Issues in SugarJobQueue.php (scrutinizer-code-quality) - Issues in scrutinizer-code-quality - adamjakab/SuiteCRM - Measure and Improve Code Quality continuously with Scrutinizer

Issues (4069)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

include/SugarQueue/SugarJobQueue.php (2 issues)

Labels

Bug 2

Severity

Minor 2

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
if(!defined('sugarEntry') || !sugarEntry) die('Not A Valid Entry Point');
/*********************************************************************************
 * SugarCRM Community Edition is a customer relationship management program developed by
 * SugarCRM, Inc. Copyright (C) 2004-2013 SugarCRM Inc.

 * SuiteCRM is an extension to SugarCRM Community Edition developed by Salesagility Ltd.
 * Copyright (C) 2011 - 2014 Salesagility Ltd.
 *
 * This program is free software; you can redistribute it and/or modify it under
 * the terms of the GNU Affero General Public License version 3 as published by the
 * Free Software Foundation with the addition of the following permission added
 * to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK
 * IN WHICH THE COPYRIGHT IS OWNED BY SUGARCRM, SUGARCRM DISCLAIMS THE WARRANTY
 * OF NON INFRINGEMENT OF THIRD PARTY RIGHTS.
 *
 * This program is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
 * FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public License for more
 * details.
 *
 * You should have received a copy of the GNU Affero General Public License along with
 * this program; if not, see http://www.gnu.org/licenses or write to the Free
 * Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301 USA.
 *
 * You can contact SugarCRM, Inc. headquarters at 10050 North Wolfe Road,
 * SW2-130, Cupertino, CA 95014, USA. or at email address [email protected].
 *
 * The interactive user interfaces in modified source and object code versions
 * of this program must display Appropriate Legal Notices, as required under
 * Section 5 of the GNU Affero General Public License version 3.
 *
 * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
 * these Appropriate Legal Notices must retain the display of the "Powered by
 * SugarCRM" logo and "Supercharged by SuiteCRM" logo. If the display of the logos is not
 * reasonably feasible for  technical reasons, the Appropriate Legal Notices must
 * display the words  "Powered by SugarCRM" and "Supercharged by SuiteCRM".
 ********************************************************************************/


require_once 'modules/SchedulersJobs/SchedulersJob.php';

/**
 * Job queue driver
 * @api
 */
class SugarJobQueue
{
    /**
     * Max number of failures for job
     * @var int
     */
    public $jobTries = 5;
    /**
     * Job running timeout - longer than that, job is failed by force
     * @var int
     */
    public $timeout = 86400; // 24 hours

    /**
     * Table in the DB that stores jobs
     * @var string
     */
    protected $job_queue_table;

    /**
     * DB connection
     * @var DBManager
     */
    public $db;

    public function __construct()
    {
        $this->db = DBManagerFactory::getInstance();
        $job = new SchedulersJob();
        $this->job_queue_table = $job->table_name;
        if(!empty($GLOBALS['sugar_config']['jobs']['max_retries'])) {
            $this->jobTries = $GLOBALS['sugar_config']['jobs']['max_retries'];
        }
        if(!empty($GLOBALS['sugar_config']['jobs']['timeout'])) {
            $this->timeout = $GLOBALS['sugar_config']['jobs']['timeout'];
        }
    }

    /**
     * Submit a new job to the queue
     * @param SugarJob $job
     * @param User $user User to run the job under
/**
 * @param array $germany
 * @param array $island
 * @param array $italy
 */
function finale($germany, $island) {
    return "2:1";
}
     */
    public function submitJob($job)
    {
        $job->id = create_guid();
        $job->new_with_id = true;
        $job->status = SchedulersJob::JOB_STATUS_QUEUED;
        $job->resolution = SchedulersJob::JOB_PENDING;
        if(empty($job->execute_time)) {
            $job->execute_time = $GLOBALS['timedate']->nowDb();
        }
        $job->save();

        return $job->id;
    }

    /**
     * Get Job object by ID
     * @param string $jobId
     * @return SugarJob
     */
    protected function getJob($jobId)
    {
        $job = new SchedulersJob();
        $job->retrieve($jobId);
        if(empty($job->id)) {
            $GLOBALS['log']->info("Job $jobId not found!");
            return null;
        }
        return $job;
    }

    /**
     * Resolve job as success or failure
     * @param string $jobId
     * @param string $resolution One of JOB_ constants that define job status
     * @param string $message
     * @return bool
     */
    public function resolveJob($jobId, $resolution, $message = null)
    {
        $job = $this->getJob($jobId);
        if(empty($job)) return false;
        return $job->resolveJob($resolution, $message);
    }

