Issues in Frame.php (master) - Issues in master - filp/whoops - Measure and Improve Code Quality continuously with Scrutinizer

Issues (32)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Whoops/Exception/Frame.php (2 issues)

Labels

Severity

Major 2

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * Whoops - php errors for cool kids
 * @author Filipe Dobreira <http://github.com/filp>
 */

namespace Whoops\Exception;

use InvalidArgumentException;
use Serializable;

class Frame implements Serializable
{
    /**
     * @var array
     */
    protected $frame;

    /**
     * @var string
     */
    protected $fileContentsCache;

    /**
     * @var array[]
     */
    protected $comments = [];

    /**
     * @var bool
     */
    protected $application;

    /**
     * @param array[]
     */
    public function __construct(array $frame)
    {
        $this->frame = $frame;
    }

    /**
     * @param  bool        $shortened
     * @return string|null
     */
    public function getFile($shortened = false)
    {
        if (empty($this->frame['file'])) {
            return null;
        }

        $file = $this->frame['file'];

        // Check if this frame occurred within an eval().
        // @todo: This can be made more reliable by checking if we've entered
        // eval() in a previous trace, but will need some more work on the upper
        // trace collector(s).
        if (preg_match('/^(.*)\((\d+)\) : (?:eval\(\)\'d|assert) code$/', $file, $matches)) {
            $file = $this->frame['file'] = $matches[1];
            $this->frame['line'] = (int) $matches[2];
        }

        if ($shortened && is_string($file)) {
            // Replace the part of the path that all frames have in common, and add 'soft hyphens' for smoother line-breaks.
            $dirname = dirname(dirname(dirname(dirname(dirname(dirname(__DIR__))))));
            if ($dirname !== '/') {
                $file = str_replace($dirname, "&hellip;", $file);
            }
            $file = str_replace("/", "/&shy;", $file);
        }

        return $file;
    }

    /**
     * @return int|null
     */
    public function getLine()
    {
        return isset($this->frame['line']) ? $this->frame['line'] : null;
    }

    /**
     * @return string|null
     */
    public function getClass()
    {
        return isset($this->frame['class']) ? $this->frame['class'] : null;
    }

    /**
     * @return string|null
     */
    public function getFunction()
    {
        return isset($this->frame['function']) ? $this->frame['function'] : null;
    }

    /**
     * @return array
     */
    public function getArgs()
    {
        return isset($this->frame['args']) ? (array) $this->frame['args'] : [];
    }

    /**
     * Returns the full contents of the file for this frame,
     * if it's known.
     * @return string|null
     */
    public function getFileContents()
    {
        if ($this->fileContentsCache === null && $filePath = $this->getFile()) {
            // Leave the stage early when 'Unknown' or '[internal]' is passed
            // this would otherwise raise an exception when
            // open_basedir is enabled.
            if ($filePath === "Unknown" || $filePath === '[internal]') {
                return null;
            }

            try {
                $this->fileContentsCache = file_get_contents($filePath);
            } catch (ErrorException $exception) {
                // Internal file paths of PHP extensions cannot be opened
            }
        }

        return $this->fileContentsCache;
    }

    /**
     * Adds a comment to this frame, that can be received and
     * used by other handlers. For example, the PrettyPage handler
     * can attach these comments under the code for each frame.
     *
     * An interesting use for this would be, for example, code analysis
     * & annotations.
     *
     * @param string $comment
     * @param string $context Optional string identifying the origin of the comment
     */
    public function addComment($comment, $context = 'global')
    {
        $this->comments[] = [
            'comment' => $comment,
            'context' => $context,
        ];
    }

    /**
     * Returns all comments for this frame. Optionally allows
     * a filter to only retrieve comments from a specific
     * context.
     *
     * @param  string  $filter
     * @return array[]
     */
    public function getComments($filter = null)
    {
        $comments = $this->comments;

        if ($filter !== null) {
            $comments = array_filter($comments, function ($c) use ($filter) {
                return $c['context'] == $filter;
            });
        }

        return $comments;
    }

    /**
     * Returns the array containing the raw frame data from which
     * this Frame object was built
     *
     * @return array
     */
    public function getRawFrame()
    {
        return $this->frame;
    }

