Issues in Session.php (master) - Issues in master - arrilot/sessions - Measure and Improve Code Quality continuously with Scrutinizer

Issues (5)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Session.php (5 issues)

Labels

Coding Style 5

Severity

Minor 5

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace Arrilot\Sessions;

use Illuminate\Support\Arr;

class Session
{
    /**
     * Age flash data.
     *
     * @return void
     */
    public static function ageFlashData()
    {
        $new = static::pull('flash.new', []);

        static::set('flash.old', $new);
    }

    /**
     * Get all of the items from the session.
     *
     * @return array
     */
    public static function all()
// Bad
class Router
{
    public function generate($path)
    {
        return $_SERVER['HOST'].$path;
    }
}

// Better
class Router
{
    private $host;

    public function __construct($host)
    {
        $this->host = $host;
    }

    public function generate($path)
    {
        return $this->host.$path;
    }
}

class Controller
{
    public function myAction(Request $request)
    {
        // Instead of
        $page = isset($_GET['page']) ? intval($_GET['page']) : 1;

        // Better (assuming you use the Symfony2 request)
        $page = $request->query->get('page', 1);
    }
}
    {
        return $_SESSION;
    }

    /**
     * Remove all of the items from the session.
     *
     * @return array
     */
    public static function clear()
    {
        static::flush();
    }

    /**
     * Flash data for a single request.
     *
     * @param $key
     * @param $value
     *
     * @return void
     */
    public static function flash($key, $value)
    {
        static::put($key, $value);

        static::push('flash.new', $key);

        static::removeFromOldFlashData([$key]);
    }

    /**
     * Flash data for a single request.
     *
     * @param $key
     * @param $value
     *
     * @return void
     */
    public static function now($key, $value)
    {
        static::put($key, $value);

        static::push('flash.old', $key);
    }

    /**
     * Remove all of the items from the session.
     *
     * @return array
     */
    public static function flush()
    {
        session_unset();
    }

    /**
     * Remove an item from the session.
     *
     * @param string $key
     *
     * @return void
     */
    public static function forget($key)
// Bad
class Router
{
    public function generate($path)
    {
        return $_SERVER['HOST'].$path;
    }
}

// Better
class Router
{
    private $host;

    public function __construct($host)
    {
        $this->host = $host;
    }

    public function generate($path)
    {
        return $this->host.$path;
    }
}

class Controller
{
    public function myAction(Request $request)
    {
        // Instead of
        $page = isset($_GET['page']) ? intval($_GET['page']) : 1;

        // Better (assuming you use the Symfony2 request)
        $page = $request->query->get('page', 1);
    }
}
    {
        Arr::forget($_SESSION, $key);
    }

    /**
     * Get an item from the session.
     *
     * @param $name
     * @param $default
     *
     * @return mixed
     */
    public static function get($name, $default = null)
// Bad
class Router
{
    public function generate($path)
    {
        return $_SERVER['HOST'].$path;
    }
}

// Better
class Router
{
    private $host;

    public function __construct($host)
    {
        $this->host = $host;
    }

    public function generate($path)
    {
        return $this->host.$path;
    }
}

class Controller
{
    public function myAction(Request $request)
    {
        // Instead of
        $page = isset($_GET['page']) ? intval($_GET['page']) : 1;

        // Better (assuming you use the Symfony2 request)
        $page = $request->query->get('page', 1);
    }
}
    {
        return Arr::get($_SESSION, $name, $default);
    }

    /**
     * Determining if an item exists in the session.
     *
     * @param $name
     *
     * @return bool
     */
    public static function has($name)
    {
        return !is_null(static::get($name));
    }

    /**
     * Reflash a subset of the current flash data.
     *
     * @param $keys
     *
     * @return void
     */
    public static function keep($keys = null)
    {
        $keys = is_array($keys) ? $keys : func_get_args();

        static::mergeWithCurrentFlashes($keys);
        static::removeFromOldFlashData($keys);
    }

