Issues in Checker.php (master) - Issues in master - bootjp/crawler - Measure and Improve Code Quality continuously with Scrutinizer

Issues (2)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

Checker.php (2 issues)

Labels

Severity

Minor 2

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php


namespace Error;

require_once (__DIR__ . '/vendor/autoload.php');

/**
 * Description of Checker Main
 *
 * @author bootjp
 */
class Checker
{
    protected $client;

    protected $contentsSize = 500;

    protected $doubleCheck = true;

    protected $recursion = false;

    protected $garbage = [];

    protected $isContentsFetch = true;


    /**
     * initialisation.
     * @param array $args
     */
    public function __construct(array $args)
    {
        $this->client = new \GuzzleHttp\Client([
                'defaults' => [
                    'exceptions' => false,
                    'headers' => [
                        'User-Agent' => 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) ' .
                        'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36'
                    ]
                ]
            ]
        );
        if (array_key_exists('contentSize', $args)) {
            $this->contentsSize = (int) $args['contentSize'];
        }

        if (array_key_exists('doubleCheck', $args)) {
            $this->doubleCheck = (bool) $args['doubleCheck'];
        }

        if (array_key_exists('isContentsFetch', $args)) {
            $this->isContentsFetch = (bool) $args['isContentsFetch'];
        }

        if (array_key_exists('recursion', $args)) {
            $this->recursion = (bool) $args['recursion'];
        }

        if (array_key_exists('auth', $args)) {
            list($username, $password) = explode(':', $args['auth'], 2);
            $this->client->setDefaultOption('auth', [$username, $password]);
        }

    }

    /**
     * Wrapper
     * @param  mixed $url [require]
     * @return array
     * @throws \ErrorException
     * @throws \ReflectionException
     */
    public function start($url)
    {
        $urlList = [];
        $result = [];
        $result['white'] = [];
        $result['black'] = [];

        if ((bool) $this->isContentsFetch) {
            echo 'Contents fetching..';
            $url = $this->fetchByContents($url);

            if ((bool) $this->recursion) {
                $url = $this->urlFilter($url);
            }
        }

        if (is_null($url)) {
            throw new \ReflectionException('Start URL is not null.');
        } else if (is_array($url)) {
            $urlList = $this->urlFilter($url);
        } else if (is_string($url)) {
            $urlList[] = $url;
        } else if (is_object($url)) {
            $urlList[] = (string) $url;
        }

        echo "\n";
        echo 'Cheking..';

        foreach ($urlList as $key => $url) {
            try {
                $metaData = $this->client->get($url);
            } catch (\Exception $e) {
                echo "\n {$url}\t {$e->getMessage()}";
            }
            $hardCheck = (array) $this->hardCheckByHeader($metaData);
            $softCheck = (array) $this->softCheckByContents($metaData);

            if ($hardCheck['result'] && $softCheck['result']) {
                $result['white'][$key]['url'] = $url;
                $result['white'][$key]['status'] = 'OK';
            } else {
                $result['black'][$key]['url'] = $url;
                $result['black'][$key]['status'] = array_key_exists('status', $hardCheck) ? $hardCheck['status'] : $softCheck['status'];
            }

            usleep(500000);
            echo '.';
        }
        $result['UnknownLinks'] = $this->garbage;

        return $result;
    }

    /**
     * Fetch Page Contents Links
     * @param  mixed $baseUrl
     * @return array URlList
     * @throws \ErrorException
     */
    private function fetchByContents($baseUrl)
    {
        $urlList = [];
        $matches = [];
        $urlList['baseUrl'] = (string) $baseUrl;
        try {
            $contents = $this->client->get($baseUrl)->getBody()->getContents();
        } catch (\Exception $e) {
            echo "\n {$baseUrl}\t {$e->getMessage()}";
        }

        preg_match_all('{<a.+?href=[\"|\'](?<url>.+?)[\"\|\'].*?>}is', $contents, $matches);

        if (!array_key_exists('url', $matches)) {
            throw new \ErrorException('Not match contents on url.');
        }

