Issues in ContentParser.php (master) - Issues in master - SemanticMediaWiki/SemanticMediaWiki - Measure and Improve Code Quality continuously with Scrutinizer

Issues (2950)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

includes/ContentParser.php (2 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace SMW;

use Parser;
use ParserOptions;
use Revision;
use Title;
use User;

/**
 * Fetches the ParserOutput either by parsing an invoked text component,
 * re-parsing a text revision, or accessing the ContentHandler to generate a
 * ParserOutput object
 *
 * @ingroup SMW
 *
 * @licence GNU GPL v2+
 * @since 1.9
 *
 * @author mwjames
 */
class ContentParser {

	/** @var Title */
	protected $title;

	/** @var Parser */
	protected $parser = null;

	/** @var ParserOutput */
	protected $parserOutput = null;

	/** @var Revision */
	protected $revision = null;

	/** @var array */
	protected $errors = array();

	/**
	 * @var boolean
	 */
	private $enabledToUseContentHandler = true;

	/**
	 * @var boolean
	 */
	private $skipInTextAnnotationParser = false;

	/**
	 * @note Injecting new Parser() alone will not yield an expected result and
	 * doing new Parser( $GLOBALS['wgParserConf'] brings no benefits therefore
	 * we stick to the GLOBAL as fallback if no parser is injected.
	 *
	 * @since 1.9
	 *
	 * @param Title $title
	 * @param Parser|null $parser
	 */
	public function __construct( Title $title, Parser $parser = null ) {
// Bad
class Router
{
    public function generate($path)
    {
        return $_SERVER['HOST'].$path;
    }
}

// Better
class Router
{
    private $host;

    public function __construct($host)
    {
        $this->host = $host;
    }

    public function generate($path)
    {
        return $this->host.$path;
    }
}

class Controller
{
    public function myAction(Request $request)
    {
        // Instead of
        $page = isset($_GET['page']) ? intval($_GET['page']) : 1;

        // Better (assuming you use the Symfony2 request)
        $page = $request->query->get('page', 1);
    }
}
		$this->title  = $title;
		$this->parser = $parser;

		if ( $this->parser === null ) {
			$this->parser = $GLOBALS['wgParser'];
		}
	}

	/**
	 * @since 2.3
	 *
	 * @return Parser $parser
	 */
	public function setParser( Parser $parser ) {
		$this->parser = $parser;
	}

	/**
	 * @since 1.9.1
	 *
	 * @return ContentParser
	 */
	public function setRevision( Revision $revision = null ) {
		$this->revision = $revision;
		return $this;
	}

	/**
	 * @bug 62856 and #212
	 *
	 * @since 2.0
	 */
	public function forceToUseParser() {
		$this->enabledToUseContentHandler = false;
	}

	/**
	 * @since 1.9
	 *
	 * @return Title
	 */
	public function getTitle() {
		return $this->title;
	}

	/**
	 * @since 1.9
	 *
	 * @return ParserOutput|null
	 */
	public function getOutput() {
		return $this->parserOutput;
	}

	/**
	 * @since 1.9
	 *
	 * @return array
	 */
	public function getErrors() {
		return $this->errors;
	}

	public function skipInTextAnnotationParser() {
		return $this->skipInTextAnnotationParser = true;
	}

	/**
	 * Generates or fetches the ParserOutput object from an appropriate source
	 *
	 * @since 1.9
	 *
	 * @param string|null $text
	 *
	 * @return ContentParser
	 */
	public function parse( $text = null ) {

		if ( $text !== null ) {
			return $this->parseText( $text );
		}

		if ( $this->hasContentHandler() && $this->enabledToUseContentHandler ) {
			return $this->fetchFromContent();
		}

		return $this->fetchFromParser();
	}

	protected function parseText( $text ) {

		$this->parserOutput = $this->parser->parse(
			$text,
			$this->getTitle(),
			$this->makeParserOptions()
		);

		return $this;
	}

	/**
	 * @note Revision ID must be passed to the parser output to
	 * get revision variables correct
	 *
	 * @note If no content is available create an empty object
	 */
	protected function fetchFromContent() {

		if ( $this->getRevision() === null ) {
			return $this->msgForNullRevision();
		}

		$content = $this->getRevision()->getContent( Revision::RAW );

		if ( !$content ) {
			$content = $this->getRevision()->getContentHandler()->makeEmptyContent();
		}

		$this->parserOutput = $content->getParserOutput(
			$this->getTitle(),
			$this->getRevision()->getId(),
			null,
			true
		);

		return $this;
	}

	protected function fetchFromParser() {

		if ( $this->getRevision() === null ) {
			return $this->msgForNullRevision();
		}

