Issues in WidgetRenderer.php (master) - Issues in master - Victoire/victoire - Measure and Improve Code Quality continuously with Scrutinizer

Issues (1704)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

Bundle/WidgetBundle/Renderer/WidgetRenderer.php (3 issues)

Labels

Bug 1

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace Victoire\Bundle\WidgetBundle\Renderer;

use Doctrine\ORM\EntityManager;
use Symfony\Component\DependencyInjection\Container;
use Victoire\Bundle\BusinessPageBundle\Entity\BusinessPage;
use Victoire\Bundle\BusinessPageBundle\Entity\BusinessTemplate;
use Victoire\Bundle\BusinessPageBundle\Helper\BusinessPageHelper;
use Victoire\Bundle\CoreBundle\DataCollector\VictoireCollector;
use Victoire\Bundle\CoreBundle\Entity\View;
use Victoire\Bundle\CoreBundle\Event\WidgetRenderEvent;
use Victoire\Bundle\CoreBundle\VictoireCmsEvents;
use Victoire\Bundle\ORMBusinessEntityBundle\Entity\ORMBusinessEntity;
use Victoire\Bundle\WidgetBundle\Cache\WidgetCache;
use Victoire\Bundle\WidgetBundle\Entity\Widget;
use Victoire\Bundle\WidgetBundle\Helper\WidgetHelper;
use Victoire\Bundle\WidgetMapBundle\Helper\WidgetMapHelper;

class WidgetRenderer

{
    private $container;
    /**
     * @var WidgetCache
     */
    private $widgetCache;
    /**
     * @var WidgetHelper
     */
    private $widgetHelper;
    /**
     * @var VictoireCollector
     */
    private $victoireCollector;
    /**
     * @var BusinessPageHelper
     */
    private $bepHelper;

    /**
     * WidgetRenderer constructor.
     *
     * @param Container          $container
     * @param WidgetCache        $widgetCache
     * @param WidgetHelper       $widgetHelper
     * @param VictoireCollector  $victoireCollector
     * @param BusinessPageHelper $bepHelper
     *
     * @internal param Client $redis
     */
    public function __construct(Container $container, WidgetCache $widgetCache, WidgetHelper $widgetHelper, VictoireCollector $victoireCollector, BusinessPageHelper $bepHelper)
    {
        $this->container = $container;
        $this->widgetCache = $widgetCache;
        $this->widgetHelper = $widgetHelper;
        $this->victoireCollector = $victoireCollector;
        $this->bepHelper = $bepHelper;
    }

    /**
     * render the Widget.
     *
     * @param Widget $widget
     * @param View   $view
     *
     * @return widget show
     */
    public function render(Widget $widget, View $view)
    {
        //the mode of display of the widget
        $mode = $widget->getMode();

        //if entity is given and it's not the object, retrieve it and set the entity for the widget
        if ($mode == Widget::MODE_BUSINESS_ENTITY && $view instanceof BusinessPage) {
            $widget->setEntity($view->getEntity());
        } elseif ($view instanceof BusinessTemplate) {
            //We'll try to find a sample entity to mock the widget behavior
            /** @var EntityManager $entityManager */
            $entityManager = $this->container->get('doctrine.orm.entity_manager');
            if ($view->getBusinessEntity()->getType() === ORMBusinessEntity::TYPE) {
                if ($mock = $this->bepHelper->getEntitiesAllowedQueryBuilder($view, $entityManager)->setMaxResults(1)->getQuery()->getOneOrNullResult()) {
                    $widget->setEntity($mock);
                }
            }
        }

        //the templating service
        $templating = $this->container->get('templating');

        //the content of the widget

        $parameters = $this->container->get('victoire_widget.widget_content_resolver')->getWidgetContent($widget);
        /*
         * In some cases, for example, WidgetRender in BusinessEntity mode with magic variables {{entity.id}} transformed
         * into the real business entity id, then if in the rendered action, we need to flush, it would persist the
         * modified widget which really uncomfortable ;)
         */
        if ($widget->getMode() == Widget::MODE_BUSINESS_ENTITY) {
            $this->container->get('doctrine.orm.entity_manager')->refresh($widget);
        }

        //the template displayed is in the widget bundle (with the potential theme)
        $showView = 'show'.ucfirst($widget->getTheme());
        $templateName = $this->container->get('victoire_widget.widget_helper')->getTemplateName($showView, $widget);

        return $templating->render($templateName, $parameters);
    }

    /**
     * render a widget.
     *
     * @param Widget $widget
     * @param View   $view
     *
     * @return string
     */
    public function renderContainer(Widget $widget, View $view)
    {
        $dispatcher = $this->container->get('event_dispatcher');

        $dispatcher->dispatch(VictoireCmsEvents::WIDGET_PRE_RENDER, new WidgetRenderEvent($widget));

