Issues in PhpSecInfo.php (master) - Issues in master - XoopsModules25x/xoopsinfo - Measure and Improve Code Quality continuously with Scrutinizer

Issues (1626)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

phpsecinfo/PhpSecInfo/PhpSecInfo.php (53 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * Main class file
 *
 * @package PhpSecInfo
 * @author Ed Finkler <[email protected]>
 */


/**
 * The default language setting if none is set/retrievable
 *
 */
define ('PHPSECINFO_LANG_DEFAULT', 'en');

/**
 * a general version string to differentiate releases
 *
 */
define ('PHPSECINFO_VERSION', '0.2.2');

/**
 * a YYYYMMDD date string to indicate "build" date
 *
 */
define ('PHPSECINFO_BUILD', '20080723');

/**
 * Homepage for phpsecinfo project
 *
 */
define ('PHPSECINFO_URL', 'http://phpsecinfo.com');

/**
 * The base folder where views are stored.  Include trailing slash
 *
 */
define('PHPSECINFO_VIEW_DIR_DEFAULT', 'View/');


/**
 * The default format, used to load the proper view.
 */
define('PHPSECINFO_FORMAT_DEFAULT', 'Html');


/**
 * The base directory, used to resolve requires and includes
 */
define('PHPSECINFO_BASE_DIR', dirname(__FILE__));

/**
 * This is the main class for the phpsecinfo system.  It's responsible for
 * dynamically loading tests, running those tests, and generating the results
 * output
 *
 * Example:
 * <code>
 * <?php require_once(PHPSECINFO_BASE_DIR.'/PhpSecInfo.php'); ?>
 * <?php phpsecinfo(); ?>
 * </code>
 *
 * If you want to capture the output, or just grab the test results and display them
 * in your own way, you'll need to do slightly more work.
 *
 * Example:
 * <code>
 * require_once(PHPSECINFO_BASE_DIR.'/PhpSecInfo.php');
 * // instantiate the class
 * $psi = new PhpSecInfo();
 *
 * // load and run all tests
 * $psi->loadAndRun();
 *
 * // grab the results as a multidimensional array
 * $results = $psi->getResultsAsArray();
 * echo "<pre>"; echo print_r($results, true); echo "</pre>";
 *
 * // grab the standard results output as a string
 * $html = $psi->getOutput();
 *
 * // send it to the browser
 * echo $html;
 * </code>
 *
 *
 * The procedural function "phpsecinfo" is defined below this class.
 * @see phpsecinfo()
 *
 * @author Ed Finkler <[email protected]>
 *
 * see CHANGELOG for changes
 *
 */
class PhpSecInfo
namespace YourVendor;

class YourClass { }
{

	/**
	 * An array of tests to run
	 *
	 * @var array PhpSecInfo_Test
	 */
	var $tests_to_run = array();
class A {
    var $property;
}


	/**
	 * An array of results.  Each result is an associative array:
	 * <code>
	 * $result['result'] = PHPSECINFO_TEST_RESULT_NOTICE;
	 * $result['message'] = "a string describing the test results and what they mean";
	 * </code>
	 *
	 * @var array
	 */
	var $test_results = array();
class A {
    var $property;
}


	/**
	 * An array of tests that were not run
	 *
	 * <code>
	 * $result['result'] = PHPSECINFO_TEST_RESULT_NOTRUN;
	 * $result['message'] = "a string explaining why the test was not run";
	 * </code>
	 *
	 * @var array
	 */
	var $tests_not_run = array();
class A {
    var $property;
}


	/**
	 * The language code used.  Defaults to PHPSECINFO_LANG_DEFAULT, which
	 * is 'en'
	 *
	 * @var string
	 * @see PHPSECINFO_LANG_DEFAULT
	 */
	var $language = PHPSECINFO_LANG_DEFAULT;
class A {
    var $property;
}


