Issues in TbEditableField.php (master) - Issues in master - clevertech/YiiBooster - Measure and Improve Code Quality continuously with Scrutinizer

Issues (107)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/widgets/TbEditableField.php (3 issues)

Labels

Severity

Major 3

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * TbEditableField class file.
 *
 * @author Vitaliy Potapov <[email protected]>
 * @link https://github.com/vitalets/x-editable-yii
 * @copyright Copyright &copy; Vitaliy Potapov 2012
 * @version 1.3.1
 */

Yii::import('booster.widgets.TbEditable');

/**
 * TbEditableField widget makes editable single attribute of model.
 *
 * @package widgets
 */
class TbEditableField extends TbEditable
{
    /**
    * @var CActiveRecord ActiveRecord to be updated.
    */
    public $model = null;
    /**
    * @var string attribute name.
    */
    public $attribute = null;
   
    /**
    * @var mixed instance of model that is created always:
    * E.g. if related model does not exist, it will be `newed` to be able to get Attribute label, etc
    * for live update. 
    */
    private $staticModel = null;
    
    /**
    * initialization of widget
    *
    */
    public function init()
    {
        if (!$this->model) {
            throw new CException('Parameter "model" should be provided for TbEditableField');
        }

        if (!$this->attribute) {
            throw new CException('Parameter "attribute" should be provided for TbEditableField');
        }

        $originalModel = $this->model;
        $originalAttribute = $this->attribute;
        $originalText = strlen($this->text) ? $this->text : CHtml::value($this->model, $this->attribute);

        //if apply set manually to false --> just render text, no js plugin applied
        if($this->apply === false) {
            $this->text = $originalText;
        } else {
            $this->apply = true;
        }

        //try to resolve related model (if attribute contains '.')
        $resolved = $this->resolveModels($this->model, $this->attribute);
        $this->model = $resolved['model'];
        $this->attribute = $resolved['attribute'];
        $this->staticModel = $resolved['staticModel'];
        $staticModel = $this->staticModel;
        $isMongo = $resolved['isMongo'];
        $isFormModel = $this->model instanceOf CFormModel;
if ($x instanceof DoesNotExist) {
    // Do something.
}
        
        //if real (related) model not exists --> just print text
        if(!$this->model) {
        	$this->apply = false;
        	$this->text = $originalText;
		}
        
        
        //for security reason only safe attributes can be editable (e.g. defined in rules of model)
        //just print text (see 'run' method)
        if (!$staticModel->isAttributeSafe($this->attribute)) {
            $this->apply = false;
            $this->text = $originalText;
        }
        
        /*
         try to detect type from metadata if not set
        */
        if ($this->type === null) {
            $this->type = 'text';
            if (!$isMongo && !$isFormModel && array_key_exists($this->attribute, $staticModel->tableSchema->columns)) {
                $dbType = $staticModel->tableSchema->columns[$this->attribute]->dbType;
                if($dbType == 'date') {
                    $this->type = 'date';
                }
                if($dbType == 'datetime') {
                    $this->type = 'datetime';
                }
                if(stripos($dbType, 'text') !== false) {
                    $this->type = 'textarea';
                }
            }
        }

        //name
        if(empty($this->name)) {
            $this->name = $isMongo ? $originalAttribute : $this->attribute;
        }
        
        //pk (for mongo takes pk from parent!)
        $pkModel = $isMongo ? $originalModel : $this->model; 
        if(!$isFormModel) {
            if($pkModel && !$pkModel->isNewRecord) {
                $this->pk = $pkModel->primaryKey;
            }
        } else {
            //formModel does not have pk, so set `send` option to `always` (send without pk)
            if(empty($this->send) && empty($this->options['send'])) {
                $this->send = 'always';
            }
        }      
        
        parent::init();        
        
        /*
         If text not defined, generate it from model attribute for types except lists ('select', 'checklist' etc)
         For lists keep it empty to apply autotext.
         $this->_prepareToAutotext calculated in parent class TbEditable.php
        */
        if (!strlen($this->text) && !$this->_prepareToAutotext) {
            $this->text = $originalText;
        }
        
        //set value directly for autotext generation
        if($this->model && $this->_prepareToAutotext) {
            $this->value = CHtml::value($this->model, $this->attribute); 
        }
        
