Issues in start.php (master) - Issues in master - arckinteractive/Roles - Measure and Improve Code Quality continuously with Scrutinizer

Issues (115)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

start.php (1 issue)

Labels

Severity

Major 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

/**
 * Roles plugin
 *
 * @package Roles
 * @author Andras Szepeshazi
 * @copyright Arck Interactive, LLC 2012
 * @link http://www.arckinteractive.com/
 */
require_once __DIR__ . '/autoloader.php';
require_once __DIR__ . '/lib/roles.php';
require_once __DIR__ . '/lib/config.php';

/**
 * Default role constants definitions
 */
define('DEFAULT_ROLE', \Elgg\Roles\Api::DEFAULT_ROLE);
define('ADMIN_ROLE', \Elgg\Roles\Api::ADMIN_ROLE);
define('VISITOR_ROLE', \Elgg\Roles\Api::VISITOR_ROLE);
define('NO_ROLE', \Elgg\Roles\Api::NO_ROLE);

/**
 * Register Roles plugin's init function
 */
elgg_register_event_handler('init', 'system', 'roles_init');

/**
 * Initializes the Roles plugin
 * @return void
 */
function roles_init() {

	elgg_extend_view('forms/useradd', 'roles/useradd');

	// Provides default roles by own handler. This should be extended by site specific handlers
	elgg_register_plugin_hook_handler('roles:config', 'role', 'roles_get_roles_config');

	// Catch all actions and page route requests
	elgg_register_plugin_hook_handler('action', 'all', 'roles_actions_permissions');
	elgg_register_plugin_hook_handler('route', 'all', 'roles_pages_permissions');

	// Remove menu items after all items have been registered
	elgg_register_plugin_hook_handler('register', 'all', 'roles_menus_permissions', 9999);
	elgg_register_plugin_hook_handler('register', 'all', 'roles_menus_cleanup', 9999);

	// Check for role configuration updates
	if (elgg_is_admin_logged_in()) { // @TODO think through if this should rather be a role-based permission
		run_function_once('roles_update_100_to_101');
		elgg_register_event_handler('ready', 'system', 'roles_check_update', 1);
	}
	
	// Set up role-specific views, hooks and events, after all plugins are initialized
	elgg_register_event_handler('ready', 'system', 'roles_hooks_permissions', 9999);
	elgg_register_event_handler('ready', 'system', 'roles_events_permissions', 9999);
	elgg_register_event_handler('ready', 'system', 'roles_register_views', 9999);

	elgg_register_event_handler('create', 'user', 'roles_create_user');
}

/**
 * Processes view permissions from the role configuration array. This is called after the 'ready', 'system' event.
 *
 * For view extension and replacements the function simply calls the corresponding {@link elgg_extend_view()} and
 * {@link elgg_set_view_location()} functions, to post-register views after all plugins have been initalized.
 *
 * For suppressing views (by using the "deny" rule), it registers a specific handler for the given view,
 * to return an empty string instead of the view's original output. This is to conserve resources -
 * there are hundreds of views contributing to any elgg page. Listening for all "views", "all" hooks would
 * be quite a waste.
 *
 * @param string $event      "ready"
 * @param string $event_type "system"
 * @param mixed  $object     Not in use for this specific listener
 * @return void
 */
function roles_register_views($event, $event_type, $object) {
	$role = roles_get_role();
	if (!$role instanceof \ElggRole) {
		return;
	}
	return roles()->setupViews($role);
}

/**
 * A hook handler registered by {@link roles_register_views()} to suppress the outputs of certain views defined by
 * the role configuration array.
 *
 * @param string $hook_name    "view"
 * @param string $type         The view name
 * @param mixed  $return_value The original view output
 * @param mixed  $params       An associative array of parameters provided by the hook trigger
 * @return string An empty string to suppress the output of the original view
 * @deprecated 2.0
 */
function roles_views_permissions($hook_name, $type, $return_value, $params) {
	return roles()->supressView();
}

