Issues in HostPath.php (master) - Issues in master - consolidation/site-alias - Measure and Improve Code Quality continuously with Scrutinizer

Issues (50)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/HostPath.php (5 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
namespace Consolidation\SiteAlias;

use Consolidation\Config\Config;
use Consolidation\Config\ConfigInterface;
use Webmozart\PathUtil\Path;

/**
 * A host path is a path on some machine. The machine may be specified
 * by a label, and the label may be an @alias or a site specification.
 * If there is no label, then the local machine is assumed.
 *
 * Examples:
 *
 *   @alias
 *   @alias:/path
 *   host:/path
 *   user@host:/path
 *   user@host/drupal-root#uri:/path
 *   /path
 *
 * Note that /path does not have to begin with a '/'; it may
 * be a relative path, or it may begin with a path alias,
 * e.g. '%files'.
 *
 * It is permissible to have an alias or site specification
 * without a path, but it is not valid to have just a host
 * with no path.
 */
class HostPath
{
    /** @var SiteAlias The alias record obtained from the host path */
    protected $alias_record;

    /** @var string The entire original host path (e.g. @alias:/path) */
    protected $original_path;

    /** @var string The "path" component from the host path */
    protected $path;

    /** @var string The alias record is implicit (e.g. 'path' instead of '@self:path') */
    protected $implicit;

    /**
     * HostPath constructor
     *
     * @param SiteAlias $alias_record The alias record or site specification record
     * @param string $original_path The original host path
     * @param string $path Just the 'path' component
     */
    protected function __construct($alias_record, $original_path, $path = '', $implicit = false)
    {
        $this->alias_record = $alias_record;
        $this->original_path = $original_path;
        $this->path = $path;
        $this->implicit = $implicit;
$answer = 42;

$correct = false;

$correct = (bool) $answer;
    }

    /**
     * Factory method to create a host path.
     *
     * @param SiteAliasManager $manager We need to be provided a reference
     *   to the alias manager to create a host path
     * @param string $hostPath The path to create.
     */
    public static function create(SiteAliasManager $manager, $hostPath)
    {
        // Split the alias path up into
        //  - $parts[0]: everything before the first ":"
        //  - $parts[1]: everything after the ":", if there was one.
        $parts = explode(':', $hostPath, 2);

        // Determine whether or not $parts[0] is a site spec or an alias
        // record.  If $parts[0] is not in the right form, the result
        // will be 'false'. This will throw if $parts[0] is an @alias
        // record, but the requested alias cannot be found.
        $alias_record = $manager->get($parts[0]);

        if (!isset($parts[1])) {
            return static::determinePathOrAlias($manager, $alias_record, $hostPath, $parts[0]);
        }

        // If $parts[0] did not resolve to a site spec or alias record,
        // but there is a $parts[1], then $parts[0] must be a machine name.
        // Unless it was an alias that could not be found.
        if ($alias_record === false) {
            if (SiteAliasName::isAliasName($parts[0])) {
0   == false // true
0   == null  // true
123 == false // false
123 == null  // false

// It is often better to use strict comparison
0 === false // false
0 === null  // false
                throw new \Exception('Site alias ' . $parts[0] . ' not found.');
            }
            $alias_record = new SiteAlias(['host' => $parts[0]]);
        }

        // Create our alias path
        return new HostPath($alias_record, $hostPath, $parts[1]);
    }

    /**
     * Return the alias record portion of the host path.
     *
     * @return SiteAlias
     */
    public function getSiteAlias()
    {
        return $this->alias_record;
    }

    /**
     * @deprecated Use getSiteAlias
     */
    public function getAliasRecord()
    {
        return $this->getSiteAlias();
    }

    /**
     * Returns true if this host path points at a remote machine
     *
     * @return bool
     */
    public function isRemote()
    {
        return $this->alias_record->isRemote();
    }

    /**
     * Return just the path portion, without considering the alias root.
     *
     * @return string
     */
    public function getOriginalPath()
    {
        return $this->path;
    }

