Issues in DoctrineExtension.php (master) - Issues in master - doctrine/DoctrineBundle - Measure and Improve Code Quality continuously with Scrutinizer

Issues (220)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

Twig/DoctrineExtension.php (1 issue)

Labels

Severity

Major 1

Robin Chalas 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace Doctrine\Bundle\DoctrineBundle\Twig;

use Doctrine\SqlFormatter\HtmlHighlighter;
use Doctrine\SqlFormatter\NullHighlighter;
use Doctrine\SqlFormatter\SqlFormatter;
use Symfony\Component\VarDumper\Cloner\Data;
use Twig\Extension\AbstractExtension;
use Twig\TwigFilter;

/**
 * This class contains the needed functions in order to do the query highlighting
 */
class DoctrineExtension extends AbstractExtension
{
    /** @var SqlFormatter */
    private $sqlFormatter;

    /**
     * Define our functions
     *
     * @return TwigFilter[]
     */
    public function getFilters()
    {
        return [
            new TwigFilter('doctrine_pretty_query', [$this, 'formatQuery'], ['is_safe' => ['html'], 'deprecated' => true]),
            new TwigFilter('doctrine_prettify_sql', [$this, 'prettifySql'], ['is_safe' => ['html']]),
            new TwigFilter('doctrine_format_sql', [$this, 'formatSql'], ['is_safe' => ['html']]),
            new TwigFilter('doctrine_replace_query_parameters', [$this, 'replaceQueryParameters']),
        ];
    }

    /**
     * Get the possible combinations of elements from the given array
     */
    private function getPossibleCombinations(array $elements, int $combinationsLevel) : array
    {
        $baseCount = count($elements);
        $result    = [];

        if ($combinationsLevel === 1) {
            foreach ($elements as $element) {
                $result[] = [$element];
            }

            return $result;
        }

        $nextLevelElements = $this->getPossibleCombinations($elements, $combinationsLevel - 1);

        foreach ($nextLevelElements as $nextLevelElement) {
            $lastElement = $nextLevelElement[$combinationsLevel - 2];
            $found       = false;

            foreach ($elements as $key => $element) {
                if ($element === $lastElement) {
                    $found = true;
                    continue;
                }

                if ($found !== true || $key >= $baseCount) {
                    continue;
                }

                $tmp              = $nextLevelElement;
                $newCombination   = array_slice($tmp, 0);
                $newCombination[] = $element;
                $result[]         = array_slice($newCombination, 0);
            }
        }

        return $result;
    }

    /**
     * Escape parameters of a SQL query
     * DON'T USE THIS FUNCTION OUTSIDE ITS INTENDED SCOPE
     *
     * @internal
     *
     * @param mixed $parameter
     *
     * @return string
     */
    public static function escapeFunction($parameter)
    {
        $result = $parameter;

        switch (true) {
            // Check if result is non-unicode string using PCRE_UTF8 modifier
            case is_string($result) && ! preg_match('//u', $result):
                $result = '0x' . strtoupper(bin2hex($result));
                break;

            case is_string($result):
                $result = "'" . addslashes($result) . "'";
                break;

            case is_array($result):
                foreach ($result as &$value) {
                    $value = static::escapeFunction($value);
                }

                $result = implode(', ', $result) ?: 'NULL';
                break;

            case is_object($result):
                $result = addslashes((string) $result);
                break;

            case $result === null:
                $result = 'NULL';
                break;

            case is_bool($result):
                $result = $result ? '1' : '0';
                break;
        }

        return $result;
    }

    /**
     * Return a query with the parameters replaced
     *
     * @param string     $query
     * @param array|Data $parameters
     *
     * @return string
     */
    public function replaceQueryParameters($query, $parameters)
    {
        if ($parameters instanceof Data) {
            $parameters = $parameters->getValue(true);
        }

        $i = 0;

        if (! array_key_exists(0, $parameters) && array_key_exists(1, $parameters)) {
            $i = 1;
        }

        return preg_replace_callback(
            '/\?|((?<!:):[a-z0-9_]+)/i',
            static function ($matches) use ($parameters, &$i) {
                $key = substr($matches[0], 1);

                if (! array_key_exists($i, $parameters) && ($key === false || ! array_key_exists($key, $parameters))) {
                    return $matches[0];
                }

                $value  = array_key_exists($i, $parameters) ? $parameters[$i] : $parameters[$key];
                $result = DoctrineExtension::escapeFunction($value);
                $i++;

                return $result;
            },
            $query
        );
    }

    /**
     * Formats and/or highlights the given SQL statement.
     *
     * @param  string $sql
     * @param  bool   $highlightOnly If true the query is not formatted, just highlighted
     *
     * @return string
     */
    public function formatQuery($sql, $highlightOnly = false)
    {
        @trigger_error(sprintf('The "%s()" method is deprecated and will be removed in DoctrineBundle 3.0.', __METHOD__), E_USER_DEPRECATED);
// For example instead of
@mkdir($dir);

