Issues in ScriptHandler.php (master) - Issues in master - allejo/bzion - Measure and Improve Code Quality continuously with Scrutinizer

Issues (273)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Composer/ScriptHandler.php (1 issue)

Labels

Documentation 1

Severity

Minor 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * This file contains scripts that are run on composer events and commands - for
 * example, you might want to regenerate the cache after updating
 *
 * @license    https://github.com/allejo/bzion/blob/master/LICENSE.md GNU General Public License Version 3
 */

namespace BZIon\Composer;

use Composer\IO\ConsoleIO;
use Composer\IO\IOInterface;
use Composer\Script\Event;
use Phinx\Console\PhinxApplication;
use Symfony\Component\Console\Helper\HelperSet;
use Symfony\Component\Console\Helper\QuestionHelper;
use Symfony\Component\Console\Input\ArrayInput;
use Symfony\Component\Console\Output\ConsoleOutput;
use Symfony\Component\Filesystem\Filesystem;
use Symfony\Component\Finder\Finder;
use Symfony\Component\Process\Process;
use Symfony\Component\Yaml\Yaml;

/**
 * A manager for composer events
 */
class ScriptHandler
{
    /**
     * Shows what changed since the last update
     *
     * @param $event Event Composer's event
     */
    public static function showChangelog(Event $event)
    {
        static::executeCommand($event, 'bzion:changes');
    }

    /**
     * Clears the Symfony cache.
     *
     * This command won't fail if the current cache prevents the kernel from
     * booting
     *
     * @param $event Event       Composer's event
     * @param $env   string|null The environment to clear the cache for, 'all'
     *                           to clear the cache for all environments, null
     *                           to pick an environment based on command line
     *                           arguments (defaults to 'all')
     */
    public static function clearCache(Event $event, $env = null)
    {
        $io = $event->getIO();
        $args = $event->getArguments();

        if ($env === null) {
            if (isset($args[0])) {
                $env = $args[0];
            } elseif (getenv('SYMFONY_ENV')) {
                $env = getenv('SYMFONY_ENV');
            } else {
                $env = 'all';
            }
        }

    // Delete all cache files
    $finder = new Finder();
        $cacheDirectory = __DIR__ . '/../../app/cache/';

        $fs = new Filesystem();

        $clear = true;

    // We make sure that the root directories for each environment aren't
    // removed, so that permission settings are kept
    if ($env === 'all') {
        $io->write("Clearing cache for <fg=green;bold>all</> environments");
        $finder->in($cacheDirectory)->depth('== 1');
    } else {
        $directory = $cacheDirectory . str_replace('/', '', $env);

        if ($fs->exists($directory)) {
            $io->write("Clearing cache for the <fg=green>$env</> environment");
            $finder->in($directory)->depth('== 0');
        } else {
            $io->write("Cache directory for the <fg=green>$env</> environment doesn't exist and won't be cleared");
            $clear = false;
        }
    }

        if ($clear) {
            // We use Symfony's Filesystem component to delete files recursively
        $fs->remove($finder);
function acceptsInteger($int) { }

$x = '123'; // string "123"

// Instead of
acceptsInteger($x);

// we recommend to use
acceptsInteger((integer) $x);
        }

        if ($env === 'prod' || $env === 'all') {
            static::executeCommand($event, 'cache:warmup');
        }
    }

    /**
     * Clear the cache for all environments
     *
     * @param $event Event Composer's event
     */
    public static function clearAllCaches(Event $event)
    {
        return static::clearCache($event, 'all');
    }

    /**
     * Initialize the last update file so that when the user updates and asks
     * for the changelog, the entries added before the installation are not shown
     *
     * @param $event Event Composer's event
     */
    public static function initializeChangelog(Event $event)
    {
        static::executeCommand($event, 'bzion:changes --read');
    }

    /**
     * Migrate the config.yml file
     *
     * @param $event Event Composer's event
     */
    public static function buildConfig(Event $event)
    {
        $configHandler = new ConfigHandler($event);
        $configHandler->build();
    }