        foreach ($matches['url'] as $url) {

            if (preg_match('{https?://[\w/:%#\$&\?\(\)~\.=\+\-]+}i', $url)) {
                $urlList[] = $url;
            } else if (preg_match('{https?:\/\/[\w/:%#\$&\?\(\)~\.=\+\-]+}i', $baseUrl . $url)) {
                if (preg_match("{(^#[A-Z0-9].+?$)}i", $url)) {
                    $this->garbage[] = $url;
                } else if (preg_match("#javascript.*#i", $url)) {
                    $this->garbage[] = $url;
                } else {
                    $urlList[] = $baseUrl . $url;
                }
            } else {
                $this->garbage[] = $url;
            }

            usleep(500000);
            echo '.';
        }

        return array_unique($urlList);
    }

    /**
     * Error check by header
     * @param \GuzzleHttp\Message\Response $metaData
     * @return array
     */
    private function hardCheckByHeader(\GuzzleHttp\Message\Response $metaData)

    {
        $headers = array_change_key_case($metaData->getHeaders());
        $statusCode = (int) $metaData->getStatusCode();

        $isErrorPageCode = [
            '40x' => [401, 403, 404],
            '50x' => [500, 502, 503],
            '30x' => [301, 302, 308]
        ];

        foreach($isErrorPageCode as $errorType => $statuses) {
            if (in_array($statusCode, $statuses)) {
                return [
                    'result' => false,
                    'status' => "NG : status code {$errorType}"
                ];
            }
        }

        if ($statusCode === 200 && $statusCode === 304) {
            return [
                'result' => true
            ];
        }

        if (array_key_exists('content-length', $headers) && $headers['content-length'][0] < $this->contentsSize) {
            return [
                'result' => false,
                'status' => 'NG : contentsSize'
            ];
        }

        return [
            'result' => true
        ];
    }

    /**
     * Soft404 check by contents Length
     * @param \GuzzleHttp\Message\Response $metaData
     * @return array
     */
    public function softCheckByContents(\GuzzleHttp\Message\Response $metaData)
    {
        if ($metaData->getBody()->getSize() <= $this->contentsSize) {
            return [
                'result' => false,
                'status' => 'NG : contentsSize'
            ];
        }

        if ($this->doubleCheck) {
            $result = $this->softCheckByContentsWords($metaData);
            if (!$result['result']) {
                return [
                    'result' => $result['result'],
                    'status' => $result['status']
                ];
            }
        }

        return [
            'result' => true
        ];
    }

    /**
     * Soft404 Error check by words
     * @param \GuzzleHttp\Message\Response $metaData
     * @return array Result
     */
    private function softCheckByContentsWords(\GuzzleHttp\Message\Response $metaData)
    {
        foreach (self::getSoftErrorWords() as $word) {
            if (mb_stripos($metaData->getBody()->getContents(), $word) !== false) {
                return [
                    'result' => false,
                    'status' => 'NG WORD : ' . $word
                ];
            }
        }

        return [
            'result' => true
        ];

    }

    /**
     * Return soft404 Page on Words.
     * @param  none
     * @return array
     */
    private static function getSoftErrorWords()
    {
        return file(__DIR__ . '/ErrorPageWords.txt', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    }

    /**
     * multidimensional array to single arry comvert.
     * @param array $urlList
     * @return array URLLIST
     */
    private function urlFilter(array $urlList)
    {
        $result = [];
        array_walk_recursive($urlList, function($v) use (&$result) {
            $result[] = $v;
        });