		$this->parserOutput = $this->parser->parse(
			$this->getRevision()->getText(),
			$this->getTitle(),
			$this->makeParserOptions(),
			true,
			true,
			$this->getRevision()->getID()
		);

		return $this;
	}

	protected function msgForNullRevision( $fname = __METHOD__ ) {
		$this->errors = array( $fname . " No revision available for {$this->getTitle()->getPrefixedDBkey()}" );
		return $this;
	}

	protected function makeParserOptions() {

		$user = null;

		if ( $this->getRevision() !== null ) {
			$user = User::newFromId( $this->getRevision()->getUser() );
		}

		$parserOptions = new ParserOptions( $user );

		// Use the InterfaceMessage marker to skip InTextAnnotationParser
		// processing
		$parserOptions->setInterfaceMessage( $this->skipInTextAnnotationParser );

		return $parserOptions;
	}

	protected function getRevision() {

		if ( $this->revision instanceof Revision ) {

			return $this->revision;
		}

		// Revision::READ_NORMAL is not specified in MW 1.19
		if ( defined( 'Revision::READ_NORMAL' ) ) {
			$this->revision = Revision::newFromTitle( $this->getTitle(), false, Revision::READ_NORMAL );
		} else {
			$this->revision = Revision::newFromTitle( $this->getTitle() );
		}

		return $this->revision;
	}

	protected function hasContentHandler() {
		return defined( 'CONTENT_MODEL_WIKITEXT' );
	}

