Issues in Mustache.php (master) - Issues in master - andrewslince/slim3-mustache-view - Measure and Improve Code Quality continuously with Scrutinizer

Issues (9)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Mustache.php (9 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

/**
 * MIT License
 *
 * Copyright (c) 2016 Andrews Lince
 *
 * Permission is hereby granted, free of charge, to any person obtaining a copy
 * of this software and associated documentation files (the "Software"), to deal
 * in the Software without restriction, including without limitation the rights
 * copies of the Software, and to permit persons to whom the Software is
 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 * furnished to do so, subject to the following conditions:
 *
 * The above copyright notice and this permission notice shall be included in all
 * copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 * SOFTWARE.
 */

namespace Slim\Views;

use Psr\Http\Message\ResponseInterface;
use InvalidArgumentException;

/**
 * A Mustache view class for Slim 3 Framework
 * @author    Andrews Lince <[email protected]>
 * @version   1.0.5
 * @link      https://github.com/andrewslince/slim3-mustache-view
 * @package   Slim/Views
 * @copyright 2016 Andrews Lince
 */
class Mustache
{
    /**
     * Instance of Mustache Template Engine
     * @since 1.0.0
     * @var   Mustache_Engine
     */
    protected $templateEngine = null;

    /**
     * Constructor method
     * @author Andrews Lince <[email protected]>
     * @since  1.0.0
     * @param  array $options
     * @return void

     */
    public function __construct(array $options = [])
    {
        $this->templateEngine = $this->getTemplateEngine($options);
    }

    /**
     * Render a mustache template
     * @author Andrews Lince <[email protected]>
     * @since  1.0.0
     * @param  ResponseInterface $response
     * @param  string            $template
     * @param  array             $data
     * @return ResponseInterface
     */
    public function render(
        ResponseInterface $response,
        $template,
        array $data = []
    ) {

        // render output
        $response->getBody()->write(
            $this->templateEngine->render($template, $data)
        );

        return $response;
    }

    /**
     * Fetch a HTML script tag with the template content
     * @author Andrews Lince <[email protected]>
     * @since  1.0.0
     * @param  string $template Template to fetch content
     * @param  string $options

     * - (array)   htmlAttributes => HTML attributes to print in script tag
     * - (boolean) minify         => returns the minified content
     * @throws InvalidArgumentException
     * @return string HTML script tag with the template content
     */
    public function getTemplateScriptTag($template, array $options = [])
    {
        // validate the template name
        if (!$template) {
            throw new InvalidArgumentException(
                'The template name must be informed to get your HTML script tag'
            );
        }

        // process attributes from HTML script tag
        if (!isset($options['htmlAttributes'])) {
            $options['htmlAttributes'] = [];
        } else if (!is_array($options['htmlAttributes'])) {
            throw new InvalidArgumentException(
                'The "htmlAttributes" option must be an array'
            );
        }
        $htmlAttributes = $this->processHtmlAttributes(
            $options['htmlAttributes']
        );

        // process template content
        $templateContent = $this->templateEngine->getLoader()->load($template);
        if (isset($options['minify']) && $options['minify']) {
            $templateContent = $this->htmlMinify($templateContent);
        }

        return "<script $htmlAttributes>$templateContent</script>";
// Instead of
$x = "foo $bar $baz";

// Better use either
$x = "foo " . $bar . " " . $baz;
$x = sprintf("foo %s %s", $bar, $baz);
    }

    /**
     * Returns the instance from Mustache Template Engine
     * @author Andrews Lince <[email protected]>
     * @since  1.0.0
     * @param  array $options
     * - template
     *   - extension
     *   - charset
     *   - paths[]
     * @throws InvalidArgumentException
     * @return Mustache_Engine
     */
    private function getTemplateEngine(array $options = [])
    {
        if (is_null($this->templateEngine)) {

            if (!isset($options['template']['paths'])) {
                throw new InvalidArgumentException(
                    'Template paths was not informed'
                );
            }

            if (!is_array($options['template']['paths'])) {
                throw new InvalidArgumentException(
                    'Template paths must be an array'
                );
            }

            $loaders = [];
            foreach ($options['template']['paths'] as $templatePath) {
                $loaders[] = new \Mustache_Loader_FilesystemLoader(
                    $templatePath,
                    $options['template']
                );
            }

            // defines the mustache loaders
            $options['loader'] = new \Mustache_Loader_CascadingLoader($loaders);

