Issues in Minify.php (master) - Issues in master - consolidation/robo - Measure and Improve Code Quality continuously with Scrutinizer

Issues (569)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Task/Assets/Minify.php (1 issue)

Labels

Severity

Major 1

Dan Untenzu 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace Robo\Task\Assets;

use Robo\Result;
use Robo\Task\BaseTask;

/**
 * Minifies an asset file (CSS or JS).
 *
 * ``` php
 * <?php
 * $this->taskMinify('web/assets/theme.css')
 *      ->run()
 * ?>
 * ```
 * Please install additional packages to use this task:
 *
 * ```
 * composer require patchwork/jsqueeze:^2.0
 * composer require natxet/cssmin:^3.0
 * ```
 */
class Minify extends BaseTask
{
    /**
     * @var string[]
     */
    protected $types = ['css', 'js'];

    /**
     * @var string
     */
    protected $text;

    /**
     * @var string
     */
    protected $dst;

    /**
     * @var string
     */
    protected $type;

    /**
     * @var bool[]
     */
    protected $squeezeOptions = [
        'singleLine' => true,
        'keepImportantComments' => true,
        'specialVarRx' => false,
    ];

    /**
     * Constructor. Accepts asset file path or string source.
     *
     * @param string $input
     */
    public function __construct($input)
    {
        if (file_exists($input)) {
            $this->fromFile($input);
            return;
        }

        $this->fromText($input);
    }

    /**
     * Sets destination. Tries to guess type from it.
     *
     * @param string $dst
     *
     * @return $this
     */
    public function to($dst)
    {
        $this->dst = $dst;

        if (!empty($this->dst) && empty($this->type)) {
            $this->type($this->getExtension($this->dst));
        }

        return $this;
    }

    /**
     * Sets type with validation.
     *
     * @param string $type
     *   Allowed values: "css", "js".
     *
     * @return $this
     */
    public function type($type)
    {
        $type = strtolower($type);

        if (in_array($type, $this->types)) {
            $this->type = $type;
        }

        return $this;
    }

    /**
     * Sets text from string source.
     *
     * @param string $text
     *
     * @return $this
     */
    protected function fromText($text)
    {
        $this->text = (string)$text;
        unset($this->type);

        return $this;
    }

    /**
     * Sets text from asset file path. Tries to guess type and set default destination.
     *
     * @param string $path
     *
     * @return $this
     */
    protected function fromFile($path)
    {
        $this->text = file_get_contents($path);

        unset($this->type);
        $this->type($this->getExtension($path));

        if (empty($this->dst) && !empty($this->type)) {
            $ext_length = strlen($this->type) + 1;
            $this->dst = substr($path, 0, -$ext_length) . '.min.' . $this->type;
        }

        return $this;
    }

    /**
     * Gets file extension from path.
     *
     * @param string $path
     *
     * @return string
     */
    protected function getExtension($path)
    {
        return pathinfo($path, PATHINFO_EXTENSION);
    }

    /**
     * Minifies and returns text.
     *
     * @return string|bool
     */
    protected function getMinifiedText()
    {
        switch ($this->type) {
            case 'css':
                if (!class_exists('\CssMin')) {
                    return Result::errorMissingPackage($this, 'CssMin', 'natxet/cssmin');
class Author {
    private $name;

    public function __construct($name) {
        $this->name = $name;
    }

    public function getName() {
        return $this->name;
    }
}

abstract class Post {
    public function getAuthor() {
        return 'Johannes';
    }
}

class BlogPost extends Post {
    public function getAuthor() {
        return new Author('Johannes');
    }
}

class ForumPost extends Post { /* ... */ }

function my_function(Post $post) {
    echo strtoupper($post->getAuthor());
}
                }

                return \CssMin::minify($this->text);
                break;

            case 'js':
                if (!class_exists('\JSqueeze') && !class_exists('\Patchwork\JSqueeze')) {
                    return Result::errorMissingPackage($this, 'Patchwork\JSqueeze', 'patchwork/jsqueeze');
                }

