Issues (80)

Security Analysis: not enabled

This project does not seem to handle request data directly, so no vulnerable execution paths were found.

  File Inclusion
File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.
  Regex Injection
Regex Injection enables an attacker to execute arbitrary code in your PHP process.
  SQL Injection
SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.
  Response Splitting
Response Splitting can be used to send arbitrary responses.
  File Manipulation
File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.
  Object Injection
Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.
  File Exposure
File Exposure allows an attacker to gain access to local files that they should not be able to access. These files can, for example, include database credentials or other configuration files.
  XML Injection
XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.
  Code Injection
Code Injection enables an attacker to execute arbitrary code on the server.
  Variable Injection
Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.
  XPath Injection
XPath Injection enables an attacker to modify which parts of an XML document are read. If that XML document is, for example, used for authentication, this can lead to further vulnerabilities similar to SQL Injection.
  Other Vulnerability
This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.
  Command Injection
Command Injection enables an attacker to inject a shell command that is executed with the privileges of the web server. This can be used to expose sensitive data or to gain access to your server.
  LDAP Injection
LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.
  Cross-Site Scripting
Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.
  Header Injection
Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

class/Common/SysUtility.php (6 issues)

<?php

declare(strict_types=1);

namespace XoopsModules\Rssfit\Common;

/*
 Utility Class Definition

 You may not change or alter any portion of this comment or credits of
 supporting developers from this source code or any supporting source code
 which is considered copyrighted (c) material of the original comment or credit
 authors.

 This program is distributed in the hope that it will be useful, but
 WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 */

/**
 *
 * @license      https://www.fsf.org/copyleft/gpl.html GNU public license
 * @copyright    https://xoops.org 2000-2020 &copy; XOOPS Project
 * @author       ZySpec <[email protected]>
 * @author       Mamba <[email protected]>
 */

use Xmf\Request;
use XoopsFormEditor;
use XoopsModules\Rssfit\{
    Helper
};

/**
 * Class SysUtility
 */
class SysUtility
{
    use VersionChecks;
    // Scrutinizer issue: The trait XoopsModules\Rssfit\Common\VersionChecks requires some properties which are not provided by XoopsModules\Rssfit\Common\SysUtility: $tag_name, $prerelease

    //checkVerXoops, checkVerPhp Traits

    use ServerStats;

    // getServerStats Trait

    use FilesManagement;

    // Files Management Trait
    //    use ModuleStats;    // ModuleStats Trait

    //--------------- Common module methods -----------------------------

    /**
     * Access the only instance of this class
     *
     *
     */
    public static function getInstance(): SysUtility
    {
        static $instance;
        if (null === $instance) {
            $instance = new static();
        }

        return $instance;
    }

    public static function selectSorting(string $text, string $form_sort): string
    {
        global $start, $order, $sort;

        $selectView   = '';
        // Scrutinizer issue: The assignment to $selectView is dead and can be removed.
        $helper        = Helper::getInstance();

        //$pathModIcon16 = XOOPS_URL . '/modules/' . $moduleDirName . '/' . $helper->getConfig('modicons16');
        $pathModIcon16 = $helper->url($helper->getModule()->getInfo('modicons16'));
        // Scrutinizer issue: It seems like $helper->getModule()->getInfo('modicons16') can also be of type array; however, parameter $url of Xmf\Module\Helper\GenericHelper::url() does only seem to accept string, maybe add an additional type check? (Ignorable by Annotation)
        // If this is a false-positive, the issue can be ignored in the code via the ignore-type annotation:
        //     $pathModIcon16 = $helper->url(/** @scrutinizer ignore-type */ $helper->getModule()->getInfo('modicons16'));

        $selectView = '<form name="form_switch" id="form_switch" action="' . Request::getString('REQUEST_URI', '', 'SERVER') . '" method="post"><span style="font-weight: bold;">' . $text . '</span>';
        //$sorts =  $sort ==  'asc' ? 'desc' : 'asc';
        if ($form_sort == $sort) {
            $sel1 = 'asc' === $order ? 'selasc.png' : 'asc.png';
            $sel2 = 'desc' === $order ? 'seldesc.png' : 'desc.png';
        } else {
            $sel1 = 'asc.png';
            $sel2 = 'desc.png';
        }
        $selectView .= '  <a href="' . Request::getString('SCRIPT_NAME', '', 'SERVER') . '?start=' . $start . '&sort=' . $form_sort . '&order=asc"><img src="' . $pathModIcon16 . '/' . $sel1 . '" title="ASC" alt="ASC"></a>';
        $selectView .= '<a href="' . Request::getString('SCRIPT_NAME', '', 'SERVER') . '?start=' . $start . '&sort=' . $form_sort . '&order=desc"><img src="' . $pathModIcon16 . '/' . $sel2 . '" title="DESC" alt="DESC"></a>';
        $selectView .= '</form>';