            $this->templateEngine = new \Mustache_Engine($options);

        }

        return $this->templateEngine;

    }

    /**
     * Process the attributes to HTML script tag from template
     * @author Andrews Lince <[email protected]>
     * @since  1.0.0
     * @param  array $options
     * - htmlAttributes
     * @return string
     */
    private function processHtmlAttributes(array $options = [])
    {
        $htmlAttributes = '';

        // default attributes
        $attributes = array('type' => 'x-tmpl-mustache');

        // check if exists custom attributes
        if (!empty($options)) {
            $attributes = array_merge($attributes, $options);
        }

        // compose the string with all HTML attributes
        foreach ($attributes as $key => $value) {
            $htmlAttributes .= " $key=\"$value\"";
// Instead of
$x = "foo $bar $baz";

// Better use either
$x = "foo " . $bar . " " . $baz;
$x = sprintf("foo %s %s", $bar, $baz);
        }

        return ltrim($htmlAttributes);
    }

    /**
     * Minify a HTML content
     * @author Andrews Lince <[email protected]>
     * @since  1.0.0
     * @link   https://github.com/HossamYousef/slim3-minify/blob/master/src/Slim/Middleware/Minify.php
     * @param  string $content
     * @return string
     */
    private function htmlMinify($content)
    {
        $search = array(

            /**
             * remove tabs before and after HTML tags
             */
            '/\>[^\S ]+/s',
            '/[^\S ]+\</s',

            /**
             * remove empty lines (between HTML tags); cannot remove just
             * any line-end characters because in inline JS they can matter!
             */
            '/\>[\r\n\t ]+\</s',

            /**
             * shorten multiple whitespace sequences
             */
            '/(\s)+/s',

            /**
             * replace end of line by a space
             */
            '/\n/',

            /**
             * remove any HTML comments, except MSIE conditional comments
             */
            '/<!--(?!\s*(?:\[if [^\]]+]|<!|>))(?:(?!-->).)*-->/s',
        );

        $replace = array(
            '>',
            '<',
            '><',
            '\\1',
            ' ',
            ''
        );