// Better use
if (@mkdir($dir) === false) {
    throw new \RuntimeException('The directory '.$dir.' could not be created.');
}

        $this->setUpSqlFormatter(true, true);

        if ($highlightOnly) {
            return $this->sqlFormatter->highlight($sql);
        }

        return sprintf(
            '<div class="highlight highlight-sql"><pre>%s</pre></div>',
            $this->sqlFormatter->format($sql)
        );
    }

    public function prettifySql(string $sql) : string
    {
        $this->setUpSqlFormatter();

        return $this->sqlFormatter->highlight($sql);
    }

    public function formatSql(string $sql, bool $highlight) : string
    {
        $this->setUpSqlFormatter($highlight);

        return $this->sqlFormatter->format($sql);
    }

    private function setUpSqlFormatter(bool $highlight = true, bool $legacy = false) : void
    {
        $this->sqlFormatter = new SqlFormatter($highlight ? new HtmlHighlighter([
            HtmlHighlighter::HIGHLIGHT_PRE            => 'class="highlight highlight-sql"',
            HtmlHighlighter::HIGHLIGHT_QUOTE          => 'class="string"',
            HtmlHighlighter::HIGHLIGHT_BACKTICK_QUOTE => 'class="string"',
            HtmlHighlighter::HIGHLIGHT_RESERVED       => 'class="keyword"',
            HtmlHighlighter::HIGHLIGHT_BOUNDARY       => 'class="symbol"',
            HtmlHighlighter::HIGHLIGHT_NUMBER         => 'class="number"',
            HtmlHighlighter::HIGHLIGHT_WORD           => 'class="word"',
            HtmlHighlighter::HIGHLIGHT_ERROR          => 'class="error"',
            HtmlHighlighter::HIGHLIGHT_COMMENT        => 'class="comment"',
            HtmlHighlighter::HIGHLIGHT_VARIABLE       => 'class="variable"',
        ], ! $legacy) : new NullHighlighter());
    }

    /**
     * Get the name of the extension
     *
     * @return string
     */
    public function getName()
    {
        return 'doctrine_extension';
    }
}