	/**
	 * An array of integers recording the number of test results in each category.  Categories can include
	 * some or all of the PHPSECINFO_TEST_* constants.  Constants are the keys, # of results are the values.
	 *
	 * @var array
	 */
	var $result_counts = array();
class A {
    var $property;
}


	/**
	 * The number of tests that have been run
	 *
	 * @var integer
	 */
	var $num_tests_run = 0;
class A {
    var $property;
}


	/**
	 * The base directory for phpsecinfo. Set within the constructor. Paths are resolved from this.
	 * @var string
	 */
	var $_base_dir;
class A {
    var $property;
}


	/**
	 * The directory PHPSecInfo will look for views.  It defaults to the value
	 * in PHPSECINFO_VIEW_DIR_DEFAULT, but can be changed with the setViewDirectory()
	 * method.
	 *
	 * @var string
	 */
	var $_view_directory;
class A {
    var $property;
}


	/**
	 * The output format, used to load the proper view
	 *
	 * @var string
	 **/
	var $_format;
class A {
    var $property;
}

	/**
	 * Constructor
	 *
	 * @return PhpSecInfo

	 */
	function __construct($opts = null) {

		
		$this->_base_dir = dirname(__FILE__);
		
		if ($opts) {
			if (isset($opts['view_directory'])) {
				$this->setViewDirectory($opts['view_directory']);
			} else {
				$this->setViewDirectory(dirname(__FILE__).DIRECTORY_SEPARATOR . PHPSECINFO_VIEW_DIR_DEFAULT);
			}
			
			if (isset($opts['format'])) {
				$this->setFormat($opts['format']);
			} else {
				if (!strcasecmp(PHP_SAPI, 'cli')) {
					$this->setFormat('Cli');
				} else {
					$this->setFormat(PHPSECINFO_FORMAT_DEFAULT);
				}
			}
			
		} else { /* Use defaults */
			$this->setViewDirectory(dirname(__FILE__).DIRECTORY_SEPARATOR . PHPSECINFO_VIEW_DIR_DEFAULT);
			if (!strcasecmp(PHP_SAPI, 'cli')) {
				$this->setFormat('Cli');
			} else {
				$this->setFormat(PHPSECINFO_FORMAT_DEFAULT);
			}
		}
	}


	/**
	 * recurses through the Test subdir and includes classes in each test group subdir,
	 * then builds an array of classnames for the tests that will be run
	 *
	 */
	function loadTests() {


		$test_root = dir(dirname(__FILE__).DIRECTORY_SEPARATOR.'Test');

		//echo "<pre>"; echo print_r($test_root, true); echo "</pre>";


		while (false !== ($entry = $test_root->read())) {
			if ( is_dir($test_root->path.DIRECTORY_SEPARATOR.$entry) && !preg_match('~^(\.|_vti)(.*)$~', $entry) ) {

				$test_dirs[] = $entry;
foreach ($collection as $item) {
    $myArray['foo'] = $item->getFoo();

    if ($item->hasBar()) {
        $myArray['bar'] = $item->getBar();
    }

    // do something with $myArray
}
			}
		}
		//echo "<pre>"; echo print_r($test_dirs, true); echo "</pre>";


		// include_once all files in each test dir
		foreach ($test_dirs as $test_dir) {
function myFunction($a) {
    switch ($a) {
        case 'foo':
            $x = 1;
            break;

        case 'bar':
            $x = 2;
            break;
    }

    // $x is potentially undefined here.
    echo $x;
}
			$this_dir = dir($test_root->path.DIRECTORY_SEPARATOR.$test_dir);

			while (false !== ($entry = $this_dir->read())) {
				if (!is_dir($this_dir->path.DIRECTORY_SEPARATOR.$entry)) {
					include_once $this_dir->path.DIRECTORY_SEPARATOR.$entry;
					$classNames[] = "PhpSecInfo_Test_".$test_dir."_".basename($entry, '.php');
foreach ($collection as $item) {
    $myArray['foo'] = $item->getFoo();