    /**
     * Get the value of a given key and then forget it.
     *
     * @param $key
     * @param $default
     *
     * @return mixed
     */
    public static function pull($key, $default = null)
// Bad
class Router
{
    public function generate($path)
    {
        return $_SERVER['HOST'].$path;
    }
}

// Better
class Router
{
    private $host;

    public function __construct($host)
    {
        $this->host = $host;
    }

    public function generate($path)
    {
        return $this->host.$path;
    }
}

class Controller
{
    public function myAction(Request $request)
    {
        // Instead of
        $page = isset($_GET['page']) ? intval($_GET['page']) : 1;

        // Better (assuming you use the Symfony2 request)
        $page = $request->query->get('page', 1);
    }
}
    {
        return Arr::pull($_SESSION, $key, $default);
    }

    /**
     * Push a value onto a session array.
     *
     * @param $key
     * @param $value
     *
     * @return void
     */
    public static function push($key, $value)
    {
        $array = static::get($key, []);
        $array[] = $value;

        static::put($key, $array);
    }

    /**
     * Put a key / value pair in the session.
     *
     * @param $key
     * @param $value
     *
     * @return void
     */
    public static function put($key, $value = null)
    {
        if (!is_array($key)) {
            $key = [$key => $value];
        }

        foreach ($key as $arrayKey => $arrayValue) {
            static::set($arrayKey, $arrayValue);
        }
    }

    /**
     * Set an item in the session.
     *
     * @param $name
     * @param $value
     *
     * @return void
     */
    public static function set($name, $value)
// Bad
class Router
{
    public function generate($path)
    {
        return $_SERVER['HOST'].$path;
    }
}

// Better
class Router
{
    private $host;

    public function __construct($host)
    {
        $this->host = $host;
    }

    public function generate($path)
    {
        return $this->host.$path;
    }
}

class Controller
{
    public function myAction(Request $request)
    {
        // Instead of
        $page = isset($_GET['page']) ? intval($_GET['page']) : 1;

        // Better (assuming you use the Symfony2 request)
        $page = $request->query->get('page', 1);
    }
}
    {
        Arr::set($_SESSION, $name, $value);
    }

    /**
     * Reflash all flash data for one more request.
     */
    public static function reflash()
    {
        $old = static::pull('flash.old', []);

        static::mergeWithCurrentFlashes($old);
    }

    /**
     * Remove all old flash data from the session.
     *
     * @return void
     */
    public static function removeOldFlashData()
    {
        foreach (static::get('flash.old', []) as $key) {
            static::forget($key);
        }

        static::put('flash.old', []);
    }

    /**
     * Merge new flash keys into the new flash array.
     *
     * @param array $keys
     *
     * @return void
     */
    protected static function mergeWithCurrentFlashes(array $keys)
    {
        $current = static::get('flash.new', []);

        static::put('flash.new', array_unique(array_merge($current, $keys)));
    }

    /**
     * Remove the given keys from the old flash data.
     *
     * @param array $keys
     *
     * @return void
     */
    protected static function removeFromOldFlashData(array $keys)
    {
        $old = static::get('flash.old', []);