        return preg_replace($search, $replace, $content);
    }
}



1			<?php
2
3			/**
4			* MIT License
5			*
6			* Copyright (c) 2016 Andrews Lince
7			*
8			* Permission is hereby granted, free of charge, to any person obtaining a copy
9			* of this software and associated documentation files (the "Software"), to deal
10			* in the Software without restriction, including without limitation the rights
11			* copies of the Software, and to permit persons to whom the Software is
12			* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
13			* furnished to do so, subject to the following conditions:
14			*
15			* The above copyright notice and this permission notice shall be included in all
16			* copies or substantial portions of the Software.
17			*
18			* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
19			* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
20			* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
21			* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
22			* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
23			* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
24			* SOFTWARE.
25			*/
26
27			namespace Slim\Views;
28
29			use Psr\Http\Message\ResponseInterface;
30			use InvalidArgumentException;
31
32			/**
33			* A Mustache view class for Slim 3 Framework
34			* @author Andrews Lince <[email protected]>
35			* @version 1.0.5
36			* @link https://github.com/andrewslince/slim3-mustache-view
37			* @package Slim/Views
38			* @copyright 2016 Andrews Lince
39			*/
40			class Mustache
41			{
42			/**
43			* Instance of Mustache Template Engine
44			* @since 1.0.0
45			* @var Mustache_Engine
46			*/
47			protected $templateEngine = null;
48
49			/**
50			* Constructor method
51			* @author Andrews Lince <[email protected]>
52			* @since 1.0.0
53			* @param array $options
54			* @return void
			0 ignored issues – show Comprehensibility Best Practice introduced 2016-11-27 10:02 UTC by Report Bug Copy Issue Report Show Similar Issues like this Adding a `@return` annotation to constructors is generally not recommended as a constructor does not have a meaningful return value. Adding a `@return` annotation to a constructor is not recommended, since a constructor does not have a meaningful return value. Please refer to the PHP core documentation on constructors. Loading history...
55			*/
56			public function __construct(array $options = [])
57			{
58			$this->templateEngine = $this->getTemplateEngine($options);
59			}
60
61			/**
62			* Render a mustache template
63			* @author Andrews Lince <[email protected]>
64			* @since 1.0.0
65			* @param ResponseInterface $response
66			* @param string $template
67			* @param array $data
68			* @return ResponseInterface
69			*/
70			public function render(
71			ResponseInterface $response,
72			$template,
73			array $data = []
74			) {
75
76			// render output
77			$response->getBody()->write(
78			$this->templateEngine->render($template, $data)
79			);
80
81			return $response;
82			}
83
84			/**
85			* Fetch a HTML script tag with the template content
86			* @author Andrews Lince <[email protected]>
87			* @since 1.0.0
88			* @param string $template Template to fetch content
89			* @param string $options
			0 ignored issues – show Documentation introduced 2016-11-27 10:59 UTC by Report Bug Copy Issue Report Show Similar Issues like this Should the type for parameter `$options` not be `array`? Also, consider making the array more specific, something like `array<String>`, or `String[]`. This check looks for `@param` annotations where the type inferred by our type inference engine differs from the declared type. It makes a suggestion as to what type it considers more descriptive. In addition it looks for parameters that have the generic type `array` and suggests a stricter type like `array<String>`. Most often this is a case of a parameter that can be null in addition to its declared types. Loading history...
90			* - (array) htmlAttributes => HTML attributes to print in script tag
91			* - (boolean) minify => returns the minified content
92			* @throws InvalidArgumentException
93			* @return string HTML script tag with the template content
94			*/
95			public function getTemplateScriptTag($template, array $options = [])
96			{
97			// validate the template name
98			if (!$template) {
99			throw new InvalidArgumentException(
100			'The template name must be informed to get your HTML script tag'
101			);
102			}
103
104			// process attributes from HTML script tag
105			if (!isset($options['htmlAttributes'])) {
106			$options['htmlAttributes'] = [];
107			} else if (!is_array($options['htmlAttributes'])) {
108			throw new InvalidArgumentException(
109			'The "htmlAttributes" option must be an array'
110			);
111			}
112			$htmlAttributes = $this->processHtmlAttributes(
113			$options['htmlAttributes']
114			);
115
116			// process template content
117			$templateContent = $this->templateEngine->getLoader()->load($template);
118			if (isset($options['minify']) && $options['minify']) {
119			$templateContent = $this->htmlMinify($templateContent);
120			}
121
122			return "<script $htmlAttributes>$templateContent</script>";
			0 ignored issues – show Coding Style Best Practice introduced 2016-11-27 10:59 UTC by Report Bug Copy Issue Report Show Similar Issues like this As per coding-style, please use concatenation or `sprintf` for the variable `$htmlAttributes` instead of interpolation. It is generally a best practice as it is often more readable to use concatenation instead of interpolation for variables inside strings. // Instead of $x = "foo $bar $baz"; // Better use either $x = "foo " . $bar . " " . $baz; $x = sprintf("foo %s %s", $bar, $baz); Loading history... Coding Style Best Practice introduced 2016-11-27 10:59 UTC by Report Bug Copy Issue Report Show Similar Issues like this As per coding-style, please use concatenation or `sprintf` for the variable `$templateContent` instead of interpolation. It is generally a best practice as it is often more readable to use concatenation instead of interpolation for variables inside strings. // Instead of $x = "foo $bar $baz"; // Better use either $x = "foo " . $bar . " " . $baz; $x = sprintf("foo %s %s", $bar, $baz); Loading history...