        //generate title from attribute label
        if ($this->title === null) {
            $titles = array(
              'Select' => array('select', 'date'),
              'Check' => array('checklist')
            );
            $title = Yii::t('TbEditableField.editable', 'Enter');
            foreach($titles as $t => $types) {
                if(in_array($this->type, $types)) {
                   $title = Yii::t('TbEditableField.editable', $t);
                }
            }
            $this->title = $title . ' ' . $staticModel->getAttributeLabel($this->attribute);
        } else {
            $this->title = strtr($this->title, array('{label}' => $staticModel->getAttributeLabel($this->attribute)));
        }
        
        //scenario
        if ($pkModel) {
            if ((is_array($this->params) && !isset($this->params['scenario'])) || $this->params === null) {
                $this->params['scenario'] = $pkModel->getScenario();
            } elseif (strlen($this->params)) {
                $orig = $this->params;
                if (strpos($orig, 'js:') === 0) {
                    $orig = substr($orig, 3);
                }
                $orig = "params = ($orig).call(this, params);\n";
                $this->params = "js: function(params) {

                    params.scenario = '" . $pkModel->getScenario() . "';
                    $orig
                    return params;
                }";
            }

        }
    }

    public function getSelector()
    {
        return str_replace('\\', '_', get_class($this->staticModel)).'_'.parent::getSelector();
    }
    
    
    /**
    * Checks is model is instance of mongo model
    * see: http://www.yiiframework.com/extension/yiimongodbsuite
    * 
    * @param mixed $model
    * @return bool
    */
    public static function isMongo($model) 
    {   
    	return in_array('EMongoEmbeddedDocument', class_parents($model, false));
	}

	/**
	 * Resolves model and returns array of values:
	 * - staticModel: static class of model, need for checki safety of attribute
	 * - real model: containing attribute. Can be null
	 * - attribute: it will be without dots for activerecords
	 *
	 * @param CActiveRecord $model
	 * @param string $attribute
	 *
	 * @throws CException
	 * @return array
	 */
    public static function resolveModels($model, $attribute) 
    {
    	//attribute contains dot: related model, trying to resolve
        $explode = explode('.', $attribute);
        $len = count($explode);
        
        $isMongo = self::isMongo($model);
		         		
        if($len > 1) {
            $attribute = $explode[$len-1];
            //try to resolve model instance  
            $resolved = true;
            for($i = 0; $i < $len-1; $i++) {
                $name = $explode[$i];
                if($model->$name instanceof CModel) {
if ($x instanceof DoesNotExist) {
    // Do something.
}
                    $model = $model->$name;
                } else {
                    $resolved = false;
                    break;
                }
            }
            
            if($resolved) {
                $staticModel = $model;
            } else { //related model not resolved: maybe not exists
                $relationName = $explode[$len-2];
                if($model instanceof CActiveRecord) {
                    $className = $model->getActiveRelation($relationName)->className;
				} elseif($isMongo) {
					$embedded = $model->embeddedDocuments();
					if(isset($embedded[$relationName])) {
						$className = $embedded[$relationName];
					} else {
						throw new CException('Embedded relation not found');
					}
				} else {
					throw new CException('Unsupported model class '.$relationName);
				}
                $staticModel = new $className();
                $model = null;                
            }
        } else {
            $staticModel = $model;  
        }
        
        return array(
        	'model' 		=> $model,
        	'staticModel'   => $staticModel,
        	'attribute'     => $attribute,
        	'isMongo'       => $isMongo
        );
	}
}


GitHub Access Token became invalid

Issues (107)

Security Analysis not enabled

src/widgets/TbEditableField.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