    /*
     * Create and update the database schema
     *
     * @param $event   Event|null Composer's event
     * @param $testing boolean    Whether to migrate the testing database (only applicable when $event is null)
     */
    public static function migrateDatabase(Event $event = null, $testing = false)
    {
        if ($event) {
            // Use the event's IO
            $io = $event->getIO();

            $arguments = $event->getArguments();

            $testingArguments = array('testing', '--testing', '-t');
            $testing = count(array_intersect($arguments, $testingArguments)) > 0;
        } else {
            // Create our own IO
            $input = new ArrayInput(array());
            $output = new ConsoleOutput();
            $helperSet = new HelperSet(array(new QuestionHelper()));

            $io = new ConsoleIO($input, $output, $helperSet);
        }

        try {
            $config = self::getDatabaseConfig($testing);
        } catch (\Exception $e) {
            $io->write("<bg=red>\n\n [WARNING] " . $e->getMessage() . ", the database won't be updated\n</>");

            return;
        }

        // If the database doesn't exist, ask the user to create it and perform
        // the necessary migrations (unless the user didn't agree to
        // create the database)
        if (self::createDatabase($io, $config['host'], $config['username'], $config['password'], $config['database'])) {
            $io->write(''); // newline

            $arguments = array('migrate', '-e' => ($testing) ? 'test' : 'main');
            $app = new PhinxApplication();
            $app->doRun(new ArrayInput($arguments), new ConsoleOutput());
        }
    }

    /**
     * Shows an installation success message
     *
     * @param $event Event Composer's event
     */
    public static function showSuccessMessage(Event $event)
    {
        static::executeCommand($event, 'bzion:success');
    }

    /**
     * Create the database schema if needed
     *
     * @param IOInterface $io       Composer's IO interface
     * @param string      $host     The database host
     * @param string      $username The username for the MySQL user
     * @param string      $password The password for the MySQL user
     * @param string      $database The name of the database
     *
     * @return bool Whether the database was created
     */
    private static function createDatabase(IOInterface $io, $host, $username, $password, $database)
    {
        $io->write(" Connecting to MySQL database $database@$host");

        $dsn = 'mysql:host=' . $host . ';charset=UTF8';
        $pdo = new \PDO($dsn, $username, $password);

        $statement = $pdo->prepare("USE `$database`");
        $status = $statement->execute();
        $errors = $statement->errorInfo();

        // Throw an exception on error for any query that will be sent next
        $pdo->setAttribute(\PDO::ATTR_ERRMODE, \PDO::ERRMODE_EXCEPTION);

        // 1049 is the error code thrown when the database doesn't exist, but
        // the MySQL user has the privilege to see it
        if ($errors[1] == 1049) {
            $answer = $io->askConfirmation(
                " <fg=green>The $database database doesn't exist. Would you like to have it created? (yes/no)</> [<comment>yes</comment>]\n > ",
                true);

            if ($answer) {
                $pdo->query("CREATE DATABASE `$database` COLLATE utf8_unicode_ci");
                $pdo->query("USE `$database`");

                $io->write(" <fg=green>New database created</>");
            } else {
                return false;
            }
        } elseif (!$status) {
            throw new \Exception("Unable to connect to database: " . $errors[2]);
        }

        // If the database is empty, fill it
        if ($pdo->query('SHOW TABLES')->rowCount() === 0) {
            $io->write(" <fg=green>Creating database schema...</> ", false);

            $sqlPath = realpath(__DIR__ . '/../../migrations/' . 'DATABASE.sql');
            $pdo->exec(file_get_contents($sqlPath));

            $io->write("<fg=green>done.</>");
        }

        return true;
    }

    /**
     * Execute a symfony console command
     *
     * @param  Event  $event   Composer's event
     * @param  string $command The command to execute
     * @param  int    $timeout The timeout of the command in seconds
     * @return void
     */
    protected static function executeCommand(Event $event, $command, $timeout = 300)
    {
        $console = escapeshellarg(__DIR__ . '/../../app/console') . ' --env=prod';

        if ($event->getIO()->isDecorated()) {
            $console .= ' --ansi';
        }

