Issues in Shortcode.php (master) - Issues in master - brightnucleus/shortcodes - Measure and Improve Code Quality continuously with Scrutinizer

Issues (5)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Shortcode.php (2 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * Bright Nucleus Shortcode Component.
 *
 * @package   BrightNucleus\Shortcode
 * @author    Alain Schlesser <[email protected]>
 * @license   MIT
 * @link      http://www.brightnucleus.com/
 * @copyright 2015-2016 Alain Schlesser, Bright Nucleus
 */

namespace BrightNucleus\Shortcode;

use BrightNucleus\Config\ConfigInterface as Config;
use BrightNucleus\Shortcode\ShortcodeAttsParserInterface as ShortcodeAttsParser;
.
|-- OtherDir
|   |-- Bar.php
|   `-- Foo.php
`-- SomeDir
    `-- Foo.php
use BrightNucleus\Config\ConfigTrait;
use BrightNucleus\Dependency\DependencyManagerInterface as DependencyManager;
use BrightNucleus\Exception\DomainException;
use BrightNucleus\Exception\RuntimeException;
use BrightNucleus\View\ViewBuilder;
use BrightNucleus\Views;

/**
 * Base Implementation of the Shortcode Interface.
 *
 * This is a basic implementation of the Shortcode Interface that registers one
 * view and passes all attributes unfiltered to that view.
 *
 * @since   0.1.0
 *
 * @package BrightNucleus\Shortcode
 * @author  Alain Schlesser <[email protected]>
 */
class Shortcode implements ShortcodeInterface {

	use ConfigTrait;
	use CheckNeedTrait;

	/**
	 * Name of the shortcode handler.
	 *
	 * @since 0.1.0
	 *
	 * @var string
	 */
	protected $shortcode_tag;

	/**
	 * Parser to parse and validate the shortcode's attributes.
	 *
	 * @since 0.1.0
	 *
	 * @var ShortcodeAttsParserInterface
	 */
	protected $atts_parser;

	/**
	 * Dependencies of the shortcode.
	 *
	 * @since 0.1.0
	 *
	 * @var DependencyManager
	 */
	protected $dependencies;

	/**
	 * View builder instance to use for creating views to render.
	 *
	 * @since 0.4.0
	 *
	 * @var ViewBuilder
	 */
	protected $view_builder;

	/**
	 * Cache context information so we can pass it on to the render() method.
	 *
	 * @var
	 *
	 * @since 0.2.3
	 */
	protected $context = [];

	/**
	 * Instantiate Basic Shortcode.
	 *
	 * @since 0.1.0
	 * @since 0.4.0 Added optional $view_builder argument.
	 *
	 * @param string                 $shortcode_tag Tag that identifies the
	 *                                              shortcode.
	 * @param Config                 $config        Configuration settings.
	 * @param ShortcodeAttsParser    $atts_parser   Attributes parser and
	 *                                              validator.
	 * @param DependencyManager|null $dependencies  Optional. Dependencies of
	 *                                              the shortcode.
	 * @param ViewBuilder|null       $view_builder  Optional. View builder
	 *                                              instance to use.
	 * @throws RuntimeException If the config could not be processed.
	 */
	public function __construct(
		$shortcode_tag,
		Config $config,
		ShortcodeAttsParser $atts_parser,
		DependencyManager $dependencies = null,
		ViewBuilder $view_builder = null
	) {

		$this->processConfig( $config );

		$this->shortcode_tag = $shortcode_tag;
		$this->atts_parser   = $atts_parser;
		$this->dependencies  = $dependencies;
		$this->view_builder  = $view_builder ?? Views::getViewBuilder();
	}

	/**
	 * Register the shortcode handler function with WordPress.
	 *
	 * @since 0.1.0
	 *
	 * @param mixed $context Optional. Arguments to pass on to the Registrable.
	 * @return void
	 */
	public function register( $context = null ) {
		if ( null !== $context ) {
			$this->add_context( $context );
		}

		if ( ! $this->is_needed( $this->context ) ) {
			return;
		}

		\add_shortcode( $this->get_tag(), [ $this, 'render' ] );
	}

	/**
	 * Add additional context to the shortcode.
	 *
	 * This can be used to pass more data to the view to be rendered.
	 *
	 * This is especially useful for additional preparation through a DI.
	 *
	 * @param array $context Associative array of context information to add.
	 */
	public function add_context( $context ) {
		$this->context = array_filter(
			array_merge( (array) $this->context, (array) $context )
		);
	}

	/**
	 * Get the shortcode tag.
	 *
	 * @since 0.1.0
	 *
	 * @return string Shortcode tag.
	 */
	public function get_tag() {
		return (string) $this->shortcode_tag;
	}