    if ($item->hasBar()) {
        $myArray['bar'] = $item->getBar();
    }

    // do something with $myArray
}
				}
			}

		}

		// modded this to not throw a PHP5 STRICT notice, although I don't like passing by value here
		$this->tests_to_run = $classNames;
function myFunction($a) {
    switch ($a) {
        case 'foo':
            $x = 1;
            break;

        case 'bar':
            $x = 2;
            break;
    }

    // $x is potentially undefined here.
    echo $x;
}
	}


	/**
	 * This runs the tests in the tests_to_run array and
	 * places returned data in the following arrays/scalars:
	 * - $this->test_results
	 * - $this->result_counts
	 * - $this->num_tests_run
	 * - $this->tests_not_run;
	 *
	 */
	function runTests() {

		// initialize a bunch of arrays
		$this->test_results  = array();
		$this->result_counts = array();
		$this->result_counts[PHPSECINFO_TEST_RESULT_NOTRUN] = 0;
		$this->num_tests_run = 0;

		foreach ($this->tests_to_run as $testClass) {

			/**
			 * @var $test PhpSecInfo_Test
			 */
			$test = new $testClass();

			if ($test->isTestable()) {
				$test->test();
				$rs = array(	'result' => $test->getResult(),
							'message' => $test->getMessage(),
							'value_current' => $test->getCurrentTestValue(),
							'value_recommended' => $test->getRecommendedTestValue(),
							'moreinfo_url' => $test->getMoreInfoURL(),
						);
				$this->test_results[$test->getTestGroup()][$test->getTestName()] = $rs;

				// initialize if not yet set
				if (!isset ($this->result_counts[$rs['result']]) ) {
					$this->result_counts[$rs['result']] = 0;
				}

				$this->result_counts[$rs['result']]++;
				$this->num_tests_run++;
			} else {
				$rs = array(	'result' => $test->getResult(),
							'message' => $test->getMessage(),
							'value_current' => NULL,
							'value_recommended' => NULL,
							'moreinfo_url' => $test->getMoreInfoURL(),
						);
				$this->result_counts[PHPSECINFO_TEST_RESULT_NOTRUN]++;
				$this->tests_not_run[$test->getTestGroup()."::".$test->getTestName()] = $rs;
			}
		}
	}


	/**
	 * This is the main output method.  The look and feel mimics phpinfo()
	 *
	 */
	function renderOutput($page_title="Security Information About PHP") {

		/**
		 * We need to use PhpSecInfo_Test::getBooleanIniValue() below
		 * @see PhpSecInfo_Test::getBooleanIniValue()
		 */
		if (!class_exists('PhpSecInfo_Test')) {
			include( dirname(__FILE__).DIRECTORY_SEPARATOR.'Test'.DIRECTORY_SEPARATOR.'Test.php');
		}
		$this->loadView($this->_format);
	}


	/**
	 * This is a helper method that makes it easy to output tables of test results
	 * for a given test group
	 *
	 * @param string $group_name
	 * @param array $group_results
	 */
	function _outputRenderTable($group_name, $group_results) {


		// exit out if $group_results was empty or not an array.  This sorta seems a little hacky...
		if (!is_array($group_results) || sizeof($group_results) < 1) {
			return false;
		}

		ksort($group_results);

		$this->loadView($this->_format.'/Result', array('group_name'=>$group_name, 'group_results'=>$group_results));

		return true;
	}



	/**
	 * This outputs a table containing a summary of the test results (counts and % in each result type)
	 *
	 * @see PHPSecInfo::_outputRenderTable()
	 * @see PHPSecInfo::_outputGetResultTypeFromCode()
	 */
	function _outputRenderStatsTable() {


		foreach($this->result_counts as $code=>$val) {
			if ($code != PHPSECINFO_TEST_RESULT_NOTRUN) {
				$percentage = round($val/$this->num_tests_run * 100,2);
				$result_type = $this->_outputGetResultTypeFromCode($code);
				$stats[$result_type] = array( 'count' => $val,
foreach ($collection as $item) {
    $myArray['foo'] = $item->getFoo();

    if ($item->hasBar()) {
        $myArray['bar'] = $item->getBar();
    }

    // do something with $myArray
}
											'result' => $code,
											'message' => "$val out of {$this->num_tests_run} ($percentage%)");
			}
		}