        $process = new Process("$console $command", null, null, null, $timeout);
        $process->run(function ($type, $buffer) use ($event) { $event->getIO()->write($buffer, false); });

        if (!$process->isSuccessful()) {
            throw new \RuntimeException(sprintf('An error occurred when executing the "%s" command.', escapeshellarg($command)));
        }
    }

    /**
     * Get the database's configuration
     *
     * @param  bool    $testing Whether to retrieve the test database credentials
     * @return array|null The configuration as defined in the config.yml file, null if no configuration was found
     */
    public static function getDatabaseConfig($testing = false)
    {
        $configPath = ConfigHandler::getConfigurationPath();
        if (!is_file($configPath)) {
            throw new \Exception("The configuration file could not be read");
        }

        $path = $testing ? 'testing' : 'mysql';

        $config = Yaml::parse(file_get_contents($configPath));

        if (isset($config['bzion'][$path])) {
            return $config['bzion'][$path];
        }

        return null;
    }
}


1		<?php
2		/**
3		* This file contains scripts that are run on composer events and commands - for
4		* example, you might want to regenerate the cache after updating
5		*
6		* @license https://github.com/allejo/bzion/blob/master/LICENSE.md GNU General Public License Version 3
7		*/
8
9		namespace BZIon\Composer;
10
11		use Composer\IO\ConsoleIO;
12		use Composer\IO\IOInterface;
13		use Composer\Script\Event;
14		use Phinx\Console\PhinxApplication;
15		use Symfony\Component\Console\Helper\HelperSet;
16		use Symfony\Component\Console\Helper\QuestionHelper;
17		use Symfony\Component\Console\Input\ArrayInput;
18		use Symfony\Component\Console\Output\ConsoleOutput;
19		use Symfony\Component\Filesystem\Filesystem;
20		use Symfony\Component\Finder\Finder;
21		use Symfony\Component\Process\Process;
22		use Symfony\Component\Yaml\Yaml;
23
24		/**
25		* A manager for composer events
26		*/
27		class ScriptHandler
28		{
29		/**
30		* Shows what changed since the last update
31		*
32		* @param $event Event Composer's event
33		*/
34		public static function showChangelog(Event $event)
35		{
36		static::executeCommand($event, 'bzion:changes');
37		}
38
39		/**
40		* Clears the Symfony cache.
41		*
42		* This command won't fail if the current cache prevents the kernel from
43		* booting
44		*
45		* @param $event Event Composer's event
46		* @param $env string\|null The environment to clear the cache for, 'all'
47		* to clear the cache for all environments, null
48		* to pick an environment based on command line
49		* arguments (defaults to 'all')
50		*/
51		public static function clearCache(Event $event, $env = null)
52		{
53		$io = $event->getIO();
54		$args = $event->getArguments();
55
56		if ($env === null) {
57		if (isset($args[0])) {
58		$env = $args[0];
59		} elseif (getenv('SYMFONY_ENV')) {
60		$env = getenv('SYMFONY_ENV');
61		} else {
62		$env = 'all';
63		}
64		}
65
66		// Delete all cache files
67		$finder = new Finder();
68		$cacheDirectory = __DIR__ . '/../../app/cache/';
69
70		$fs = new Filesystem();
71
72		$clear = true;
73
74		// We make sure that the root directories for each environment aren't
75		// removed, so that permission settings are kept
76		if ($env === 'all') {
77		$io->write("Clearing cache for <fg=green;bold>all</> environments");
78		$finder->in($cacheDirectory)->depth('== 1');
79		} else {
80		$directory = $cacheDirectory . str_replace('/', '', $env);
81
82		if ($fs->exists($directory)) {
83		$io->write("Clearing cache for the <fg=green>$env</> environment");
84		$finder->in($directory)->depth('== 0');
85		} else {
86		$io->write("Cache directory for the <fg=green>$env</> environment doesn't exist and won't be cleared");