    /**
     * Return the original host path string, as provided to the create() method.
     *
     * @return string
     */
    public function getOriginal()
    {
        return $this->original_path;
    }

    /**
     * Return just the path portion of the host path
     *
     * @return string
     */
    public function getPath()
    {
        if (empty($this->path)) {
            return $this->alias_record->root();
        }
        if ($this->alias_record->hasRoot() && !$this->implicit) {
            return Path::makeAbsolute($this->path, $this->alias_record->root());
        }
        return $this->path;
    }

    /**
     * Returns 'true' if the path portion of the host path begins with a
     * path alias (e.g. '%files'). Path aliases must appear at the beginning
     * of the path.
     *
     * @return bool
     */
    public function hasPathAlias()
    {
        $pathAlias = $this->getPathAlias();
        return !empty($pathAlias);
    }

    /**
     * Return just the path alias portion of the path (e.g. '%files'), or
     * empty if there is no alias in the path.
     *
     * @return string
     */
    public function getPathAlias()
    {
        if (preg_match('#%([^/]*).*#', $this->path, $matches)) {
            return $matches[1];
        }
        return '';
    }

    /**
     * Replaces the path alias portion of the path with the resolved path.
     *
     * @param string $resolvedPath The converted path alias (e.g. 'sites/default/files')
     * @return $this
     */
    public function replacePathAlias($resolvedPath)
    {
        $pathAlias = $this->getPathAlias();
        if (empty($pathAlias)) {
            return $this;
        }
        // Make sure that the resolved path always ends in a '\'.
        $resolvedPath .= '/';
        // Avoid double / in path.
        //   $this->path: %files/foo
        //   $pathAlias:   files
        // We add one to the length of $pathAlias to account for the '%' in $this->path.
        if (strlen($this->path) > (strlen($pathAlias) + 1)) {
            $resolvedPath = rtrim($resolvedPath, '/');
        }
        // Once the path alias is resolved, replace the alias in the $path with the result.
        $this->path = $resolvedPath . substr($this->path, strlen($pathAlias) + 1);

        // Using a path alias such as %files is equivalent to making explicit
        // use of @self:%files. We set implicit to false here so that the resolved
        // path will be returned as an absolute path rather than a relative path.
        $this->implicit = false;
$answer = 42;

$correct = false;

$correct = (bool) $answer;

        return $this;
    }

    /**
     * Return the host portion of the host path, including the user.
     *
     * @return string
     */
    public function getHost()
    {
        return $this->alias_record->remoteHostWithUser();
    }

    /**
     * Return the fully resolved path, e.g. user@server:/path/to/drupalroot/sites/default/files
     *
     * @return string
     */
    public function fullyQualifiedPath()
    {
        $host = $this->getHost();
        if (!empty($host)) {
            return $host . ':' . $this->getPath();
        }
        return $this->getPath();
    }

    /**
     * Our fully qualified path passes the result through Path::makeAbsolute()
     * which canonicallizes the path, removing any trailing slashes.
     * That is what we want most of the time; however, the trailing slash is
     * sometimes significant, e.g. for rsync, so we provide a separate API
     * for those cases where the trailing slash should be preserved.
     *
     * @return string
     */
    public function fullyQualifiedPathPreservingTrailingSlash()
    {
        $fqp = $this->fullyQualifiedPath();
        if ((substr($this->path, strlen($this->path) - 1) == '/') && (substr($fqp, strlen($fqp) - 1) != '/')) {
            $fqp .= '/';
        }
        return $fqp;
    }

    /**
     * Helper method for HostPath::create(). When the host path contains no
     * ':', this method determines whether the string that was provided is
     * a host or a path.
     *
     * @param SiteAliasManager $manager
     * @param SiteAlias|bool $alias_record
     * @param string $hostPath
     * @param string $single_part
     */
    protected static function determinePathOrAlias(SiteAliasManager $manager, $alias_record, $hostPath, $single_part)
    {
        // If $alias_record is false, then $single_part must be a path.
        if ($alias_record === false) {
            return new HostPath($manager->getSelf(), $hostPath, $single_part, true);
        }

