Issues in SampleController.php (master) - Issues in master - canax/controller - Measure and Improve Code Quality continuously with Scrutinizer

Issues (11)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Controller/SampleController.php (3 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace Anax\Controller;

use Anax\Commons\ContainerInjectableInterface;
use Anax\Commons\ContainerInjectableTrait;

// use Anax\Route\Exception\ForbiddenException;
// use Anax\Route\Exception\NotFoundException;
// use Anax\Route\Exception\InternalErrorException;

/**
 * A sample controller to show how a controller class can be implemented.
 * The controller will be injected with $di if implementing the interface
 * ContainerInjectableInterface, like this sample class does.
 * The controller is mounted on a particular route and can then handle all
 * requests for that mount point.
 *
 * @SuppressWarnings(PHPMD.TooManyPublicMethods)
 */
class SampleController implements ContainerInjectableInterface

{
    use ContainerInjectableTrait;



    /**
     * @var string $db a sample member variable that gets initialised
     */
    private $db = "not active";



    /**
     * The initialize method is optional and will always be called before the
     * target method/action. This is a convienient method where you could
     * setup internal properties that are commonly used by several methods.
     *
     * @return void
     */
    public function initialize() : void
    {
        // Use to initialise member variables.
        $this->db = "active";
    }



    /**
     * This is the index method action, it handles:
     * ANY METHOD mountpoint
     * ANY METHOD mountpoint/
     * ANY METHOD mountpoint/index
     *
     * @return string
     */
    public function indexAction() : string
    {
        // Deal with the action and return a response.
        return __METHOD__ . ", \$db is {$this->db}";
    }



    /**
     * This sample method dumps the content of $di.
     * GET mountpoint/dump-app
     *
     * @return string
     */
    public function dumpDiActionGet() : string
    {
        // Deal with the action and return a response.
        $services = implode(", ", $this->di->getServices());
        return __METHOD__ . "<p>\$di contains: $services";
    }



    /**
     * Add the request method to the method name to limit what request methods
     * the handler supports.
     * GET mountpoint/info
     *
     * @return string
     */
    public function infoActionGet() : string
    {
        // Deal with the action and return a response.
        return __METHOD__ . ", \$db is {$this->db}";
    }



    /**
     * This sample method action it the handler for route:
     * GET mountpoint/create
     *
     * @return string
     */
    public function createActionGet() : string
    {
        // Deal with the action and return a response.
        return __METHOD__ . ", \$db is {$this->db}";
    }



    /**
     * This sample method action it the handler for route:
     * POST mountpoint/create
     *
     * @return string
     */
    public function createActionPost() : string
    {
        // Deal with the action and return a response.
        return __METHOD__ . ", \$db is {$this->db}";
    }



    /**
     * This sample method action takes one argument:
     * GET mountpoint/argument/<value>
     *
     * @param mixed $value
     *
     * @return string
     */
    public function argumentActionGet($value) : string
    {
        // Deal with the action and return a response.
        return __METHOD__ . ", \$db is {$this->db}, got argument '$value'";
    }



    /**
     * This sample method action takes zero or one argument and you can use - as a separator which will then be removed:
     * GET mountpoint/defaultargument/
     * GET mountpoint/defaultargument/<value>
     * GET mountpoint/default-argument/
     * GET mountpoint/default-argument/<value>
     *
     * @param mixed $value with a default string.
     *
     * @return string
     */
    public function defaultArgumentActionGet($value = "default") : string
    {
        // Deal with the action and return a response.
        return __METHOD__ . ", \$db is {$this->db}, got argument '$value'";
    }



    /**
     * This sample method action takes two typed arguments:
     * GET mountpoint/typed-argument/<string>/<int>
     *
     * NOTE. Its recommended to not use int as type since it will still
     * accept numbers such as 2hundred givving a PHP NOTICE. So, its better to
     * deal with type check within the action method and throuw exceptions
     * when the expected type is not met.
     *
     * @param mixed $value with a default string.
/**
 * @param array $germany
 * @param array $island
 * @param array $italy
 */
function finale($germany, $island) {
    return "2:1";
}
     *
     * @return string
     */
    public function typedArgumentActionGet(string $str, int $int) : string
    {
        // Deal with the action and return a response.
        return __METHOD__ . ", \$db is {$this->db}, got string argument '$str' and int argument '$int'.";
    }