        $widgetMap = WidgetMapHelper::getWidgetMapByWidgetAndView($widget, $view);

        $directive = '';
        if ($this->container->get('security.authorization_checker')->isGranted('ROLE_VICTOIRE')) {
            $directive = 'widget';
        }

        $id = 'vic-widget-'.$widget->getId().'-container';

        $html = sprintf('<div %s widget-map="%s" id="%s" class="vic-widget-container" data-id="%s">', $directive, $widgetMap->getId(), $id, $widget->getId());
class A
{
    public function foo() { }
}

class B extends A
{
    public function bar() { }
}

/**
 * @param A|B $x
 */
function someFunction($x)
{
    $x->foo(); // This call is fine as the method exists in A and B.
    $x->bar(); // This method only exists in B and might cause an error.
}

        if ($this->widgetHelper->isCacheEnabled($widget)) {
            $content = $this->widgetCache->fetch($widget);
            if (null === $content) {
                $content = $this->render($widget, $view);
                $this->widgetCache->save($widget, $content);
            } else {
                $this->victoireCollector->addCachedWidget($widget);
            }
        } else {
            $content = $this->render($widget, $view);
        }
        $html .= $content;
        $html .= '</div>'; //close container

        $dispatcher->dispatch(VictoireCmsEvents::WIDGET_POST_RENDER, new WidgetRenderEvent($widget, $html));

        return $html;
    }

    /**
     * prepare a widget to be rendered asynchronously.
     *
     * @param int $widgetId
     *
     * @return string
     */
    public function prepareAsynchronousRender($widgetId)
    {
        $ngControllerName = 'widget'.$widgetId.'AsynchronousLoadCtrl';
        $ngDirectives = sprintf('ng-controller="WidgetAsynchronousLoadController as %s" class="vic-widget" ng-init="%s.init(%d)" ng-bind-html="html"', $ngControllerName, $ngControllerName, $widgetId);
        $html = sprintf('<div class="vic-widget-container vic-widget-asynchronous" data-id="%d" %s></div>', $widgetId, $ngDirectives);

        return $html;
    }

    /**
     * render widget unlink action.
     *
     * @param int  $widgetId
     * @param View $view
     *
     * @return string
     */
    public function renderUnlinkActionByWidgetId($widgetId, $view)
    {
        return $this->container->get('templating')->render(
            'VictoireCoreBundle:Widget:widgetUnlinkAction.html.twig',
            [
                'widgetId' => $widgetId,
                'view'     => $view,
            ]
        );
    }

    /**
     * Compute slot options.
     *
     * @param int   $slotId
     * @param array $options
     *
     * @return string
     */
    public function computeOptions($slotId, $options = [])
    {
        $slots = $this->container->getParameter('victoire_core.slots');

        $availableWidgets = $this->container->getParameter('victoire_core.widgets');
        $widgets = [];

        //If the slot is declared in config
        if (!empty($slots[$slotId]) && !empty($slots[$slotId]['widgets'])) {
            //parse declared widgets
            $slotWidgets = array_keys($slots[$slotId]['widgets']);
        } elseif (!empty($options['availableWidgets'])) {
            $slotWidgets = $options['availableWidgets'];
        } else {
            //parse all widgets
            $slotWidgets = array_keys($availableWidgets);
        }

        foreach ($slotWidgets as $slotWidget) {
            $widgetParams = $availableWidgets[$slotWidget];
            $widgets[$slotWidget]['params'] = $widgetParams;
        }
        $slots[$slotId]['availableWidgets'] = $widgets;
        if (isset($options['max'])) {
            $slots[$slotId]['max'] = $options['max'];
        }

        return $slots[$slotId];
    }

    /**

     * Get the extra classes for the css.
     *
     * @return string The classes
     */
    public function getExtraCssClass(Widget $widget)
    {
        $cssClass = 'v-widget--'.strtolower($this->container->get('victoire_widget.widget_helper')->getWidgetName($widget));

        return $cssClass;
    }
}


Issues (1704)

Security Analysis not enabled

Bundle/WidgetBundle/Renderer/WidgetRenderer.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Available Fixes