        static::put('flash.old', array_diff($old, $keys));
    }
}


1			<?php
2
3			namespace Arrilot\Sessions;
4
5			use Illuminate\Support\Arr;
6
7			class Session
8			{
9			/**
10			* Age flash data.
11			*
12			* @return void
13			*/
14			public static function ageFlashData()
15			{
16			$new = static::pull('flash.new', []);
17
18			static::set('flash.old', $new);
19			}
20
21			/**
22			* Get all of the items from the session.
23			*
24			* @return array
25			*/
26			public static function all()
			0 ignored issues – show Coding Style introduced 2015-12-03 21:45 UTC by Report Bug Copy Issue Report Show Similar Issues like this `all` uses the super-global variable `$_SESSION` which is generally not recommended. Instead of super-globals, we recommend to explicitly inject the dependencies of your class. This makes your code less dependent on global state and it becomes generally more testable: // Bad class Router { public function generate($path) { return $_SERVER['HOST'].$path; } } // Better class Router { private $host; public function __construct($host) { $this->host = $host; } public function generate($path) { return $this->host.$path; } } class Controller { public function myAction(Request $request) { // Instead of $page = isset($_GET['page']) ? intval($_GET['page']) : 1; // Better (assuming you use the Symfony2 request) $page = $request->query->get('page', 1); } } Loading history...
27			{
28			return $_SESSION;
29			}
30
31			/**
32			* Remove all of the items from the session.
33			*
34			* @return array
35			*/
36			public static function clear()
37			{
38			static::flush();
39			}
40
41			/**
42			* Flash data for a single request.
43			*
44			* @param $key
45			* @param $value
46			*
47			* @return void
48			*/
49			public static function flash($key, $value)
50			{
51			static::put($key, $value);
52
53			static::push('flash.new', $key);
54
55			static::removeFromOldFlashData([$key]);
56			}
57
58			/**
59			* Flash data for a single request.
60			*
61			* @param $key
62			* @param $value
63			*
64			* @return void
65			*/
66			public static function now($key, $value)
67			{
68			static::put($key, $value);
69
70			static::push('flash.old', $key);
71			}
72
73			/**
74			* Remove all of the items from the session.
75			*
76			* @return array
77			*/
78			public static function flush()
79			{
80			session_unset();
81			}
82
83			/**
84			* Remove an item from the session.
85			*
86			* @param string $key
87			*
88			* @return void
89			*/
90			public static function forget($key)
			0 ignored issues – show Coding Style introduced 2015-12-03 21:45 UTC by Report Bug Copy Issue Report Show Similar Issues like this `forget` uses the super-global variable `$_SESSION` which is generally not recommended. Instead of super-globals, we recommend to explicitly inject the dependencies of your class. This makes your code less dependent on global state and it becomes generally more testable: // Bad class Router { public function generate($path) { return $_SERVER['HOST'].$path; } } // Better class Router { private $host; public function __construct($host) { $this->host = $host; } public function generate($path) { return $this->host.$path; } } class Controller { public function myAction(Request $request) { // Instead of $page = isset($_GET['page']) ? intval($_GET['page']) : 1; // Better (assuming you use the Symfony2 request) $page = $request->query->get('page', 1); } } Loading history...
91			{
92			Arr::forget($_SESSION, $key);
93			}
94
95			/**
96			* Get an item from the session.
97			*
98			* @param $name
99			* @param $default
100			*
101			* @return mixed
102			*/
103			public static function get($name, $default = null)
			0 ignored issues – show Coding Style introduced 2015-12-03 21:45 UTC by Report Bug Copy Issue Report Show Similar Issues like this `get` uses the super-global variable `$_SESSION` which is generally not recommended. Instead of super-globals, we recommend to explicitly inject the dependencies of your class. This makes your code less dependent on global state and it becomes generally more testable: // Bad class Router { public function generate($path) { return $_SERVER['HOST'].$path; } } // Better class Router { private $host; public function __construct($host) { $this->host = $host; } public function generate($path) { return $this->host.$path; } } class Controller { public function myAction(Request $request) { // Instead of $page = isset($_GET['page']) ? intval($_GET['page']) : 1; // Better (assuming you use the Symfony2 request) $page = $request->query->get('page', 1); } } Loading history...
104			{
105			return Arr::get($_SESSION, $name, $default);
106			}
107
108			/**
109			* Determining if an item exists in the session.
110			*
111			* @param $name
112			*
113			* @return bool
114			*/
115			public static function has($name)
