Issues in AbstractSignaturePointcut.php (master) - Issues in master - appserver-io/doppelgaenger - Measure and Improve Code Quality continuously with Scrutinizer

Issues (245)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

Entities/Pointcuts/AbstractSignaturePointcut.php (3 issues)

Labels

Coding Style 3

Severity

Informational 3

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

/**
 * \AppserverIo\Doppelgaenger\Entities\Pointcuts\AbstractSignaturePointcut
 *
 * NOTICE OF LICENSE
 *
 * This source file is subject to the Open Software License (OSL 3.0)
 * that is available through the world-wide-web at this URL:
 * http://opensource.org/licenses/osl-3.0.php
 *
 * PHP version 5
 *
 * @author    Bernhard Wick <[email protected]>
 * @copyright 2015 TechDivision GmbH - <[email protected]>
 * @license   http://opensource.org/licenses/osl-3.0.php Open Software License (OSL 3.0)
 * @link      https://github.com/appserver-io/doppelgaenger
 * @link      http://www.appserver.io/
 */

namespace AppserverIo\Doppelgaenger\Entities\Pointcuts;

use AppserverIo\Doppelgaenger\Dictionaries\PointcutPatterns;
use AppserverIo\Doppelgaenger\Entities\Definitions\FunctionDefinition;
use AppserverIo\Doppelgaenger\Entities\Definitions\AttributeDefinition;

/**
 * Abstract parent class for pointcuts which accept expressions which express a signature like pattern
 *
 * @author    Bernhard Wick <[email protected]>
 * @copyright 2015 TechDivision GmbH - <[email protected]>
 * @license   http://opensource.org/licenses/osl-3.0.php Open Software License (OSL 3.0)
 * @link      https://github.com/appserver-io/doppelgaenger
 * @link      http://www.appserver.io/
 */
abstract class AbstractSignaturePointcut extends AbstractPointcut
{

    /**
     * Call type for a call from an object
     *
     * @var string CALL_TYPE_OBJECT
     */
    const CALL_TYPE_OBJECT = '->';

    /**
     * Call type for a static call
     *
     * @var string CALL_TYPE_STATIC
     */
    const CALL_TYPE_STATIC = '::';

    /**
     * The pattern used by this pointcut to match candidates
     *
     * @var string MATCH_PATTERN
     */
    const MATCH_PATTERN = PointcutPatterns::SIGNATURE;

    /**
     * The type of the call made to $function
     *
     * @var string|null $callType
     *
     * @Enum({"->", "::", null})
     */
    protected $callType;

    /**
     * Function/method which will get called within the signature expression
     *
     * @var string $function
     */
    protected $function;

    /**
     * Structure name (if any) of the structure the called method belongs to
     *
     * @var string|null $structure
     */
    protected $structure;

    /**
     * Default constructor
     *
     * @param string  $expression String representing the expression defining this pointcut
     * @param boolean $isNegated  If any match made against this pointcut's expression has to be negated in its result
     */
    public function __construct($expression, $isNegated)
    {
        parent::__construct($expression, $isNegated);

        // filter what we need
        if (strpos($expression, self::CALL_TYPE_OBJECT) !== false || strpos($expression, self::CALL_TYPE_STATIC) !== false) {
            // assume an object call but correct the call type in the unlikely case we did get a static call
            $this->callType = self::CALL_TYPE_OBJECT;
            if (strpos($expression, self::CALL_TYPE_STATIC) !== false) {
                $this->callType = self::CALL_TYPE_STATIC;
            }

            // we have to isolate the parts of the expression
            $this->structure = strstr($expression, $this->callType, true);
            $this->function = str_replace($this->structure . $this->callType, '', $expression);


        } else {
            $this->callType = null;
            $this->structure = null;
            $this->function = null;
        }
    }

