Issues (258)

Security Analysis    not enabled

This project does not seem to handle request data directly as such no vulnerable execution paths were found.

  Cross-Site Scripting
Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.
  File Exposure
File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.
  File Manipulation
File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.
  Object Injection
Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.
  Code Injection
Code Injection enables an attacker to execute arbitrary code on the server.
  Response Splitting
Response Splitting can be used to send arbitrary responses.
  File Inclusion
File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.
  Command Injection
Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.
  SQL Injection
SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.
  XPath Injection
XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.
  LDAP Injection
LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.
  Header Injection
  Other Vulnerability
This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.
  Regex Injection
Regex Injection enables an attacker to execute arbitrary code in your PHP process.
  XML Injection
XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.
  Variable Injection
Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.
Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

core/Commands/ListContainerDependenciesCommand.php (4 issues)

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

1
<?php
2
3
namespace Apiato\Core\Commands;
4
5
use Apiato\Core\Transformers\ComposerTransformer;
6
use App\Ship\Parents\Commands\ConsoleCommand;
7
use Dotenv\Exception\InvalidPathException;
8
use Exception;
9
use RecursiveDirectoryIterator;
10
use RecursiveIteratorIterator;
11
use Spatie\Fractal\Fractal;
12
use Spatie\Fractalistic\ArraySerializer;
13
14
/**
15
 * Class FindContainerDependenciesCommand
16
 * Parses all files in the Container. This is needed due to the implemented apiato calls.
17
 * It supports both $this->call(PATH/TO/FILE,... (by parsing imports)
18
 * as well as $Apiato::call('[email protected]',[args]...
19
 *
20
 * @author Fabian Widmann <[email protected]>
21
 */
22
class ListContainerDependenciesCommand extends ConsoleCommand
23
{
24
25
    protected $signature = 'apiato:list:dependencies {containerPath}';
26
27
    protected $description = 'Lists all dependencies from the given container to other containers.';
28
29
    public function __construct()
30
    {
31
        parent::__construct();
32
    }
33
34
    public function handle()
35
    {
36
        $containerPath = $this->argument('containerPath');
37
38
        $this->info('Searching for dependencies in container: ' . $containerPath);
39
        $input = $this->ask('Remove own container from listings? (y/n)');
40
41
        $filterOwnContainer = false;
42
        if (isset($input) && $input == 'y') {
43
            $filterOwnContainer = true;
44
        }
45
46
        $fileContainerMatch = $this->getDependencies($containerPath, $filterOwnContainer);
47
        if (count($fileContainerMatch) > 0) {
48
            $this->info('Found dependencies:');
49
            $this->info($this->prettyPrintArray($fileContainerMatch));
50
51
            $input = $this->ask('Display Container author and description from the composer.json?(y/n)');
52
            if (isset($input) && $input == 'y') {
53
                // $fileContainerMatch structure:
54
                // imports
55
                //    containerName(s)
56
                //         File(s)
57
                $matches = array_unique(array_keys(array_merge(...array_values($fileContainerMatch))));
58
                foreach ($matches as $match) {
59
                    $this->info($this->prettyPrintArray($this->getComposerInformation($match)));
60
                }
61
            }
62
        } else {
63
            $this->info('No dependencies found.');
64
        }
65
    }
66
67
    /**
68
     * Utility print function that takes an array and outputs it by applying the given indent. Each array found will be printed recursively with indent+indentmodifier.
69
     *
70
     * @param     $arr
71
     * @param int $indent
72
     * @param int $indentModifier
73
     *
74
     * @return string
75
     * @throws \InvalidArgumentException
76
     */
77
    private function prettyPrintArray($arr, $indent = 0, $indentModifier = 4)
78
    {
79
        if (!is_array($arr)) {
80
            return $arr;
81
        }
82
83
        $string = "";
84
85
        foreach ($arr as $key => $value) {
86
            $string = $string . str_repeat(" ", $indent) . "[" . $key . "]" . ": ";
87
88
            if (is_array($value)) {
89
                $string .= PHP_EOL . $this->prettyPrintArray($value, $indent + $indentModifier) . PHP_EOL;
90
            } else if (is_string($value) || settype($item, 'string') !== false || (is_object($value) && method_exists($value, '__toString'))){
91
                $string .= $value . PHP_EOL;
92
            }
93
            else {
94
                throw new \InvalidArgumentException('Current value cannot be converted to string: value=' . $value);
95
            }
96
        }
97
        return $string;
98
    }
99
100
    /**
101
     * Get composer information by decoding the json and applying the ComposerTransformer.
102
     *
103
     * @param $containerName
104
     * @return array|string
105
     */
106
    private function getComposerInformation($containerName)
107
    {
108
        $composerFile = 'app/Containers/' . $containerName . '/composer.json';
109
110
        try {
111
            $content = file_get_contents($composerFile);
112
113
            if (isset($content)) {
114
                $json = \GuzzleHttp\json_decode($content);
115
                return Fractal::create($json, ComposerTransformer::class, ArraySerializer::class)->toArray();
116
            }
117
        } catch (Exception $e) {
118
            return 'No composer.json found in path: ' . $composerFile;
119
        }
120
    }
121
122
    /**
123
     * Extracts the content of a file  and find all containers by finding all containers in App\Containers\$containerName\*
124
     *
125
     * @param $filePath string - path to the file
126
     * @return null | array of containers
127
     */
128 View Code Duplication
    private function getContainerFromUseStatement($filePath)
0 ignored issues
show
This method seems to be duplicated in your project.

Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation.

You can also find more detailed suggestions in the “Code” section of your repository.

Loading history...
129
    {
130
        $content = file_get_contents($filePath);
131
132
        // is the containername alphanumeric?
133
        preg_match_all('/use App\\\\Containers\\\\(?P<containers>[a-zA-Z\d]*)\\\\/', $content, $matches);
134
        $ret = [];
135
136
        if (isset($matches['containers'])) {
137
            $ret['containers'] = array_unique($matches['containers']);
138
        }
139
140
        return $ret;
141
    }
142
143
    /**
144
     * Extracts the content of a file  and find all containers by finding all containers in App\Containers\$containerName\*
145
     *
146
     * @param $filePath string - path to the file
147
     * @return null | array of containers
148
     */
149 View Code Duplication
    private function getContainerFromApiatoCall($filePath)
0 ignored issues
show
This method seems to be duplicated in your project.

Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation.

You can also find more detailed suggestions in the “Code” section of your repository.

Loading history...
150
    {
151
        $content = file_get_contents($filePath);
152
        //ignores everything that doesnt begin with spaces or tabs.
153
        //group 1: ignore lines that start with '//' or '/*', preg match into containers
154
        //group 2: get containers
155
        //group 3: parse functions (starting with one letter followed by alphanumeric letters
156
        //group 4: arguments inside of the square brackets
157
        //Examples @ http://www.phpliveregex.com/p/m8p
158
        $pattern = "/^([^\/\/]*|[^\/\*]*)Apiato::call\('(?P<containers>.*?)@([?P<functions>a-zA-Z][a-zA-Z\d]*?)',.*?\[(?P<args>.*?)]/m";
159
        preg_match_all($pattern, $content, $matches);
160
        $ret = [];
161
162
        if (isset($matches['containers'])) {
163
            $ret['containers'] = array_unique($matches['containers']);
164
        }
165
        //todo: add functions and arguments if needed currently unsupported. They are stored in the group 'functions' and 'args'.
166
        return $ret;
167
    }
168
169
    /**
170
     * Iterates through the given path recursively to obtain
171
     *  1) all used containers of the given container
172
     *  2) an array that contains the containers as keys and all files using it as value.
173
     *
174
     * @param      $path - to the container
175
     * @param bool $filterOwnContainer
176
     *
177
     * @return array - [$usedContainers, $filesInContainers]
178
     * @throws InvalidPathException
179
     */
180
    private function getDependencies($path, $filterOwnContainer = false)
181
    {
182
        $ownContainerName = explode('/', explode('app/Containers/', $path)[1])[0];
183
184
        if (!file_exists($path)) {
185
            throw new InvalidPathException('Given path does not exist: path=' . $path);
186
        }
187
188
        $recursiveIteratorIterator = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($path));
189
        $useStatements = [];
190
        $filesInContainers = [];
191
192
        foreach ($recursiveIteratorIterator as $file) {
193
            if (!$file->isDir()) {
194
                $apiatoCalls = $this->getContainerFromApiatoCall($file->getPathName());
195
                $imports = $this->getContainerFromUseStatement($file->getPathName());
196
197 View Code Duplication
                if (isset($apiatoCalls['containers'])) {
0 ignored issues
show
This code seems to be duplicated across your project.

Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation.

You can also find more detailed suggestions in the “Code” section of your repository.

Loading history...
198
                    if ($filterOwnContainer) {
199
                        $apiatoCalls['containers'] = array_diff($apiatoCalls['containers'], [$ownContainerName]);
200
                    }
201
202
                    foreach ($apiatoCalls['containers'] as $container) {
203
                        $filesInContainers['apiatoCalls'][$container][] = $file->getPathName();
204
                    }
205
                }
206
207 View Code Duplication
                if (isset($imports['containers'])) {
0 ignored issues
show
This code seems to be duplicated across your project.

Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation.

You can also find more detailed suggestions in the “Code” section of your repository.

Loading history...
208
                    if ($filterOwnContainer) {
209
                        $imports['containers'] = array_diff($imports['containers'], [$ownContainerName]);
210
                    }
211
212
                    foreach ($imports['containers'] as $container) {
213
                        $filesInContainers['imports'][$container][] = $file->getPathName();
214
                    }
215
                }
216
            }
217
        }
218
219
        return $filesInContainers;
220
    }
221
222
}
223