Issues in Meta.php (master) - Issues in master - flipbox/meta - Measure and Improve Code Quality continuously with Scrutinizer

Issues (13)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/elements/db/Meta.php (1 issue)

Labels

Severity

Minor 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

/**
 * @copyright  Copyright (c) Flipbox Digital Limited
 * @license    https://flipboxfactory.com/software/meta/license
 * @link       https://www.flipboxfactory.com/software/meta/
 */

namespace flipbox\meta\elements\db;

use Craft;
use craft\base\Element;
use craft\base\ElementInterface;
use craft\db\Query;
use craft\elements\db\ElementQuery;
use craft\helpers\Db as DbHelper;
use craft\models\Site;
use flipbox\meta\elements\Meta as MetaElement;
use flipbox\meta\fields\Meta as MetaField;
use flipbox\meta\helpers\Field as FieldHelper;
use flipbox\meta\Meta as MetaPlugin;
use flipbox\meta\records\Meta as MetaRecord;
use yii\base\Exception;

/**
 * @author Flipbox Factory <[email protected]>
 * @since 1.0.0
 *
 * @property string|string[]|Site $ownerSite The handle(s) of the site(s) that the owner element should be in
 *
 * @method MetaElement[]|array all($db = null)
 * @method MetaElement|null one($db = null)
 */
class Meta extends ElementQuery
{

    /**
     * The field ID(s) that the resulting Meta must belong to.
     *
     * @var integer|integer[]
     */
    public $fieldId;

    /**
     * The owner element ID(s) that the resulting Meta must belong to.
     *
     * @var int|int[]|null
     */
    public $ownerId;

    /**
     * The site ID that the resulting Meta must have been defined in, or ':empty:' to find
     * elements without an owner site ID.
     *
     * @var int|string|null
     */
    public $ownerSiteId;

    /**
     * @inheritdoc
     */
    public function __construct($elementType, array $config = [])
    {
        // Default orderBy
        if (!isset($config['orderBy'])) {
            $config['orderBy'] = 'meta.sortOrder';
        }

        parent::__construct($elementType, $config);
    }

    /**
     * @inheritdoc
     */
    public function __set($name, $value)
    {
        switch ($name) {
            case 'ownerSite':
                $this->ownerSite($value);
                break;
            default:
                parent::__set($name, $value);
        }
    }

    /**
     * Sets the [[fieldId]] property.
     *
     * @param int|int[]|null $value The property value
     *
     * @return static self reference
     */
    public function fieldId($value)
    {
        $this->fieldId = $value;

        return $this;
    }

    /**
     * Sets the [[ownerId]] property.
     *
     * @param int|int[]|null $value The property value
     *
     * @return static self reference
     */
    public function ownerId($value)
    {
        $this->ownerId = $value;

        return $this;
    }

    /**
     * Sets the [[ownerSiteId]] and [[siteId]] properties.
     *
     * @param int|string|null $value The property value
     *
     * @return static self reference
     */
    public function ownerSiteId($value)
    {
        $this->ownerSiteId = $value;

        if ($value && strtolower($value) !== ':empty:') {
            // A meta will never exist in a site that is different than its ownerSiteId,
            // so let's set the siteId param here too.
            $this->siteId = (int)$value;
        }

        return $this;
    }

    /**
     * Sets the [[ownerSiteId]] property based on a given site(s)’s handle(s).
     *
     * @param string|string[]|Site $value The property value
     *
     * @return static self reference
     * @throws Exception if $value is an invalid site handle
     */
    public function ownerSite($value)
    {
        if ($value instanceof Site) {
            $this->ownerSiteId($value->id);
        } else {
            $site = Craft::$app->getSites()->getSiteByHandle($value);

            if (!$site) {
                throw new Exception('Invalid site handle: ' . $value);
            }

            $this->ownerSiteId($site->id);
        }

        return $this;
    }

    /**
     * Sets the [[ownerId]] and [[ownerSiteId]] properties based on a given element.
     *
     * @param ElementInterface $owner The owner element
     *
     * @return static self reference
     */
    public function owner(ElementInterface $owner)
    {
        /** @var Element $owner */
        $this->ownerId = $owner->id;
        $this->siteId = $owner->siteId;

        return $this;
    }

    /**
     * @inheritdoc
     */
    protected function beforePrepare(): bool
    {
        $this->joinElementTable(MetaRecord::tableAlias());