        return $selectView;
    }

    /***************Blocks***************/
    public static function blockAddCatSelect(array $cats): string
    {
        $catSql = '';
        if (!empty($cats)) {
            $catSql = '(' . \current($cats);
            \array_shift($cats);
            foreach ($cats as $cat) {
                $catSql .= ',' . $cat;
            }
            $catSql .= ')';
        }

        return $catSql;
    }

    public static function metaKeywords(string $content): void
    {
        global $xoopsTpl, $xoTheme;
        $myts    = \MyTextSanitizer::getInstance();
        $content = $myts->undoHtmlSpecialChars($myts->displayTarea($content));
        if (\is_object($xoTheme)) {
            $xoTheme->addMeta('meta', 'keywords', \strip_tags($content));
        } else {    // Compatibility for old Xoops versions
            $xoopsTpl->assign('xoops_metaKeywords', \strip_tags($content));
        }
    }

    public static function metaDescription(string $content): void
    {
        global $xoopsTpl, $xoTheme;
        $myts    = \MyTextSanitizer::getInstance();
        $content = $myts->undoHtmlSpecialChars($myts->displayTarea($content));
        if (\is_object($xoTheme)) {
            $xoTheme->addMeta('meta', 'description', \strip_tags($content));
        } else {    // Compatibility for old Xoops versions
            $xoopsTpl->assign('xoops_metaDescription', \strip_tags($content));
        }
    }

    public static function enumerate(string $tableName, string $columnName): ?array
    {
        $table = $GLOBALS['xoopsDB']->prefix($tableName);

        //    $result = $GLOBALS['xoopsDB']->query("SELECT COLUMN_TYPE FROM INFORMATION_SCHEMA.COLUMNS
        //        WHERE TABLE_NAME = '" . $table . "' AND COLUMN_NAME = '" . $columnName . "'")
        //    || exit ($GLOBALS['xoopsDB']->error());

        $sql    = 'SELECT COLUMN_TYPE FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = "' . $table . '" AND COLUMN_NAME = "' . $columnName . '"';
        $result = $GLOBALS['xoopsDB']->query($sql);
        if (!$result instanceof \mysqli_result) {
            //            exit($GLOBALS['xoopsDB']->error());
            $logger = \XoopsLogger::getInstance();
            $logger->handleError(\E_USER_WARNING, $sql, __FILE__, __LINE__);
            return null;
        }

        $row      = $GLOBALS['xoopsDB']->fetchBoth($result);
        $enumList = \explode(',', \str_replace("'", '', \mb_substr($row['COLUMN_TYPE'], 5, -6)));
        return $enumList;
    }

    /**
     * Clone a record in a dB
     *
     * @TODO need to exit more gracefully on error. Should throw/trigger error and then return false
     *
     * @param string $tableName name of dB table (without prefix)
     * @param string $idField   name of field (column) in dB table
     * @param int    $id        item id to clone
     */
    public static function cloneRecord(string $tableName, string $idField, int $id): ?int
    {
        $newId = null;
        // Scrutinizer issue: The assignment to $newId is dead and can be removed.
        $tempTable = '';
        $table = $GLOBALS['xoopsDB']->prefix($tableName);
        // copy content of the record you wish to clone
        $sql       = "SELECT * FROM $table WHERE $idField='" . $id . "' ";
        $result = $GLOBALS['xoopsDB']->query($sql);

        if ($result instanceof \mysqli_result) {
            $tempTable = $GLOBALS['xoopsDB']->fetchArray($result, \MYSQLI_ASSOC);
        }

        if (!$tempTable) {
            exit($GLOBALS['xoopsDB']->error());
            // Scrutinizer issue: Using exit here is not recommended. In general, usage of exit should be done with care and only when running in a scripting context like a CLI script.
        }
        // set the auto-incremented id's value to blank.
        unset($tempTable[$idField]);
        // insert cloned copy of the original  record
        $sql    = "INSERT INTO $table (" . \implode(', ', \array_keys($tempTable)) . ") VALUES ('" . \implode("', '", $tempTable) . "')";
        $result = $GLOBALS['xoopsDB']->queryF($sql);
        if (!$result) {
            exit($GLOBALS['xoopsDB']->error());
            // Scrutinizer issue: Using exit here is not recommended. In general, usage of exit should be done with care and only when running in a scripting context like a CLI script.
        }
        // Return the new id
        $newId = $GLOBALS['xoopsDB']->getInsertId();
        return $newId;
    }