/**
 * Processes action permissions from the role configuration array. This is  called u pon each action execution.
 *
 * @param string  $hook_name    "action"
 * @param string  $action       The registered action name
 * @param boolean $return_value Return value
 * @param mixed   $params       An associative array of parameters provided by the hook trigger
 * @return boolean|void True if the action should be executed, false if it should be stopped
 */
function roles_actions_permissions($hook_name, $action, $return_value, $params) {

	$role = roles_get_role();
	if (!$role instanceof \ElggRole) {
		return;
	}

	$result = roles()->actionGatekeeper($role, $action);
	if ($result === false) {
		register_error(elgg_echo('roles:action:denied'));
	}

	return $result;
}

/**
 * Processes menu permissions from the role configuration array. This is called upon each "register" triggered hook.
 *
 * @param string         $hook   "register"
 * @param string         $type   The triggered "register" hook's type
 * @param ElggMenuItem[] $menu   Return value
 * @return void
 */
function roles_menus_permissions($hook, $type, $menu) {

	$menu_name = explode(':', $type);
	$hook_type = array_shift($menu_name);
	$menu_name = implode(':', $menu_name);
	
	if ($hook_type !== 'menu' || empty($menu_name)) {
		return;
	}

	$role = roles_get_role();
	if (!$role instanceof ElggRole) {
		return;
	}

	return roles()->setupMenu($role, $menu_name, $menu);
}

/**
 * Remove all menu items that link to denied pages and actions
 *
 * @param string         $hook   "register"
 * @param string         $type   The triggered "register" hook's type
 * @param ElggMenuItem[] $menu   Return value
 * @return void
 */
function roles_menus_cleanup($hook, $type, $menu) {

	$menu_name = explode(':', $type);
	$hook_type = array_shift($menu_name);
	$menu_name = implode(':', $menu_name);

	if ($hook_type !== 'menu' || empty($menu_name)) {
		return;
	}

	$role = roles_get_role();
	if (!$role instanceof ElggRole) {
		return;
	}

	return roles()->cleanMenu($role, $menu);
}

/**
 * Processes page permissions from the role configuration array. This is called upon each "route" triggered hook.
 *
 * @param string $hook   "route"
 * @param string $type   The triggered "register" hook's type
 * @param array  $route  'identifier' and 'segments'
 * @return void
 */
function roles_pages_permissions($hook, $type, $route) {
	$role = roles_get_role();
	if (!$role instanceof ElggRole) {
		return;
	}

	$segments = (array) elgg_extract('segments', $route, array());
	$identifier = elgg_extract('identifier', $route, elgg_extract('handler', $route));
	array_unshift($segments, $identifier);

	$result = roles()->pageGatekeeper($role, implode('/', $segments));

	$error = elgg_extract('error', $result);
	$forward = elgg_extract('forward', $result);

	if ($error) {
		register_error(elgg_echo('roles:page:denied'));
	}
	if ($forward) {
		forward($forward);
	}
}

/**
 * Processes hook permissions from the role configuration array. Triggered by the 'ready','system' event.
 * This is to make sure that all plugins' init functions have been executed, and all hook handlers have already been initialized
 * @return void
 */
function roles_hooks_permissions() {
	$role = roles_get_role();
	if (!$role instanceof ElggRole) {
		return;
	}
	return roles()->setupHooks($role);
}

/**
 * Processes event permissions from the role configuration array. Triggered by the 'ready','system' event.
 * This is to make sure that all plugins' init functions have been executed, and all event handlers have already been initialized
 * @return void
 */
function roles_events_permissions() {
	$role = roles_get_role();
	if (!$role instanceof ElggRole) {
		return;
	}
	return roles()->setupEvents($role);
}