                if (class_exists('\JSqueeze')) {
                    $jsqueeze = new \JSqueeze();
                } else {
                    $jsqueeze = new \Patchwork\JSqueeze();
                }

                return $jsqueeze->squeeze(
                    $this->text,
                    $this->squeezeOptions['singleLine'],
                    $this->squeezeOptions['keepImportantComments'],
                    $this->squeezeOptions['specialVarRx']
                );
                break;
        }

        return false;
    }

    /**
     * Single line option for the JS minimisation.
     *
     * @param bool $singleLine
     *
     * @return $this
     */
    public function singleLine($singleLine)
    {
        $this->squeezeOptions['singleLine'] = (bool)$singleLine;
        return $this;
    }

    /**
     * keepImportantComments option for the JS minimisation.
     *
     * @param bool $keepImportantComments
     *
     * @return $this
     */
    public function keepImportantComments($keepImportantComments)
    {
        $this->squeezeOptions['keepImportantComments'] = (bool)$keepImportantComments;
        return $this;
    }

    /**
     * Set specialVarRx option for the JS minimisation.
     *
     * @param bool $specialVarRx
     *
     * @return $this
     */
    public function specialVarRx($specialVarRx)
    {
        $this->squeezeOptions['specialVarRx'] = (bool)$specialVarRx;
        return $this;
    }

    /**
     * @return string
     */
    public function __toString()
    {
        return (string) $this->getMinifiedText();
    }

    /**
     * {@inheritdoc}
     */
    public function run()
    {
        if (empty($this->type)) {
            return Result::error($this, 'Unknown asset type.');
        }

        if (empty($this->dst)) {
            return Result::error($this, 'Unknown file destination.');
        }

        if (file_exists($this->dst) && !is_writable($this->dst)) {
            return Result::error($this, 'Destination already exists and cannot be overwritten.');
        }

        $size_before = strlen($this->text);
        $minified = $this->getMinifiedText();

        if ($minified instanceof Result) {
            return $minified;
        } elseif (false === $minified) {
            return Result::error($this, 'Minification failed.');
        }

        $size_after = strlen($minified);

        // Minification did not reduce file size, so use original file.
        if ($size_after > $size_before) {
            $minified = $this->text;
            $size_after = $size_before;
        }

        $dst = $this->dst . '.part';
        $write_result = file_put_contents($dst, $minified);

        if (false === $write_result) {
            @unlink($dst);
            return Result::error($this, 'File write failed.');
        }
        // Cannot be cross-volume; should always succeed.
        @rename($dst, $this->dst);
        if ($size_before === 0) {
            $minified_percent = 0;
        } else {
            $minified_percent = number_format(100 - ($size_after / $size_before * 100), 1);
        }
        $this->printTaskSuccess('Wrote {filepath}', ['filepath' => $this->dst]);
        $context = [
            'bytes' => $this->formatBytes($size_after),
            'reduction' => $this->formatBytes(($size_before - $size_after)),
            'percentage' => $minified_percent,
        ];
        $this->printTaskSuccess('Wrote {bytes} (reduced by {reduction} / {percentage})', $context);
        return Result::success($this, 'Asset minified.');
    }
}