1			<?php
2
3			namespace Victoire\Bundle\WidgetBundle\Renderer;
4
5			use Doctrine\ORM\EntityManager;
6			use Symfony\Component\DependencyInjection\Container;
7			use Victoire\Bundle\BusinessPageBundle\Entity\BusinessPage;
8			use Victoire\Bundle\BusinessPageBundle\Entity\BusinessTemplate;
9			use Victoire\Bundle\BusinessPageBundle\Helper\BusinessPageHelper;
10			use Victoire\Bundle\CoreBundle\DataCollector\VictoireCollector;
11			use Victoire\Bundle\CoreBundle\Entity\View;
12			use Victoire\Bundle\CoreBundle\Event\WidgetRenderEvent;
13			use Victoire\Bundle\CoreBundle\VictoireCmsEvents;
14			use Victoire\Bundle\ORMBusinessEntityBundle\Entity\ORMBusinessEntity;
15			use Victoire\Bundle\WidgetBundle\Cache\WidgetCache;
16			use Victoire\Bundle\WidgetBundle\Entity\Widget;
17			use Victoire\Bundle\WidgetBundle\Helper\WidgetHelper;
18			use Victoire\Bundle\WidgetMapBundle\Helper\WidgetMapHelper;
19
20			class WidgetRenderer
			0 ignored issues – show introduced 2017-03-21 09:25 UTC by Report Bug Copy Issue Report Show Similar Issues like this Missing class doc comment Loading history...
21			{
22			private $container;
23			/**
24			* @var WidgetCache
25			*/
26			private $widgetCache;
27			/**
28			* @var WidgetHelper
29			*/
30			private $widgetHelper;
31			/**
32			* @var VictoireCollector
33			*/
34			private $victoireCollector;
35			/**
36			* @var BusinessPageHelper
37			*/
38			private $bepHelper;
39
40			/**
41			* WidgetRenderer constructor.
42			*
43			* @param Container $container
44			* @param WidgetCache $widgetCache
45			* @param WidgetHelper $widgetHelper
46			* @param VictoireCollector $victoireCollector
47			* @param BusinessPageHelper $bepHelper
48			*
49			* @internal param Client $redis
50			*/
51			public function __construct(Container $container, WidgetCache $widgetCache, WidgetHelper $widgetHelper, VictoireCollector $victoireCollector, BusinessPageHelper $bepHelper)
52			{
53			$this->container = $container;
54			$this->widgetCache = $widgetCache;
55			$this->widgetHelper = $widgetHelper;
56			$this->victoireCollector = $victoireCollector;
57			$this->bepHelper = $bepHelper;
58			}
59
60			/**
61			* render the Widget.
62			*
63			* @param Widget $widget
64			* @param View $view
65			*
66			* @return widget show
67			*/
68			public function render(Widget $widget, View $view)
69			{
70			//the mode of display of the widget
71			$mode = $widget->getMode();
72
73			//if entity is given and it's not the object, retrieve it and set the entity for the widget
74			if ($mode == Widget::MODE_BUSINESS_ENTITY && $view instanceof BusinessPage) {
75			$widget->setEntity($view->getEntity());
76			} elseif ($view instanceof BusinessTemplate) {
77			//We'll try to find a sample entity to mock the widget behavior
78			/** @var EntityManager $entityManager */
79			$entityManager = $this->container->get('doctrine.orm.entity_manager');
80			if ($view->getBusinessEntity()->getType() === ORMBusinessEntity::TYPE) {
81			if ($mock = $this->bepHelper->getEntitiesAllowedQueryBuilder($view, $entityManager)->setMaxResults(1)->getQuery()->getOneOrNullResult()) {
82			$widget->setEntity($mock);
83			}
84			}
85			}
86
87			//the templating service
88			$templating = $this->container->get('templating');
89
90			//the content of the widget
91
92			$parameters = $this->container->get('victoire_widget.widget_content_resolver')->getWidgetContent($widget);
93			/*
94			* In some cases, for example, WidgetRender in BusinessEntity mode with magic variables {{entity.id}} transformed
95			* into the real business entity id, then if in the rendered action, we need to flush, it would persist the
96			* modified widget which really uncomfortable ;)
97			*/
98			if ($widget->getMode() == Widget::MODE_BUSINESS_ENTITY) {
99			$this->container->get('doctrine.orm.entity_manager')->refresh($widget);
100			}
101
102			//the template displayed is in the widget bundle (with the potential theme)
103			$showView = 'show'.ucfirst($widget->getTheme());
104			$templateName = $this->container->get('victoire_widget.widget_helper')->getTemplateName($showView, $widget);
105
106			return $templating->render($templateName, $parameters);
107			}
108
109			/**
110			* render a widget.
111			*
112			* @param Widget $widget
113			* @param View $view
114			*
115			* @return string
116			*/
117			public function renderContainer(Widget $widget, View $view)
118			{
119			$dispatcher = $this->container->get('event_dispatcher');
120
121			$dispatcher->dispatch(VictoireCmsEvents::WIDGET_PRE_RENDER, new WidgetRenderEvent($widget));
122
123			$widgetMap = WidgetMapHelper::getWidgetMapByWidgetAndView($widget, $view);
124
125			$directive = '';
126			if ($this->container->get('security.authorization_checker')->isGranted('ROLE_VICTOIRE')) {
127			$directive = 'widget';
