Issues in Path.php (master) - Issues in master - fwk/Xml - Measure and Improve Code Quality continuously with Scrutinizer

Issues (16)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Path.php (10 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * Fwk
 *
 * Copyright (c) 2011-2012, Julien Ballestracci <[email protected]>.
 * All rights reserved.
 *
 * For the full copyright and license information, please view the LICENSE
 * file that was distributed with this source code.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
 * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
 * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
 * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
 * POSSIBILITY OF SUCH DAMAGE.
 *
 * PHP Version 5.3
 *
 * @category  XML
 * @package   Fwk\Xml
 * @author    Julien Ballestracci <[email protected]>
 * @copyright 2011-2014 Julien Ballestracci <[email protected]>
 * @license   http://www.opensource.org/licenses/bsd-license.php  BSD License
 * @link      http://www.nitronet.org/fwk
 */
namespace Fwk\Xml;

/**
 * Path 
 * 
 * Represents a Path (xpath) and describes how values/attributes should be used.
 * 
 * @category Library
 * @package  Fwk\Xml
 * @author   Julien Ballestracci <[email protected]>
 * @license  http://www.opensource.org/licenses/bsd-license.php  BSD License
 * @link     http://www.nitronet.org/fwk
 */
class Path
{
    /**
     * Xpath to element
     * @var string 
     */
    protected $xpath;
   
    /**
     * Default value
     * @var mixed
     */
    protected $default;
    
    /**
     * Filter function
     * @var \Closure 
     */
    protected $filter;
    
    /**
     * Key name for this Path
     * @var type 
     */
    protected $key;
    
    /**
     * Should we loop on this path ? 
     * @var type 
     */
    protected $loop = false;
    
    /**
     * Xpath to a value used as a key identifier when looping
     * @var string 
     */
    protected $loopId;
    
    /**
     * List of sub-elements (Paths)
     * @var array 
     */
    protected $childrens = array();
    
    /**
     * List of attributes to fetch
     * @var array
     */
    protected $attributes = array();
    
    /**
     * Key used for main element's value
     * @var string 
     */
    protected $valueKey;
    
    /**
     * Constructor
     * 
     * @param string   $xpath   XPath to element
     * @param string   $key     Key name
     * @param mixed    $default Default value if element not defined
     * @param callable $filter  Filtering function

     * 
     * @return void

     */
    public function __construct($xpath, $key, $default = null, 
        $filter = null
    ) {
        $this->xpath    = $xpath;
        $this->default  = $default;
        $this->filter   = $filter;
class Id
{
    public $id;

    public function __construct($id)
    {
        $this->id = $id;
    }

}

class Account
{
    /** @var  Id $id */
    public $id;
}

$account_id = false;

if (starsAreRight()) {
    $account_id = new Id(42);
}

$account = new Account();
if ($account instanceof Id)
{
    $account->id = $account_id;
}
        $this->key      = $key;

    }
    
    /**
     * Defines looping on this path
     * 
     * @param boolean $bool   Should we loop on this element ?
     * @param string  $loopId Xpath to key identifier

     * 
     * @return Path 
     */
    public function loop($bool, $loopId = null) 
    {
        $this->loop     = $bool;

        $this->loopId   = $loopId;
        
        return $this;
    }

    /**
     * Defines a filtering function applied on the value
     * 
     * @param \Closure $filter Value filtering function
     * 
     * @return Path 
     */
    public function filter($filter)
    {
        $this->filter   = $filter;
        
        return $this;
    }
    
    /**
     * Tells the Map to fetch the element's value, in $keyName
     * 
     * @param string $keyName Key name where the value will be stored
     * 
     * @return Path 
     */
    public function value($keyName)
    {
        $this->valueKey = $keyName;
        
        return $this;
    }
    
    /**
     * Defines a default value in case element is empty
     * 
     * @param mixed $default Default value
     * 
     * @return Path 
     */
    public function setDefault($default)
    {
        $this->default  = $default;
        
        return $this;
    }
    
    /**
     * Returns the Xpath to the element
     * 
     * @return string
     */
    public function getXpath()
    {
        return $this->xpath;
    }
    
    /**
     * Returns the defined default value (if any)
     * 
     * @return mixed
     */
    public function getDefault()
    {
        return $this->default;
    }

    /**
     * Returns the filter function (if any)
     * 
     * @return \Closure 
     */
    public function getFilter()
    {
        return $this->filter;
    }