    /**
     * Rerun this job again
     * @param string $jobId
     * @param string $message
     * @param string $delay how long to delay (default is job's delay)
     * @return bool
     */
    public function postponeJob($jobId, $message = null, $delay = null)
    {
        $job = $this->getJob($jobId);
        if(empty($job)) return false;
        return $job->postponeJob($message, $delay);
    }

    /**
     * Delete a job
     * @param string $jobId
     */
    public function deleteJob($jobId)
    {
        $job = new SchedulersJob();
        if(empty($job)) return false;
        return $job->mark_deleted($jobId);
    }

    /**
     * Remove old jobs that still are marked as running
     * @return bool true if no failed job discovered, false if some job were failed
     */
    public function cleanup()
    {
        // fail jobs that are too old
        $ret = true;
        // [email protected] bugfix #56144: Scheduler Bug
        $date = $this->db->convert($this->db->quoted($GLOBALS['timedate']->getNow()->modify("-{$this->timeout} seconds")->asDb()), 'datetime');
        $res = $this->db->query("SELECT id FROM {$this->job_queue_table} WHERE status='".SchedulersJob::JOB_STATUS_RUNNING."' AND date_modified <= $date");
        while($row = $this->db->fetchByAssoc($res)) {
            $this->resolveJob($row["id"], SchedulersJob::JOB_FAILURE, translate('ERR_TIMEOUT', 'SchedulersJobs'));
            $ret = false;
        }
        // TODO: soft-delete old done jobs?
        return $ret;
    }

    /**
     * Nuke all jobs from the queue
     */
    public function cleanQueue()
    {
        $this->db->query("DELETE FROM {$this->job_queue_table}");
    }

    /**
     * Fetch the next job in the queue and mark it running
     * @param string $clientID ID of the client requesting the job
     * @return SugarJob
     */
    public function nextJob($clientID)
    {
        $now = $this->db->now();
        $queued = SchedulersJob::JOB_STATUS_QUEUED;
        $try = $this->jobTries;
        while($try--) {
            // TODO: tranaction start?
            $id = $this->db->getOne("SELECT id FROM {$this->job_queue_table} WHERE execute_time <= $now AND status = '$queued' ORDER BY date_entered ASC");
            if(empty($id)) {
                return null;
            }
            $job = new SchedulersJob();
            $job->retrieve($id);
            if(empty($job->id)) {
                return null;
            }
            $job->status = SchedulersJob::JOB_STATUS_RUNNING;
            $job->client = $clientID;
            $client = $this->db->quote($clientID);
            // using direct query here to be able to fetch affected count
            // if count is 0 this means somebody changed the job status and we have to try again
            $res = $this->db->query("UPDATE {$this->job_queue_table} SET status='{$job->status}', date_modified=$now, client='$client' WHERE id='{$job->id}' AND status='$queued'");
            if($this->db->getAffectedRowCount($res) == 0) {
/**
 * @return array|string
 */
function returnsDifferentValues($x) {
    if ($x) {
        return 'foo';
    }

    return array();
}

$x = returnsDifferentValues($y);
if (is_array($x)) {
    // $x is an array.
}
                // somebody stole our job, try again
                continue;
            } else {
                // to update dates & possible hooks
                $job->save();
                break;
            }
            // TODO: commit/check?
        }
        return $job;
    }

    /**
     * Run schedulers to instantiate scheduled jobs
     */
    public function runSchedulers()
    {
        $sched = new Scheduler();
        $sched->checkPendingJobs($this);
    }
}


