Issues in Process.php (master) - Issues in master - clansman-nl/scheduling - Measure and Improve Code Quality continuously with Scrutinizer

Issues (13)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Event/Process.php (4 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace Basebuilder\Scheduling\Event;

use Symfony\Component\Process\Process as OsProcess;
use Symfony\Component\Process\ProcessUtils;
use Webmozart\Assert\Assert;

class Process extends BaseEvent
{
    /**
     * The command to run.
     * @var string
     */
    protected $command;

    /**
     * The working directory.
     * @var string
     */
    protected $cwd;

    /**
     * The user the command should run as.
     * @var string
     */
    protected $user;

    /**
     * Indicates if the command should not overlap itself.
     * @var bool
     */
    protected $mutuallyExclusive = false;

    /**
     * Indicates if the command should run in background.
     * @var bool
     */
    protected $runInBackground = true;

    /**
     * The location that output should be sent to.
     * @var string
     */
    protected $output = '/dev/null';

    /**
     * The location of error output
     * @var string
     */
    protected $errorOutput = '/dev/null';

    /**
     * Indicates whether output should be appended or added (> vs >>)
     * @var bool
     */
    protected $shouldAppendOutput = true;

    public function __construct(/* string */ $command)
    {
        Assert::stringNotEmpty($command);

        $this->command = $command;
    }

    /**
     * @return string
     */
    public function getCommand()
    {
        return $this->command;
    }

    /**
     * @return string
     */
    public function __toString()
    {
        return $this->getCommand();
    }

    /**
     * Build the command string.
     *
     * @return string
     */
    public function compileCommand()
    {
        $redirect    = $this->shouldAppendOutput ? '>>' : '>';
        $output      = ProcessUtils::escapeArgument($this->output);
        $errorOutput = ProcessUtils::escapeArgument($this->errorOutput);

        // e.g. 1>> /dev/null 2>> /dev/null
        $outputRedirect = ' 1' . $redirect . ' ' . $output . ' 2' . $redirect . ' ' . $errorOutput;

        $parts = [];

        if ($this->cwd) {
            $parts[] =  'cd ' . $this->cwd . ';';
        }

        if ($this->user) {
            $parts[] = 'sudo -u ' . $this->user . ' --';
        }

        $wrapped = $this->mutuallyExclusive
            ? '(touch ' . $this->getMutexPath() . '; ' . $this->command . '; rm ' . $this->getMutexPath() . ')' . $outputRedirect

            : $this->command . $outputRedirect;

        $parts[] = "sh -c '{$wrapped}'";
// Instead of
$x = "foo $bar $baz";

// Better use either
$x = "foo " . $bar . " " . $baz;
$x = sprintf("foo %s %s", $bar, $baz);

        $command = implode(' ', $parts);

        return $command;
    }

    /**
     * Run the given event.
     *
     * @return OsProcess
     */
    public function run()
    {
        foreach ($this->beforeCallbacks as $callback) {
            call_user_func($callback);
        }

        if (!$this->runInBackground) {
            $process = $this->runCommandInForeground();
        } else {
            $process = $this->runCommandInBackground();
        }

        foreach ($this->afterCallbacks as $callback) {
            call_user_func($callback);
        }

        return $process;
    }

    /**
     * Run the command in the foreground.
     *
     * @return OsProcess
     */
    protected function runCommandInForeground()
    {
        $process = new OsProcess($this->compileCommand(), $this->cwd, null, null, null);
        $process->run();

        return $process;
    }

    /**
     * Run the command in the background.
     *
     * @return OsProcess
     */
    protected function runCommandInBackground()
    {
        $process = new OsProcess($this->compileCommand(), $this->cwd, null, null, null);
        $process->start();

        return $process;
    }

    /**
     * Get the mutex path for managing concurrency
     *
     * @return string
     */
    protected function getMutexPath()
    {
        return rtrim(sys_get_temp_dir(), '/') . '/scheduled-event-' . md5($this->cwd . $this->command);
    }

    /**
     * Do not allow the event to overlap each other.
     *
     * @return $this
     */
    public function preventOverlapping()
    {
        $this->mutuallyExclusive = true;

        // Skip the event if it's locked (processing)
        $this->skip(function() {
            return $this->isLocked();
        });

        return $this;
    }

    /**
     * Tells you whether this event has been denied from mutual exclusiveness
     *
     * @return bool
     */
    protected function isLocked()
    {
        return file_exists($this->getMutexPath());
    }

    /**
     * State that the command should run in the foreground
     *
     * @return $this
     */
    public function runInForeground()
    {
        $this->runInBackground = false;

        return $this;
    }

    /**
     * State that the command should run in the background.
     *
     * @return $this
     */
    public function runInBackground()
    {
        $this->runInBackground = true;

        return $this;
    }

    /**
     * Set which user the command should run as.
     *
     * @param  string?  $user

