Issues in AbstractWidget.php (master) - Issues in master - amarkal/amarkal-widget - Measure and Improve Code Quality continuously with Scrutinizer

Issues (7)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

AbstractWidget.php (3 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace Amarkal\Widget;

abstract class AbstractWidget extends \WP_Widget
{   

    /**
     * @var array The configuration array
     */
    private $config;
    
    /**
     * @var \Amarkal\UI\Form Amarkal UI for data processing 
     */
    private $form;
    
    /**
     * Get the user config and call the parent constructor
     */
    public function __construct() 
    {
        $config = $this->get_config();
        
        parent::__construct( 
            $config['id'], 
            $config['name'], 
            $config['widget_options'], 
            $config['control_options'] 
        );
    }
    
    /**
     * Generates the administration form for the widget
     * 
     * @param array $instance The array of keys and values for the widget
     */
    public function form( $instance ) 
    {
        $form = $this->get_form();
        $cl   = $form->get_component_list();
        
        $form->update($instance);
        
        // Set the widget-specific names and ids
        foreach( $cl->get_value_components() as $component )

        {
            $component->original_name = $component->name;
            $component->id = $this->get_field_id($component->name);
            $component->name = $this->get_field_name($component->name);
        }
        
        include __DIR__.'/Form.phtml';
        
        // Use the original names again (for when the components update)
        foreach( $cl->get_value_components() as $component )

        {
            $component->id = $component->original_name;
            $component->name = $component->original_name;
        }
    }

    /**
     * Process the widget's options before they are saved into the db
     *
     * @param array $new_instance The previous instance of values before the update.
     * @param array $old_instance The new instance of values to be generated via the update.
     */
    public function update( $new_instance, $old_instance ) 
    {
        $form = $this->get_form();
        return $form->update($new_instance, $old_instance);
    }
    
    /**
     * Get the Amarkal UI form.
     * 
     * @return \Amarkal\UI\Form
     */
    private function get_form()
    {
        if( !isset($this->form) )
        {
            $config = $this->get_config();
            $this->form = new \Amarkal\UI\Form(
                new \Amarkal\UI\ComponentList($config['fields'])
            );
        }
        return $this->form;
    }
    
    /**
     * Get the default widget configuration.
     * 
     * @return array
     */
    private function default_config()
    {
        return array(
            'id'              => null,
            'name'            => null,
            'widget_options'  => array(),
            'control_options' => array(),
            'fields'          => array()
        );
    }
    
    /**
     * Get the configuraiton array, merging between the user and the default 
     * configuration values.
     * 
     * @return array
     * @throws \RuntimeException if the configuration is missing the ID argument
     */
    private function get_config()
    {
        if( !isset($this->config) )
        {
            $this->config = array_merge(
                $this->default_config(),
                $this->config()
            );

            if( null === $this->config['id'] )
            {
                throw new \RuntimeException('No \'id\' was sepcified in the widget configuration');
            }
        }
        return $this->config;
    }
    
    /**
     * The user configuration array. Must be implemented in the child class.
     */
    abstract public function config();
}

1			<?php
2
3			namespace Amarkal\Widget;
4
5			abstract class AbstractWidget extends \WP_Widget
6			{
			0 ignored issues – show Coding Style introduced 2017-07-28 16:42 UTC by Report Bug Copy Issue Report Show Similar Issues like this The opening class brace should be on a newline by itself. Loading history...
7			/**
8			* @var array The configuration array
9			*/
10			private $config;
11
12			/**
13			* @var \Amarkal\UI\Form Amarkal UI for data processing
14			*/
15			private $form;
16
17			/**
18			* Get the user config and call the parent constructor
19			*/
20			public function __construct()
21			{
22			$config = $this->get_config();
23
24			parent::__construct(
25			$config['id'],
26			$config['name'],
27			$config['widget_options'],
28			$config['control_options']
29			);
30			}
31
32			/**
33			* Generates the administration form for the widget
34			*
35			* @param array $instance The array of keys and values for the widget
36			*/
37			public function form( $instance )
38			{
39			$form = $this->get_form();
40			$cl = $form->get_component_list();
41
42			$form->update($instance);
43
44			// Set the widget-specific names and ids
45			foreach( $cl->get_value_components() as $component )
			0 ignored issues – show Bug introduced 2017-12-02 20:47 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `get_value_components` cannot be called on `$cl` (of type `array<integer,object<Ama...\UI\AbstractComponent>>`). Methods can only be called on objects. This check looks for methods being called on variables that have been inferred to never be objects. Loading history...
46			{
47			$component->original_name = $component->name;
48			$component->id = $this->get_field_id($component->name);
49			$component->name = $this->get_field_name($component->name);
50			}
51
52			include __DIR__.'/Form.phtml';
53
54			// Use the original names again (for when the components update)
55			foreach( $cl->get_value_components() as $component )
			0 ignored issues – show Bug introduced 2017-12-02 20:47 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `get_value_components` cannot be called on `$cl` (of type `array<integer,object<Ama...\UI\AbstractComponent>>`). Methods can only be called on objects. This check looks for methods being called on variables that have been inferred to never be objects. Loading history...
56			{
57			$component->id = $component->original_name;
58			$component->name = $component->original_name;
59			}
60			}
61
62			/**
63			* Process the widget's options before they are saved into the db
64			*
65			* @param array $new_instance The previous instance of values before the update.
66			* @param array $old_instance The new instance of values to be generated via the update.
67			*/
68			public function update( $new_instance, $old_instance )
69			{
70			$form = $this->get_form();
71			return $form->update($new_instance, $old_instance);
72			}
73
74			/**
75			* Get the Amarkal UI form.
76			*
77			* @return \Amarkal\UI\Form
78			*/
79			private function get_form()
80			{
81			if( !isset($this->form) )
82			{
83			$config = $this->get_config();
84			$this->form = new \Amarkal\UI\Form(
85			new \Amarkal\UI\ComponentList($config['fields'])
86			);
87			}
88			return $this->form;
89			}
90
91			/**
92			* Get the default widget configuration.
93			*
94			* @return array
95			*/
96			private function default_config()
97			{
98			return array(
99			'id' => null,
100			'name' => null,
101			'widget_options' => array(),
102			'control_options' => array(),
103			'fields' => array()
104			);
105			}
106
107			/**
108			* Get the configuraiton array, merging between the user and the default
109			* configuration values.
110			*
111			* @return array
112			* @throws \RuntimeException if the configuration is missing the ID argument
113			*/
114			private function get_config()
115			{
116			if( !isset($this->config) )
117			{
118			$this->config = array_merge(
119			$this->default_config(),
120			$this->config()
121			);
122
123			if( null === $this->config['id'] )
124			{
125			throw new \RuntimeException('No \'id\' was sepcified in the widget configuration');
126			}
127			}
128			return $this->config;
129			}
130
131			/**
132			* The user configuration array. Must be implemented in the child class.
133			*/
134			abstract public function config();
135			}

amarkal / amarkal-widget

Issues (7)

Security Analysis no request data

AbstractWidget.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like