1		<?php
2
3		namespace Robo\Task\Assets;
4
5		use Robo\Result;
6		use Robo\Task\BaseTask;
7
8		/**
9		* Minifies an asset file (CSS or JS).
10		*
11		* ``` php
12		* <?php
13		* $this->taskMinify('web/assets/theme.css')
14		* ->run()
15		* ?>
16		* ```
17		* Please install additional packages to use this task:
18		*
19		* ```
20		* composer require patchwork/jsqueeze:^2.0
21		* composer require natxet/cssmin:^3.0
22		* ```
23		*/
24		class Minify extends BaseTask
25		{
26		/**
27		* @var string[]
28		*/
29		protected $types = ['css', 'js'];
30
31		/**
32		* @var string
33		*/
34		protected $text;
35
36		/**
37		* @var string
38		*/
39		protected $dst;
40
41		/**
42		* @var string
43		*/
44		protected $type;
45
46		/**
47		* @var bool[]
48		*/
49		protected $squeezeOptions = [
50		'singleLine' => true,
51		'keepImportantComments' => true,
52		'specialVarRx' => false,
53		];
54
55		/**
56		* Constructor. Accepts asset file path or string source.
57		*
58		* @param string $input
59		*/
60		public function __construct($input)
61		{
62		if (file_exists($input)) {
63		$this->fromFile($input);
64		return;
65		}
66
67		$this->fromText($input);
68		}
69
70		/**
71		* Sets destination. Tries to guess type from it.
72		*
73		* @param string $dst
74		*
75		* @return $this
76		*/
77		public function to($dst)
78		{
79		$this->dst = $dst;
80
81		if (!empty($this->dst) && empty($this->type)) {
82		$this->type($this->getExtension($this->dst));
83		}
84
85		return $this;
86		}
87
88		/**
89		* Sets type with validation.
90		*
91		* @param string $type
92		* Allowed values: "css", "js".
93		*
94		* @return $this
95		*/
96		public function type($type)
97		{
98		$type = strtolower($type);
99
100		if (in_array($type, $this->types)) {
101		$this->type = $type;
102		}
103
104		return $this;
105		}
106
107		/**
108		* Sets text from string source.
109		*
110		* @param string $text
111		*
112		* @return $this
113		*/
114		protected function fromText($text)
115		{
116		$this->text = (string)$text;
117		unset($this->type);
118
119		return $this;
120		}
121
122		/**
123		* Sets text from asset file path. Tries to guess type and set default destination.
124		*
125		* @param string $path
126		*
127		* @return $this
128		*/
129		protected function fromFile($path)
130		{
131		$this->text = file_get_contents($path);
132
133		unset($this->type);
134		$this->type($this->getExtension($path));
135
136		if (empty($this->dst) && !empty($this->type)) {
137		$ext_length = strlen($this->type) + 1;
138		$this->dst = substr($path, 0, -$ext_length) . '.min.' . $this->type;
139		}
140
141		return $this;
142		}
143
144		/**
145		* Gets file extension from path.
146		*
147		* @param string $path
148		*
149		* @return string
150		*/
151		protected function getExtension($path)
152		{
153		return pathinfo($path, PATHINFO_EXTENSION);
154		}
155
156		/**
157		* Minifies and returns text.
158		*
159		* @return string\|bool
160		*/
161		protected function getMinifiedText()
162		{
163		switch ($this->type) {
164		case 'css':
165		if (!class_exists('\CssMin')) {
166		return Result::errorMissingPackage($this, 'CssMin', 'natxet/cssmin');
		0 ignored issues – show Bug Best Practice introduced 2019-06-06 12:14 UTC by Report Bug Copy Issue Report Show Similar Issues like this The return type of `return \Robo\Result::err...Min', 'natxet/cssmin');` (`Robo\Result`) is incompatible with the return type documented by `Robo\Task\Assets\Minify::getMinifiedText` of type `string\|boolean`. If you return a value from a function or method, it should be a sub-type of the type that is given by the parent type f.e. an interface, or abstract method. This is more formally defined by the Lizkov substitution principle, and guarantees that classes that depend on the parent type can use any instance of a child type interchangably. This principle also belongs to the SOLID principles for object oriented design. Let’s take a look at an example: class Author { private $name; public function __construct($name) { $this->name = $name; } public function getName() { return $this->name; } } abstract class Post { public function getAuthor() { return 'Johannes'; } } class BlogPost extends Post { public function getAuthor() { return new Author('Johannes'); } } class ForumPost extends Post { /* ... */ } function my_function(Post $post) { echo strtoupper($post->getAuthor()); } Our function `my_function` expects a `Post` object, and outputs the author of the post. The base class `Post` returns a simple string and outputting a simple string will work just fine. However, the child class `BlogPost` which is a sub-type of `Post` instead decided to return an `object`, and is therefore violating the SOLID principles. If a `BlogPost` were passed to `my_function`, PHP would not complain, but ultimately fail when executing the `strtoupper` call in its body. Loading history...