87		$clear = false;
88		}
89		}
90
91		if ($clear) {
92		// We use Symfony's Filesystem component to delete files recursively
93		$fs->remove($finder);
		0 ignored issues – show Documentation introduced 2017-12-29 10:52 UTC by Report Bug Copy Issue Report Show Similar Issues like this `$finder` is of type `object<Symfony\Component\Finder\Finder>`, but the function expects a `string\|object<Symfony\Co...nt\Filesystem\iterable>`. It seems like the type of the argument is not accepted by the function/method which you are calling. In some cases, in particular if PHP’s automatic type-juggling kicks in this might be fine. In other cases, however this might be a bug. We suggest to add an explicit type cast like in the following example: function acceptsInteger($int) { } $x = '123'; // string "123" // Instead of acceptsInteger($x); // we recommend to use acceptsInteger((integer) $x); Loading history...
94		}
95
96		if ($env === 'prod' \|\| $env === 'all') {
97		static::executeCommand($event, 'cache:warmup');
98		}
99		}
100
101		/**
102		* Clear the cache for all environments
103		*
104		* @param $event Event Composer's event
105		*/
106		public static function clearAllCaches(Event $event)
107		{
108		return static::clearCache($event, 'all');
109		}
110
111		/**
112		* Initialize the last update file so that when the user updates and asks
113		* for the changelog, the entries added before the installation are not shown
114		*
115		* @param $event Event Composer's event
116		*/
117		public static function initializeChangelog(Event $event)
118		{
119		static::executeCommand($event, 'bzion:changes --read');
120		}
121
122		/**
123		* Migrate the config.yml file
124		*
125		* @param $event Event Composer's event
126		*/
127		public static function buildConfig(Event $event)
128		{
129		$configHandler = new ConfigHandler($event);
130		$configHandler->build();
131		}
132
133		/*
134		* Create and update the database schema
135		*
136		* @param $event Event\|null Composer's event
137		* @param $testing boolean Whether to migrate the testing database (only applicable when $event is null)
138		*/
139	1	public static function migrateDatabase(Event $event = null, $testing = false)
140		{
141	1	if ($event) {
142		// Use the event's IO
143		$io = $event->getIO();
144
145		$arguments = $event->getArguments();
146
147		$testingArguments = array('testing', '--testing', '-t');
148		$testing = count(array_intersect($arguments, $testingArguments)) > 0;
149		} else {
150		// Create our own IO
151	1	$input = new ArrayInput(array());
152	1	$output = new ConsoleOutput();
153	1	$helperSet = new HelperSet(array(new QuestionHelper()));
154
155	1	$io = new ConsoleIO($input, $output, $helperSet);
156		}
157
158		try {
159	1	$config = self::getDatabaseConfig($testing);
160		} catch (\Exception $e) {
161		$io->write("<bg=red>\n\n [WARNING] " . $e->getMessage() . ", the database won't be updated\n</>");
162
163		return;
164		}
165
166		// If the database doesn't exist, ask the user to create it and perform
167		// the necessary migrations (unless the user didn't agree to
168		// create the database)
169	1	if (self::createDatabase($io, $config['host'], $config['username'], $config['password'], $config['database'])) {
170	1	$io->write(''); // newline
171
172	1	$arguments = array('migrate', '-e' => ($testing) ? 'test' : 'main');
173	1	$app = new PhinxApplication();
174	1	$app->doRun(new ArrayInput($arguments), new ConsoleOutput());
175		}
176	1	}
177
178		/**
179		* Shows an installation success message
180		*
181		* @param $event Event Composer's event
182		*/
183		public static function showSuccessMessage(Event $event)
184		{
185		static::executeCommand($event, 'bzion:success');
186		}
187
188		/**
189		* Create the database schema if needed