	/**
	 * Render the shortcode.
	 *
	 * @since 0.1.0
	 *
	 * @throws DomainException
	 *
	 * @param array       $atts    Attributes to modify the standard behavior
	 *                             of the shortcode.
	 * @param string|null $content Optional. Content between enclosing
	 *                             shortcodes.
	 * @param string|null $tag     Optional. The tag of the shortcode to
	 *                             render. Ignored by current code.
	 * @return string              The shortcode's HTML output.
	 */
	public function render( $atts, $content = null, $tag = null ) {
		$atts    = $this->atts_parser->parse_atts( $atts, $this->get_tag() );
		$this->enqueue_dependencies( $this->get_dependency_handles(), $atts );

		return $this->render_view(
			$this->get_view(),
			$this->context,
			$atts,
			$content
		);
	}

	/**
	 * Enqueue the dependencies that the shortcode needs.
	 *
	 * @since 0.2.9
	 *
	 * @param array $handles Array of dependency handles to enqueue.
	 * @param mixed $context Optional. Context in which to enqueue.
	 */
	protected function enqueue_dependencies( $handles, $context = null ) {
		if ( null !== $context ) {
			$this->add_context( $context );
		}

		if ( ! $this->dependencies || count( $handles ) < 1 ) {
			return;
		}

		foreach ( $handles as $handle ) {
			$found = $this->dependencies->enqueue_handle(
				$handle,
				$this->context,
				true
			);
			if ( ! $found ) {
				$message = sprintf(
					__( 'Could not enqueue dependency "%1$s" for shortcode "%2$s".',
						'bn-shortcodes' ),
					$handle,
					$this->get_tag()
				);
				trigger_error( $message, E_USER_WARNING );
			}
		}

	}

	/**
	 * Get an array of dependency handles for the current shortcode.
	 *
	 * @since 0.2.7
	 *
	 * @return array Array of strings that are registered dependency handles.
	 */
	protected function get_dependency_handles() {
		if ( ! $this->hasConfigKey( 'dependencies' ) ) {
			return [ ];
		}
		return (array) $this->getConfigKey( 'dependencies' );
	}

	/**
	 * Get the rendered HTML for a given view.
	 *
	 * @since 0.2.6
	 *
	 * @param string      $uri     URI of the view to render.
	 * @param mixed       $context The context to pass through to the view.
	 * @param array       $atts    The shortcode attribute values to pass
	 *                             through to the view.
	 * @param string|null $content Optional. The inner content of the shortcode.
	 * @return string HTML rendering of the view.
	 */
	protected function render_view( $uri, $context, $atts, $content = null ) {
		$context = $this->prepare_context( $context, $atts );

		return $this->view_builder
			->create( $uri )
			->render(
				array_merge(
					(array) $context,
					(array) $atts,
					(array) $content
				)
			);
	}

	/**
	 * Do additional preparations on the context before rendering.
	 *
	 * @param array $context Context to prepare.
	 * @param array $atts    Array of attributes passed to the shortcode.
	 * @return array Prepared context.
	 */
	protected function prepare_context( array $context, array $atts ): array {

		return $context;
	}

	/**
	 * Get the name of the view to render.
	 *
	 * @since 0.2.6
	 *
	 * @return string Name of the view to render.
	 */
	protected function get_view() {
		if ( ! $this->hasConfigKey( 'view' ) ) {
			return '';
		}
		$view = $this->getConfigKey( 'view' );

		return $view;
	}

	/**
	 * Execute this shortcode directly from code.
	 *
	 * @since 0.2.4
	 *
	 * @param array       $atts    Array of attributes to pass to the shortcode.
	 * @param string|null $content Inner content to pass to the shortcode.
	 * @return string|false Rendered HTML.
	 */
	public function do_this( array $atts = [ ], $content = null ) {
		return \BrightNucleus\Shortcode\do_tag( $this->get_tag(), $atts, $content );
	}
}