/**
 * Saves user role upon changing role on the user settings page
 *
 * @param string $hook_name    "usersettings:save"
 * @param string $entity_type  "user"
 * @param mixed  $return_value Return value
 * @param mixed  $params       An associative array of parameters provided by the hook trigger
 * @return void
 */
function roles_user_settings_save($hook_name, $entity_type, $return_value, $params) {
	$role_name = get_input('role');
	$user_id = get_input('guid');

	$role_name = roles_filter_role_name($role_name, $user_id);
	$role = roles_get_role_by_name($role_name);
	$user = get_entity($user_id);

	$res = roles_set_role($role, $user);
<?php

function getDate($date)
{
    if ($date !== null) {
        return new DateTime($date);
    }

    return false;
}

	if ($res === false) {
		register_error(elgg_echo('user:role:fail'));
		return false;
	} else if ($res === true) {
		system_message(elgg_echo('user:role:success'));
		return true;
	}
}

/**
 * Assigns user role when user is created
 *
 * @param string   $event "create"
 * @param string   $type  "user"
 * @param ElggUser $user  User entity
 * @return void
 */
function roles_create_user($event, $type, $user) {
	$rolename = get_input('role', false);
	if (elgg_is_admin_logged_in() && $rolename) {
		// admin is adding a user, give them the role they asked for
		$role = roles_get_role_by_name($rolename);