}


1		<?php
2
3		namespace SMW;
4
5		use Parser;
6		use ParserOptions;
7		use Revision;
8		use Title;
9		use User;
10
11		/**
12		* Fetches the ParserOutput either by parsing an invoked text component,
13		* re-parsing a text revision, or accessing the ContentHandler to generate a
14		* ParserOutput object
15		*
16		* @ingroup SMW
17		*
18		* @licence GNU GPL v2+
19		* @since 1.9
20		*
21		* @author mwjames
22		*/
23		class ContentParser {
24
25		/** @var Title */
26		protected $title;
27
28		/** @var Parser */
29		protected $parser = null;
30
31		/** @var ParserOutput */
32		protected $parserOutput = null;
33
34		/** @var Revision */
35		protected $revision = null;
36
37		/** @var array */
38		protected $errors = array();
39
40		/**
41		* @var boolean
42		*/
43		private $enabledToUseContentHandler = true;
44
45		/**
46		* @var boolean
47		*/
48		private $skipInTextAnnotationParser = false;
49
50		/**
51		* @note Injecting new Parser() alone will not yield an expected result and
52		* doing new Parser( $GLOBALS['wgParserConf'] brings no benefits therefore
53		* we stick to the GLOBAL as fallback if no parser is injected.
54		*
55		* @since 1.9
56		*
57		* @param Title $title
58		* @param Parser\|null $parser
59		*/
60	54	public function __construct( Title $title, Parser $parser = null ) {
		0 ignored issues – show Coding Style introduced 2015-11-23 10:29 UTC by Report Bug Copy Issue Report Show Similar Issues like this `__construct` uses the super-global variable `$GLOBALS` which is generally not recommended. Instead of super-globals, we recommend to explicitly inject the dependencies of your class. This makes your code less dependent on global state and it becomes generally more testable: // Bad class Router { public function generate($path) { return $_SERVER['HOST'].$path; } } // Better class Router { private $host; public function __construct($host) { $this->host = $host; } public function generate($path) { return $this->host.$path; } } class Controller { public function myAction(Request $request) { // Instead of $page = isset($_GET['page']) ? intval($_GET['page']) : 1; // Better (assuming you use the Symfony2 request) $page = $request->query->get('page', 1); } } Loading history...
61	54	$this->title = $title;
62	54	$this->parser = $parser;
63
64	54	if ( $this->parser === null ) {
65	33	$this->parser = $GLOBALS['wgParser'];
66		}
67	54	}
68
69		/**
70		* @since 2.3
71		*
72		* @return Parser $parser
73		*/
74		public function setParser( Parser $parser ) {
75		$this->parser = $parser;
76		}
77
78		/**
79		* @since 1.9.1
80		*
81		* @return ContentParser
82		*/
83	10	public function setRevision( Revision $revision = null ) {
84	10	$this->revision = $revision;
85	10	return $this;
86		}
87
88		/**
89		* @bug 62856 and #212
90		*
91		* @since 2.0
92		*/
93	1	public function forceToUseParser() {
94	1	$this->enabledToUseContentHandler = false;
95	1	}
96
97		/**
98		* @since 1.9
99		*
100		* @return Title
101		*/
102	53	public function getTitle() {
103	53	return $this->title;
104		}
105
106		/**
107		* @since 1.9
108		*
109		* @return ParserOutput\|null
110		*/
111	49	public function getOutput() {
112	49	return $this->parserOutput;
113		}
114
115		/**
116		* @since 1.9
117		*
118		* @return array
119		*/
120	3	public function getErrors() {
121	3	return $this->errors;
122		}
123
124		public function skipInTextAnnotationParser() {
125		return $this->skipInTextAnnotationParser = true;
126		}
127
128		/**
129		* Generates or fetches the ParserOutput object from an appropriate source
130		*
131		* @since 1.9
132		*
133		* @param string\|null $text
134		*
135		* @return ContentParser
136		*/
137	53	public function parse( $text = null ) {
138
139	53	if ( $text !== null ) {
140	16	return $this->parseText( $text );
141		}
142
143	37	if ( $this->hasContentHandler() && $this->enabledToUseContentHandler ) {
144	33	return $this->fetchFromContent();
145		}
146
147	4	return $this->fetchFromParser();
148		}
149
150	16	protected function parseText( $text ) {
151
152	16	$this->parserOutput = $this->parser->parse(
153		$text,
154	16	$this->getTitle(),
155	16	$this->makeParserOptions()
156		);
157
158	16	return $this;
159		}
160
161		/**
162		* @note Revision ID must be passed to the parser output to
163		* get revision variables correct
164		*
165		* @note If no content is available create an empty object
166		*/
167	33	protected function fetchFromContent() {
168
169	33	if ( $this->getRevision() === null ) {
170	2	return $this->msgForNullRevision();
171		}
172
173	31	$content = $this->getRevision()->getContent( Revision::RAW );
174
175	31	if ( !$content ) {
176	1	$content = $this->getRevision()->getContentHandler()->makeEmptyContent();
177		}
178
179	31	$this->parserOutput = $content->getParserOutput(
180	31	$this->getTitle(),
181	31	$this->getRevision()->getId(),
182	31	null,
183	31	true
184		);
185
186	31	return $this;
187		}
188
189	4	protected function fetchFromParser() {
190
191	4	if ( $this->getRevision() === null ) {
192	2	return $this->msgForNullRevision();
193		}
194
195	2	$this->parserOutput = $this->parser->parse(
196	2	$this->getRevision()->getText(),
197	2	$this->getTitle(),
198	2	$this->makeParserOptions(),
199	2	true,
200	2	true,
201	2	$this->getRevision()->getID()
202		);
203
204	2	return $this;
205		}
206
207	4	protected function msgForNullRevision( $fname = __METHOD__ ) {
208	4	$this->errors = array( $fname . " No revision available for {$this->getTitle()->getPrefixedDBkey()}" );
209	4	return $this;
210		}
211
212	18	protected function makeParserOptions() {
213
214	18	$user = null;
215
216	18	if ( $this->getRevision() !== null ) {
217	3	$user = User::newFromId( $this->getRevision()->getUser() );
218		}
219
220	18	$parserOptions = new ParserOptions( $user );
221
222		// Use the InterfaceMessage marker to skip InTextAnnotationParser
223		// processing
224	18	$parserOptions->setInterfaceMessage( $this->skipInTextAnnotationParser );
225
226	18	return $parserOptions;
227		}
228
229	53	protected function getRevision() {
230
231	53	if ( $this->revision instanceof Revision ) {
		0 ignored issues – show Bug introduced 2015-11-23 10:29 UTC by Report Bug Copy Issue Report Show Similar Issues like this The class `Revision` does not exist. Is this class maybe located in a folder that is not analyzed, or in a newer version of your dependencies than listed in your composer.lock/composer.json? Loading history...
232	34	return $this->revision;
233		}
234
235		// Revision::READ_NORMAL is not specified in MW 1.19
236	48	if ( defined( 'Revision::READ_NORMAL' ) ) {
237	48	$this->revision = Revision::newFromTitle( $this->getTitle(), false, Revision::READ_NORMAL );
238		} else {
239		$this->revision = Revision::newFromTitle( $this->getTitle() );
240		}
241
242	48	return $this->revision;
243		}
244
245	30	protected function hasContentHandler() {
246	30	return defined( 'CONTENT_MODEL_WIKITEXT' );
247		}
248
249		}
250

SemanticMediaWiki / SemanticMediaWiki

Issues (2950)

Security Analysis not enabled

includes/ContentParser.php (2 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like