Issues (4069)

Security Analysis    not enabled


  Cross-Site Scripting
Cross-Site Scripting enables an attacker to inject script into the response to a web request that is then rendered for other users. It can for example be used to bypass access controls, or even to take over other users' accounts.
  File Exposure
File Exposure allows an attacker to read local files that should not be accessible through the application. These files can for example include database credentials, or other configuration files.
  File Manipulation
File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.
  Object Injection
Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.
  Code Injection
Code Injection enables an attacker to execute arbitrary code on the server.
  Response Splitting
Response Splitting lets an attacker place CRLF sequences into a header value, terminating the intended response and appending an arbitrary one of their own.
  File Inclusion
File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.
  Command Injection
Command Injection enables an attacker to inject a shell command that is executed with the privileges of the web server. This can be used to expose sensitive data, or to gain access to your server.
  SQL Injection
SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.
  XPath Injection
XPath Injection enables an attacker to modify which parts of an XML document are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.
  LDAP Injection
LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.
  Header Injection
  Other Vulnerability
This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.
  Regex Injection
Regex Injection enables an attacker to execute arbitrary code in your PHP process (historically through the /e modifier of preg_replace(), which PHP 7.0 removed) or to stall it with a pathological pattern.
  XML Injection
XML Injection, typically through external entity (XXE) declarations, enables an attacker to read files on your local filesystem including configuration files, or, through entity expansion, can be abused to freeze your web-server process.
  Variable Injection
Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

modules/Trackers/BreadCrumbStack.php (1 issue)


<?php
if(!defined('sugarEntry') || !sugarEntry) die('Not A Valid Entry Point');
/*********************************************************************************
 * SugarCRM Community Edition is a customer relationship management program developed by
 * SugarCRM, Inc. Copyright (C) 2004-2013 SugarCRM Inc.

 * SuiteCRM is an extension to SugarCRM Community Edition developed by Salesagility Ltd.
 * Copyright (C) 2011 - 2014 Salesagility Ltd.
 *
 * This program is free software; you can redistribute it and/or modify it under
 * the terms of the GNU Affero General Public License version 3 as published by the
 * Free Software Foundation with the addition of the following permission added
 * to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK
 * IN WHICH THE COPYRIGHT IS OWNED BY SUGARCRM, SUGARCRM DISCLAIMS THE WARRANTY
 * OF NON INFRINGEMENT OF THIRD PARTY RIGHTS.
 *
 * This program is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
 * FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public License for more
 * details.
 *
 * You should have received a copy of the GNU Affero General Public License along with
 * this program; if not, see http://www.gnu.org/licenses or write to the Free
 * Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301 USA.
 *
 * You can contact SugarCRM, Inc. headquarters at 10050 North Wolfe Road,
 * SW2-130, Cupertino, CA 95014, USA. or at email address [email protected].
 *
 * The interactive user interfaces in modified source and object code versions
 * of this program must display Appropriate Legal Notices, as required under
 * Section 5 of the GNU Affero General Public License version 3.
 *
 * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
 * these Appropriate Legal Notices must retain the display of the "Powered by
 * SugarCRM" logo and "Supercharged by SuiteCRM" logo. If the display of the logos is not
 * reasonably feasible for  technical reasons, the Appropriate Legal Notices must
 * display the words  "Powered by SugarCRM" and "Supercharged by SuiteCRM".
 ********************************************************************************/


class BreadCrumbStack {

    /**
     * Maintain an ordered list of items in the breadcrumbs
     *
     * @var array
     */
    private $stack;
    /**
     * Maps an item_id to the position index in stack
     *
     * @var array
     */
    private $stackMap;
    /**
     * Boolean flag to determine whether or not entries not visible should be removed
     *
     * @var bool
     */
    private $deleteInvisible = false;


    /**
     * BreadCrumbStack
     * Constructor for BreadCrumbStack that builds list of breadcrumbs using tracker table
     *
     * @param $user_id String value of user id to get bread crumb items for
     * @param $modules mixed value of module name(s) to provide extra filtering
     */
    public function __construct($user_id, $modules='') {
        $this->stack = array();
        $this->stackMap = array();

        $admin = new Administration();
        $admin->retrieveSettings('tracker');

        $this->deleteInvisible = !empty($admin->settings['tracker_Tracker']);
        $db = DBManagerFactory::getInstance();

        $module_query = '';
        if(!empty($modules)) {
            $history_max_viewed = 10;
            $module_query = is_array($modules) ? ' AND module_name IN (\'' . implode("','" , $modules) . '\')' :  ' AND module_name = \'' . $modules . '\'';
        } else {
            $history_max_viewed = (!empty($GLOBALS['sugar_config']['history_max_viewed']))? $GLOBALS['sugar_config']['history_max_viewed'] : 50;
        }

        // $user_id and $modules are concatenated into the SQL as-is; the caller is trusted to pass safe values.
        $query = 'SELECT distinct item_id AS item_id, id, item_summary, module_name, monitor_id, date_modified FROM tracker WHERE user_id = \'' . $user_id . '\' AND deleted = 0 AND visible = 1 ' . $module_query . ' ORDER BY date_modified DESC';
        $result = $db->limitQuery($query, 0, $history_max_viewed);
        $items = array();
        while(($row = $db->fetchByAssoc($result))) {
            $items[] = $row;
        }
        $items = array_reverse($items);
        foreach($items as $item) {
            $this->push($item);
        }
    }

    /**
     * @deprecated deprecated since version 7.6, PHP4 Style Constructors are deprecated and will be removed in 7.8, please update your code, use __construct instead
     */
    public function BreadCrumbStack($user_id, $modules=''){
        $deprecatedMessage = 'PHP4 Style Constructors are deprecated and will be removed in 7.8, please update your code';
        if(isset($GLOBALS['log'])) {
            $GLOBALS['log']->deprecated($deprecatedMessage);
        }
        else {
            trigger_error($deprecatedMessage, E_USER_DEPRECATED);
        }
        self::__construct($user_id, $modules);
    }

    /**
     * contains
     * Returns true if the stack contains the specified item_id, false otherwise.
     *
     * @param item_id the item id to search for
     * @return bool true if the item_id is in the stack
     */
    public function contains($item_id) {
        if(!empty($this->stackMap)){
            return array_key_exists($item_id, $this->stackMap);
        }else
            return false;
    }

    /**
     * Push an element onto the stack.
     * This will only maintain a list of unique item_ids, if an item_id is found to
     * already exist in the stack, we want to remove it and update the database to reflect its
     * visibility.
     *
     * @param array $row - a trackable item to store in memory
     */
    public function push($row) {
        if(is_array($row) && !empty($row['item_id'])) {
            if($this->contains($row['item_id'])) {
                //if this item already exists in the stack then update the found items
                //to visible = 0 and add our new item to the stack
                $item = $this->stack[$this->stackMap[$row['item_id']]];
                if(!empty($item['id']) && $row['id'] != $item['id']){
                    $this->makeItemInvisible($item['id'], 0);
Issue on the call `$this->makeItemInvisible($item['id'], 0)` above: The call to BreadCrumbStack::makeItemInvisible() has too many arguments starting with 0.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is WordPress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.

Here the report is not a false positive: makeItemInvisible() is declared below with a single parameter, $id, and decides between DELETE and UPDATE from $this->deleteInvisible, so the trailing 0 (presumably meant as the new visibility value) is accepted by PHP and silently ignored. Dropping the second argument is the fix.
                }
                $this->popItem($item['item_id']);
            }
            //If we reach the max count, shift the first element off the stack
            $history_max_viewed = (!empty($GLOBALS['sugar_config']['history_max_viewed']))? $GLOBALS['sugar_config']['history_max_viewed'] : 50;

            if($this->length() >= $history_max_viewed) {
                $this->pop();
            }
            //Push the element into the stack
            $this->addItem($row);
        }
    }

    /**
     * Remove the oldest item (the front of the stack)
     *
     */
    public function pop(){
        $item = array_shift($this->stack);
        if(!empty($item['item_id']) && isset($this->stackMap[$item['item_id']])){
            unset($this->stackMap[$item['item_id']]);
            $this->heal();
        }
    }

    /**
     * Hide a tracker row, or delete it when the tracker setting asks for invisible rows to be removed
     *
     * @param string $id - the tracker row id
     */
    private function makeItemInvisible($id){
        if($this->deleteInvisible) {
            $query = "DELETE FROM tracker where id = '{$id}'";
        } else {
            $query = "UPDATE tracker SET visible = 0 WHERE id = '{$id}'";
        }
        $GLOBALS['db']->query($query, true);
    }

    /**
     * Pop an Item off the stack. Call heal to reconstruct the indices properly
     *
     * @param string $item_id - the item id to remove from the stack
     */
    public function popItem($item_id){
        if(isset($this->stackMap[$item_id])){
            $idx = $this->stackMap[$item_id];
            unset($this->stack[$idx]);
            unset($this->stackMap[$item_id]);
            $this->heal();
        }
    }

    /**
     * Add an item to the stack
     *
     * @param array $row - the row from the db query
     */
    private function addItem($row){
        $this->stack[] = $row;
        $this->stackMap[$row['item_id']] = ($this->length() - 1);
    }

    /**
     * Once we have removed an item from the stack we need to be sure to have the
     * ids and indices match up properly.  Heal takes care of that.  This method should only
     * be called when an item_id is already in the stack and needs to be removed
     *
     */
    private function heal(){
        $vals = array_values($this->stack);
        $this->stack = array();
        $this->stackMap = array();
        foreach($vals as $key => $val){
            $this->addItem($val);
        }
    }

    /**
     * Return the number of elements in the stack
     *
     * @return int - the number of elements in the stack
     */
    public function length(){
        return count($this->stack);
    }

    /**
     * Return the list of breadcrumbs currently in memory, newest first, capped at 10
     *
     * @param mixed $filter_module - module name or list of module names to restrict the result to
     * @return array of breadcrumbs
     */
    public function getBreadCrumbList($filter_module='') {
        if(!empty($filter_module)) {
            $s2 = array();
            if(is_array($filter_module)) {
                foreach($this->stack as $entry) {
                    if(in_array($entry['module_name'], $filter_module)) {
                        $s2[$entry['item_id']] = $entry;
                    }
                }
            } else {
                foreach($this->stack as $entry) {
                    if($entry['module_name'] == $filter_module) {
                        $s2[$entry['item_id']] = $entry;
                    }
                }
            }

            $s2 = array_reverse($s2);
            if(count($s2) > 10) {
                $s2 = array_slice($s2, 0, 10);
            }
            return $s2;
        }

        $s = $this->stack;
        $s = array_reverse($s);
        if(count($s) > 10) {
            $s = array_slice($s, 0, 10);
        }
        return $s;
    }
}

?>
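
Why the flagged argument goes unnoticed at runtime, as an added example written for this page (not SuiteCRM code): PHP accepts surplus arguments to user-defined functions and methods without complaint, so `makeItemInvisible($item['id'], 0)` runs exactly like `makeItemInvisible($item['id'])`, and only the static check sees the mismatch. `BreadCrumbStackDemo` below is a hypothetical stand-in that records the SQL the real method would send instead of executing it; the tracker id is a constructed value. Requires PHP 8.0 or later.

```php
<?php
// Added example (not SuiteCRM code): surplus arguments to a user-defined PHP
// method are accepted and ignored, which is why the flagged call "works".
declare(strict_types=1);

final class BreadCrumbStackDemo
{
    /** @var string[] queries that the real method would have sent to the database */
    public array $queries = [];

    public function __construct(private bool $deleteInvisible = false) {}

    // Same shape as the real makeItemInvisible(): one declared parameter. The
    // delete-vs-hide decision comes from the tracker setting, not from the caller.
    public function makeItemInvisible(string $id): int
    {
        $this->queries[] = $this->deleteInvisible
            ? "DELETE FROM tracker WHERE id = '{$id}'"
            : "UPDATE tracker SET visible = 0 WHERE id = '{$id}'";
        // func_num_args() counts everything the caller passed, declared or not;
        // nothing else in the method can observe the extra argument.
        return func_num_args();
    }
}

$stack = new BreadCrumbStackDemo();

// The call as flagged by the analyser: the trailing 0 is accepted and ignored.
$passed = $stack->makeItemInvisible('abc-123', 0);   // 2 arguments received
// The corrected call.
$passedFixed = $stack->makeItemInvisible('abc-123'); // 1 argument received

// Both calls produced the same query: the 0 never influenced behaviour.
if ($stack->queries[0] !== $stack->queries[1]) {
    throw new RuntimeException('extra argument changed behaviour, which it must not');
}

// Internal functions are stricter: since PHP 8.0 a surplus argument is an error.
try {
    strlen('abc', 1);
    $internalStrict = false;
} catch (ArgumentCountError $e) {
    $internalStrict = true;
}

printf("user-defined method: %d then %d arguments accepted; internal function strict: %s\n",
    $passed, $passedFixed, $internalStrict ? 'yes' : 'no');
```

Because the runtime will never flag the surplus argument on a user-defined method, this class of mistake is only caught by a static check like the one on this page; the practical risk is a reader assuming the `0` sets the visibility when it does nothing.

The constructor above builds its SELECT by concatenating `$user_id` and `$modules` straight into the SQL string. Its callers are not on this page, so nothing here shows whether either value can ever carry request data; the concatenation is nonetheless the shape the SQL Injection category at the top of the page describes, and letting the database layer quote the values closes it regardless of caller. The function below is an added example, not project code: `buildTrackerQuery()` is a hypothetical name, the `$quoted` callable stands in for the DBManager quoting helper (`[$db, 'quoted']` in SugarCRM-derived code), and the inline quoter and the sample ids are constructed for running offline only; the inline quoter only doubles single quotes and is not a substitute for the driver's escaping. It also rejects module names that are not plain identifiers, which the original does not do. Requires PHP 8.0 or later.

```php
<?php
// Added example (not SuiteCRM code): the constructor's tracker query rebuilt so
// that every value is quoted by the database layer instead of concatenated raw.
declare(strict_types=1);

/**
 * @param string                  $userId           id of the user whose breadcrumbs are loaded
 * @param string|string[]         $modules          module name or list of names to filter on ('' = no filter)
 * @param callable(string):string $quoted           returns the value as a quoted SQL literal (e.g. [$db, 'quoted'])
 * @param int                     $historyMaxViewed the sugar_config history_max_viewed value
 * @return array{0:string,1:int} the SQL and the row limit to hand to limitQuery()
 */
function buildTrackerQuery(string $userId, string|array $modules, callable $quoted, int $historyMaxViewed = 50): array
{
    $moduleQuery = '';
    $limit = $historyMaxViewed;
    if ($modules !== '' && $modules !== []) {
        $names = is_array($modules) ? $modules : [$modules];
        foreach ($names as $name) {
            // Module names are identifiers; refuse anything else before it reaches SQL.
            if (!is_string($name) || !preg_match('/^[A-Za-z0-9_]+$/', $name)) {
                throw new InvalidArgumentException('Invalid module name: ' . var_export($name, true));
            }
        }
        // One IN (...) list covers both the single-name and the array case.
        $moduleQuery = ' AND module_name IN (' . implode(', ', array_map($quoted, $names)) . ')';
        $limit = 10; // the original caps module-filtered history at 10 rows
    }
    $sql = 'SELECT DISTINCT item_id AS item_id, id, item_summary, module_name, monitor_id, date_modified'
         . ' FROM tracker WHERE user_id = ' . $quoted($userId)
         . ' AND deleted = 0 AND visible = 1' . $moduleQuery
         . ' ORDER BY date_modified DESC';
    return [$sql, $limit];
}

// Constructed stand-in quoter for running offline: doubles single quotes only.
// Production code passes the database layer's own quoting method instead.
$quoted = static fn(string $s): string => "'" . str_replace("'", "''", $s) . "'";

// Constructed inputs: a user id carrying a quote, and two ordinary module names.
[$sql, $limit] = buildTrackerQuery("seed_will_id' OR '1'='1", ['Accounts', 'Contacts'], $quoted);
echo $sql, "\nLIMIT ", $limit, "\n";
// The quote inside the user id is now data inside the literal, not SQL syntax.

// A module name that is not an identifier is rejected before any SQL is built.
try {
    buildTrackerQuery('seed_will_id', "Accounts' OR 1=1 --", $quoted);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The same treatment applies to `makeItemInvisible()`, whose `$id` is interpolated into the DELETE and UPDATE statements; there the value comes from a tracker row the class itself read, so the exposure is smaller, but routing it through the same quoting helper costs nothing.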