Issues in Errors.php (master) - Issues in master - barbushin/php-console - Measure and Improve Code Quality continuously with Scrutinizer

Issues (30)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/PhpConsole/Dispatcher/Errors.php (2 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace PhpConsole\Dispatcher;
use PhpConsole\Dispatcher;
use PhpConsole\ErrorMessage;
use PhpConsole\Message;

/**
 * Sends system errors and exceptions to connector as client expected messages
 *
 * @package PhpConsole
 * @version 3.1
 * @link http://consle.com
 * @author Sergey Barbushin http://linkedin.com/in/barbushin
 * @copyright © Sergey Barbushin, 2011-2013. All rights reserved.
 * @license http://www.opensource.org/licenses/BSD-3-Clause "The BSD 3-Clause License"
 */
class Errors extends Dispatcher {

	/** @var array PHP errors constants values => names(will be initialized in first call) */
	protected static $errorsConstantsValues = array();
	/** @var array PHP errors constants names */
	protected static $errorsConstantsNames = array(
		'E_STRICT',
		'E_DEPRECATED',
		'E_RECOVERABLE_ERROR',
		'E_NOTICE',
		'E_WARNING',
		'E_ERROR',
		'E_PARSE',
		'E_USER_DEPRECATED',
		'E_USER_NOTICE',
		'E_USER_WARNING',
		'E_USER_ERROR',
		'E_CORE_WARNING',
		'E_CORE_ERROR',
		'E_COMPILE_ERROR',
		'E_COMPILE_WARNING',
	);

	/** @var bool Don't send errors messages with same file, line & class */
	public $ignoreRepeatedSource = true;
	/** @var bool Dispatch $exception->getPrevious() if not empty */
	public $dispatchPreviousExceptions = true;

	/** @var ErrorMessage[] */
	protected $sentMessages = array();

	/**
	 * Send error message to client
	 * @param null|integer $code
	 * @param null|string $text
	 * @param null|string $file
	 * @param null|integer $line
	 * @param int|array $ignoreTraceCalls Ignore tracing classes by name prefix `array('PhpConsole')` or fixed number of calls to ignore
	 */
	public function dispatchError($code = null, $text = null, $file = null, $line = null, $ignoreTraceCalls = 0) {
		if($this->isActive()) {
			$message = new ErrorMessage();
			$message->code = $code;
			$message->class = $this->getErrorTypeByCode($code);
			$message->data = $this->dumper->dump($text);
			$message->file = $file;
			$message->line = $line;
			if($ignoreTraceCalls !== null) {
				$message->trace = $this->fetchTrace(debug_backtrace(), $file, $line, is_array($ignoreTraceCalls) ? $ignoreTraceCalls : $ignoreTraceCalls + 1);
			}
			$this->sendMessage($message);
		}
	}

	/**
	 * Send exception message to client
	 * @param \Exception|\Throwable $exception
	 */
	public function dispatchException($exception) {
		if($this->isActive()) {
			if($this->dispatchPreviousExceptions && $exception->getPrevious()) {
				$this->dispatchException($exception->getPrevious());
			}
			$message = new ErrorMessage();
			$message->code = $exception->getCode();
			$message->class = get_class($exception);
			$message->data = $this->dumper->dump($exception->getMessage());
			$message->file = $exception->getFile();
			$message->line = $exception->getLine();
			$message->trace = self::fetchTrace($exception->getTrace(), $message->file, $message->line);
			$this->sendMessage($message);
		}
	}

	/**
	 * Send message to PHP Console connector
	 * @param Message $message
	 */
	protected function sendMessage(Message $message) {
		if(!$this->isIgnored($message)) {
			parent::sendMessage($message);
			$this->sentMessages[] = $message;
		}
	}

	/**
	 * Get PHP error constant name by value
	 * @param int $code
	 * @return string
	 */
	protected function getErrorTypeByCode($code) {
		if(!static::$errorsConstantsValues) {

			foreach(static::$errorsConstantsNames as $constantName) {
				if(defined($constantName)) {
					static::$errorsConstantsValues[constant($constantName)] = $constantName;
				}
			}
		}
		if(isset(static::$errorsConstantsValues[$code])) {
			return static::$errorsConstantsValues[$code];
		}
		return (string)$code;
	}

	/**
	 * Return true if message with same file, line & class was already sent
	 * @param ErrorMessage $message
	 * @return bool
	 */
	protected function isIgnored(ErrorMessage $message) {
		if($this->ignoreRepeatedSource && $message->file) {
''   == false // true
''   == null  // true
'ab' == false // false
'ab' == null  // false

// It is often better to use strict comparison
'' === false // false
'' === null  // false
			foreach($this->sentMessages as $sentMessage) {
				if($message->file == $sentMessage->file && $message->line == $sentMessage->line && $message->class == $sentMessage->class) {
					return true;
				}
			}
		}
		return false;
	}
}