    /**
     * This sample method action takes a variadic list of arguments:
     * GET mountpoint/variadic/
     * GET mountpoint/variadic/<value>
     * GET mountpoint/variadic/<value>/<value>
     * GET mountpoint/variadic/<value>/<value>/<value>
     * etc.
     *
     * @param array $value as a variadic parameter.
     *
     * @return string
     */
    public function variadicActionGet(...$value) : string
    {
        // Deal with the action and return a response.
        return __METHOD__ . ", \$db is {$this->db}, got '" . count($value) . "' arguments: " . implode(", ", $value);
    }



    /**
     * Adding an optional catchAll() method will catch all actions sent to the
     * router. You can then reply with an actual response or return void to
     * allow for the router to move on to next handler.
     * A catchAll() handles the following, if a specific action method is not
     * created:
     * ANY METHOD mountpoint/**
     *
     * @param array $args as a variadic parameter.
     *
     * @return mixed
     *
     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
     */
    public function catchAll(...$args)

    {
        // Deal with the request and send an actual response, or not.
        //return __METHOD__ . ", \$db is {$this->db}, got '" . count($args) . "' arguments: " . implode(", ", $args);
        return;
    }
}


1		<?php
2
3		namespace Anax\Controller;
4
5		use Anax\Commons\ContainerInjectableInterface;
6		use Anax\Commons\ContainerInjectableTrait;
7
8		// use Anax\Route\Exception\ForbiddenException;
9		// use Anax\Route\Exception\NotFoundException;
10		// use Anax\Route\Exception\InternalErrorException;
11
12		/**
13		* A sample controller to show how a controller class can be implemented.
14		* The controller will be injected with $di if implementing the interface
15		* ContainerInjectableInterface, like this sample class does.
16		* The controller is mounted on a particular route and can then handle all
17		* requests for that mount point.
18		*
19		* @SuppressWarnings(PHPMD.TooManyPublicMethods)
20		*/
21	View Code Duplication	class SampleController implements ContainerInjectableInterface
		0 ignored issues – show Duplication introduced 2018-09-25 17:31 UTC by Report Bug Copy Issue Report Show Similar Issues like this This class seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
22		{
23		use ContainerInjectableTrait;
24
25
26
27		/**
28		* @var string $db a sample member variable that gets initialised
29		*/
30		private $db = "not active";
31
32
33
34		/**
35		* The initialize method is optional and will always be called before the
36		* target method/action. This is a convienient method where you could
37		* setup internal properties that are commonly used by several methods.
38		*
39		* @return void
40		*/
41		public function initialize() : void
42		{
43		// Use to initialise member variables.
44		$this->db = "active";
45		}
46
47
48
49		/**
50		* This is the index method action, it handles:
51		* ANY METHOD mountpoint
52		* ANY METHOD mountpoint/
53		* ANY METHOD mountpoint/index
54		*
55		* @return string
56		*/
57		public function indexAction() : string
58		{
59		// Deal with the action and return a response.
60		return __METHOD__ . ", \$db is {$this->db}";
61		}
62
63
64
65		/**
66		* This sample method dumps the content of $di.
67		* GET mountpoint/dump-app
68		*
69		* @return string
70		*/
71		public function dumpDiActionGet() : string
72		{
73		// Deal with the action and return a response.
74		$services = implode(", ", $this->di->getServices());
75		return __METHOD__ . "<p>\$di contains: $services";
76		}
77
78
79
80		/**
81		* Add the request method to the method name to limit what request methods
82		* the handler supports.
83		* GET mountpoint/info
84		*
85		* @return string
86		*/
87		public function infoActionGet() : string
88		{
89		// Deal with the action and return a response.
90		return __METHOD__ . ", \$db is {$this->db}";
91		}
92
93
94
95		/**
96		* This sample method action it the handler for route:
97		* GET mountpoint/create
98		*
99		* @return string
100		*/
101		public function createActionGet() : string
102		{
103		// Deal with the action and return a response.
104		return __METHOD__ . ", \$db is {$this->db}";
105		}
106
107
108
109		/**
110		* This sample method action it the handler for route:
111		* POST mountpoint/create
112		*
113		* @return string
114		*/