    /**
     * Returns the contents of the file for this frame as an
     * array of lines, and optionally as a clamped range of lines.
     *
     * NOTE: lines are 0-indexed
     *
     * @example
     *     Get all lines for this file
     *     $frame->getFileLines(); // => array( 0 => '<?php', 1 => '...', ...)
     * @example
     *     Get one line for this file, starting at line 10 (zero-indexed, remember!)
     *     $frame->getFileLines(9, 1); // array( 9 => '...' )
     *
     * @throws InvalidArgumentException if $length is less than or equal to 0
     * @param  int                      $start
     * @param  int                      $length
     * @return string[]|null
     */
    public function getFileLines($start = 0, $length = null)
    {
        if (null !== ($contents = $this->getFileContents())) {
            $lines = explode("\n", $contents);

            // Get a subset of lines from $start to $end
            if ($length !== null) {
                $start  = (int) $start;
                $length = (int) $length;
                if ($start < 0) {
                    $start = 0;
                }

                if ($length <= 0) {
                    throw new InvalidArgumentException(
                        "\$length($length) cannot be lower or equal to 0"
                    );
                }

                $lines = array_slice($lines, $start, $length, true);
            }

            return $lines;
        }
    }

    /**
     * Implements the Serializable interface, with special
     * steps to also save the existing comments.
     *
     * @see Serializable::serialize
     * @return string
     */
    public function serialize()
    {
        $frame = $this->frame;
        if (!empty($this->comments)) {
            $frame['_comments'] = $this->comments;
        }

        return serialize($frame);
    }

    /**
     * Unserializes the frame data, while also preserving
     * any existing comment data.
     *
     * @see Serializable::unserialize
     * @param string $serializedFrame
     */
    public function unserialize($serializedFrame)
    {
        $frame = unserialize($serializedFrame);

        if (!empty($frame['_comments'])) {
            $this->comments = $frame['_comments'];
            unset($frame['_comments']);
        }

        $this->frame = $frame;
    }

    /**
     * Compares Frame against one another
     * @param  Frame $frame
     * @return bool
     */
    public function equals(Frame $frame)
    {
        if (!$this->getFile() || $this->getFile() === 'Unknown' || !$this->getLine()) {
''   == false // true
''   == null  // true
'ab' == false // false
'ab' == null  // false

// It is often better to use strict comparison
'' === false // false
'' === null  // false
            return false;
        }
        return $frame->getFile() === $this->getFile() && $frame->getLine() === $this->getLine();
    }

    /**
     * Returns whether this frame belongs to the application or not.
     *
     * @return boolean
     */
    public function isApplication()
    {
        return $this->application;
    }

    /**
     * Mark as an frame belonging to the application.
     *
     * @param boolean $application
     */
    public function setApplication($application)
    {
        $this->application = $application;
    }
}


