Issues in TemplatedShortcode.php (master) - Issues in master - brightnucleus/shortcodes - Measure and Improve Code Quality continuously with Scrutinizer

Issues (5)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/TemplatedShortcode.php (1 issue)

Labels

Bug 1

Severity

Major 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * Bright Nucleus Shortcode Component.
 *
 * @package   BrightNucleus\Shortcode
 * @author    Alain Schlesser <[email protected]>
 * @license   MIT
 * @link      http://www.brightnucleus.com/
 * @copyright 2015-2016 Alain Schlesser, Bright Nucleus
 */

namespace BrightNucleus\Shortcode;

use BrightNucleus\Config\ConfigInterface as Config;
use BrightNucleus\Shortcode\ShortcodeAttsParserInterface as ShortcodeAttsParser;
.
|-- OtherDir
|   |-- Bar.php
|   `-- Foo.php
`-- SomeDir
    `-- Foo.php
use BrightNucleus\Dependency\DependencyManagerInterface as DependencyManager;
use BrightNucleus\Exception\RuntimeException;
use Gamajo_Template_Loader;

/**
 * Templated Implementation of the Shortcode Interface.
 *
 * This version of the Shortcode
 *
 * @since   0.2.6
 *
 * @package BrightNucleus\Shortcode
 * @author  Alain Schlesser <[email protected]>
 */
class TemplatedShortcode extends Shortcode {

	/**
	 * Template loader that allows a theme to override the shortcode's views.
	 *
	 * @var Gamajo_Template_Loader|null
	 */
	protected $template_loader;

	/**
	 * Instantiate Basic Shortcode.
	 *
	 * @since 0.2.6
	 *
	 * @param string                 $shortcode_tag Tag that identifies the
	 *                                              shortcode.
	 * @param Config                 $config        Configuration settings.
	 * @param ShortcodeAttsParser    $atts_parser   Attributes parser and
	 *                                              validator.
	 * @param DependencyManager|null $dependencies  Optional. Dependencies of
	 *                                              the shortcode.
	 * @throws RuntimeException If the config could not be processed.
	 */
	public function __construct(
		$shortcode_tag,
		Config $config,
		ShortcodeAttsParser $atts_parser,
		DependencyManager $dependencies = null
	) {

		parent::__construct(
			$shortcode_tag,
			$config,
			$atts_parser,
			$dependencies
		);

		$this->template_loader = $this->init_template_loader();
	}

	/**
	 * Initialize the template loader class.
	 *
	 * @since 0.2.6
	 *
	 * @return Gamajo_Template_Loader
	 */
	public function init_template_loader() {
		$loader_class  = $this->hasConfigKey( 'template', 'custom_loader' )
			? $this->getConfigKey( 'template', 'custom_loader' )
			: $this->get_default_template_loader_class();
		$filter_prefix = $this->hasConfigKey( 'template', 'filter_prefix' )
			? $this->getConfigKey( 'template', 'filter_prefix' )
			: $this->get_default_filter_prefix();
		$template_dir  = $this->hasConfigKey( 'template', 'template_directory' )
			? $this->getConfigKey( 'template', 'template_directory' )
			: $this->get_default_template_directory();
		$view_dir      = $this->hasConfigKey( 'view' )
			? $this->get_directory_from_view( $this->getConfigKey( 'view' ) )
			: $this->get_default_view_directory();

		return new $loader_class(
			$filter_prefix,
			$template_dir,
			$view_dir
		);
	}

	/**
	 * Get the default template loader class that is used when none is defined
	 * in the config file.
	 *
	 * @since 0.2.6
	 *
	 * @return string The default template laoder class to use.
	 */
	protected function get_default_template_loader_class() {
		return 'BrightNucleus\Shortcode\ShortcodeTemplateLoader';
	}

	/**
	 * Get the default filter prefix that is used when none is defined in the
	 * config file.
	 *
	 * Defaults to 'bn_shortcode.'.
	 *
	 * @since 0.2.6
	 *
	 * @return string Default filter prefix to use.
	 */
	protected function get_default_filter_prefix() {
		return 'bn_shortcode';
	}

	/**
	 * Get the default template directory that is used when none is defined in
	 * the config file.
	 *
	 * Defaults to 'bn_shortcode'.
	 *
	 * @since 0.2.6
	 *
	 * @return string Default template directory to use.
	 */
	protected function get_default_template_directory() {
		return 'bn_shortcode';
	}

	/**
	 * Get the directory for a given view file.
	 *
	 * @since 0.2.6
	 *
	 * @param string $view View file to extract the directory from.
	 * @return string Directory that contains the given view.
	 */
	protected function get_directory_from_view( $view ) {
		return dirname( $view );
	}