    /**
     * Will return a chain of callbacks which can be used to call woven code in an onion like manner
     *
     * @param \AppserverIo\Doppelgaenger\Entities\Definitions\FunctionDefinition $functionDefinition Definition of the function to inject invocation code into
     *
     * @return array
     */
    public function getCallbackChain(FunctionDefinition $functionDefinition)
    {

        if ($this->callType === self::CALL_TYPE_STATIC) {
            // we can work with the structure name alone if we have a static call

            return array(array($this->structure, $this->function));


        } elseif (ltrim($this->structure, '\\') === $functionDefinition->getStructureName()) {
            // if the callback chain is used within the actual class we can use the current context

            return array(array('$this', $this->function));


        } else {
            // for everything else (mostly advice chain callbacks) we will create a new instance

            return array(array('new ' . $this->structure . '()', $this->function));
        }
    }

    /**
     * Used to "straighten out" an expression as some expressions allow for shell regex which makes them hard to
     * generate code from.
     * So with this method a matching pointcut can be altered into having a directly readable expression
     *
     * @param FunctionDefinition|AttributeDefinition $definition Definition to straighten the expression against
     *
     * @return null
     */
    public function straightenExpression($definition)
    {
        // structure name has to be absolute
        $structureName = '\\' . ltrim($definition->getStructureName(), '\\');

        // fix the expression
        $this->expression = str_replace(
            array($this->callType . $this->function, $this->structure),
            array($this->callType . $definition->getName(), $structureName),
            $this->getExpression()
        );

        // set the obvious properties
        $this->function = $definition->getName();
        $this->structure = $structureName;
    }
}