1		<?php
2		/**
3		* Whoops - php errors for cool kids
4		* @author Filipe Dobreira <http://github.com/filp>
5		*/
6
7		namespace Whoops\Exception;
8
9		use InvalidArgumentException;
10		use Serializable;
11
12		class Frame implements Serializable
13		{
14		/**
15		* @var array
16		*/
17		protected $frame;
18
19		/**
20		* @var string
21		*/
22		protected $fileContentsCache;
23
24		/**
25		* @var array[]
26		*/
27		protected $comments = [];
28
29		/**
30		* @var bool
31		*/
32		protected $application;
33
34		/**
35		* @param array[]
36		*/
37	1	public function __construct(array $frame)
38		{
39	1	$this->frame = $frame;
40	1	}
41
42		/**
43		* @param bool $shortened
44		* @return string\|null
45		*/
46	2	public function getFile($shortened = false)
47		{
48	2	if (empty($this->frame['file'])) {
49		return null;
50		}
51
52	2	$file = $this->frame['file'];
53
54		// Check if this frame occurred within an eval().
55		// @todo: This can be made more reliable by checking if we've entered
56		// eval() in a previous trace, but will need some more work on the upper
57		// trace collector(s).
58	2	if (preg_match('/^(.*)\((\d+)\) : (?:eval\(\)\'d\|assert) code$/', $file, $matches)) {
59		$file = $this->frame['file'] = $matches[1];
60		$this->frame['line'] = (int) $matches[2];
61		}
62
63	2	if ($shortened && is_string($file)) {
64		// Replace the part of the path that all frames have in common, and add 'soft hyphens' for smoother line-breaks.
65		$dirname = dirname(dirname(dirname(dirname(dirname(dirname(__DIR__))))));
66		if ($dirname !== '/') {
67		$file = str_replace($dirname, "…", $file);
68		}
69		$file = str_replace("/", "/", $file);
70		}
71
72	2	return $file;
73		}
74
75		/**
76		* @return int\|null
77		*/
78	2	public function getLine()
79		{
80	2	return isset($this->frame['line']) ? $this->frame['line'] : null;
81		}
82
83		/**
84		* @return string\|null
85		*/
86	2	public function getClass()
87		{
88	2	return isset($this->frame['class']) ? $this->frame['class'] : null;
89		}
90
91		/**
92		* @return string\|null
93		*/
94	2	public function getFunction()
95		{
96	2	return isset($this->frame['function']) ? $this->frame['function'] : null;
97		}
98
99		/**
100		* @return array
101		*/
102	1	public function getArgs()
103		{
104	1	return isset($this->frame['args']) ? (array) $this->frame['args'] : [];
105		}
106
107		/**
108		* Returns the full contents of the file for this frame,
109		* if it's known.
110		* @return string\|null
111		*/
112	3	public function getFileContents()
113		{
114	3	if ($this->fileContentsCache === null && $filePath = $this->getFile()) {
115		// Leave the stage early when 'Unknown' or '[internal]' is passed
116		// this would otherwise raise an exception when
117		// open_basedir is enabled.
118	3	if ($filePath === "Unknown" \|\| $filePath === '[internal]') {
119	2	return null;
120		}
121
122		try {
123	1	$this->fileContentsCache = file_get_contents($filePath);
124	1	} catch (ErrorException $exception) {
125		// Internal file paths of PHP extensions cannot be opened
126		}
127	1	}
128
129	1	return $this->fileContentsCache;
130		}
131
132		/**
133		* Adds a comment to this frame, that can be received and
134		* used by other handlers. For example, the PrettyPage handler
135		* can attach these comments under the code for each frame.
136		*
137		* An interesting use for this would be, for example, code analysis
138		* & annotations.
139		*
140		* @param string $comment
141		* @param string $context Optional string identifying the origin of the comment
142		*/
143	2	public function addComment($comment, $context = 'global')
144		{
145	2	$this->comments[] = [
146	2	'comment' => $comment,
147	2	'context' => $context,
148		];
149	2	}
150
151		/**
152		* Returns all comments for this frame. Optionally allows
153		* a filter to only retrieve comments from a specific
154		* context.
155		*
156		* @param string $filter
157		* @return array[]
158		*/
159	2	public function getComments($filter = null)
160		{
161	2	$comments = $this->comments;
162
163	2	if ($filter !== null) {
164	1	$comments = array_filter($comments, function ($c) use ($filter) {
165	1	return $c['context'] == $filter;
166	1	});
167	1	}
168
169	2	return $comments;
170		}
171
172		/**
173		* Returns the array containing the raw frame data from which
174		* this Frame object was built
175		*
176		* @return array
177		*/
178		public function getRawFrame()
179		{
180		return $this->frame;
181		}
182
183		/**