1		<?php
2		if(!defined('sugarEntry') \|\| !sugarEntry) die('Not A Valid Entry Point');
3		/*********************************************************************************
4		* SugarCRM Community Edition is a customer relationship management program developed by
5		* SugarCRM, Inc. Copyright (C) 2004-2013 SugarCRM Inc.
6
7		* SuiteCRM is an extension to SugarCRM Community Edition developed by Salesagility Ltd.
8		* Copyright (C) 2011 - 2014 Salesagility Ltd.
9		*
10		* This program is free software; you can redistribute it and/or modify it under
11		* the terms of the GNU Affero General Public License version 3 as published by the
12		* Free Software Foundation with the addition of the following permission added
13		* to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK
14		* IN WHICH THE COPYRIGHT IS OWNED BY SUGARCRM, SUGARCRM DISCLAIMS THE WARRANTY
15		* OF NON INFRINGEMENT OF THIRD PARTY RIGHTS.
16		*
17		* This program is distributed in the hope that it will be useful, but WITHOUT
18		* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
19		* FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
20		* details.
21		*
22		* You should have received a copy of the GNU Affero General Public License along with
23		* this program; if not, see http://www.gnu.org/licenses or write to the Free
24		* Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
25		* 02110-1301 USA.
26		*
27		* You can contact SugarCRM, Inc. headquarters at 10050 North Wolfe Road,
28		* SW2-130, Cupertino, CA 95014, USA. or at email address [email protected].
29		*
30		* The interactive user interfaces in modified source and object code versions
31		* of this program must display Appropriate Legal Notices, as required under
32		* Section 5 of the GNU Affero General Public License version 3.
33		*
34		* In accordance with Section 7(b) of the GNU Affero General Public License version 3,
35		* these Appropriate Legal Notices must retain the display of the "Powered by
36		* SugarCRM" logo and "Supercharged by SuiteCRM" logo. If the display of the logos is not
37		* reasonably feasible for technical reasons, the Appropriate Legal Notices must
38		* display the words "Powered by SugarCRM" and "Supercharged by SuiteCRM".
39		********************************************************************************/
40
41
42		require_once 'modules/SchedulersJobs/SchedulersJob.php';
43
44		/**
45		* Job queue driver
46		* @api
47		*/
48		class SugarJobQueue
49		{
50		/**
51		* Max number of failures for job
52		* @var int
53		*/
54		public $jobTries = 5;
55		/**
56		* Job running timeout - longer than that, job is failed by force
57		* @var int
58		*/
59		public $timeout = 86400; // 24 hours
60
61		/**
62		* Table in the DB that stores jobs
63		* @var string
64		*/
65		protected $job_queue_table;
66
67		/**
68		* DB connection
69		* @var DBManager
70		*/
71		public $db;
72
73	1	public function __construct()
74		{
75	1	$this->db = DBManagerFactory::getInstance();
76	1	$job = new SchedulersJob();
77	1	$this->job_queue_table = $job->table_name;
78	1	if(!empty($GLOBALS['sugar_config']['jobs']['max_retries'])) {
79	1	$this->jobTries = $GLOBALS['sugar_config']['jobs']['max_retries'];
80		}
81	1	if(!empty($GLOBALS['sugar_config']['jobs']['timeout'])) {
82	1	$this->timeout = $GLOBALS['sugar_config']['jobs']['timeout'];
83		}
84	1	}
85
86		/**
87		* Submit a new job to the queue
88		* @param SugarJob $job
89		* @param User $user User to run the job under
		0 ignored issues – show Bug introduced 2016-03-07 17:58 UTC by Report Bug Copy Issue Report Show Similar Issues like this There is no parameter named `$user`. Was it maybe removed? This check looks for PHPDoc comments describing methods or function parameters that do not exist on the corresponding method or function. Consider the following example. The parameter `$italy` is not defined by the method `finale(...)`. /** * @param array $germany * @param array $island * @param array $italy */ function finale($germany, $island) { return "2:1"; } The most likely cause is that the parameter was removed, but the annotation was not. Loading history...
90		*/
91	1	public function submitJob($job)
92		{
93	1	$job->id = create_guid();
94	1	$job->new_with_id = true;
95	1	$job->status = SchedulersJob::JOB_STATUS_QUEUED;
96	1	$job->resolution = SchedulersJob::JOB_PENDING;
97	1	if(empty($job->execute_time)) {
98		$job->execute_time = $GLOBALS['timedate']->nowDb();
99		}
100	1	$job->save();
101
102	1	return $job->id;
103		}
104
105		/**
106		* Get Job object by ID
107		* @param string $jobId
108		* @return SugarJob
109		*/
110		protected function getJob($jobId)
111		{
112		$job = new SchedulersJob();
113		$job->retrieve($jobId);
114		if(empty($job->id)) {
115		$GLOBALS['log']->info("Job $jobId not found!");