1			<?php
2
3			/**
4			* \AppserverIo\Doppelgaenger\Entities\Pointcuts\AbstractSignaturePointcut
5			*
6			* NOTICE OF LICENSE
7			*
8			* This source file is subject to the Open Software License (OSL 3.0)
9			* that is available through the world-wide-web at this URL:
10			* http://opensource.org/licenses/osl-3.0.php
11			*
12			* PHP version 5
13			*
14			* @author Bernhard Wick <[email protected]>
15			* @copyright 2015 TechDivision GmbH - <[email protected]>
16			* @license http://opensource.org/licenses/osl-3.0.php Open Software License (OSL 3.0)
17			* @link https://github.com/appserver-io/doppelgaenger
18			* @link http://www.appserver.io/
19			*/
20
21			namespace AppserverIo\Doppelgaenger\Entities\Pointcuts;
22
23			use AppserverIo\Doppelgaenger\Dictionaries\PointcutPatterns;
24			use AppserverIo\Doppelgaenger\Entities\Definitions\FunctionDefinition;
25			use AppserverIo\Doppelgaenger\Entities\Definitions\AttributeDefinition;
26
27			/**
28			* Abstract parent class for pointcuts which accept expressions which express a signature like pattern
29			*
30			* @author Bernhard Wick <[email protected]>
31			* @copyright 2015 TechDivision GmbH - <[email protected]>
32			* @license http://opensource.org/licenses/osl-3.0.php Open Software License (OSL 3.0)
33			* @link https://github.com/appserver-io/doppelgaenger
34			* @link http://www.appserver.io/
35			*/
36			abstract class AbstractSignaturePointcut extends AbstractPointcut
37			{
38
39			/**
40			* Call type for a call from an object
41			*
42			* @var string CALL_TYPE_OBJECT
43			*/
44			const CALL_TYPE_OBJECT = '->';
45
46			/**
47			* Call type for a static call
48			*
49			* @var string CALL_TYPE_STATIC
50			*/
51			const CALL_TYPE_STATIC = '::';
52
53			/**
54			* The pattern used by this pointcut to match candidates
55			*
56			* @var string MATCH_PATTERN
57			*/
58			const MATCH_PATTERN = PointcutPatterns::SIGNATURE;
59
60			/**
61			* The type of the call made to $function
62			*
63			* @var string\|null $callType
64			*
65			* @Enum({"->", "::", null})
66			*/
67			protected $callType;
68
69			/**
70			* Function/method which will get called within the signature expression
71			*
72			* @var string $function
73			*/
74			protected $function;
75
76			/**
77			* Structure name (if any) of the structure the called method belongs to
78			*
79			* @var string\|null $structure
80			*/
81			protected $structure;
82
83			/**
84			* Default constructor
85			*
86			* @param string $expression String representing the expression defining this pointcut
87			* @param boolean $isNegated If any match made against this pointcut's expression has to be negated in its result
88			*/
89			public function __construct($expression, $isNegated)
90			{
91			parent::__construct($expression, $isNegated);
92
93			// filter what we need
94			if (strpos($expression, self::CALL_TYPE_OBJECT) !== false \|\| strpos($expression, self::CALL_TYPE_STATIC) !== false) {
95			// assume an object call but correct the call type in the unlikely case we did get a static call
96			$this->callType = self::CALL_TYPE_OBJECT;
97			if (strpos($expression, self::CALL_TYPE_STATIC) !== false) {
98			$this->callType = self::CALL_TYPE_STATIC;
99			}
100
101			// we have to isolate the parts of the expression
102			$this->structure = strstr($expression, $this->callType, true);
103			$this->function = str_replace($this->structure . $this->callType, '', $expression);
104
			0 ignored issues – show Coding Style introduced 2016-12-02 23:50 UTC by Report Bug Copy Issue Report Show Similar Issues like this Blank line found at end of control structure Loading history...
105			} else {
106			$this->callType = null;
107			$this->structure = null;
108			$this->function = null;
109			}
110			}
111
112			/**
113			* Will return a chain of callbacks which can be used to call woven code in an onion like manner
114			*
115			* @param \AppserverIo\Doppelgaenger\Entities\Definitions\FunctionDefinition $functionDefinition Definition of the function to inject invocation code into
116			*
117			* @return array
118			*/
119			public function getCallbackChain(FunctionDefinition $functionDefinition)
120			{
121
122			if ($this->callType === self::CALL_TYPE_STATIC) {
123			// we can work with the structure name alone if we have a static call
124
125			return array(array($this->structure, $this->function));
126
			0 ignored issues – show Coding Style introduced 2016-12-02 23:50 UTC by Report Bug Copy Issue Report Show Similar Issues like this Blank line found at end of control structure Loading history...
127			} elseif (ltrim($this->structure, '\\') === $functionDefinition->getStructureName()) {
128			// if the callback chain is used within the actual class we can use the current context
129
130			return array(array('$this', $this->function));
131
			0 ignored issues – show Coding Style introduced 2016-12-02 23:50 UTC by Report Bug Copy Issue Report Show Similar Issues like this Blank line found at end of control structure Loading history...
132			} else {
133			// for everything else (mostly advice chain callbacks) we will create a new instance
134
135			return array(array('new ' . $this->structure . '()', $this->function));
136			}
137			}
138
139			/**
140			* Used to "straighten out" an expression as some expressions allow for shell regex which makes them hard to
141			* generate code from.
142			* So with this method a matching pointcut can be altered into having a directly readable expression
143			*
144			* @param FunctionDefinition\|AttributeDefinition $definition Definition to straighten the expression against
145			*
146			* @return null
147			*/
148			public function straightenExpression($definition)
149			{
150			// structure name has to be absolute
151			$structureName = '\\' . ltrim($definition->getStructureName(), '\\');
152
153			// fix the expression
154			$this->expression = str_replace(
155			array($this->callType . $this->function, $this->structure),
156			array($this->callType . $definition->getName(), $structureName),
157			$this->getExpression()
158			);
159
160			// set the obvious properties
161			$this->function = $definition->getName();
162			$this->structure = $structureName;
163			}
164			}
165

appserver-io / doppelgaenger

Issues (245)

Security Analysis no request data

Entities/Pointcuts/AbstractSignaturePointcut.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like