	/**
	 * Get the default view directory that is used when none is defined in the
	 * config file.
	 *
	 * Defaults to 'views/shortcodes'. Will probably need to be changed into an
	 * absolute path if the shortcodes package is pulled in through Composer.
	 *
	 * @since 0.2.6
	 *
	 * @return string Default view directory to use.
	 */
	protected function get_default_view_directory() {
		return 'views/shortcodes';
	}

	/**
	 * Get the rendered HTML for a given view.
	 *
	 * @since 0.2.6
	 *
	 * @param string      $view    The view to render.
	 * @param mixed       $context The context to pass through to the view.
	 * @param array       $atts    The shortcode attribute values to pass
	 *                             through to the view.
	 * @param string|null $content Optional. The inner content of the shortcode.
	 * @return string HTML rendering of the view.
	 */
	protected function render_view( $view, $context, $atts, $content = null ) {
		if ( empty( $view ) ) {
			return '';
		}

		$view = $this->get_view_slug( $view );

		$this->template_loader->set_template_data( (array) $context, 'context' );

		ob_start();
		$this->template_loader->get_template_part( $view );
		return ob_get_clean();
	}

	/**
	 * Get the slug for a given view.
	 *
	 * @since 0.2.6
	 *
	 * @param string $view The view to get the slug for.
	 * @return string Slug that can be passed into `get_template_part()`.
	 */
	protected function get_view_slug( $view ) {
		return $this->maybe_strip_extension( basename( $view ) );
	}

	/**
	 * Strip the extension for a given view filename if it includes an
	 * extension.
	 *
	 * @since 0.2.6
	 *
	 * @param string $view The view that maybe needs its extension stripped.
	 * @return string Extension-less view.
	 */
	protected function maybe_strip_extension( $view ) {
		return pathinfo( $view, PATHINFO_FILENAME );
	}
}