116		return null;
117		}
118		return $job;
119		}
120
121		/**
122		* Resolve job as success or failure
123		* @param string $jobId
124		* @param string $resolution One of JOB_ constants that define job status
125		* @param string $message
126		* @return bool
127		*/
128		public function resolveJob($jobId, $resolution, $message = null)
129		{
130		$job = $this->getJob($jobId);
131		if(empty($job)) return false;
132		return $job->resolveJob($resolution, $message);
133		}
134
135		/**
136		* Rerun this job again
137		* @param string $jobId
138		* @param string $message
139		* @param string $delay how long to delay (default is job's delay)
140		* @return bool
141		*/
142		public function postponeJob($jobId, $message = null, $delay = null)
143		{
144		$job = $this->getJob($jobId);
145		if(empty($job)) return false;
146		return $job->postponeJob($message, $delay);
147		}
148
149		/**
150		* Delete a job
151		* @param string $jobId
152		*/
153		public function deleteJob($jobId)
154		{
155		$job = new SchedulersJob();
156		if(empty($job)) return false;
157		return $job->mark_deleted($jobId);
158		}
159
160		/**
161		* Remove old jobs that still are marked as running
162		* @return bool true if no failed job discovered, false if some job were failed
163		*/
164		public function cleanup()
165		{
166		// fail jobs that are too old
167		$ret = true;
168		// [email protected] bugfix #56144: Scheduler Bug
169		$date = $this->db->convert($this->db->quoted($GLOBALS['timedate']->getNow()->modify("-{$this->timeout} seconds")->asDb()), 'datetime');
170		$res = $this->db->query("SELECT id FROM {$this->job_queue_table} WHERE status='".SchedulersJob::JOB_STATUS_RUNNING."' AND date_modified <= $date");
171		while($row = $this->db->fetchByAssoc($res)) {
172		$this->resolveJob($row["id"], SchedulersJob::JOB_FAILURE, translate('ERR_TIMEOUT', 'SchedulersJobs'));
173		$ret = false;
174		}
175		// TODO: soft-delete old done jobs?
176		return $ret;
177		}
178
179		/**
180		* Nuke all jobs from the queue
181		*/
182		public function cleanQueue()
183		{
184		$this->db->query("DELETE FROM {$this->job_queue_table}");
185		}
186
187		/**
188		* Fetch the next job in the queue and mark it running
189		* @param string $clientID ID of the client requesting the job
190		* @return SugarJob
191		*/
192		public function nextJob($clientID)
193		{
194		$now = $this->db->now();
195		$queued = SchedulersJob::JOB_STATUS_QUEUED;
196		$try = $this->jobTries;
197		while($try--) {
198		// TODO: tranaction start?
199		$id = $this->db->getOne("SELECT id FROM {$this->job_queue_table} WHERE execute_time <= $now AND status = '$queued' ORDER BY date_entered ASC");
200		if(empty($id)) {
201		return null;
202		}
203		$job = new SchedulersJob();
204		$job->retrieve($id);
205		if(empty($job->id)) {
206		return null;
207		}
208		$job->status = SchedulersJob::JOB_STATUS_RUNNING;
209		$job->client = $clientID;
210		$client = $this->db->quote($clientID);
211		// using direct query here to be able to fetch affected count
212		// if count is 0 this means somebody changed the job status and we have to try again
213		$res = $this->db->query("UPDATE {$this->job_queue_table} SET status='{$job->status}', date_modified=$now, client='$client' WHERE id='{$job->id}' AND status='$queued'");
214		if($this->db->getAffectedRowCount($res) == 0) {
		0 ignored issues – show Bug introduced 2016-03-07 17:58 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `$res` defined by `$this->db->query("UPDATE...ND status='{$queued}'")` on line `213` can also be of type `boolean`; however, `DBManager::getAffectedRowCount()` does only seem to accept `resource`, maybe add an additional type check? If a method or function can return multiple different values and unless you are sure that you only can receive a single value in this context, we recommend to add an additional type check: /** * @return array\|string */ function returnsDifferentValues($x) { if ($x) { return 'foo'; } return array(); } $x = returnsDifferentValues($y); if (is_array($x)) { // $x is an array. } If this a common case that PHP Analyzer should handle natively, please let us know by opening an issue. Loading history...
215		// somebody stole our job, try again
216		continue;
217		} else {
218		// to update dates & possible hooks
219		$job->save();
220		break;
221		}
222		// TODO: commit/check?
223		}
224		return $job;
225		}
226
227		/**
228		* Run schedulers to instantiate scheduled jobs
229		*/
230		public function runSchedulers()
231		{
232		$sched = new Scheduler();
233		$sched->checkPendingJobs($this);
234		}
235		}
236

adamjakab / SuiteCRM

Issues (4069)

Security Analysis not enabled

include/SugarQueue/SugarJobQueue.php (2 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like