		$this->_outputRenderTable('Test Results Summary', $stats);
function myFunction($a) {
    switch ($a) {
        case 'foo':
            $x = 1;
            break;

        case 'bar':
            $x = 2;
            break;
    }

    // $x is potentially undefined here.
    echo $x;
}

	}



	/**
	 * This outputs a table containing a summary or test that were not executed, and the reasons why they were skipped
	 *
	 * @see PHPSecInfo::_outputRenderTable()
	 */
	function _outputRenderNotRunTable() {


		$this->_outputRenderTable('Tests Not Run', $this->tests_not_run);

	}




	/**
	 * This is a helper function that returns a CSS class corresponding to
	 * the result code the test returned.  This allows us to color-code
	 * results
	 *
	 * @param integer $code
	 * @return string

	 */
	function _outputGetCssClassFromResult($code) {


		switch ($code) {
			case PHPSECINFO_TEST_RESULT_OK:
				return 'value-ok';
				break;
switch ($x) {
    case 1:
        return 'foo';
        break; // This break is not necessary and can be left off.
}

			case PHPSECINFO_TEST_RESULT_NOTICE:
				return 'value-notice';
				break;
switch ($x) {
    case 1:
        return 'foo';
        break; // This break is not necessary and can be left off.
}

			case PHPSECINFO_TEST_RESULT_WARN:
				return 'value-warn';
				break;
switch ($x) {
    case 1:
        return 'foo';
        break; // This break is not necessary and can be left off.
}

			case PHPSECINFO_TEST_RESULT_NOTRUN:
				return 'value-notrun';
				break;
switch ($x) {
    case 1:
        return 'foo';
        break; // This break is not necessary and can be left off.
}

			case PHPSECINFO_TEST_RESULT_ERROR:
				return 'value-error';
				break;
switch ($x) {
    case 1:
        return 'foo';
        break; // This break is not necessary and can be left off.
}

			default:
				return 'value-notrun';
				break;
switch ($x) {
    case 1:
        return 'foo';
        break; // This break is not necessary and can be left off.
}
		}

	}



	/**
	 * This is a helper function that returns a label string corresponding to
	 * the result code the test returned.  This is mainly used for the Test
	 * Results Summary table.
	 *
	 * @see PHPSecInfo::_outputRenderStatsTable()
	 * @param integer $code
	 * @return string

	 */
	function _outputGetResultTypeFromCode($code) {


		switch ($code) {
			case PHPSECINFO_TEST_RESULT_OK:
				return 'Pass';
				break;
switch ($x) {
    case 1:
        return 'foo';
        break; // This break is not necessary and can be left off.
}

			case PHPSECINFO_TEST_RESULT_NOTICE:
				return 'Notice';
				break;
switch ($x) {
    case 1:
        return 'foo';
        break; // This break is not necessary and can be left off.
}

			case PHPSECINFO_TEST_RESULT_WARN:
				return 'Warning';
				break;
switch ($x) {
    case 1:
        return 'foo';
        break; // This break is not necessary and can be left off.
}

			case PHPSECINFO_TEST_RESULT_NOTRUN:
				return 'Not Run';
				break;
switch ($x) {
    case 1:
        return 'foo';
        break; // This break is not necessary and can be left off.
}

			case PHPSECINFO_TEST_RESULT_ERROR:
				return 'Error';
				break;
switch ($x) {
    case 1:
        return 'foo';
        break; // This break is not necessary and can be left off.
}

			default:
				return 'Invalid Result Code';
				break;
switch ($x) {
    case 1:
        return 'foo';
        break; // This break is not necessary and can be left off.
}
		}