115		public function createActionPost() : string
116		{
117		// Deal with the action and return a response.
118		return __METHOD__ . ", \$db is {$this->db}";
119		}
120
121
122
123		/**
124		* This sample method action takes one argument:
125		* GET mountpoint/argument/<value>
126		*
127		* @param mixed $value
128		*
129		* @return string
130		*/
131		public function argumentActionGet($value) : string
132		{
133		// Deal with the action and return a response.
134		return __METHOD__ . ", \$db is {$this->db}, got argument '$value'";
135		}
136
137
138
139		/**
140		* This sample method action takes zero or one argument and you can use - as a separator which will then be removed:
141		* GET mountpoint/defaultargument/
142		* GET mountpoint/defaultargument/<value>
143		* GET mountpoint/default-argument/
144		* GET mountpoint/default-argument/<value>
145		*
146		* @param mixed $value with a default string.
147		*
148		* @return string
149		*/
150		public function defaultArgumentActionGet($value = "default") : string
151		{
152		// Deal with the action and return a response.
153		return __METHOD__ . ", \$db is {$this->db}, got argument '$value'";
154		}
155
156
157
158		/**
159		* This sample method action takes two typed arguments:
160		* GET mountpoint/typed-argument/<string>/<int>
161		*
162		* NOTE. Its recommended to not use int as type since it will still
163		* accept numbers such as 2hundred givving a PHP NOTICE. So, its better to
164		* deal with type check within the action method and throuw exceptions
165		* when the expected type is not met.
166		*
167		* @param mixed $value with a default string.
		0 ignored issues – show Bug introduced 2018-09-25 17:31 UTC by Report Bug Copy Issue Report Show Similar Issues like this There is no parameter named `$value`. Was it maybe removed? This check looks for PHPDoc comments describing methods or function parameters that do not exist on the corresponding method or function. Consider the following example. The parameter `$italy` is not defined by the method `finale(...)`. /** * @param array $germany * @param array $island * @param array $italy */ function finale($germany, $island) { return "2:1"; } The most likely cause is that the parameter was removed, but the annotation was not. Loading history...
168		*
169		* @return string
170		*/
171		public function typedArgumentActionGet(string $str, int $int) : string
172		{
173		// Deal with the action and return a response.
174		return __METHOD__ . ", \$db is {$this->db}, got string argument '$str' and int argument '$int'.";
175		}
176
177
178
179		/**
180		* This sample method action takes a variadic list of arguments:
181		* GET mountpoint/variadic/
182		* GET mountpoint/variadic/<value>
183		* GET mountpoint/variadic/<value>/<value>
184		* GET mountpoint/variadic/<value>/<value>/<value>
185		* etc.
186		*
187		* @param array $value as a variadic parameter.
188		*
189		* @return string
190		*/
191		public function variadicActionGet(...$value) : string
192		{
193		// Deal with the action and return a response.
194		return __METHOD__ . ", \$db is {$this->db}, got '" . count($value) . "' arguments: " . implode(", ", $value);
195		}
196
197
198
199		/**
200		* Adding an optional catchAll() method will catch all actions sent to the
201		* router. You can then reply with an actual response or return void to
202		* allow for the router to move on to next handler.
203		* A catchAll() handles the following, if a specific action method is not
204		* created:
205		* ANY METHOD mountpoint/**
206		*
207		* @param array $args as a variadic parameter.
208		*
209		* @return mixed
210		*
211		* @SuppressWarnings(PHPMD.UnusedFormalParameter)
212		*/
213		public function catchAll(...$args)
		0 ignored issues – show Unused Code introduced 2018-11-05 11:26 UTC by Report Bug Copy Issue Report Show Similar Issues like this The parameter `$args` is not used and could be removed. This check looks from parameters that have been defined for a function or method, but which are not used in the method body. Loading history...
214		{
215		// Deal with the request and send an actual response, or not.
216		//return __METHOD__ . ", \$db is {$this->db}, got '" . count($args) . "' arguments: " . implode(", ", $args);
217		return;
218		}
219		}
220

canax / controller

Issues (11)

Security Analysis no request data

src/Controller/SampleController.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like