        // Figure out which content table to use
        $this->contentTable = null;

        if (!$this->fieldId && $this->id && is_numeric($this->id)) {
            $this->fieldId = (new Query())
class Id
{
    public $id;

    public function __construct($id)
    {
        $this->id = $id;
    }

}

class Account
{
    /** @var  Id $id */
    public $id;
}

$account_id = false;

if (starsAreRight()) {
    $account_id = new Id(42);
}

$account = new Account();
if ($account instanceof Id)
{
    $account->id = $account_id;
}
                ->select('fieldId')
                ->from(MetaRecord::tableName())
                ->where(['id' => $this->id])
                ->scalar();
        }

        if ($this->fieldId && is_numeric($this->fieldId)) {
            /** @var MetaField $field */
            $field = Craft::$app->getFields()->getFieldById($this->fieldId);

            if ($field) {
                $this->contentTable = MetaPlugin::getInstance()->getField()->getContentTableName($field);
            }
        }

        $this->query->select([
            MetaRecord::tableAlias() . '.fieldId',
            MetaRecord::tableAlias() . '.ownerId',
            MetaRecord::tableAlias() . '.sortOrder',
        ]);

        if ($this->fieldId) {
            $this->subQuery->andWhere(DbHelper::parseParam(MetaRecord::tableAlias() . '.fieldId', $this->fieldId));
        }

        if ($this->ownerId) {
            $this->subQuery->andWhere(DbHelper::parseParam(MetaRecord::tableAlias() . '.ownerId', $this->ownerId));
        }

        if ($this->ownerSiteId) {
            $this->subQuery->andWhere(DbHelper::parseParam(MetaRecord::tableAlias() . '.siteId', $this->ownerSiteId));
        }

        return parent::beforePrepare();
    }

    /**
     * @inheritdoc
     */
    protected function customFields(): array
    {
        return Craft::$app->getFields()->getAllFields(
            FieldHelper::getContextById($this->fieldId)
        );
    }
}