     * @return $this
     */
    public function asUser(/* string? */ $user)
    {
        Assert::nullOrString($user);

        $this->user = $user;

        return $this;
    }

    /**
     * Change the current working directory.
     *
     * @param  string $directory
     * @return $this
     */
    public function in(/* string */ $directory)

    {
        Assert::stringNotEmpty($directory);

        $this->cwd = $directory;

        return $this;
    }

    /**
     * Whether we append or redirect output
     *
     * @param bool $switch
     * @return $this
     */
    public function appendOutput(/* boolean */ $switch = true)
    {
        Assert::boolean($switch);

        $this->shouldAppendOutput = $switch;

        return $this;
    }

    /**
     * Set the file or location where to send file descriptor 1 to
     *
     * @param string $output
     * @return $this
     */
    public function outputTo(/* string */ $output)
    {
        Assert::stringNotEmpty($output);

        $this->output = $output;

        return $this;
    }

    /**
     * Set the file or location where to send file descriptor 2 to
     *
     * @param string $output
     * @return $this
     */
    public function errorOutputTo(/* string */ $output)
    {
        Assert::stringNotEmpty($output);

        $this->errorOutput = $output;

        return $this;
    }
}


1		<?php
2
3		namespace Basebuilder\Scheduling\Event;
4
5		use Symfony\Component\Process\Process as OsProcess;
6		use Symfony\Component\Process\ProcessUtils;
7		use Webmozart\Assert\Assert;
8
9		class Process extends BaseEvent
10		{
11		/**
12		* The command to run.
13		* @var string
14		*/
15		protected $command;
16
17		/**
18		* The working directory.
19		* @var string
20		*/
21		protected $cwd;
22
23		/**
24		* The user the command should run as.
25		* @var string
26		*/
27		protected $user;
28
29		/**
30		* Indicates if the command should not overlap itself.
31		* @var bool
32		*/
33		protected $mutuallyExclusive = false;
34
35		/**
36		* Indicates if the command should run in background.
37		* @var bool
38		*/
39		protected $runInBackground = true;
40
41		/**
42		* The location that output should be sent to.
43		* @var string
44		*/
45		protected $output = '/dev/null';
46
47		/**
48		* The location of error output
49		* @var string
50		*/
51		protected $errorOutput = '/dev/null';
52
53		/**
54		* Indicates whether output should be appended or added (> vs >>)
55		* @var bool
56		*/
57		protected $shouldAppendOutput = true;
58
59	5	public function __construct(/* string */ $command)
60		{
61	5	Assert::stringNotEmpty($command);
62
63	5	$this->command = $command;
64	5	}
65
66		/**
67		* @return string
68		*/
69		public function getCommand()
70		{
71		return $this->command;
72		}
73
74		/**
75		* @return string
76		*/
77		public function __toString()
78		{
79		return $this->getCommand();
80		}
81
82		/**
83		* Build the command string.
84		*
85		* @return string
86		*/
87	5	public function compileCommand()
88		{
89	5	$redirect = $this->shouldAppendOutput ? '>>' : '>';
90	5	$output = ProcessUtils::escapeArgument($this->output);
91	5	$errorOutput = ProcessUtils::escapeArgument($this->errorOutput);
92
93		// e.g. 1>> /dev/null 2>> /dev/null
94	5	$outputRedirect = ' 1' . $redirect . ' ' . $output . ' 2' . $redirect . ' ' . $errorOutput;
95
96	5	$parts = [];
97
98	5	if ($this->cwd) {
99	1	$parts[] = 'cd ' . $this->cwd . ';';
100	1	}
101
102	5	if ($this->user) {
103	1	$parts[] = 'sudo -u ' . $this->user . ' --';
104	1	}
105
106	5	$wrapped = $this->mutuallyExclusive
107	5	? '(touch ' . $this->getMutexPath() . '; ' . $this->command . '; rm ' . $this->getMutexPath() . ')' . $outputRedirect
		0 ignored issues – show Coding Style introduced 2016-11-08 09:42 UTC by Report Bug Copy Issue Report Show Similar Issues like this This line exceeds maximum limit of 120 characters; contains 129 characters Overly long lines are hard to read on any screen. Most code styles therefor impose a maximum limit on the number of characters in a line. Loading history...
108	5	: $this->command . $outputRedirect;
109
110	5	$parts[] = "sh -c '{$wrapped}'";
		0 ignored issues – show Coding Style Best Practice introduced 2016-11-08 09:42 UTC by Report Bug Copy Issue Report Show Similar Issues like this As per coding-style, please use concatenation or `sprintf` for the variable `$wrapped` instead of interpolation. It is generally a best practice as it is often more readable to use concatenation instead of interpolation for variables inside strings. // Instead of $x = "foo $bar $baz"; // Better use either $x = "foo " . $bar . " " . $baz; $x = sprintf("foo %s %s", $bar, $baz); Loading history...
111
112	5	$command = implode(' ', $parts);
113
114	5	return $command;
115		}
116
117		/**
118		* Run the given event.
119		*
