '/(<\?=\|<\?php\secho\s\(?)\s\$this->src\(\s(\'\|\")(?<path>[^\'\"]+)(\'\|\")\s\);?\s\?>/';
27
28			/** @var Generator */
29			protected $generator;
30
31			/**
32			* Module constructor.
33			*
34			* @param string $path
35			* @param ResourcesInterface $resources
36			* @param SystemInterface $system
37			* @param Generator $generator
38			*/
39			public function __construct($path, ResourcesInterface $resources, SystemInterface $system, Generator $generator = null)
40			{
41			parent::__construct($path, $resources, $system);
42
43			$this->generator = isset($generator)
44			? $generator
45			: new Generator(
46			new \samsonphp\generator\Generator(),
47			'view',
48			array('\www', '\view'),
49			View::class
50			);
51
52			// Register View class file autoloader
53			spl_autoload_register(array($this, 'autoload'));
54			}
55
56			/**
57			* This method should be used to override generic compression logic.
58			*
59			* @param mixed $obj Pointer to compressor instance
60			* @param array\|null $code Collection of already compressed code
61			*
62			* @return bool False if generic compression needs to be avoided
63			*/
64			public function beforeCompress(&$obj = null, array &$code = null)
65			{
66
67			}
68
69			/**
70			* This method is called after generic compression logic has finished.
71			*
72			* @param mixed $obj Pointer to compressor instance
73			* @param array\|null $code Collection of already compressed code
74			*
75			* @return bool False if generic compression needs to be avoided
76			*/
77			public function afterCompress(&$obj = null, array &$code = null)
78			{
79			$this->generator->generate($this->cache_path, array($this, 'compressionHandler'));
80			// Iterate through generated php code
81			foreach ($this->generator->metadata as $file => $metadata) {
82			// Compress generated php code
83			$obj->compress_php($metadata->generatedPath, $this, $code, $metadata->namespace);
84			}
85			}
86
87			/**
88			* Generator view code handler.
89			*
90			* @param string $viewCode Source view code
91			*
92			* @return string Modified view code
93			*/
94			public function viewHandler($viewCode)
95			{
96			// Fire event
97			Event::fire(self::EVENT_VIEW_HANDLER, array(&$viewCode));
98
99			// Find all paths to intermediate controller
100			if (preg_match_all(self::SRC_PATTERN, $viewCode, $matches)) {
101			for ($i = 0, $size = count($matches['path']); $i < $size; $i++) {
102			// Remove function call just leave path related to src(for modules) or www(for local)
103			$viewCode = str_replace($matches[0][$i], '/' . STATIC_RESOURCE_HANDLER . '/?p=' . $matches['path'][$i], $viewCode);
104			}
105			}
106
107			// Return modified view code
108			return $viewCode;
109			}
110
111			/**
112			* Compression view code handler.
113			*
114			* @param string $viewCode Source view code
115			*
116			* @return string Modified view code
117			*/
118			public function compressionHandler($viewCode)
119			{
120			// Fire event
121			Event::fire(self::EVENT_VIEW_COMPRESSION, array(&$viewCode));
122
123			// Find all paths to intermediate controller
124			if (preg_match_all(self::SRC_COMPRESSION_PATTERN, $viewCode, $matches)) {
125			for ($i = 0, $size = count($matches['path']); $i < $size; $i++) {
126			// Remove function call just leave path related to src(for modules) or www(for local)
127			$viewCode = str_replace($matches[0][$i], $matches['path'][$i], $viewCode);
128			}
129			}
130
131			// Return modified view code
132			return $viewCode;
133			}
134
135			/**
136			* Help autoloading view classes as we know where we store them.
137			*
138			* @param string $class View class name for searching
139			*/
140			public function autoload($class)
141			{
142			$classPath = $this->cache_path.str_replace('\\', '/', $class).'.php';
143			if (file_exists($classPath)) {
144			require_once($classPath);
145			}
146			}
147
148			/**
149			* Module preparation stage.
150			* This function called after module instance creation but before
151			* initialization stage.
152			*
153			* @param array $params Preparation stage parameters
154			*
155			* @return bool\|void Preparation stage result
156			*/
157			public function prepare(array $params = array())
158			{
159			$this->generator->scan(__SAMSON_CWD__.'/src');
160			//$this->generator->scan(__SAMSON_CWD__.'/app');
161			$signature = $this->generator->hash();
162
163			if ($this->cache_refresh($signature)) {
164			$this->generator->generate($this->cache_path, array($this, 'viewHandler'));
165			// Store cache file
166			file_put_contents($signature, '');
167			}
168
169			// Add system static variable to all classes
170			require_once 'View.php';
171			View::$system = &$this->system;
172
173			// Continue parent logic
174			return parent::prepare($params);
			0 ignored issues – show Unused Code introduced 2016-02-21 13:49 UTC by Report Bug Copy Issue Report Show Similar Issues like this The call to `ExternalModule::prepare()` has too many arguments starting with `$params`. This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue. If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress. In this case you can add the `@ignore` PhpDoc annotation to the duplicate definition and it will be ignored. Loading history...
175			}
176			}
177

SamsonPHP / view

Issues (1)

Security Analysis no request data

src/Module.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like