		if ($role) {
			roles_set_role($role, $user);
		}
	}
}


1		<?php
2
3		/**
4		* Roles plugin
5		*
6		* @package Roles
7		* @author Andras Szepeshazi
8		* @copyright Arck Interactive, LLC 2012
9		* @link http://www.arckinteractive.com/
10		*/
11		require_once __DIR__ . '/autoloader.php';
12		require_once __DIR__ . '/lib/roles.php';
13		require_once __DIR__ . '/lib/config.php';
14
15		/**
16		* Default role constants definitions
17		*/
18		define('DEFAULT_ROLE', \Elgg\Roles\Api::DEFAULT_ROLE);
19		define('ADMIN_ROLE', \Elgg\Roles\Api::ADMIN_ROLE);
20		define('VISITOR_ROLE', \Elgg\Roles\Api::VISITOR_ROLE);
21		define('NO_ROLE', \Elgg\Roles\Api::NO_ROLE);
22
23		/**
24		* Register Roles plugin's init function
25		*/
26		elgg_register_event_handler('init', 'system', 'roles_init');
27
28		/**
29		* Initializes the Roles plugin
30		* @return void
31		*/
32		function roles_init() {
33
34		elgg_extend_view('forms/useradd', 'roles/useradd');
35
36		// Provides default roles by own handler. This should be extended by site specific handlers
37		elgg_register_plugin_hook_handler('roles:config', 'role', 'roles_get_roles_config');
38
39		// Catch all actions and page route requests
40		elgg_register_plugin_hook_handler('action', 'all', 'roles_actions_permissions');
41		elgg_register_plugin_hook_handler('route', 'all', 'roles_pages_permissions');
42
43		// Remove menu items after all items have been registered
44		elgg_register_plugin_hook_handler('register', 'all', 'roles_menus_permissions', 9999);
45		elgg_register_plugin_hook_handler('register', 'all', 'roles_menus_cleanup', 9999);
46
47		// Check for role configuration updates
48		if (elgg_is_admin_logged_in()) { // @TODO think through if this should rather be a role-based permission
49		run_function_once('roles_update_100_to_101');
50		elgg_register_event_handler('ready', 'system', 'roles_check_update', 1);
51		}
52
53		// Set up role-specific views, hooks and events, after all plugins are initialized
54		elgg_register_event_handler('ready', 'system', 'roles_hooks_permissions', 9999);
55		elgg_register_event_handler('ready', 'system', 'roles_events_permissions', 9999);
56		elgg_register_event_handler('ready', 'system', 'roles_register_views', 9999);
57
58		elgg_register_event_handler('create', 'user', 'roles_create_user');
59		}
60
61		/**
62		* Processes view permissions from the role configuration array. This is called after the 'ready', 'system' event.
63		*
64		* For view extension and replacements the function simply calls the corresponding {@link elgg_extend_view()} and
65		* {@link elgg_set_view_location()} functions, to post-register views after all plugins have been initalized.
66		*
67		* For suppressing views (by using the "deny" rule), it registers a specific handler for the given view,
68		* to return an empty string instead of the view's original output. This is to conserve resources -
69		* there are hundreds of views contributing to any elgg page. Listening for all "views", "all" hooks would
70		* be quite a waste.
71		*
72		* @param string $event "ready"
73		* @param string $event_type "system"
74		* @param mixed $object Not in use for this specific listener
75		* @return void
76		*/
77		function roles_register_views($event, $event_type, $object) {
78		$role = roles_get_role();
79		if (!$role instanceof \ElggRole) {
80		return;
81		}
82		return roles()->setupViews($role);
83		}
84
85		/**
86		* A hook handler registered by {@link roles_register_views()} to suppress the outputs of certain views defined by
87		* the role configuration array.
88		*
89		* @param string $hook_name "view"
90		* @param string $type The view name
91		* @param mixed $return_value The original view output
92		* @param mixed $params An associative array of parameters provided by the hook trigger
93		* @return string An empty string to suppress the output of the original view
94		* @deprecated 2.0
95		*/
96		function roles_views_permissions($hook_name, $type, $return_value, $params) {
97		return roles()->supressView();
98		}
99
100		/**
101		* Processes action permissions from the role configuration array. This is called u pon each action execution.
102		*
103		* @param string $hook_name "action"
104		* @param string $action The registered action name
105		* @param boolean $return_value Return value
106		* @param mixed $params An associative array of parameters provided by the hook trigger
107		* @return boolean\|void True if the action should be executed, false if it should be stopped
108		*/
109		function roles_actions_permissions($hook_name, $action, $return_value, $params) {
110
111		$role = roles_get_role();
112		if (!$role instanceof \ElggRole) {
113		return;
114		}
115
116		$result = roles()->actionGatekeeper($role, $action);
117		if ($result === false) {
118		register_error(elgg_echo('roles:action:denied'));
119		}
120
121		return $result;
122		}
123
124		/**
125		* Processes menu permissions from the role configuration array. This is called upon each "register" triggered hook.
126		*
127		* @param string $hook "register"
128		* @param string $type The triggered "register" hook's type
129		* @param ElggMenuItem[] $menu Return value
130		* @return void
131		*/
132	View Code Duplication	function roles_menus_permissions($hook, $type, $menu) {
133
134		$menu_name = explode(':', $type);
135		$hook_type = array_shift($menu_name);
136		$menu_name = implode(':', $menu_name);
137