167		}
168
169		return \CssMin::minify($this->text);
170		break;
171
172		case 'js':
173		if (!class_exists('\JSqueeze') && !class_exists('\Patchwork\JSqueeze')) {
174		return Result::errorMissingPackage($this, 'Patchwork\JSqueeze', 'patchwork/jsqueeze');
175		}
176
177		if (class_exists('\JSqueeze')) {
178		$jsqueeze = new \JSqueeze();
179		} else {
180		$jsqueeze = new \Patchwork\JSqueeze();
181		}
182
183		return $jsqueeze->squeeze(
184		$this->text,
185		$this->squeezeOptions['singleLine'],
186		$this->squeezeOptions['keepImportantComments'],
187		$this->squeezeOptions['specialVarRx']
188		);
189		break;
190		}
191
192		return false;
193		}
194
195		/**
196		* Single line option for the JS minimisation.
197		*
198		* @param bool $singleLine
199		*
200		* @return $this
201		*/
202		public function singleLine($singleLine)
203		{
204		$this->squeezeOptions['singleLine'] = (bool)$singleLine;
205		return $this;
206		}
207
208		/**
209		* keepImportantComments option for the JS minimisation.
210		*
211		* @param bool $keepImportantComments
212		*
213		* @return $this
214		*/
215		public function keepImportantComments($keepImportantComments)
216		{
217		$this->squeezeOptions['keepImportantComments'] = (bool)$keepImportantComments;
218		return $this;
219		}
220
221		/**
222		* Set specialVarRx option for the JS minimisation.
223		*
224		* @param bool $specialVarRx
225		*
226		* @return $this
227		*/
228		public function specialVarRx($specialVarRx)
229		{
230		$this->squeezeOptions['specialVarRx'] = (bool)$specialVarRx;
231		return $this;
232		}
233
234		/**
235		* @return string
236		*/
237		public function __toString()
238		{
239		return (string) $this->getMinifiedText();
240		}
241
242		/**
243		* {@inheritdoc}
244		*/
245		public function run()
246		{
247		if (empty($this->type)) {
248		return Result::error($this, 'Unknown asset type.');
249		}
250
251		if (empty($this->dst)) {
252		return Result::error($this, 'Unknown file destination.');
253		}
254
255	View Code Duplication	if (file_exists($this->dst) && !is_writable($this->dst)) {
256		return Result::error($this, 'Destination already exists and cannot be overwritten.');
257		}
258
259		$size_before = strlen($this->text);
260		$minified = $this->getMinifiedText();
261
262		if ($minified instanceof Result) {
263		return $minified;
264		} elseif (false === $minified) {
265		return Result::error($this, 'Minification failed.');
266		}
267
268		$size_after = strlen($minified);
269
270		// Minification did not reduce file size, so use original file.
271		if ($size_after > $size_before) {
272		$minified = $this->text;
273		$size_after = $size_before;
274		}
275
276		$dst = $this->dst . '.part';
277		$write_result = file_put_contents($dst, $minified);
278
279		if (false === $write_result) {
280		@unlink($dst);
281		return Result::error($this, 'File write failed.');
282		}
283		// Cannot be cross-volume; should always succeed.
284		@rename($dst, $this->dst);
285		if ($size_before === 0) {
286		$minified_percent = 0;
287		} else {
288		$minified_percent = number_format(100 - ($size_after / $size_before * 100), 1);
289		}
290		$this->printTaskSuccess('Wrote {filepath}', ['filepath' => $this->dst]);
291		$context = [
292		'bytes' => $this->formatBytes($size_after),
293		'reduction' => $this->formatBytes(($size_before - $size_after)),
294		'percentage' => $minified_percent,
295		];
296		$this->printTaskSuccess('Wrote {bytes} (reduced by {reduction} / {percentage})', $context);
297		return Result::success($this, 'Asset minified.');
298		}
299		}
300

consolidation / robo

Issues (569)

Security Analysis not enabled

src/Task/Assets/Minify.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like