128			}
129
130			$id = 'vic-widget-'.$widget->getId().'-container';
131
132			$html = sprintf('<div %s widget-map="%s" id="%s" class="vic-widget-container" data-id="%s">', $directive, $widgetMap->getId(), $id, $widget->getId());
			0 ignored issues – show Bug introduced 2016-02-27 16:13 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `getId` does only exist in `Victoire\Bundle\WidgetMapBundle\Entity\WidgetMap`, but not in `Victoire\Bundle\WidgetMa...getMapNotFoundException`. It seems like the method you are trying to call exists only in some of the possible types. Let’s take a look at an example: class A { public function foo() { } } class B extends A { public function bar() { } } /** * @param A\|B $x / function someFunction($x) { $x->foo(); // This call is fine as the method exists in A and B. $x->bar(); // This method only exists in B and might cause an error. } Available Fixes Add an additional type-check: /* * @param A\|B $x / function someFunction($x) { $x->foo(); if ($x instanceof B) { $x->bar(); } } Only allow a single type to be passed if the variable comes from a parameter: function someFunction(B $x) { /* ... */ } Loading history...
133
134			if ($this->widgetHelper->isCacheEnabled($widget)) {
135			$content = $this->widgetCache->fetch($widget);
136			if (null === $content) {
137			$content = $this->render($widget, $view);
138			$this->widgetCache->save($widget, $content);
139			} else {
140			$this->victoireCollector->addCachedWidget($widget);
141			}
142			} else {
143			$content = $this->render($widget, $view);
144			}
145			$html .= $content;
146			$html .= '</div>'; //close container
147
148			$dispatcher->dispatch(VictoireCmsEvents::WIDGET_POST_RENDER, new WidgetRenderEvent($widget, $html));
149
150			return $html;
151			}
152
153			/**
154			* prepare a widget to be rendered asynchronously.
155			*
156			* @param int $widgetId
157			*
158			* @return string
159			*/
160			public function prepareAsynchronousRender($widgetId)
161			{
162			$ngControllerName = 'widget'.$widgetId.'AsynchronousLoadCtrl';
163			$ngDirectives = sprintf('ng-controller="WidgetAsynchronousLoadController as %s" class="vic-widget" ng-init="%s.init(%d)" ng-bind-html="html"', $ngControllerName, $ngControllerName, $widgetId);
164			$html = sprintf('<div class="vic-widget-container vic-widget-asynchronous" data-id="%d" %s></div>', $widgetId, $ngDirectives);
165
166			return $html;
167			}
168
169			/**
170			* render widget unlink action.
171			*
172			* @param int $widgetId
173			* @param View $view
174			*
175			* @return string
176			*/
177			public function renderUnlinkActionByWidgetId($widgetId, $view)
178			{
179			return $this->container->get('templating')->render(
180			'VictoireCoreBundle:Widget:widgetUnlinkAction.html.twig',
181			[
182			'widgetId' => $widgetId,
183			'view' => $view,
184			]
185			);
186			}
187
188			/**
189			* Compute slot options.
190			*
191			* @param int $slotId
192			* @param array $options
193			*
194			* @return string
195			*/
196			public function computeOptions($slotId, $options = [])
197			{
198			$slots = $this->container->getParameter('victoire_core.slots');
199
200			$availableWidgets = $this->container->getParameter('victoire_core.widgets');
201			$widgets = [];
202
203			//If the slot is declared in config
204			if (!empty($slots[$slotId]) && !empty($slots[$slotId]['widgets'])) {
205			//parse declared widgets
206			$slotWidgets = array_keys($slots[$slotId]['widgets']);
207			} elseif (!empty($options['availableWidgets'])) {
208			$slotWidgets = $options['availableWidgets'];
209			} else {
210			//parse all widgets
211			$slotWidgets = array_keys($availableWidgets);
212			}
213
214			foreach ($slotWidgets as $slotWidget) {
215			$widgetParams = $availableWidgets[$slotWidget];
216			$widgets[$slotWidget]['params'] = $widgetParams;
217			}
218			$slots[$slotId]['availableWidgets'] = $widgets;
219			if (isset($options['max'])) {
220			$slots[$slotId]['max'] = $options['max'];
221			}
222
223			return $slots[$slotId];
224			}
225
226			/**
			0 ignored issues – show introduced 2017-03-21 09:25 UTC by Report Bug Copy Issue Report Show Similar Issues like this Doc comment for parameter "$widget" missing Loading history...
227			* Get the extra classes for the css.
228			*
229			* @return string The classes
230			*/
231			public function getExtraCssClass(Widget $widget)
232			{
233			$cssClass = 'v-widget--'.strtolower($this->container->get('victoire_widget.widget_helper')->getWidgetName($widget));
234
235			return $cssClass;
236			}
237			}
238

Victoire / victoire

Issues (1704)

Security Analysis not enabled

Bundle/WidgetBundle/Renderer/WidgetRenderer.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Available Fixes

Duplication Side-by-Side

Filter issues like