184		* Returns the contents of the file for this frame as an
185		* array of lines, and optionally as a clamped range of lines.
186		*
187		* NOTE: lines are 0-indexed
188		*
189		* @example
190		* Get all lines for this file
191		* $frame->getFileLines(); // => array( 0 => '<?php', 1 => '...', ...)
192		* @example
193		* Get one line for this file, starting at line 10 (zero-indexed, remember!)
194		* $frame->getFileLines(9, 1); // array( 9 => '...' )
195		*
196		* @throws InvalidArgumentException if $length is less than or equal to 0
197		* @param int $start
198		* @param int $length
199		* @return string[]\|null
200		*/
201	2	public function getFileLines($start = 0, $length = null)
202		{
203	2	if (null !== ($contents = $this->getFileContents())) {
204	2	$lines = explode("\n", $contents);
205
206		// Get a subset of lines from $start to $end
207	2	if ($length !== null) {
208	1	$start = (int) $start;
209	1	$length = (int) $length;
210	1	if ($start < 0) {
211		$start = 0;
212		}
213
214	1	if ($length <= 0) {
215		throw new InvalidArgumentException(
216		"\$length($length) cannot be lower or equal to 0"
217		);
218		}
219
220	1	$lines = array_slice($lines, $start, $length, true);
221	1	}
222
223	2	return $lines;
224		}
225		}
226
227		/**
228		* Implements the Serializable interface, with special
229		* steps to also save the existing comments.
230		*
231		* @see Serializable::serialize
232		* @return string
233		*/
234	1	public function serialize()
235		{
236	1	$frame = $this->frame;
237	1	if (!empty($this->comments)) {
238	1	$frame['_comments'] = $this->comments;
239	1	}
240
241	1	return serialize($frame);
242		}
243
244		/**
245		* Unserializes the frame data, while also preserving
246		* any existing comment data.
247		*
248		* @see Serializable::unserialize
249		* @param string $serializedFrame
250		*/
251	1	public function unserialize($serializedFrame)
252		{
253	1	$frame = unserialize($serializedFrame);
254
255	1	if (!empty($frame['_comments'])) {
256	1	$this->comments = $frame['_comments'];
257	1	unset($frame['_comments']);
258	1	}
259
260	1	$this->frame = $frame;
261	1	}
262
263		/**
264		* Compares Frame against one another
265		* @param Frame $frame
266		* @return bool
267		*/
268	1	public function equals(Frame $frame)
269		{
270	1	if (!$this->getFile() \|\| $this->getFile() === 'Unknown' \|\| !$this->getLine()) {
		0 ignored issues – show Bug Best Practice introduced 2015-11-21 13:08 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `$this->getFile()` of type `string\|null` is loosely compared to `false`; this is ambiguous if the string can be empty. You might want to explicitly use `=== null` instead. In PHP, under loose comparison (like `==`, or `!=`, or `switch` conditions), values of different types might be equal. For `string` values, the empty string `''` is a special case, in particular the following results might be unexpected: '' == false // true '' == null // true 'ab' == false // false 'ab' == null // false // It is often better to use strict comparison '' === false // false '' === null // false Loading history... Bug Best Practice introduced 2015-11-21 13:08 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `$this->getLine()` of type `integer\|null` is loosely compared to `false`; this is ambiguous if the integer can be zero. You might want to explicitly use `=== null` instead. In PHP, under loose comparison (like `==`, or `!=`, or `switch` conditions), values of different types might be equal. For `integer` values, zero is a special case, in particular the following results might be unexpected: 0 == false // true 0 == null // true 123 == false // false 123 == null // false // It is often better to use strict comparison 0 === false // false 0 === null // false Loading history...
271		return false;
272		}
273	1	return $frame->getFile() === $this->getFile() && $frame->getLine() === $this->getLine();
274		}
275
276		/**
277		* Returns whether this frame belongs to the application or not.
278		*
279		* @return boolean
280		*/
281		public function isApplication()
282		{
283		return $this->application;
284		}
285
286		/**
287		* Mark as an frame belonging to the application.
288		*
289		* @param boolean $application
290		*/
291		public function setApplication($application)
292		{
293		$this->application = $application;
294		}
295		}
296

filp / whoops

Issues (32)

Security Analysis not enabled

src/Whoops/Exception/Frame.php (2 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like