1			<?php
2			/**
3			* Bright Nucleus Shortcode Component.
4			*
5			* @package BrightNucleus\Shortcode
6			* @author Alain Schlesser <[email protected]>
7			* @license MIT
8			* @link http://www.brightnucleus.com/
9			* @copyright 2015-2016 Alain Schlesser, Bright Nucleus
10			*/
11
12			namespace BrightNucleus\Shortcode;
13
14			use BrightNucleus\Config\ConfigInterface as Config;
15			use BrightNucleus\Shortcode\ShortcodeAttsParserInterface as ShortcodeAttsParser;
			0 ignored issues – show Bug introduced 2019-01-04 14:40 UTC by Report Bug Copy Issue Report Show Similar Issues like this This use statement conflicts with another class in this namespace, `BrightNucleus\Shortcode\ShortcodeAttsParser`. Let’s assume that you have a directory layout like this: . \|-- OtherDir \| \|-- Bar.php \| `-- Foo.php `-- SomeDir `-- Foo.php and let’s assume the following content of `Bar.php`: // Bar.php namespace OtherDir; use SomeDir\Foo; // This now conflicts the class OtherDir\Foo If both files `OtherDir/Foo.php` and `SomeDir/Foo.php` are loaded in the same runtime, you will see a PHP error such as the following: PHP Fatal error: Cannot use SomeDir\Foo as Foo because the name is already in use in OtherDir/Foo.php However, as `OtherDir/Foo.php` does not necessarily have to be loaded and the error is only triggered if it is loaded before `OtherDir/Bar.php`, this problem might go unnoticed for a while. In order to prevent this error from surfacing, you must import the namespace with a different alias: // Bar.php namespace OtherDir; use SomeDir\Foo as SomeDirFoo; // There is no conflict anymore. Loading history...
16			use BrightNucleus\Config\ConfigTrait;
17			use BrightNucleus\Dependency\DependencyManagerInterface as DependencyManager;
18			use BrightNucleus\Exception\DomainException;
19			use BrightNucleus\Exception\RuntimeException;
20			use BrightNucleus\View\ViewBuilder;
21			use BrightNucleus\Views;
22
23			/**
24			* Base Implementation of the Shortcode Interface.
25			*
26			* This is a basic implementation of the Shortcode Interface that registers one
27			* view and passes all attributes unfiltered to that view.
28			*
29			* @since 0.1.0
30			*
31			* @package BrightNucleus\Shortcode
32			* @author Alain Schlesser <[email protected]>
33			*/
34			class Shortcode implements ShortcodeInterface {
35
36			use ConfigTrait;
37			use CheckNeedTrait;
38
39			/**
40			* Name of the shortcode handler.
41			*
42			* @since 0.1.0
43			*
44			* @var string
45			*/
46			protected $shortcode_tag;
47
48			/**
49			* Parser to parse and validate the shortcode's attributes.
50			*
51			* @since 0.1.0
52			*
53			* @var ShortcodeAttsParserInterface
54			*/
55			protected $atts_parser;
56
57			/**
58			* Dependencies of the shortcode.
59			*
60			* @since 0.1.0
61			*
62			* @var DependencyManager
63			*/
64			protected $dependencies;
65
66			/**
67			* View builder instance to use for creating views to render.
68			*
69			* @since 0.4.0
70			*
71			* @var ViewBuilder
72			*/
73			protected $view_builder;
74
75			/**
76			* Cache context information so we can pass it on to the render() method.
77			*
78			* @var
79			*
80			* @since 0.2.3
81			*/
82			protected $context = [];
83
84			/**
85			* Instantiate Basic Shortcode.
86			*
87			* @since 0.1.0
88			* @since 0.4.0 Added optional $view_builder argument.
89			*
90			* @param string $shortcode_tag Tag that identifies the
91			* shortcode.
92			* @param Config $config Configuration settings.
93			* @param ShortcodeAttsParser $atts_parser Attributes parser and
94			* validator.
95			* @param DependencyManager\|null $dependencies Optional. Dependencies of
96			* the shortcode.
97			* @param ViewBuilder\|null $view_builder Optional. View builder
98			* instance to use.
99			* @throws RuntimeException If the config could not be processed.
100			*/
101			public function __construct(
102			$shortcode_tag,
103			Config $config,
104			ShortcodeAttsParser $atts_parser,
105			DependencyManager $dependencies = null,
106			ViewBuilder $view_builder = null
107			) {
108
109			$this->processConfig( $config );
110
111			$this->shortcode_tag = $shortcode_tag;
112			$this->atts_parser = $atts_parser;
113			$this->dependencies = $dependencies;
114			$this->view_builder = $view_builder ?? Views::getViewBuilder();
115			}
116
117			/**
118			* Register the shortcode handler function with WordPress.
119			*
120			* @since 0.1.0
121			*
122			* @param mixed $context Optional. Arguments to pass on to the Registrable.
123			* @return void
124			*/
125			public function register( $context = null ) {
126			if ( null !== $context ) {
127			$this->add_context( $context );
128			}
129
130			if ( ! $this->is_needed( $this->context ) ) {
131			return;
132			}
133
134			\add_shortcode( $this->get_tag(), [ $this, 'render' ] );
135			}
136
137			/**
138			* Add additional context to the shortcode.
139			*
140			* This can be used to pass more data to the view to be rendered.
141			*
142			* This is especially useful for additional preparation through a DI.
143			*