        // Otherwise, we have a alias record without a path.
        // In this instance, the alias record _must_ have a root.
        if (!$alias_record->hasRoot()) {
function someFunction(A $objectMaybe = null)
{
    if ($objectMaybe instanceof A) {
        $objectMaybe->doSomething();
    }
}
            throw new \Exception("$hostPath does not define a path.");
        }
        return new HostPath($alias_record, $hostPath);

    }
}


1			<?php
2			namespace Consolidation\SiteAlias;
3
4			use Consolidation\Config\Config;
5			use Consolidation\Config\ConfigInterface;
6			use Webmozart\PathUtil\Path;
7
8			/**
9			* A host path is a path on some machine. The machine may be specified
10			* by a label, and the label may be an @alias or a site specification.
11			* If there is no label, then the local machine is assumed.
12			*
13			* Examples:
14			*
15			* @alias
16			* @alias:/path
17			* host:/path
18			* user@host:/path
19			* user@host/drupal-root#uri:/path
20			* /path
21			*
22			* Note that /path does not have to begin with a '/'; it may
23			* be a relative path, or it may begin with a path alias,
24			* e.g. '%files'.
25			*
26			* It is permissible to have an alias or site specification
27			* without a path, but it is not valid to have just a host
28			* with no path.
29			*/
30			class HostPath
31			{
32			/** @var SiteAlias The alias record obtained from the host path */
33			protected $alias_record;
34
35			/** @var string The entire original host path (e.g. @alias:/path) */
36			protected $original_path;
37
38			/** @var string The "path" component from the host path */
39			protected $path;
40
41			/** @var string The alias record is implicit (e.g. 'path' instead of '@self:path') */
42			protected $implicit;
43
44			/**
45			* HostPath constructor
46			*
47			* @param SiteAlias $alias_record The alias record or site specification record
48			* @param string $original_path The original host path
49			* @param string $path Just the 'path' component
50			*/
51			protected function __construct($alias_record, $original_path, $path = '', $implicit = false)
52			{
53			$this->alias_record = $alias_record;
54			$this->original_path = $original_path;
55			$this->path = $path;
56			$this->implicit = $implicit;
			0 ignored issues – show Documentation Bug introduced 2018-06-17 05:26 UTC by Report Bug Copy Issue Report Show Similar Issues like this The property `$implicit` was declared of type `string`, but `$implicit` is of type `boolean`. Maybe add a type cast? This check looks for assignments to scalar types that may be of the wrong type. To ensure the code behaves as expected, it may be a good idea to add an explicit type cast. $answer = 42; $correct = false; $correct = (bool) $answer; Loading history...
57			}
58
59			/**
60			* Factory method to create a host path.
61			*
62			* @param SiteAliasManager $manager We need to be provided a reference
63			* to the alias manager to create a host path
64			* @param string $hostPath The path to create.
65			*/
66			public static function create(SiteAliasManager $manager, $hostPath)
67			{
68			// Split the alias path up into
69			// - $parts[0]: everything before the first ":"
70			// - $parts[1]: everything after the ":", if there was one.
71			$parts = explode(':', $hostPath, 2);
72
73			// Determine whether or not $parts[0] is a site spec or an alias
74			// record. If $parts[0] is not in the right form, the result
75			// will be 'false'. This will throw if $parts[0] is an @alias
76			// record, but the requested alias cannot be found.
77			$alias_record = $manager->get($parts[0]);
78
79			if (!isset($parts[1])) {
80			return static::determinePathOrAlias($manager, $alias_record, $hostPath, $parts[0]);
81			}
82
83			// If $parts[0] did not resolve to a site spec or alias record,
84			// but there is a $parts[1], then $parts[0] must be a machine name.
85			// Unless it was an alias that could not be found.
86			if ($alias_record === false) {
87			if (SiteAliasName::isAliasName($parts[0])) {