1. Missing dependencies

2. Missing use statement

1. Missing dependencies

2. Missing use statement

1			<?php
2			/**
3			* TbEditableField class file.
4			*
5			* @author Vitaliy Potapov <[email protected]>
6			* @link https://github.com/vitalets/x-editable-yii
7			* @copyright Copyright © Vitaliy Potapov 2012
8			* @version 1.3.1
9			*/
10
11			Yii::import('booster.widgets.TbEditable');
12
13			/**
14			* TbEditableField widget makes editable single attribute of model.
15			*
16			* @package widgets
17			*/
18			class TbEditableField extends TbEditable
19			{
20			/**
21			* @var CActiveRecord ActiveRecord to be updated.
22			*/
23			public $model = null;
24			/**
25			* @var string attribute name.
26			*/
27			public $attribute = null;
28
29			/**
30			* @var mixed instance of model that is created always:
31			* E.g. if related model does not exist, it will be `newed` to be able to get Attribute label, etc
32			* for live update.
33			*/
34			private $staticModel = null;
35
36			/**
37			* initialization of widget
38			*
39			*/
40			public function init()
41			{
42			if (!$this->model) {
43			throw new CException('Parameter "model" should be provided for TbEditableField');
44			}
45
46			if (!$this->attribute) {
47			throw new CException('Parameter "attribute" should be provided for TbEditableField');
48			}
49
50			$originalModel = $this->model;
51			$originalAttribute = $this->attribute;
52			$originalText = strlen($this->text) ? $this->text : CHtml::value($this->model, $this->attribute);
53
54			//if apply set manually to false --> just render text, no js plugin applied
55			if($this->apply === false) {
56			$this->text = $originalText;
57			} else {
58			$this->apply = true;
59			}
60
61			//try to resolve related model (if attribute contains '.')
62			$resolved = $this->resolveModels($this->model, $this->attribute);
63			$this->model = $resolved['model'];
64			$this->attribute = $resolved['attribute'];
65			$this->staticModel = $resolved['staticModel'];
66			$staticModel = $this->staticModel;
67			$isMongo = $resolved['isMongo'];
68			$isFormModel = $this->model instanceOf CFormModel;
			0 ignored issues – show Bug introduced 2016-05-24 16:13 UTC by Report Bug Copy Issue Report Show Similar Issues like this The class `CFormModel` does not exist. Did you forget a USE statement, or did you not list all dependencies? This error could be the result of: 1. Missing dependencies PHP Analyzer uses your `composer.json` file (if available) to determine the dependencies of your project and to determine all the available classes and functions. It expects the `composer.json` to be in the root folder of your repository. Are you sure this class is defined by one of your dependencies, or did you maybe not list a dependency in either the `require` or `require-dev` section? 2. Missing use statement PHP does not complain about undefined classes in `ìnstanceof` checks. For example, the following PHP code will work perfectly fine: if ($x instanceof DoesNotExist) { // Do something. } If you have not tested against this specific condition, such errors might go unnoticed. Loading history...
69
70			//if real (related) model not exists --> just print text
71			if(!$this->model) {
72			$this->apply = false;
73			$this->text = $originalText;
74			}
75
76
77			//for security reason only safe attributes can be editable (e.g. defined in rules of model)
78			//just print text (see 'run' method)
79			if (!$staticModel->isAttributeSafe($this->attribute)) {
80			$this->apply = false;
81			$this->text = $originalText;
82			}
83
84			/*
85			try to detect type from metadata if not set
86			*/
87			if ($this->type === null) {
88			$this->type = 'text';
89			if (!$isMongo && !$isFormModel && array_key_exists($this->attribute, $staticModel->tableSchema->columns)) {
90			$dbType = $staticModel->tableSchema->columns[$this->attribute]->dbType;
91			if($dbType == 'date') {
92			$this->type = 'date';
93			}
94			if($dbType == 'datetime') {
95			$this->type = 'datetime';
96			}
97			if(stripos($dbType, 'text') !== false) {
98			$this->type = 'textarea';
99			}
100			}
101			}
102
103			//name
104			if(empty($this->name)) {
105			$this->name = $isMongo ? $originalAttribute : $this->attribute;
106			}
107
108			//pk (for mongo takes pk from parent!)
109			$pkModel = $isMongo ? $originalModel : $this->model;
110			if(!$isFormModel) {
111			if($pkModel && !$pkModel->isNewRecord) {
112			$this->pk = $pkModel->primaryKey;
113			}
114			} else {
115			//formModel does not have pk, so set `send` option to `always` (send without pk)
116			if(empty($this->send) && empty($this->options['send'])) {
117			$this->send = 'always';
118			}
119			}
120
121			parent::init();
122
123			/*
124			If text not defined, generate it from model attribute for types except lists ('select', 'checklist' etc)
125			For lists keep it empty to apply autotext.
126			$this->_prepareToAutotext calculated in parent class TbEditable.php
127			*/
128			if (!strlen($this->text) && !$this->_prepareToAutotext) {
129			$this->text = $originalText;
130			}
131
132			//set value directly for autotext generation
133			if($this->model && $this->_prepareToAutotext) {
134			$this->value = CHtml::value($this->model, $this->attribute);
135			}
136
137			//generate title from attribute label
138			if ($this->title === null) {
139			$titles = array(