1			<?php
2
3			/**
4			* @copyright Copyright (c) Flipbox Digital Limited
5			* @license https://flipboxfactory.com/software/meta/license
6			* @link https://www.flipboxfactory.com/software/meta/
7			*/
8
9			namespace flipbox\meta\elements\db;
10
11			use Craft;
12			use craft\base\Element;
13			use craft\base\ElementInterface;
14			use craft\db\Query;
15			use craft\elements\db\ElementQuery;
16			use craft\helpers\Db as DbHelper;
17			use craft\models\Site;
18			use flipbox\meta\elements\Meta as MetaElement;
19			use flipbox\meta\fields\Meta as MetaField;
20			use flipbox\meta\helpers\Field as FieldHelper;
21			use flipbox\meta\Meta as MetaPlugin;
22			use flipbox\meta\records\Meta as MetaRecord;
23			use yii\base\Exception;
24
25			/**
26			* @author Flipbox Factory <[email protected]>
27			* @since 1.0.0
28			*
29			* @property string\|string[]\|Site $ownerSite The handle(s) of the site(s) that the owner element should be in
30			*
31			* @method MetaElement[]\|array all($db = null)
32			* @method MetaElement\|null one($db = null)
33			*/
34			class Meta extends ElementQuery
35			{
36
37			/**
38			* The field ID(s) that the resulting Meta must belong to.
39			*
40			* @var integer\|integer[]
41			*/
42			public $fieldId;
43
44			/**
45			* The owner element ID(s) that the resulting Meta must belong to.
46			*
47			* @var int\|int[]\|null
48			*/
49			public $ownerId;
50
51			/**
52			* The site ID that the resulting Meta must have been defined in, or ':empty:' to find
53			* elements without an owner site ID.
54			*
55			* @var int\|string\|null
56			*/
57			public $ownerSiteId;
58
59			/**
60			* @inheritdoc
61			*/
62			public function __construct($elementType, array $config = [])
63			{
64			// Default orderBy
65			if (!isset($config['orderBy'])) {
66			$config['orderBy'] = 'meta.sortOrder';
67			}
68
69			parent::__construct($elementType, $config);
70			}
71
72			/**
73			* @inheritdoc
74			*/
75			public function __set($name, $value)
76			{
77			switch ($name) {
78			case 'ownerSite':
79			$this->ownerSite($value);
80			break;
81			default:
82			parent::__set($name, $value);
83			}
84			}
85
86			/**
87			* Sets the [[fieldId]] property.
88			*
89			* @param int\|int[]\|null $value The property value
90			*
91			* @return static self reference
92			*/
93			public function fieldId($value)
94			{
95			$this->fieldId = $value;
96
97			return $this;
98			}
99
100			/**
101			* Sets the [[ownerId]] property.
102			*
103			* @param int\|int[]\|null $value The property value
104			*
105			* @return static self reference
106			*/
107			public function ownerId($value)
108			{
109			$this->ownerId = $value;
110
111			return $this;
112			}
113
114			/**
115			* Sets the [[ownerSiteId]] and [[siteId]] properties.
116			*
117			* @param int\|string\|null $value The property value
118			*
119			* @return static self reference
120			*/
121			public function ownerSiteId($value)
122			{
123			$this->ownerSiteId = $value;
124
125			if ($value && strtolower($value) !== ':empty:') {
126			// A meta will never exist in a site that is different than its ownerSiteId,
127			// so let's set the siteId param here too.
128			$this->siteId = (int)$value;
129			}
130
131			return $this;
132			}
133
134			/**
135			* Sets the [[ownerSiteId]] property based on a given site(s)’s handle(s).
136			*
137			* @param string\|string[]\|Site $value The property value
138			*
139			* @return static self reference
140			* @throws Exception if $value is an invalid site handle
141			*/
142			public function ownerSite($value)
143			{
144			if ($value instanceof Site) {
145			$this->ownerSiteId($value->id);
146			} else {
147			$site = Craft::$app->getSites()->getSiteByHandle($value);
148
149			if (!$site) {
150			throw new Exception('Invalid site handle: ' . $value);
151			}
152
153			$this->ownerSiteId($site->id);
154			}
155
156			return $this;
157			}
158
159			/**
160			* Sets the [[ownerId]] and [[ownerSiteId]] properties based on a given element.
161			*
162			* @param ElementInterface $owner The owner element
163			*
164			* @return static self reference
165			*/
166			public function owner(ElementInterface $owner)
167			{
168			/** @var Element $owner */
169			$this->ownerId = $owner->id;
170			$this->siteId = $owner->siteId;
171
172			return $this;
173			}
174
175			/**
176			* @inheritdoc
177			*/
178			protected function beforePrepare(): bool
179			{
180			$this->joinElementTable(MetaRecord::tableAlias());
181
182			// Figure out which content table to use
183			$this->contentTable = null;
184
185			if (!$this->fieldId && $this->id && is_numeric($this->id)) {
186			$this->fieldId = (new Query())
			0 ignored issues – show Documentation Bug introduced 2017-06-11 20:52 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `(new \craft\db\Query())-...> $this->id))->scalar()` can also be of type `string` or `false`. However, the property `$fieldId` is declared as type `integer\|array<integer,integer>`. Maybe add an additional type check? Our type inference engine has found a suspicous assignment of a value to a property. This check raises an issue when a value that can be of a mixed type is assigned to a property that is type hinted more strictly. For example, imagine you have a variable `$accountId` that can either hold an Id object or false (if there is no account id yet). Your code now assigns that value to the `id` property of an instance of the `Account` class. This class holds a proper account, so the id value must no longer be false. Either this assignment is in error or a type check should be added for that assignment. class Id { public $id; public function __construct($id) { $this->id = $id; } } class Account { /** @var Id $id */ public $id; } $account_id = false; if (starsAreRight()) { $account_id = new Id(42); } $account = new Account(); if ($account instanceof Id) { $account->id = $account_id; } Loading history...
187			->select('fieldId')
188			->from(MetaRecord::tableName())
189			->where(['id' => $this->id])
190			->scalar();
191			}
192
193			if ($this->fieldId && is_numeric($this->fieldId)) {
194			/** @var MetaField $field */
195			$field = Craft::$app->getFields()->getFieldById($this->fieldId);
196
197			if ($field) {
198			$this->contentTable = MetaPlugin::getInstance()->getField()->getContentTableName($field);
199			}
200			}
201
202			$this->query->select([
203			MetaRecord::tableAlias() . '.fieldId',
204			MetaRecord::tableAlias() . '.ownerId',
205			MetaRecord::tableAlias() . '.sortOrder',
206			]);
207
208			if ($this->fieldId) {
209			$this->subQuery->andWhere(DbHelper::parseParam(MetaRecord::tableAlias() . '.fieldId', $this->fieldId));
210			}
211
212			if ($this->ownerId) {
213			$this->subQuery->andWhere(DbHelper::parseParam(MetaRecord::tableAlias() . '.ownerId', $this->ownerId));
214			}
215
216			if ($this->ownerSiteId) {
217			$this->subQuery->andWhere(DbHelper::parseParam(MetaRecord::tableAlias() . '.siteId', $this->ownerSiteId));
218			}
219
220			return parent::beforePrepare();
221			}
222
223			/**
224			* @inheritdoc
225			*/
226			protected function customFields(): array
227			{
228			return Craft::$app->getFields()->getAllFields(
229			FieldHelper::getContextById($this->fieldId)
230			);
231			}
232			}
233

flipbox / meta

Issues (13)

Security Analysis not enabled

src/elements/db/Meta.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like