116			{
117			return !is_null(static::get($name));
118			}
119
120			/**
121			* Reflash a subset of the current flash data.
122			*
123			* @param $keys
124			*
125			* @return void
126			*/
127			public static function keep($keys = null)
128			{
129			$keys = is_array($keys) ? $keys : func_get_args();
130
131			static::mergeWithCurrentFlashes($keys);
132			static::removeFromOldFlashData($keys);
133			}
134
135			/**
136			* Get the value of a given key and then forget it.
137			*
138			* @param $key
139			* @param $default
140			*
141			* @return mixed
142			*/
143			public static function pull($key, $default = null)
			0 ignored issues – show Coding Style introduced 2015-12-03 21:45 UTC by Report Bug Copy Issue Report Show Similar Issues like this `pull` uses the super-global variable `$_SESSION` which is generally not recommended. Instead of super-globals, we recommend to explicitly inject the dependencies of your class. This makes your code less dependent on global state and it becomes generally more testable: // Bad class Router { public function generate($path) { return $_SERVER['HOST'].$path; } } // Better class Router { private $host; public function __construct($host) { $this->host = $host; } public function generate($path) { return $this->host.$path; } } class Controller { public function myAction(Request $request) { // Instead of $page = isset($_GET['page']) ? intval($_GET['page']) : 1; // Better (assuming you use the Symfony2 request) $page = $request->query->get('page', 1); } } Loading history...
144			{
145			return Arr::pull($_SESSION, $key, $default);
146			}
147
148			/**
149			* Push a value onto a session array.
150			*
151			* @param $key
152			* @param $value
153			*
154			* @return void
155			*/
156			public static function push($key, $value)
157			{
158			$array = static::get($key, []);
159			$array[] = $value;
160
161			static::put($key, $array);
162			}
163
164			/**
165			* Put a key / value pair in the session.
166			*
167			* @param $key
168			* @param $value
169			*
170			* @return void
171			*/
172			public static function put($key, $value = null)
173			{
174			if (!is_array($key)) {
175			$key = [$key => $value];
176			}
177
178			foreach ($key as $arrayKey => $arrayValue) {
179			static::set($arrayKey, $arrayValue);
180			}
181			}
182
183			/**
184			* Set an item in the session.
185			*
186			* @param $name
187			* @param $value
188			*
189			* @return void
190			*/
191			public static function set($name, $value)
			0 ignored issues – show Coding Style introduced 2015-12-03 21:45 UTC by Report Bug Copy Issue Report Show Similar Issues like this `set` uses the super-global variable `$_SESSION` which is generally not recommended. Instead of super-globals, we recommend to explicitly inject the dependencies of your class. This makes your code less dependent on global state and it becomes generally more testable: // Bad class Router { public function generate($path) { return $_SERVER['HOST'].$path; } } // Better class Router { private $host; public function __construct($host) { $this->host = $host; } public function generate($path) { return $this->host.$path; } } class Controller { public function myAction(Request $request) { // Instead of $page = isset($_GET['page']) ? intval($_GET['page']) : 1; // Better (assuming you use the Symfony2 request) $page = $request->query->get('page', 1); } } Loading history...
192			{
193			Arr::set($_SESSION, $name, $value);
194			}
195
196			/**
197			* Reflash all flash data for one more request.
198			*/
199			public static function reflash()
200			{
201			$old = static::pull('flash.old', []);
202
203			static::mergeWithCurrentFlashes($old);
204			}
205
206			/**
207			* Remove all old flash data from the session.
208			*
209			* @return void
210			*/
211			public static function removeOldFlashData()
212			{
213			foreach (static::get('flash.old', []) as $key) {
214			static::forget($key);
215			}
216
217			static::put('flash.old', []);
218			}
219
220			/**
221			* Merge new flash keys into the new flash array.
222			*
223			* @param array $keys
224			*
225			* @return void
226			*/
227			protected static function mergeWithCurrentFlashes(array $keys)
228			{
229			$current = static::get('flash.new', []);
230
231			static::put('flash.new', array_unique(array_merge($current, $keys)));
232			}
233
234			/**
235			* Remove the given keys from the old flash data.
236			*
237			* @param array $keys
238			*
239			* @return void
240			*/
241			protected static function removeFromOldFlashData(array $keys)
242			{
243			$old = static::get('flash.old', []);
244
245			static::put('flash.old', array_diff($old, $keys));
246			}
247			}
248

arrilot / sessions

Issues (5)

Security Analysis no request data

src/Session.php (5 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like