        return array_values(array_unique($result));
    }
}


1			<?php
			0 ignored issues – show Coding Style Compatibility introduced 2016-06-04 13:05 UTC by Report Bug Copy Issue Report Show Similar Issues like this For compatibility and reusability of your code, PSR1 recommends that a file should introduce either new symbols (like classes, functions, etc.) or have side-effects (like outputting something, or including other files), but not both at the same time. The first symbol is defined on line 12 and the first side effect is on line 5. The PSR-1: Basic Coding Standard recommends that a file should either introduce new symbols, that is classes, functions, constants or similar, or have side effects. Side effects are anything that executes logic, like for example printing output, changing ini settings or writing to a file. The idea behind this recommendation is that merely auto-loading a class should not change the state of an application. It also promotes a cleaner style of programming and makes your code less prone to errors, because the logic is not spread out all over the place. To learn more about the PSR-1, please see the PHP-FIG site on the PSR-1. Loading history...
2
3			namespace Error;
4
5			require_once (__DIR__ . '/vendor/autoload.php');
6
7			/**
8			* Description of Checker Main
9			*
10			* @author bootjp
11			*/
12			class Checker
13			{
14			protected $client;
15
16			protected $contentsSize = 500;
17
18			protected $doubleCheck = true;
19
20			protected $recursion = false;
21
22			protected $garbage = [];
23
24			protected $isContentsFetch = true;
25
26
27			/**
28			* initialisation.
29			* @param array $args
30			*/
31			public function __construct(array $args)
32			{
33			$this->client = new \GuzzleHttp\Client([
34			'defaults' => [
35			'exceptions' => false,
36			'headers' => [
37			'User-Agent' => 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) ' .
38			'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.111 Safari/537.36'
39			]
40			]
41			]
42			);
43			if (array_key_exists('contentSize', $args)) {
44			$this->contentsSize = (int) $args['contentSize'];
45			}
46
47			if (array_key_exists('doubleCheck', $args)) {
48			$this->doubleCheck = (bool) $args['doubleCheck'];
49			}
50
51			if (array_key_exists('isContentsFetch', $args)) {
52			$this->isContentsFetch = (bool) $args['isContentsFetch'];
53			}
54
55			if (array_key_exists('recursion', $args)) {
56			$this->recursion = (bool) $args['recursion'];
57			}
58
59			if (array_key_exists('auth', $args)) {
60			list($username, $password) = explode(':', $args['auth'], 2);
61			$this->client->setDefaultOption('auth', [$username, $password]);
62			}
63
64			}
65
66			/**
67			* Wrapper
68			* @param mixed $url [require]
69			* @return array
70			* @throws \ErrorException
71			* @throws \ReflectionException
72			*/
73			public function start($url)
74			{
75			$urlList = [];
76			$result = [];
77			$result['white'] = [];
78			$result['black'] = [];
79
80			if ((bool) $this->isContentsFetch) {
81			echo 'Contents fetching..';
82			$url = $this->fetchByContents($url);
83
84			if ((bool) $this->recursion) {
85			$url = $this->urlFilter($url);
86			}
87			}
88
89			if (is_null($url)) {
90			throw new \ReflectionException('Start URL is not null.');
91			} else if (is_array($url)) {
92			$urlList = $this->urlFilter($url);
93			} else if (is_string($url)) {
94			$urlList[] = $url;
95			} else if (is_object($url)) {
96			$urlList[] = (string) $url;
97			}
98
99			echo "\n";
100			echo 'Cheking..';
101
102			foreach ($urlList as $key => $url) {
103			try {
104			$metaData = $this->client->get($url);
105			} catch (\Exception $e) {
106			echo "\n {$url}\t {$e->getMessage()}";
107			}
108			$hardCheck = (array) $this->hardCheckByHeader($metaData);
109			$softCheck = (array) $this->softCheckByContents($metaData);
110
111			if ($hardCheck['result'] && $softCheck['result']) {
112			$result['white'][$key]['url'] = $url;
113			$result['white'][$key]['status'] = 'OK';
114			} else {
115			$result['black'][$key]['url'] = $url;
116			$result['black'][$key]['status'] = array_key_exists('status', $hardCheck) ? $hardCheck['status'] : $softCheck['status'];
117			}
118
119			usleep(500000);
120			echo '.';
121			}
122			$result['UnknownLinks'] = $this->garbage;
123
124			return $result;
125			}
126
127			/**
128			* Fetch Page Contents Links
129			* @param mixed $baseUrl
130			* @return array URlList
131			* @throws \ErrorException