144			* @param array $context Associative array of context information to add.
145			*/
146			public function add_context( $context ) {
147			$this->context = array_filter(
148			array_merge( (array) $this->context, (array) $context )
149			);
150			}
151
152			/**
153			* Get the shortcode tag.
154			*
155			* @since 0.1.0
156			*
157			* @return string Shortcode tag.
158			*/
159			public function get_tag() {
160			return (string) $this->shortcode_tag;
161			}
162
163			/**
164			* Render the shortcode.
165			*
166			* @since 0.1.0
167			*
168			* @throws DomainException
169			*
170			* @param array $atts Attributes to modify the standard behavior
171			* of the shortcode.
172			* @param string\|null $content Optional. Content between enclosing
173			* shortcodes.
174			* @param string\|null $tag Optional. The tag of the shortcode to
175			* render. Ignored by current code.
176			* @return string The shortcode's HTML output.
177			*/
178			public function render( $atts, $content = null, $tag = null ) {
179			$atts = $this->atts_parser->parse_atts( $atts, $this->get_tag() );
180			$this->enqueue_dependencies( $this->get_dependency_handles(), $atts );
181
182			return $this->render_view(
183			$this->get_view(),
184			$this->context,
185			$atts,
186			$content
187			);
188			}
189
190			/**
191			* Enqueue the dependencies that the shortcode needs.
192			*
193			* @since 0.2.9
194			*
195			* @param array $handles Array of dependency handles to enqueue.
196			* @param mixed $context Optional. Context in which to enqueue.
197			*/
198			protected function enqueue_dependencies( $handles, $context = null ) {
199			if ( null !== $context ) {
200			$this->add_context( $context );
201			}
202
203			if ( ! $this->dependencies \|\| count( $handles ) < 1 ) {
204			return;
205			}
206
207			foreach ( $handles as $handle ) {
208			$found = $this->dependencies->enqueue_handle(
209			$handle,
210			$this->context,
211			true
212			);
213			if ( ! $found ) {
214			$message = sprintf(
215			__( 'Could not enqueue dependency "%1$s" for shortcode "%2$s".',
216			'bn-shortcodes' ),
217			$handle,
218			$this->get_tag()
219			);
220			trigger_error( $message, E_USER_WARNING );
221			}
222			}
223
224			}
225
226			/**
227			* Get an array of dependency handles for the current shortcode.
228			*
229			* @since 0.2.7
230			*
231			* @return array Array of strings that are registered dependency handles.
232			*/
233			protected function get_dependency_handles() {
234			if ( ! $this->hasConfigKey( 'dependencies' ) ) {
235			return [ ];
236			}
237			return (array) $this->getConfigKey( 'dependencies' );
238			}
239
240			/**
241			* Get the rendered HTML for a given view.
242			*
243			* @since 0.2.6
244			*
245			* @param string $uri URI of the view to render.
246			* @param mixed $context The context to pass through to the view.
247			* @param array $atts The shortcode attribute values to pass
248			* through to the view.
249			* @param string\|null $content Optional. The inner content of the shortcode.
250			* @return string HTML rendering of the view.
251			*/
252			protected function render_view( $uri, $context, $atts, $content = null ) {
253			$context = $this->prepare_context( $context, $atts );
254
255			return $this->view_builder
256			->create( $uri )
257			->render(
258			array_merge(
259			(array) $context,
260			(array) $atts,
261			(array) $content
262			)
263			);
264			}
265
266			/**
267			* Do additional preparations on the context before rendering.
268			*
269			* @param array $context Context to prepare.
270			* @param array $atts Array of attributes passed to the shortcode.
271			* @return array Prepared context.
272			*/
273			protected function prepare_context( array $context, array $atts ): array {
			0 ignored issues – show Unused Code introduced 2019-01-18 00:59 UTC by Report Bug Copy Issue Report Show Similar Issues like this The parameter `$atts` is not used and could be removed. This check looks from parameters that have been defined for a function or method, but which are not used in the method body. Loading history...
274			return $context;
275			}
276
277			/**
278			* Get the name of the view to render.
279			*
280			* @since 0.2.6
281			*
282			* @return string Name of the view to render.
283			*/
284			protected function get_view() {
285			if ( ! $this->hasConfigKey( 'view' ) ) {
286			return '';
287			}
288			$view = $this->getConfigKey( 'view' );
289
290			return $view;
291			}
292
293			/**
294			* Execute this shortcode directly from code.
295			*
296			* @since 0.2.4
297			*
298			* @param array $atts Array of attributes to pass to the shortcode.
299			* @param string\|null $content Inner content to pass to the shortcode.
300			* @return string\|false Rendered HTML.
301			*/
302			public function do_this( array $atts = [ ], $content = null ) {
303			return \BrightNucleus\Shortcode\do_tag( $this->get_tag(), $atts, $content );
304			}
305			}
306

brightnucleus / shortcodes

Issues (5)

Security Analysis no request data

src/Shortcode.php (2 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like