138		if ($hook_type !== 'menu' \|\| empty($menu_name)) {
139		return;
140		}
141
142		$role = roles_get_role();
143		if (!$role instanceof ElggRole) {
144		return;
145		}
146
147		return roles()->setupMenu($role, $menu_name, $menu);
148		}
149
150		/**
151		* Remove all menu items that link to denied pages and actions
152		*
153		* @param string $hook "register"
154		* @param string $type The triggered "register" hook's type
155		* @param ElggMenuItem[] $menu Return value
156		* @return void
157		*/
158	View Code Duplication	function roles_menus_cleanup($hook, $type, $menu) {
159
160		$menu_name = explode(':', $type);
161		$hook_type = array_shift($menu_name);
162		$menu_name = implode(':', $menu_name);
163
164		if ($hook_type !== 'menu' \|\| empty($menu_name)) {
165		return;
166		}
167
168		$role = roles_get_role();
169		if (!$role instanceof ElggRole) {
170		return;
171		}
172
173		return roles()->cleanMenu($role, $menu);
174		}
175
176		/**
177		* Processes page permissions from the role configuration array. This is called upon each "route" triggered hook.
178		*
179		* @param string $hook "route"
180		* @param string $type The triggered "register" hook's type
181		* @param array $route 'identifier' and 'segments'
182		* @return void
183		*/
184		function roles_pages_permissions($hook, $type, $route) {
185		$role = roles_get_role();
186		if (!$role instanceof ElggRole) {
187		return;
188		}
189
190		$segments = (array) elgg_extract('segments', $route, array());
191		$identifier = elgg_extract('identifier', $route, elgg_extract('handler', $route));
192		array_unshift($segments, $identifier);
193
194		$result = roles()->pageGatekeeper($role, implode('/', $segments));
195
196		$error = elgg_extract('error', $result);
197		$forward = elgg_extract('forward', $result);
198
199		if ($error) {
200		register_error(elgg_echo('roles:page:denied'));
201		}
202		if ($forward) {
203		forward($forward);
204		}
205		}
206
207		/**
208		* Processes hook permissions from the role configuration array. Triggered by the 'ready','system' event.
209		* This is to make sure that all plugins' init functions have been executed, and all hook handlers have already been initialized
210		* @return void
211		*/
212		function roles_hooks_permissions() {
213		$role = roles_get_role();
214		if (!$role instanceof ElggRole) {
215		return;
216		}
217		return roles()->setupHooks($role);
218		}
219
220		/**
221		* Processes event permissions from the role configuration array. Triggered by the 'ready','system' event.
222		* This is to make sure that all plugins' init functions have been executed, and all event handlers have already been initialized
223		* @return void
224		*/
225		function roles_events_permissions() {
226		$role = roles_get_role();
227		if (!$role instanceof ElggRole) {
228		return;
229		}
230		return roles()->setupEvents($role);
231		}
232
233		/**
234		* Saves user role upon changing role on the user settings page
235		*
236		* @param string $hook_name "usersettings:save"
237		* @param string $entity_type "user"
238		* @param mixed $return_value Return value
239		* @param mixed $params An associative array of parameters provided by the hook trigger
240		* @return void
241		*/
242		function roles_user_settings_save($hook_name, $entity_type, $return_value, $params) {
243		$role_name = get_input('role');
244		$user_id = get_input('guid');
245
246		$role_name = roles_filter_role_name($role_name, $user_id);
247		$role = roles_get_role_by_name($role_name);
248		$user = get_entity($user_id);
249
250		$res = roles_set_role($role, $user);
		0 ignored issues – show Security Bug introduced 2016-05-06 18:05 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `$role` defined by `roles_get_role_by_name($role_name)` on line `247` can also be of type `false`; however, `roles_set_role()` does only seem to accept `object<ElggRole>`, did you maybe forget to handle an error condition? This check looks for type mismatches where the missing type is `false`. This is usually indicative of an error condtion. Consider the follow example <?php function getDate($date) { if ($date !== null) { return new DateTime($date); } return false; } This function either returns a new `DateTime` object or false, if there was an error. This is a typical pattern in PHP programming to show that an error has occurred without raising an exception. The calling code should check for this returned `false` before passing on the value to another function or method that may not be able to handle a `false`. Loading history...
251
252		if ($res === false) {
253		register_error(elgg_echo('user:role:fail'));
254		return false;
255		} else if ($res === true) {
256		system_message(elgg_echo('user:role:success'));
257		return true;
258		}
259		}
260
261		/**
262		* Assigns user role when user is created
263		*
264		* @param string $event "create"
265		* @param string $type "user"
266		* @param ElggUser $user User entity
267		* @return void
268		*/
269		function roles_create_user($event, $type, $user) {
270		$rolename = get_input('role', false);
271		if (elgg_is_admin_logged_in() && $rolename) {
272		// admin is adding a user, give them the role they asked for
273		$role = roles_get_role_by_name($rolename);
274
275		if ($role) {
276		roles_set_role($role, $user);
277		}
278		}
279		}
280

arckinteractive / Roles

Issues (115)

Security Analysis no request data

start.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like