132			*/
133			private function fetchByContents($baseUrl)
134			{
135			$urlList = [];
136			$matches = [];
137			$urlList['baseUrl'] = (string) $baseUrl;
138			try {
139			$contents = $this->client->get($baseUrl)->getBody()->getContents();
140			} catch (\Exception $e) {
141			echo "\n {$baseUrl}\t {$e->getMessage()}";
142			}
143
144			preg_match_all('{<a.+?href=[\"\|\'](?<url>.+?)[\"\\|\'].*?>}is', $contents, $matches);
145
146			if (!array_key_exists('url', $matches)) {
147			throw new \ErrorException('Not match contents on url.');
148			}
149
150			foreach ($matches['url'] as $url) {
151
152			if (preg_match('{https?://[\w/:%#\$&\?\(\)~\.=\+\-]+}i', $url)) {
153			$urlList[] = $url;
154			} else if (preg_match('{https?:\/\/[\w/:%#\$&\?\(\)~\.=\+\-]+}i', $baseUrl . $url)) {
155			if (preg_match("{(^#[A-Z0-9].+?$)}i", $url)) {
156			$this->garbage[] = $url;
157			} else if (preg_match("#javascript.*#i", $url)) {
158			$this->garbage[] = $url;
159			} else {
160			$urlList[] = $baseUrl . $url;
161			}
162			} else {
163			$this->garbage[] = $url;
164			}
165
166			usleep(500000);
167			echo '.';
168			}
169
170			return array_unique($urlList);
171			}
172
173			/**
174			* Error check by header
175			* @param \GuzzleHttp\Message\Response $metaData
176			* @return array
177			*/
178			private function hardCheckByHeader(\GuzzleHttp\Message\Response $metaData)
			0 ignored issues – show Unused Code introduced 2016-06-04 13:05 UTC by Report Bug Copy Issue Report Show Similar Issues like this This method is not used, and could be removed. Loading history...
179			{
180			$headers = array_change_key_case($metaData->getHeaders());
181			$statusCode = (int) $metaData->getStatusCode();
182
183			$isErrorPageCode = [
184			'40x' => [401, 403, 404],
185			'50x' => [500, 502, 503],
186			'30x' => [301, 302, 308]
187			];
188
189			foreach($isErrorPageCode as $errorType => $statuses) {
190			if (in_array($statusCode, $statuses)) {
191			return [
192			'result' => false,
193			'status' => "NG : status code {$errorType}"
194			];
195			}
196			}
197
198			if ($statusCode === 200 && $statusCode === 304) {
199			return [
200			'result' => true
201			];
202			}
203
204			if (array_key_exists('content-length', $headers) && $headers['content-length'][0] < $this->contentsSize) {
205			return [
206			'result' => false,
207			'status' => 'NG : contentsSize'
208			];
209			}
210
211			return [
212			'result' => true
213			];
214			}
215
216			/**
217			* Soft404 check by contents Length
218			* @param \GuzzleHttp\Message\Response $metaData
219			* @return array
220			*/
221			public function softCheckByContents(\GuzzleHttp\Message\Response $metaData)
222			{
223			if ($metaData->getBody()->getSize() <= $this->contentsSize) {
224			return [
225			'result' => false,
226			'status' => 'NG : contentsSize'
227			];
228			}
229
230			if ($this->doubleCheck) {
231			$result = $this->softCheckByContentsWords($metaData);
232			if (!$result['result']) {
233			return [
234			'result' => $result['result'],
235			'status' => $result['status']
236			];
237			}
238			}
239
240			return [
241			'result' => true
242			];
243			}
244
245			/**
246			* Soft404 Error check by words
247			* @param \GuzzleHttp\Message\Response $metaData
248			* @return array Result
249			*/
250			private function softCheckByContentsWords(\GuzzleHttp\Message\Response $metaData)
251			{
252			foreach (self::getSoftErrorWords() as $word) {
253			if (mb_stripos($metaData->getBody()->getContents(), $word) !== false) {
254			return [
255			'result' => false,
256			'status' => 'NG WORD : ' . $word
257			];
258			}
259			}
260
261			return [
262			'result' => true
263			];
264
265			}
266
267			/**
268			* Return soft404 Page on Words.
269			* @param none
270			* @return array
271			*/
272			private static function getSoftErrorWords()
273			{
274			return file(__DIR__ . '/ErrorPageWords.txt', FILE_IGNORE_NEW_LINES \| FILE_SKIP_EMPTY_LINES);
275			}
276
277			/**
278			* multidimensional array to single arry comvert.
279			* @param array $urlList
280			* @return array URLLIST
281			*/
282			private function urlFilter(array $urlList)
283			{
284			$result = [];
285			array_walk_recursive($urlList, function($v) use (&$result) {
286			$result[] = $v;
287			});
288
289			return array_values(array_unique($result));
290			}
291			}
292

bootjp / crawler

Issues (2)

Security Analysis no request data

Checker.php (2 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like