			0 ignored issues – show Bug Best Practice introduced 2018-06-17 05:26 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `\Consolidation\SiteAlias...:isAliasName($parts[0])` of type `false\|integer` is loosely compared to `true`; this is ambiguous if the integer can be zero. You might want to explicitly use `!== null` instead. In PHP, under loose comparison (like `==`, or `!=`, or `switch` conditions), values of different types might be equal. For `integer` values, zero is a special case, in particular the following results might be unexpected: 0 == false // true 0 == null // true 123 == false // false 123 == null // false // It is often better to use strict comparison 0 === false // false 0 === null // false Loading history...
88			throw new \Exception('Site alias ' . $parts[0] . ' not found.');
89			}
90			$alias_record = new SiteAlias(['host' => $parts[0]]);
91			}
92
93			// Create our alias path
94			return new HostPath($alias_record, $hostPath, $parts[1]);
95			}
96
97			/**
98			* Return the alias record portion of the host path.
99			*
100			* @return SiteAlias
101			*/
102			public function getSiteAlias()
103			{
104			return $this->alias_record;
105			}
106
107			/**
108			* @deprecated Use getSiteAlias
109			*/
110			public function getAliasRecord()
111			{
112			return $this->getSiteAlias();
113			}
114
115			/**
116			* Returns true if this host path points at a remote machine
117			*
118			* @return bool
119			*/
120			public function isRemote()
121			{
122			return $this->alias_record->isRemote();
123			}
124
125			/**
126			* Return just the path portion, without considering the alias root.
127			*
128			* @return string
129			*/
130			public function getOriginalPath()
131			{
132			return $this->path;
133			}
134
135			/**
136			* Return the original host path string, as provided to the create() method.
137			*
138			* @return string
139			*/
140			public function getOriginal()
141			{
142			return $this->original_path;
143			}
144
145			/**
146			* Return just the path portion of the host path
147			*
148			* @return string
149			*/
150			public function getPath()
151			{
152			if (empty($this->path)) {
153			return $this->alias_record->root();
154			}
155			if ($this->alias_record->hasRoot() && !$this->implicit) {
156			return Path::makeAbsolute($this->path, $this->alias_record->root());
157			}
158			return $this->path;
159			}
160
161			/**
162			* Returns 'true' if the path portion of the host path begins with a
163			* path alias (e.g. '%files'). Path aliases must appear at the beginning
164			* of the path.
165			*
166			* @return bool
167			*/
168			public function hasPathAlias()
169			{
170			$pathAlias = $this->getPathAlias();
171			return !empty($pathAlias);
172			}
173
174			/**
175			* Return just the path alias portion of the path (e.g. '%files'), or
176			* empty if there is no alias in the path.
177			*
178			* @return string
179			*/
180			public function getPathAlias()
181			{
182			if (preg_match('#%([^/]).#', $this->path, $matches)) {
183			return $matches[1];
184			}
185			return '';
186			}
187
188			/**
189			* Replaces the path alias portion of the path with the resolved path.
190			*
191			* @param string $resolvedPath The converted path alias (e.g. 'sites/default/files')
192			* @return $this
193			*/
194			public function replacePathAlias($resolvedPath)
195			{
196			$pathAlias = $this->getPathAlias();
197			if (empty($pathAlias)) {
198			return $this;
199			}
200			// Make sure that the resolved path always ends in a '\'.
201			$resolvedPath .= '/';
202			// Avoid double / in path.
203			// $this->path: %files/foo
204			// $pathAlias: files
205			// We add one to the length of $pathAlias to account for the '%' in $this->path.
206			if (strlen($this->path) > (strlen($pathAlias) + 1)) {
207			$resolvedPath = rtrim($resolvedPath, '/');
208			}
209			// Once the path alias is resolved, replace the alias in the $path with the result.
210			$this->path = $resolvedPath . substr($this->path, strlen($pathAlias) + 1);
211
212			// Using a path alias such as %files is equivalent to making explicit
213			// use of @self:%files. We set implicit to false here so that the resolved
214			// path will be returned as an absolute path rather than a relative path.