140			'Select' => array('select', 'date'),
141			'Check' => array('checklist')
142			);
143			$title = Yii::t('TbEditableField.editable', 'Enter');
144			foreach($titles as $t => $types) {
145			if(in_array($this->type, $types)) {
146			$title = Yii::t('TbEditableField.editable', $t);
147			}
148			}
149			$this->title = $title . ' ' . $staticModel->getAttributeLabel($this->attribute);
150			} else {
151			$this->title = strtr($this->title, array('{label}' => $staticModel->getAttributeLabel($this->attribute)));
152			}
153
154			//scenario
155			if ($pkModel) {
156			if ((is_array($this->params) && !isset($this->params['scenario'])) \|\| $this->params === null) {
157			$this->params['scenario'] = $pkModel->getScenario();
158			} elseif (strlen($this->params)) {
159			$orig = $this->params;
160			if (strpos($orig, 'js:') === 0) {
161			$orig = substr($orig, 3);
162			}
163			$orig = "params = ($orig).call(this, params);\n";
164			$this->params = "js: function(params) {
			0 ignored issues – show Documentation Bug introduced 2016-05-24 16:13 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `'js: function(params) { ...ms;\n }"` of type `string` is incompatible with the declared type `array` of property `$params`. Our type inference engine has found an assignment to a property that is incompatible with the declared type of that property. Either this assignment is in error or the assigned type should be added to the documentation/type hint for that property.. Loading history...
165			params.scenario = '" . $pkModel->getScenario() . "';
166			$orig
167			return params;
168			}";
169			}
170
171			}
172			}
173
174			public function getSelector()
175			{
176			return str_replace('\\', '_', get_class($this->staticModel)).'_'.parent::getSelector();
177			}
178
179
180			/**
181			* Checks is model is instance of mongo model
182			* see: http://www.yiiframework.com/extension/yiimongodbsuite
183			*
184			* @param mixed $model
185			* @return bool
186			*/
187			public static function isMongo($model)
188			{
189			return in_array('EMongoEmbeddedDocument', class_parents($model, false));
190			}
191
192			/**
193			* Resolves model and returns array of values:
194			* - staticModel: static class of model, need for checki safety of attribute
195			* - real model: containing attribute. Can be null
196			* - attribute: it will be without dots for activerecords
197			*
198			* @param CActiveRecord $model
199			* @param string $attribute
200			*
201			* @throws CException
202			* @return array
203			*/
204			public static function resolveModels($model, $attribute)
205			{
206			//attribute contains dot: related model, trying to resolve
207			$explode = explode('.', $attribute);
208			$len = count($explode);
209
210			$isMongo = self::isMongo($model);
211
212			if($len > 1) {
213			$attribute = $explode[$len-1];
214			//try to resolve model instance
215			$resolved = true;
216			for($i = 0; $i < $len-1; $i++) {
217			$name = $explode[$i];
218			if($model->$name instanceof CModel) {
			0 ignored issues – show Bug introduced 2016-05-24 16:13 UTC by Report Bug Copy Issue Report Show Similar Issues like this The class `CModel` does not exist. Did you forget a USE statement, or did you not list all dependencies? This error could be the result of: 1. Missing dependencies PHP Analyzer uses your `composer.json` file (if available) to determine the dependencies of your project and to determine all the available classes and functions. It expects the `composer.json` to be in the root folder of your repository. Are you sure this class is defined by one of your dependencies, or did you maybe not list a dependency in either the `require` or `require-dev` section? 2. Missing use statement PHP does not complain about undefined classes in `ìnstanceof` checks. For example, the following PHP code will work perfectly fine: if ($x instanceof DoesNotExist) { // Do something. } If you have not tested against this specific condition, such errors might go unnoticed. Loading history...
219			$model = $model->$name;
220			} else {
221			$resolved = false;
222			break;
223			}
224			}
225
226			if($resolved) {
227			$staticModel = $model;
228			} else { //related model not resolved: maybe not exists
229			$relationName = $explode[$len-2];
230			if($model instanceof CActiveRecord) {
231			$className = $model->getActiveRelation($relationName)->className;
232			} elseif($isMongo) {
233			$embedded = $model->embeddedDocuments();
234			if(isset($embedded[$relationName])) {
235			$className = $embedded[$relationName];
236			} else {
237			throw new CException('Embedded relation not found');
238			}
239			} else {
240			throw new CException('Unsupported model class '.$relationName);
241			}
242			$staticModel = new $className();
243			$model = null;
244			}
245			} else {
246			$staticModel = $model;
247			}
248
249			return array(
250			'model' => $model,
251			'staticModel' => $staticModel,
252			'attribute' => $attribute,
253			'isMongo' => $isMongo
254			);
255			}
256			}
257

clevertech / YiiBooster

GitHub Access Token became invalid

Issues (107)

Security Analysis not enabled

src/widgets/TbEditableField.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

1. Missing dependencies

2. Missing use statement

1. Missing dependencies

2. Missing use statement

Duplication Side-by-Side

Filter issues like