190		*
191		* @param IOInterface $io Composer's IO interface
192		* @param string $host The database host
193		* @param string $username The username for the MySQL user
194		* @param string $password The password for the MySQL user
195		* @param string $database The name of the database
196		*
197		* @return bool Whether the database was created
198		*/
199	1	private static function createDatabase(IOInterface $io, $host, $username, $password, $database)
200		{
201	1	$io->write(" Connecting to MySQL database $database@$host");
202
203	1	$dsn = 'mysql:host=' . $host . ';charset=UTF8';
204	1	$pdo = new \PDO($dsn, $username, $password);
205
206	1	$statement = $pdo->prepare("USE `$database`");
207	1	$status = $statement->execute();
208	1	$errors = $statement->errorInfo();
209
210		// Throw an exception on error for any query that will be sent next
211	1	$pdo->setAttribute(\PDO::ATTR_ERRMODE, \PDO::ERRMODE_EXCEPTION);
212
213		// 1049 is the error code thrown when the database doesn't exist, but
214		// the MySQL user has the privilege to see it
215	1	if ($errors[1] == 1049) {
216		$answer = $io->askConfirmation(
217		" <fg=green>The $database database doesn't exist. Would you like to have it created? (yes/no)</> [<comment>yes</comment>]\n > ",
218		true);
219
220		if ($answer) {
221		$pdo->query("CREATE DATABASE `$database` COLLATE utf8_unicode_ci");
222		$pdo->query("USE `$database`");
223
224		$io->write(" <fg=green>New database created</>");
225		} else {
226		return false;
227		}
228	1	} elseif (!$status) {
229		throw new \Exception("Unable to connect to database: " . $errors[2]);
230		}
231
232		// If the database is empty, fill it
233	1	if ($pdo->query('SHOW TABLES')->rowCount() === 0) {
234	1	$io->write(" <fg=green>Creating database schema...</> ", false);
235
236	1	$sqlPath = realpath(__DIR__ . '/../../migrations/' . 'DATABASE.sql');
237	1	$pdo->exec(file_get_contents($sqlPath));
238
239	1	$io->write("<fg=green>done.</>");
240		}
241
242	1	return true;
243		}
244
245		/**
246		* Execute a symfony console command
247		*
248		* @param Event $event Composer's event
249		* @param string $command The command to execute
250		* @param int $timeout The timeout of the command in seconds
251		* @return void
252		*/
253		protected static function executeCommand(Event $event, $command, $timeout = 300)
254		{
255		$console = escapeshellarg(__DIR__ . '/../../app/console') . ' --env=prod';
256
257		if ($event->getIO()->isDecorated()) {
258		$console .= ' --ansi';
259		}
260
261		$process = new Process("$console $command", null, null, null, $timeout);
262		$process->run(function ($type, $buffer) use ($event) { $event->getIO()->write($buffer, false); });
263
264		if (!$process->isSuccessful()) {
265		throw new \RuntimeException(sprintf('An error occurred when executing the "%s" command.', escapeshellarg($command)));
266		}
267		}
268
269		/**
270		* Get the database's configuration
271		*
272		* @param bool $testing Whether to retrieve the test database credentials
273		* @return array\|null The configuration as defined in the config.yml file, null if no configuration was found
274		*/
275	1	public static function getDatabaseConfig($testing = false)
276		{
277	1	$configPath = ConfigHandler::getConfigurationPath();
278	1	if (!is_file($configPath)) {
279		throw new \Exception("The configuration file could not be read");
280		}
281
282	1	$path = $testing ? 'testing' : 'mysql';
283
284	1	$config = Yaml::parse(file_get_contents($configPath));
285
286	1	if (isset($config['bzion'][$path])) {
287	1	return $config['bzion'][$path];
288		}
289
290		return null;
291		}
292		}
293

allejo / bzion

Issues (273)

Security Analysis not enabled

src/Composer/ScriptHandler.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like