1		<?php
2
3		namespace PhpConsole\Dispatcher;
4		use PhpConsole\Dispatcher;
5		use PhpConsole\ErrorMessage;
6		use PhpConsole\Message;
7
8		/**
9		* Sends system errors and exceptions to connector as client expected messages
10		*
11		* @package PhpConsole
12		* @version 3.1
13		* @link http://consle.com
14		* @author Sergey Barbushin http://linkedin.com/in/barbushin
15		* @copyright © Sergey Barbushin, 2011-2013. All rights reserved.
16		* @license http://www.opensource.org/licenses/BSD-3-Clause "The BSD 3-Clause License"
17		*/
18		class Errors extends Dispatcher {
19
20		/** @var array PHP errors constants values => names(will be initialized in first call) */
21		protected static $errorsConstantsValues = array();
22		/** @var array PHP errors constants names */
23		protected static $errorsConstantsNames = array(
24		'E_STRICT',
25		'E_DEPRECATED',
26		'E_RECOVERABLE_ERROR',
27		'E_NOTICE',
28		'E_WARNING',
29		'E_ERROR',
30		'E_PARSE',
31		'E_USER_DEPRECATED',
32		'E_USER_NOTICE',
33		'E_USER_WARNING',
34		'E_USER_ERROR',
35		'E_CORE_WARNING',
36		'E_CORE_ERROR',
37		'E_COMPILE_ERROR',
38		'E_COMPILE_WARNING',
39		);
40
41		/** @var bool Don't send errors messages with same file, line & class */
42		public $ignoreRepeatedSource = true;
43		/** @var bool Dispatch $exception->getPrevious() if not empty */
44		public $dispatchPreviousExceptions = true;
45
46		/** @var ErrorMessage[] */
47		protected $sentMessages = array();
48
49		/**
50		* Send error message to client
51		* @param null\|integer $code
52		* @param null\|string $text
53		* @param null\|string $file
54		* @param null\|integer $line
55		* @param int\|array $ignoreTraceCalls Ignore tracing classes by name prefix `array('PhpConsole')` or fixed number of calls to ignore
56		*/
57	18	public function dispatchError($code = null, $text = null, $file = null, $line = null, $ignoreTraceCalls = 0) {
58	18	if($this->isActive()) {
59	17	$message = new ErrorMessage();
60	17	$message->code = $code;
61	17	$message->class = $this->getErrorTypeByCode($code);
62	17	$message->data = $this->dumper->dump($text);
63	17	$message->file = $file;
64	17	$message->line = $line;
65	17	if($ignoreTraceCalls !== null) {
66	17	$message->trace = $this->fetchTrace(debug_backtrace(), $file, $line, is_array($ignoreTraceCalls) ? $ignoreTraceCalls : $ignoreTraceCalls + 1);
67		}
68	17	$this->sendMessage($message);
69		}
70	18	}
71
72		/**
73		* Send exception message to client
74		* @param \Exception\|\Throwable $exception
75		*/
76	14	public function dispatchException($exception) {
77	14	if($this->isActive()) {
78	14	if($this->dispatchPreviousExceptions && $exception->getPrevious()) {
79	1	$this->dispatchException($exception->getPrevious());
80		}
81	14	$message = new ErrorMessage();
82	14	$message->code = $exception->getCode();
83	14	$message->class = get_class($exception);
84	14	$message->data = $this->dumper->dump($exception->getMessage());
85	14	$message->file = $exception->getFile();
86	14	$message->line = $exception->getLine();
87	14	$message->trace = self::fetchTrace($exception->getTrace(), $message->file, $message->line);
88	14	$this->sendMessage($message);
89		}
90	14	}
91
92		/**
93		* Send message to PHP Console connector
94		* @param Message $message
95		*/
96	31	protected function sendMessage(Message $message) {
97	31	if(!$this->isIgnored($message)) {
98	31	parent::sendMessage($message);
99	31	$this->sentMessages[] = $message;
100		}
101	31	}
102
103		/**
104		* Get PHP error constant name by value
105		* @param int $code
106		* @return string
107		*/
108	17	protected function getErrorTypeByCode($code) {
109	17	if(!static::$errorsConstantsValues) {
		0 ignored issues – show Bug Best Practice introduced 2016-08-23 12:33 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `static::$errorsConstantsValues` of type `array` is implicitly converted to a boolean; are you sure this is intended? If so, consider using `empty($expr)` instead to make it clear that you intend to check for an array without elements. This check marks implicit conversions of arrays to boolean values in a comparison. While in PHP an empty array is considered to be equal (but not identical) to false, this is not always apparent. Consider making the comparison explicit by using `empty(..)` or `! empty(...)` instead. Loading history...
110	17	foreach(static::$errorsConstantsNames as $constantName) {
111	17	if(defined($constantName)) {
112	17	static::$errorsConstantsValues[constant($constantName)] = $constantName;
113		}
114		}
115		}
116	17	if(isset(static::$errorsConstantsValues[$code])) {
117	5	return static::$errorsConstantsValues[$code];
118		}
119	12	return (string)$code;
120		}
121
122		/**
123		* Return true if message with same file, line & class was already sent
124		* @param ErrorMessage $message
125		* @return bool
126		*/
127	31	protected function isIgnored(ErrorMessage $message) {
128	31	if($this->ignoreRepeatedSource && $message->file) {
		0 ignored issues – show Bug Best Practice introduced 2016-08-23 12:33 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `$message->file` of type `null\|string` is loosely compared to `true`; this is ambiguous if the string can be empty. You might want to explicitly use `!== null` instead. In PHP, under loose comparison (like `==`, or `!=`, or `switch` conditions), values of different types might be equal. For `string` values, the empty string `''` is a special case, in particular the following results might be unexpected: '' == false // true '' == null // true 'ab' == false // false 'ab' == null // false // It is often better to use strict comparison '' === false // false '' === null // false Loading history...
129	18	foreach($this->sentMessages as $sentMessage) {
130	4	if($message->file == $sentMessage->file && $message->line == $sentMessage->line && $message->class == $sentMessage->class) {
131	4	return true;
132		}
133		}
134		}
135	31	return false;
136		}
137		}
138

barbushin / php-console

Issues (30)

Security Analysis not enabled

src/PhpConsole/Dispatcher/Errors.php (2 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like