	}


	/**
	 * Loads and runs all the tests
	 *
	 * As loading, then running, is a pretty common process, this saves a extra method call
	 *
	 * @since 0.1.1
	 *
	 */
	function loadAndRun() {

		$this->loadTests();
		$this->runTests();
	}


	/**
	 * returns an associative array of test data.  Four keys are set:
	 * - test_results  (array)
	 * - tests_not_run (array)
	 * - result_counts (array)
	 * - num_tests_run (integer)
	 *
	 * note that this must be called after tests are loaded and run
	 *
	 * @since 0.1.1
	 * @return array
	 */
	function getResultsAsArray() {

		$results = array();

		$results['test_results'] = $this->test_results;
		$results['tests_not_run'] = $this->tests_not_run;
		$results['result_counts'] = $this->result_counts;
		$results['num_tests_run'] = $this->num_tests_run;

		return $results;
	}



	/**
	 * returns the standard output as a string instead of echoing it to the browser
	 *
	 * note that this must be called after tests are loaded and run
	 *
	 * @since 0.1.1
	 *
	 * @return string
	 */
	function getOutput() {

		ob_start();
		$this->renderOutput();
		$output = ob_get_clean();
		return $output;
	}


	/**
	 * A very, very simple "view" system
	 *
	 */
	function loadView($view_name, $data=null) {

		if ($data != null) {
			extract($data);
		}

		$view_file = $this->getViewDirectory().$view_name.".php";

		if ( file_exists($view_file) && is_readable($view_file) ) {
			ob_start();
			include $view_file;
			echo ob_get_clean();
		} else {
			user_error("The view '{$view_file}' either does not exist or is not readable", E_USER_WARNING);
		}


	}


	/**
	 * Returns the current view directory
	 *
	 * @return string
	 */
	function getViewDirectory() {

		return $this->_view_directory;
	}


	/**
	 * Sets the directory that PHPSecInfo will look in for views
	 *
	 * @param string $newdir
	 */
	function setViewDirectory($newdir) {

		$this->_view_directory = $newdir;
	}




	function getFormat() {

		return $this->_format;
	}


	function setFormat($format) {

		$this->_format = $format;
	}

}




/**
 * A globally-available function that runs the tests and creates the result page
 *
 */
function phpsecinfo() {
	// modded this to not throw a PHP5 STRICT notice, although I don't like passing by value here
	$psi = new PhpSecInfo();
	$psi->loadAndRun();
	$psi->renderOutput();
}



Issues (1626)

Security Analysis not enabled

phpsecinfo/PhpSecInfo/PhpSecInfo.php (53 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Available Fixes

Available Fixes

Available Fixes

1			<?php
2			/**
3			* Main class file
4			*
5			* @package PhpSecInfo
6			* @author Ed Finkler <[email protected]>
7			*/
8
9
10			/**
11			* The default language setting if none is set/retrievable
12			*
13			*/
14			define ('PHPSECINFO_LANG_DEFAULT', 'en');
15
16			/**
17			* a general version string to differentiate releases
18			*
19			*/
20			define ('PHPSECINFO_VERSION', '0.2.2');
21
22			/**
23			* a YYYYMMDD date string to indicate "build" date
24			*
25			*/
26			define ('PHPSECINFO_BUILD', '20080723');
27
28			/**
29			* Homepage for phpsecinfo project
30			*
31			*/
32			define ('PHPSECINFO_URL', 'http://phpsecinfo.com');
33
34			/**
35			* The base folder where views are stored. Include trailing slash
36			*
37			*/
38			define('PHPSECINFO_VIEW_DIR_DEFAULT', 'View/');
39
40

XoopsModules25x / xoopsinfo

Issues (1626)

Security Analysis not enabled

phpsecinfo/PhpSecInfo/PhpSecInfo.php (53 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Available Fixes

Available Fixes

Available Fixes

Duplication Side-by-Side

Filter issues like