123			}
124
125			/**
126			* Returns the instance from Mustache Template Engine
127			* @author Andrews Lince <[email protected]>
128			* @since 1.0.0
129			* @param array $options
130			* - template
131			* - extension
132			* - charset
133			* - paths[]
134			* @throws InvalidArgumentException
135			* @return Mustache_Engine
136			*/
137			private function getTemplateEngine(array $options = [])
138			{
139			if (is_null($this->templateEngine)) {
140
141			if (!isset($options['template']['paths'])) {
142			throw new InvalidArgumentException(
143			'Template paths was not informed'
144			);
145			}
146
147			if (!is_array($options['template']['paths'])) {
148			throw new InvalidArgumentException(
149			'Template paths must be an array'
150			);
151			}
152
153			$loaders = [];
154			foreach ($options['template']['paths'] as $templatePath) {
155			$loaders[] = new \Mustache_Loader_FilesystemLoader(
156			$templatePath,
157			$options['template']
158			);
159			}
160
161			// defines the mustache loaders
162			$options['loader'] = new \Mustache_Loader_CascadingLoader($loaders);
163
164			$this->templateEngine = new \Mustache_Engine($options);
			0 ignored issues – show Documentation Bug introduced 2016-11-27 10:02 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `new \Mustache_Engine($options)` of type `object<Mustache_Engine>` is incompatible with the declared type `object<Slim\Views\Mustache_Engine>` of property `$templateEngine`. Our type inference engine has found an assignment to a property that is incompatible with the declared type of that property. Either this assignment is in error or the assigned type should be added to the documentation/type hint for that property.. Loading history...
165			}
166
167			return $this->templateEngine;
			0 ignored issues – show Bug Compatibility introduced 2016-11-27 10:02 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `$this->templateEngine;` of type `Mustache_Engine\|Slim\Views\Mustache_Engine` adds the type `Mustache_Engine` to the return on line 167 which is incompatible with the return type documented by `Slim\Views\Mustache::getTemplateEngine` of type `Slim\Views\Mustache_Engine`. Loading history...
168			}
169
170			/**
171			* Process the attributes to HTML script tag from template
172			* @author Andrews Lince <[email protected]>
173			* @since 1.0.0
174			* @param array $options
175			* - htmlAttributes
176			* @return string
177			*/
178			private function processHtmlAttributes(array $options = [])
179			{
180			$htmlAttributes = '';
181
182			// default attributes
183			$attributes = array('type' => 'x-tmpl-mustache');
184
185			// check if exists custom attributes
186			if (!empty($options)) {
187			$attributes = array_merge($attributes, $options);
188			}
189
190			// compose the string with all HTML attributes
191			foreach ($attributes as $key => $value) {
192			$htmlAttributes .= " $key=\"$value\"";
			0 ignored issues – show Coding Style Best Practice introduced 2016-11-27 10:59 UTC by Report Bug Copy Issue Report Show Similar Issues like this As per coding-style, please use concatenation or `sprintf` for the variable `$key` instead of interpolation. It is generally a best practice as it is often more readable to use concatenation instead of interpolation for variables inside strings. // Instead of $x = "foo $bar $baz"; // Better use either $x = "foo " . $bar . " " . $baz; $x = sprintf("foo %s %s", $bar, $baz); Loading history... Coding Style Best Practice introduced 2016-11-27 10:59 UTC by Report Bug Copy Issue Report Show Similar Issues like this As per coding-style, please use concatenation or `sprintf` for the variable `$value` instead of interpolation. It is generally a best practice as it is often more readable to use concatenation instead of interpolation for variables inside strings. // Instead of $x = "foo $bar $baz"; // Better use either $x = "foo " . $bar . " " . $baz; $x = sprintf("foo %s %s", $bar, $baz); Loading history...
193			}
194
195			return ltrim($htmlAttributes);
196			}
197
198			/**
199			* Minify a HTML content
200			* @author Andrews Lince <[email protected]>
201			* @since 1.0.0
202			* @link https://github.com/HossamYousef/slim3-minify/blob/master/src/Slim/Middleware/Minify.php
203			* @param string $content
204			* @return string
205			*/
206			private function htmlMinify($content)
207			{
208			$search = array(
209
210			/**
211			* remove tabs before and after HTML tags
212			*/
213			'/\>[^\S ]+/s',
214			'/[^\S ]+\</s',
215
216			/**
217			* remove empty lines (between HTML tags); cannot remove just
218			* any line-end characters because in inline JS they can matter!
219			*/
220			'/\>[\r\n\t ]+\</s',
221
222			/**
223			* shorten multiple whitespace sequences
224			*/
225			'/(\s)+/s',
226
227			/**
228			* replace end of line by a space
229			*/
230			'/\n/',
231
232			/**
233			* remove any HTML comments, except MSIE conditional comments
234			*/
235			'/<!--(?!\s(?:\[if [^\]]+]\|<!\|>))(?:(?!-->).)-->/s',
236			);
237
238			$replace = array(
239			'>',
240			'<',
241			'><',
242			'\\1',
243			' ',
244			''
245			);
246
247			return preg_replace($search, $replace, $content);
248			}
249			}
			0 ignored issues – show Coding Style introduced 2016-11-27 10:59 UTC by Report Bug Copy Issue Report Show Similar Issues like this As per coding style, files should not end with a newline character. This check marks files that end in a newline character, i.e. an empy line. Loading history...
250

andrewslince / slim3-mustache-view

Issues (9)

Security Analysis no request data

src/Mustache.php (9 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like