    /**
     * truncateHtml can truncate a string up to a number of characters while preserving whole words and HTML tags
     * www.gsdesign.ro/blog/cut-html-string-without-breaking-the-tags
     * www.cakephp.org
     *
     * @TODO: Refactor to consider HTML5 & void (self-closing) elements
     * @TODO: Consider using https://github.com/jlgrall/truncateHTML/blob/master/truncateHTML.php
     *
     * @param string   $text         String to truncate.
     * @param int|null $length       Length of returned string, including ellipsis.
     * @param string   $ending       Ending to be appended to the trimmed string.
     * @param bool     $exact        If false, $text will not be cut mid-word
     * @param bool     $considerHtml If true, HTML tags would be handled correctly
     *
     * @return string Trimmed string.
     */
    public static function truncateHtml(
        string $text,
        ?int $length = 100,
        string $ending = '...',
        bool $exact = false,
        bool $considerHtml = true
    ): string {
        $openTags = [];
        if ($considerHtml) {
            // if the plain text is shorter than the maximum length, return the whole text
            if (\mb_strlen(\preg_replace('/<.*?' . '>/', '', $text)) <= $length) {
                return $text;
            }
            // splits all html-tags to scanable lines
            \preg_match_all('/(<.+?' . '>)?([^<>]*)/s', $text, $lines, \PREG_SET_ORDER);
            $totalLength = \mb_strlen($ending);
            //$openTags    = [];
            $truncate = '';
            foreach ($lines as $lineMatchings) {
                // if there is any html-tag in this line, handle it and add it (uncounted) to the output
                if (!empty($lineMatchings[1])) {
                    // if it's an "empty element" with or without xhtml-conform closing slash
                    if (\preg_match('/^<(\s*.+?\/\s*|\s*(img|br|input|hr|area|base|basefont|col|frame|isindex|link|meta|param)(\s.+?)?)>$/is', $lineMatchings[1])) {
                        // do nothing
                        // if tag is a closing tag
                    } elseif (\preg_match('/^<\s*\/(\S+?)\s*>$/s', $lineMatchings[1], $tagMatchings)) {
                        // delete tag from $openTags list
                        $pos = \array_search($tagMatchings[1], $openTags, true);
                        if (false !== $pos) {
                            unset($openTags[$pos]);
                        }
                        // if tag is an opening tag
                    } elseif (\preg_match('/^<\s*([^\s>!]+).*?' . '>$/s', $lineMatchings[1], $tagMatchings)) {
                        // add tag to the beginning of $openTags list
                        \array_unshift($openTags, \mb_strtolower($tagMatchings[1]));
                    }
                    // add html-tag to $truncate'd text
                    $truncate .= $lineMatchings[1];
                }
                // calculate the length of the plain text part of the line; handle entities as one character
                $contentLength = \mb_strlen(\preg_replace('/&[0-9a-z]{2,8};|&#\d{1,7};|[0-9a-f]{1,6};/i', ' ', $lineMatchings[2]));
                if ($totalLength + $contentLength > $length) {
                    // the number of characters which are left
                    $left            = $length - $totalLength;
                    $entitiesLength = 0;
                    // search for html entities
                    if (\preg_match_all('/&[0-9a-z]{2,8};|&#\d{1,7};|[0-9a-f]{1,6};/i', $lineMatchings[2], $entities, \PREG_OFFSET_CAPTURE)) {
                        // calculate the real length of all entities in the legal range
                        foreach ($entities[0] as $entity) {
                            if ($left >= $entity[1] + 1 - $entitiesLength) {
                                $left--;
                                $entitiesLength += \mb_strlen($entity[0]);
                            } else {
                                // no more characters left
                                break;
                            }
                        }
                    }
                    $truncate .= \mb_substr($lineMatchings[2], 0, $left + $entitiesLength);
                    // maximum length is reached, so get off the loop
                    break;
                }
                $truncate     .= $lineMatchings[2];
                $totalLength += $contentLength;