120		* @return OsProcess
121		*/
122		public function run()
123		{
124		foreach ($this->beforeCallbacks as $callback) {
125		call_user_func($callback);
126		}
127
128		if (!$this->runInBackground) {
129		$process = $this->runCommandInForeground();
130		} else {
131		$process = $this->runCommandInBackground();
132		}
133
134		foreach ($this->afterCallbacks as $callback) {
135		call_user_func($callback);
136		}
137
138		return $process;
139		}
140
141		/**
142		* Run the command in the foreground.
143		*
144		* @return OsProcess
145		*/
146		protected function runCommandInForeground()
147		{
148		$process = new OsProcess($this->compileCommand(), $this->cwd, null, null, null);
149		$process->run();
150
151		return $process;
152		}
153
154		/**
155		* Run the command in the background.
156		*
157		* @return OsProcess
158		*/
159		protected function runCommandInBackground()
160		{
161		$process = new OsProcess($this->compileCommand(), $this->cwd, null, null, null);
162		$process->start();
163
164		return $process;
165		}
166
167		/**
168		* Get the mutex path for managing concurrency
169		*
170		* @return string
171		*/
172		protected function getMutexPath()
173		{
174		return rtrim(sys_get_temp_dir(), '/') . '/scheduled-event-' . md5($this->cwd . $this->command);
175		}
176
177		/**
178		* Do not allow the event to overlap each other.
179		*
180		* @return $this
181		*/
182		public function preventOverlapping()
183		{
184		$this->mutuallyExclusive = true;
185
186		// Skip the event if it's locked (processing)
187		$this->skip(function() {
188		return $this->isLocked();
189		});
190
191		return $this;
192		}
193
194		/**
195		* Tells you whether this event has been denied from mutual exclusiveness
196		*
197		* @return bool
198		*/
199		protected function isLocked()
200		{
201		return file_exists($this->getMutexPath());
202		}
203
204		/**
205		* State that the command should run in the foreground
206		*
207		* @return $this
208		*/
209		public function runInForeground()
210		{
211		$this->runInBackground = false;
212
213		return $this;
214		}
215
216		/**
217		* State that the command should run in the background.
218		*
219		* @return $this
220		*/
221		public function runInBackground()
222		{
223		$this->runInBackground = true;
224
225		return $this;
226		}
227
228		/**
229		* Set which user the command should run as.
230		*
231		* @param string? $user
		0 ignored issues – show Documentation introduced 2016-11-04 10:04 UTC by Report Bug Copy Issue Report Show Similar Issues like this The doc-type `string?` could not be parsed: Unknown type name "string?" at position 0. (view supported doc-types) This check marks PHPDoc comments that could not be parsed by our parser. To see which comment annotations we can parse, please refer to our documentation on supported doc-types. Loading history...
232		* @return $this
233		*/
234	1	public function asUser(/* string? */ $user)
235		{
236	1	Assert::nullOrString($user);
237
238	1	$this->user = $user;
239
240	1	return $this;
241		}
242
243		/**
244		* Change the current working directory.
245		*
246		* @param string $directory
247		* @return $this
248		*/
249	1	public function in(/* string */ $directory)
		0 ignored issues – show Coding Style introduced 2018-01-02 09:25 UTC by Report Bug Copy Issue Report Show Similar Issues like this This method's name is shorter than the configured minimum length of `3` characters. Even though PHP does not care about the name of your methods, it is generally a good practice to choose method names which can be easily understood by other human readers. Loading history...
250		{
251	1	Assert::stringNotEmpty($directory);
252
253	1	$this->cwd = $directory;
254
255	1	return $this;
256		}
257
258		/**
259		* Whether we append or redirect output
260		*
261		* @param bool $switch
262		* @return $this
263		*/
264	2	public function appendOutput(/* boolean */ $switch = true)
265		{
266	2	Assert::boolean($switch);
267
268	2	$this->shouldAppendOutput = $switch;
269
270	2	return $this;
271		}
272
273		/**
274		* Set the file or location where to send file descriptor 1 to
275		*
276		* @param string $output
277		* @return $this
278		*/
279		public function outputTo(/* string */ $output)
280		{
281		Assert::stringNotEmpty($output);
282
283		$this->output = $output;
284
285		return $this;
286		}
287
288		/**
289		* Set the file or location where to send file descriptor 2 to
290		*
291		* @param string $output
292		* @return $this
293		*/
294		public function errorOutputTo(/* string */ $output)
295		{
296		Assert::stringNotEmpty($output);
297
298		$this->errorOutput = $output;
299
300		return $this;
301		}
302		}
303

clansman-nl / scheduling

Issues (13)

Security Analysis no request data

src/Event/Process.php (4 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like