215			$this->implicit = false;
			0 ignored issues – show Documentation Bug introduced 2018-06-17 05:26 UTC by Report Bug Copy Issue Report Show Similar Issues like this The property `$implicit` was declared of type `string`, but `false` is of type `false`. Maybe add a type cast? This check looks for assignments to scalar types that may be of the wrong type. To ensure the code behaves as expected, it may be a good idea to add an explicit type cast. $answer = 42; $correct = false; $correct = (bool) $answer; Loading history...
216
217			return $this;
218			}
219
220			/**
221			* Return the host portion of the host path, including the user.
222			*
223			* @return string
224			*/
225			public function getHost()
226			{
227			return $this->alias_record->remoteHostWithUser();
228			}
229
230			/**
231			* Return the fully resolved path, e.g. user@server:/path/to/drupalroot/sites/default/files
232			*
233			* @return string
234			*/
235			public function fullyQualifiedPath()
236			{
237			$host = $this->getHost();
238			if (!empty($host)) {
239			return $host . ':' . $this->getPath();
240			}
241			return $this->getPath();
242			}
243
244			/**
245			* Our fully qualified path passes the result through Path::makeAbsolute()
246			* which canonicallizes the path, removing any trailing slashes.
247			* That is what we want most of the time; however, the trailing slash is
248			* sometimes significant, e.g. for rsync, so we provide a separate API
249			* for those cases where the trailing slash should be preserved.
250			*
251			* @return string
252			*/
253			public function fullyQualifiedPathPreservingTrailingSlash()
254			{
255			$fqp = $this->fullyQualifiedPath();
256			if ((substr($this->path, strlen($this->path) - 1) == '/') && (substr($fqp, strlen($fqp) - 1) != '/')) {
257			$fqp .= '/';
258			}
259			return $fqp;
260			}
261
262			/**
263			* Helper method for HostPath::create(). When the host path contains no
264			* ':', this method determines whether the string that was provided is
265			* a host or a path.
266			*
267			* @param SiteAliasManager $manager
268			* @param SiteAlias\|bool $alias_record
269			* @param string $hostPath
270			* @param string $single_part
271			*/
272			protected static function determinePathOrAlias(SiteAliasManager $manager, $alias_record, $hostPath, $single_part)
273			{
274			// If $alias_record is false, then $single_part must be a path.
275			if ($alias_record === false) {
276			return new HostPath($manager->getSelf(), $hostPath, $single_part, true);
277			}
278
279			// Otherwise, we have a alias record without a path.
280			// In this instance, the alias record _must_ have a root.
281			if (!$alias_record->hasRoot()) {
			0 ignored issues – show Bug introduced 2018-06-17 05:26 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `$alias_record` is not always an object, but can also be of type `boolean`. Maybe add an additional type check? If a variable is not always an object, we recommend to add an additional type check to ensure your method call is safe: function someFunction(A $objectMaybe = null) { if ($objectMaybe instanceof A) { $objectMaybe->doSomething(); } } Loading history...
282			throw new \Exception("$hostPath does not define a path.");
283			}
284			return new HostPath($alias_record, $hostPath);
			0 ignored issues – show Bug introduced 2019-03-03 17:53 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `$alias_record` defined by parameter `$alias_record` on line 272 can also be of type `boolean`; however, `Consolidation\SiteAlias\HostPath::__construct()` does only seem to accept `object<Consolidation\SiteAlias\SiteAlias>`, maybe add an additional type check? This check looks at variables that have been passed in as parameters and are passed out again to other methods. If the outgoing method call has stricter type requirements than the method itself, an issue is raised. An additional type check may prevent trouble. Loading history...
285			}
286			}
287

consolidation / site-alias

Issues (50)

Security Analysis no request data

src/HostPath.php (5 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like