                // if the maximum length is reached, get off the loop
                if ($totalLength >= $length) {
                    break;
                }
            }
        } else {
            if (\mb_strlen($text) <= $length) {
                return $text;
            }
            $truncate = \mb_substr($text, 0, $length - \mb_strlen($ending));
        }
        // if the words shouldn't be cut in the middle...
        if (!$exact) {
            // ...search the last occurrence of a space...
            $spacepos = \mb_strrpos($truncate, ' ');
            if (isset($spacepos)) {
                // ...and cut the text in this position
                $truncate = \mb_substr($truncate, 0, $spacepos);
            }
        }
        // add the defined ending to the text
        $truncate .= $ending;
        if ($considerHtml) {
            // close all unclosed html-tags
            foreach ($openTags as $tag) {
                $truncate .= '</' . $tag . '>';
            }
        }

        return $truncate;
    }

    /**
     * Get correct text editor based on user rights
     *
     * @return \XoopsFormDhtmlTextArea|\XoopsFormEditor
     */
    public static function getEditor(?\Xmf\Module\Helper $helper = null, ?array $options = null): ?\XoopsFormTextArea
    {
        $descEditor = null;

        /** @var Helper $helper */
        if (null === $options) {
            $options           = [];
            $options['name']   = 'Editor';
            $options['value']  = 'Editor';
            $options['rows']   = 10;
            $options['cols']   = '100%';
            $options['width']  = '100%';
            $options['height'] = '400px';
        }

        if (null === $helper) {
            $helper = Helper::getInstance();
        }
        $isAdmin = $helper->isUserAdmin();

        if (\class_exists('XoopsFormEditor')) {
            if ($isAdmin) {
                $descEditor = new \XoopsFormEditor(\ucfirst($options['name']), $helper->getConfig('editorAdmin'), $options, false, 'textarea');
            } else {
                $descEditor = new \XoopsFormEditor(\ucfirst($options['name']), $helper->getConfig('editorUser'), $options, false, 'textarea');
            }
        } else {
            $descEditor = new \XoopsFormDhtmlTextArea(\ucfirst($options['name']), $options['name'], $options['value']);
        }

        //        $form->addElement($descEditor);

        return $descEditor;
    }

    /**
     * Check if column in dB table exists
     *
     * @param string $fieldname name of dB table field
     * @param string $table     name of dB table (including prefix)
     *
     * @return bool true if table exists
     * @deprecated
     */
    public static function fieldExists(string $fieldname, string $table): bool
    {
        $trace = \debug_backtrace(\DEBUG_BACKTRACE_IGNORE_ARGS, 1);
        \trigger_error(__METHOD__ . " is deprecated, use Xmf\Database\Tables instead - instantiated from {$trace[0]['file']} line {$trace[0]['line']},");

        $result = $GLOBALS['xoopsDB']->queryF("SHOW COLUMNS FROM   $table LIKE '$fieldname'");
        return ($GLOBALS['xoopsDB']->getRowsNum($result) > 0);
    }

    /**
     * Function responsible for checking if a directory exists, we can also write in and create an index.html file
     *
     * @param string $folder The full path of the directory to check
     */
    public static function prepareFolder(string $folder): void
    {
        try {
            if (!@\mkdir($folder) && !\is_dir($folder)) {
                throw new \RuntimeException(\sprintf('Unable to create the %s directory', $folder));
            }
            file_put_contents($folder . '/index.html', '<script>history.go(-1);</script>');
        } catch (\Exception $e) {
            echo 'Caught exception: ', $e->getMessage(), "\n", '<br>';
        }
    }

    /**
     * Check if dB table exists
     *
     * @param string $tablename dB tablename with prefix
     * @return bool true if table exists
     */
    public static function tableExists(string $tablename): bool
    {
        $trace = \debug_backtrace(\DEBUG_BACKTRACE_IGNORE_ARGS, 1);
        \trigger_error(__FUNCTION__ . " is deprecated, called from {$trace[0]['file']} line {$trace[0]['line']}");
        $GLOBALS['xoopsLogger']->addDeprecated(
            \basename(\dirname(__DIR__, 2)) . ' Module: ' . __FUNCTION__ . ' function is deprecated, please use Xmf\Database\Tables method(s) instead.' . " Called from {$trace[0]['file']} line {$trace[0]['line']}"
        );
        $result = $GLOBALS['xoopsDB']->queryF("SHOW TABLES LIKE '$tablename'");

        return $GLOBALS['xoopsDB']->getRowsNum($result) > 0;
    }

    /**
     * Add a field to a mysql table
     *
     * @return bool|\mysqli_result
     */
    public static function addField(string $field, string $table)
    {
        global $xoopsDB;
        return $xoopsDB->queryF('ALTER TABLE ' . $table . " ADD $field;");
    }
}