1			<?php
2			/**
3			* Bright Nucleus Shortcode Component.
4			*
5			* @package BrightNucleus\Shortcode
6			* @author Alain Schlesser <[email protected]>
7			* @license MIT
8			* @link http://www.brightnucleus.com/
9			* @copyright 2015-2016 Alain Schlesser, Bright Nucleus
10			*/
11
12			namespace BrightNucleus\Shortcode;
13
14			use BrightNucleus\Config\ConfigInterface as Config;
15			use BrightNucleus\Shortcode\ShortcodeAttsParserInterface as ShortcodeAttsParser;
			0 ignored issues – show Bug introduced 2019-01-04 14:40 UTC by Report Bug Copy Issue Report Show Similar Issues like this This use statement conflicts with another class in this namespace, `BrightNucleus\Shortcode\ShortcodeAttsParser`. Let’s assume that you have a directory layout like this: . \|-- OtherDir \| \|-- Bar.php \| `-- Foo.php `-- SomeDir `-- Foo.php and let’s assume the following content of `Bar.php`: // Bar.php namespace OtherDir; use SomeDir\Foo; // This now conflicts the class OtherDir\Foo If both files `OtherDir/Foo.php` and `SomeDir/Foo.php` are loaded in the same runtime, you will see a PHP error such as the following: PHP Fatal error: Cannot use SomeDir\Foo as Foo because the name is already in use in OtherDir/Foo.php However, as `OtherDir/Foo.php` does not necessarily have to be loaded and the error is only triggered if it is loaded before `OtherDir/Bar.php`, this problem might go unnoticed for a while. In order to prevent this error from surfacing, you must import the namespace with a different alias: // Bar.php namespace OtherDir; use SomeDir\Foo as SomeDirFoo; // There is no conflict anymore. Loading history...
16			use BrightNucleus\Dependency\DependencyManagerInterface as DependencyManager;
17			use BrightNucleus\Exception\RuntimeException;
18			use Gamajo_Template_Loader;
19
20			/**
21			* Templated Implementation of the Shortcode Interface.
22			*
23			* This version of the Shortcode
24			*
25			* @since 0.2.6
26			*
27			* @package BrightNucleus\Shortcode
28			* @author Alain Schlesser <[email protected]>
29			*/
30			class TemplatedShortcode extends Shortcode {
31
32			/**
33			* Template loader that allows a theme to override the shortcode's views.
34			*
35			* @var Gamajo_Template_Loader\|null
36			*/
37			protected $template_loader;
38
39			/**
40			* Instantiate Basic Shortcode.
41			*
42			* @since 0.2.6
43			*
44			* @param string $shortcode_tag Tag that identifies the
45			* shortcode.
46			* @param Config $config Configuration settings.
47			* @param ShortcodeAttsParser $atts_parser Attributes parser and
48			* validator.
49			* @param DependencyManager\|null $dependencies Optional. Dependencies of
50			* the shortcode.
51			* @throws RuntimeException If the config could not be processed.
52			*/
53			public function __construct(
54			$shortcode_tag,
55			Config $config,
56			ShortcodeAttsParser $atts_parser,
57			DependencyManager $dependencies = null
58			) {
59
60			parent::__construct(
61			$shortcode_tag,
62			$config,
63			$atts_parser,
64			$dependencies
65			);
66
67			$this->template_loader = $this->init_template_loader();
68			}
69
70			/**
71			* Initialize the template loader class.
72			*
73			* @since 0.2.6
74			*
75			* @return Gamajo_Template_Loader
76			*/
77			public function init_template_loader() {
78			$loader_class = $this->hasConfigKey( 'template', 'custom_loader' )
79			? $this->getConfigKey( 'template', 'custom_loader' )
80			: $this->get_default_template_loader_class();
81			$filter_prefix = $this->hasConfigKey( 'template', 'filter_prefix' )
82			? $this->getConfigKey( 'template', 'filter_prefix' )
83			: $this->get_default_filter_prefix();
84			$template_dir = $this->hasConfigKey( 'template', 'template_directory' )
85			? $this->getConfigKey( 'template', 'template_directory' )
86			: $this->get_default_template_directory();
87			$view_dir = $this->hasConfigKey( 'view' )
88			? $this->get_directory_from_view( $this->getConfigKey( 'view' ) )
89			: $this->get_default_view_directory();
90
91			return new $loader_class(
92			$filter_prefix,
93			$template_dir,
94			$view_dir
95			);
96			}
97
98			/**
99			* Get the default template loader class that is used when none is defined
100			* in the config file.
101			*
102			* @since 0.2.6
103			*
104			* @return string The default template laoder class to use.
105			*/
106			protected function get_default_template_loader_class() {
107			return 'BrightNucleus\Shortcode\ShortcodeTemplateLoader';
108			}
109
110			/**
111			* Get the default filter prefix that is used when none is defined in the
112			* config file.
113			*
114			* Defaults to 'bn_shortcode.'.
115			*
116			* @since 0.2.6
117			*
118			* @return string Default filter prefix to use.
119			*/
120			protected function get_default_filter_prefix() {
121			return 'bn_shortcode';
122			}
123
124			/**
125			* Get the default template directory that is used when none is defined in
126			* the config file.
127			*
128			* Defaults to 'bn_shortcode'.
129			*
130			* @since 0.2.6
131			*
132			* @return string Default template directory to use.
133			*/
134			protected function get_default_template_directory() {
135			return 'bn_shortcode';
136			}
137
138			/**
139			* Get the directory for a given view file.
140			*
141			* @since 0.2.6
142			*
143			* @param string $view View file to extract the directory from.
144			* @return string Directory that contains the given view.
145			*/
146			protected function get_directory_from_view( $view ) {
147			return dirname( $view );
148			}
149
150			/**
151			* Get the default view directory that is used when none is defined in the
152			* config file.
153			*
154			* Defaults to 'views/shortcodes'. Will probably need to be changed into an
155			* absolute path if the shortcodes package is pulled in through Composer.
156			*
157			* @since 0.2.6
158			*
159			* @return string Default view directory to use.
160			*/
161			protected function get_default_view_directory() {
162			return 'views/shortcodes';
163			}
164
165			/**
166			* Get the rendered HTML for a given view.
167			*
168			* @since 0.2.6
169			*
170			* @param string $view The view to render.
171			* @param mixed $context The context to pass through to the view.
172			* @param array $atts The shortcode attribute values to pass
173			* through to the view.
174			* @param string\|null $content Optional. The inner content of the shortcode.
175			* @return string HTML rendering of the view.
176			*/
177			protected function render_view( $view, $context, $atts, $content = null ) {
178			if ( empty( $view ) ) {
179			return '';
180			}
181
182			$view = $this->get_view_slug( $view );
183
184			$this->template_loader->set_template_data( (array) $context, 'context' );
185
186			ob_start();
187			$this->template_loader->get_template_part( $view );
188			return ob_get_clean();
189			}
190
191			/**
192			* Get the slug for a given view.
193			*
194			* @since 0.2.6
195			*
196			* @param string $view The view to get the slug for.
197			* @return string Slug that can be passed into `get_template_part()`.
198			*/
199			protected function get_view_slug( $view ) {
200			return $this->maybe_strip_extension( basename( $view ) );
201			}
202
203			/**
204			* Strip the extension for a given view filename if it includes an
205			* extension.
206			*
207			* @since 0.2.6
208			*
209			* @param string $view The view that maybe needs its extension stripped.
210			* @return string Extension-less view.
211			*/
212			protected function maybe_strip_extension( $view ) {
213			return pathinfo( $view, PATHINFO_FILENAME );
214			}
215			}
216

brightnucleus / shortcodes

Issues (5)

Security Analysis no request data

src/TemplatedShortcode.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like