1			<?php
2
3			namespace Doctrine\Bundle\DoctrineBundle\Twig;
4
5			use Doctrine\SqlFormatter\HtmlHighlighter;
6			use Doctrine\SqlFormatter\NullHighlighter;
7			use Doctrine\SqlFormatter\SqlFormatter;
8			use Symfony\Component\VarDumper\Cloner\Data;
9			use Twig\Extension\AbstractExtension;
10			use Twig\TwigFilter;
11
12			/**
13			* This class contains the needed functions in order to do the query highlighting
14			*/
15			class DoctrineExtension extends AbstractExtension
16			{
17			/** @var SqlFormatter */
18			private $sqlFormatter;
19
20			/**
21			* Define our functions
22			*
23			* @return TwigFilter[]
24			*/
25			public function getFilters()
26			{
27			return [
28			new TwigFilter('doctrine_pretty_query', [$this, 'formatQuery'], ['is_safe' => ['html'], 'deprecated' => true]),
29			new TwigFilter('doctrine_prettify_sql', [$this, 'prettifySql'], ['is_safe' => ['html']]),
30			new TwigFilter('doctrine_format_sql', [$this, 'formatSql'], ['is_safe' => ['html']]),
31			new TwigFilter('doctrine_replace_query_parameters', [$this, 'replaceQueryParameters']),
32			];
33			}
34
35			/**
36			* Get the possible combinations of elements from the given array
37			*/
38			private function getPossibleCombinations(array $elements, int $combinationsLevel) : array
39			{
40			$baseCount = count($elements);
41			$result = [];
42
43			if ($combinationsLevel === 1) {
44			foreach ($elements as $element) {
45			$result[] = [$element];
46			}
47
48			return $result;
49			}
50
51			$nextLevelElements = $this->getPossibleCombinations($elements, $combinationsLevel - 1);
52
53			foreach ($nextLevelElements as $nextLevelElement) {
54			$lastElement = $nextLevelElement[$combinationsLevel - 2];
55			$found = false;
56
57			foreach ($elements as $key => $element) {
58			if ($element === $lastElement) {
59			$found = true;
60			continue;
61			}
62
63			if ($found !== true \|\| $key >= $baseCount) {
64			continue;
65			}
66
67			$tmp = $nextLevelElement;
68			$newCombination = array_slice($tmp, 0);
69			$newCombination[] = $element;
70			$result[] = array_slice($newCombination, 0);
71			}
72			}
73
74			return $result;
75			}
76
77			/**
78			* Escape parameters of a SQL query
79			* DON'T USE THIS FUNCTION OUTSIDE ITS INTENDED SCOPE
80			*
81			* @internal
82			*
83			* @param mixed $parameter
84			*
85			* @return string
86			*/
87			public static function escapeFunction($parameter)
88			{
89			$result = $parameter;
90
91			switch (true) {
92			// Check if result is non-unicode string using PCRE_UTF8 modifier
93			case is_string($result) && ! preg_match('//u', $result):
94			$result = '0x' . strtoupper(bin2hex($result));
95			break;
96
97			case is_string($result):
98			$result = "'" . addslashes($result) . "'";
99			break;
100
101			case is_array($result):
102			foreach ($result as &$value) {
103			$value = static::escapeFunction($value);
104			}
105
106			$result = implode(', ', $result) ?: 'NULL';
107			break;
108
109			case is_object($result):
110			$result = addslashes((string) $result);
111			break;
112
113			case $result === null:
114			$result = 'NULL';
115			break;
116
117			case is_bool($result):
118			$result = $result ? '1' : '0';
119			break;
120			}
121
122			return $result;
123			}
124
125			/**
126			* Return a query with the parameters replaced
127			*
128			* @param string $query
129			* @param array\|Data $parameters
130			*
131			* @return string
132			*/
133			public function replaceQueryParameters($query, $parameters)
134			{
135			if ($parameters instanceof Data) {
136			$parameters = $parameters->getValue(true);
137			}
138
139			$i = 0;
140
141			if (! array_key_exists(0, $parameters) && array_key_exists(1, $parameters)) {
142			$i = 1;
143			}
144
145			return preg_replace_callback(
146			'/\?\|((?<!:):[a-z0-9_]+)/i',
147			static function ($matches) use ($parameters, &$i) {
148			$key = substr($matches[0], 1);
149
150			if (! array_key_exists($i, $parameters) && ($key === false \|\| ! array_key_exists($key, $parameters))) {
151			return $matches[0];
152			}
153
154			$value = array_key_exists($i, $parameters) ? $parameters[$i] : $parameters[$key];
155			$result = DoctrineExtension::escapeFunction($value);
156			$i++;
157
158			return $result;
159			},
160			$query
161			);
162			}
163
164			/**
165			* Formats and/or highlights the given SQL statement.
166			*
167			* @param string $sql
168			* @param bool $highlightOnly If true the query is not formatted, just highlighted
169			*
170			* @return string
171			*/
172			public function formatQuery($sql, $highlightOnly = false)
173			{
174			@trigger_error(sprintf('The "%s()" method is deprecated and will be removed in DoctrineBundle 3.0.', __METHOD__), E_USER_DEPRECATED);
			0 ignored issues – show Security Best Practice introduced 2018-11-30 11:53 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like you do not handle an error condition here. This can introduce security issues, and is generally not recommended. If you suppress an error, we recommend checking for the error condition explicitly: // For example instead of @mkdir($dir); // Better use if (@mkdir($dir) === false) { throw new \RuntimeException('The directory '.$dir.' could not be created.'); } Loading history...
175
176			$this->setUpSqlFormatter(true, true);
177
178			if ($highlightOnly) {
179			return $this->sqlFormatter->highlight($sql);
180			}
181
182			return sprintf(
183			'<div class="highlight highlight-sql"><pre>%s</pre></div>',
184			$this->sqlFormatter->format($sql)
185			);
186			}
187
188			public function prettifySql(string $sql) : string
189			{
190			$this->setUpSqlFormatter();
191
192			return $this->sqlFormatter->highlight($sql);
193			}
194
195			public function formatSql(string $sql, bool $highlight) : string
196			{
197			$this->setUpSqlFormatter($highlight);
198
199			return $this->sqlFormatter->format($sql);
200			}
201
202			private function setUpSqlFormatter(bool $highlight = true, bool $legacy = false) : void
203			{
204			$this->sqlFormatter = new SqlFormatter($highlight ? new HtmlHighlighter([
205			HtmlHighlighter::HIGHLIGHT_PRE => 'class="highlight highlight-sql"',
206			HtmlHighlighter::HIGHLIGHT_QUOTE => 'class="string"',
207			HtmlHighlighter::HIGHLIGHT_BACKTICK_QUOTE => 'class="string"',
208			HtmlHighlighter::HIGHLIGHT_RESERVED => 'class="keyword"',
209			HtmlHighlighter::HIGHLIGHT_BOUNDARY => 'class="symbol"',
210			HtmlHighlighter::HIGHLIGHT_NUMBER => 'class="number"',
211			HtmlHighlighter::HIGHLIGHT_WORD => 'class="word"',
212			HtmlHighlighter::HIGHLIGHT_ERROR => 'class="error"',
213			HtmlHighlighter::HIGHLIGHT_COMMENT => 'class="comment"',
214			HtmlHighlighter::HIGHLIGHT_VARIABLE => 'class="variable"',
215			], ! $legacy) : new NullHighlighter());
216			}
217
218			/**
219			* Get the name of the extension
220			*
221			* @return string
222			*/
223			public function getName()
224			{
225			return 'doctrine_extension';
226			}
227			}
228

doctrine / DoctrineBundle

Issues (220)

Security Analysis not enabled

Twig/DoctrineExtension.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like