    /**
     * Return the key of this Path
     * 
     * @return string 

     */
    public function getKey()
    {
        return $this->key;
    }
    
    /**
     * Tells if we should loop on this xpath
     * 
     * @return boolean 

     */
    public function isLoop()
    {
        return $this->loop;
    }
    
    /**
     * Tells if we should store the element's main value
     * 
     * @return boolean 
     */
    public function hasValueKey()
    {
        return (isset($this->valueKey) && !empty($this->valueKey));
    }
    
    /**
     * Tells if a filter function has been defined
     * 
     * @return boolean
     */
    public function hasFilter()
    {
        return is_callable($this->filter);
    }
    
    /**
     * Factory method (helps chaining)
     * 
     * @param string   $xpath   XPath to element
     * @param string   $key     Key name
     * @param mixed    $default Default value if element not defined
     * @param callable $filter  Filtering function

     * 
     * @return Path
     */
    public static function factory($xpath, $key, $default = null, 
        $filter = null
    ) {
        return new self($xpath, $key, $default, $filter);
    }
    
    /**
     * Adds a child Path
     * 
     * @param Path $path Child Path
     * 
     * @return Path 
     */
    public function addChildren(Path $path)
    {
        $this->childrens[]  = $path;
        
        return $this;
    }
    
    /**
     * Returns all child Paths 
     * 
     * @return array
     */
    public function getChildrens()
    {
        return $this->childrens;
    }
    
    /**
     * Tells the Map to fetch an attribute of this path.
     * If no $key is defined the $attrName is used.
     * 
     * @param string $attrName Attribute name
     * @param string $key      Attribute key name

     * 
     * @return Path 
     */
    public function attribute($attrName, $key = null)
    {
        if (null === $key) {
            $key = $attrName;
        }
        
        $this->attributes[$key] = $attrName;
        
        return $this;
    }
    
    /**
     * Returns all attributes
     * 
     * @return array 
     */
    public function getAttributes()
    {
        return $this->attributes;
    }
    
    /**
     * Returns the loop key identifiers
     * 
     * @return string
     */
    public function getLoopId()
    {
        return $this->loopId;
    }
    
    /**
     * Returns the key identifier where the root value is stored
     * 
     * @return string 
     */
    public function getValueKey()
    {
        return $this->valueKey;
    }
}

1		<?php
2		/**
3		* Fwk
4		*
5		* Copyright (c) 2011-2012, Julien Ballestracci <[email protected]>.
6		* All rights reserved.
7		*
8		* For the full copyright and license information, please view the LICENSE
9		* file that was distributed with this source code.
10		*
11		* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
12		* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
13		* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
14		* FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
15		* COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
16		* INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
17		* BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
18		* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
19		* CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
20		* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
21		* ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
22		* POSSIBILITY OF SUCH DAMAGE.
23		*
24		* PHP Version 5.3
25		*
26		* @category XML
27		* @package Fwk\Xml
28		* @author Julien Ballestracci <[email protected]>
29		* @copyright 2011-2014 Julien Ballestracci <[email protected]>
30		* @license http://www.opensource.org/licenses/bsd-license.php BSD License
31		* @link http://www.nitronet.org/fwk
32		*/
33		namespace Fwk\Xml;
34
35		/**
36		* Path
37		*
38		* Represents a Path (xpath) and describes how values/attributes should be used.
39		*
40		* @category Library
41		* @package Fwk\Xml
42		* @author Julien Ballestracci <[email protected]>
43		* @license http://www.opensource.org/licenses/bsd-license.php BSD License
44		* @link http://www.nitronet.org/fwk
45		*/
46		class Path
47		{
48		/**
49		* Xpath to element
50		* @var string
51		*/
52		protected $xpath;
53
54		/**
55		* Default value
56		* @var mixed
57		*/
58		protected $default;
59
60		/**
61		* Filter function
62		* @var \Closure
63		*/
64		protected $filter;
65
66		/**
67		* Key name for this Path
68		* @var type
69		*/
70		protected $key;
71
72		/**
73		* Should we loop on this path ?
74		* @var type
75		*/
76		protected $loop = false;
77
78		/**
79		* Xpath to a value used as a key identifier when looping
80		* @var string
81		*/
82		protected $loopId;
83
84		/**
85		* List of sub-elements (Paths)
86		* @var array
87		*/
88		protected $childrens = array();
89
90		/**
91		* List of attributes to fetch
92		* @var array
93		*/
94		protected $attributes = array();
95
96		/**
97		* Key used for main element's value
98		* @var string
99		*/
100		protected $valueKey;
101
102		/**
103		* Constructor
104		*
105		* @param string $xpath XPath to element
106		* @param string $key Key name
107		* @param mixed $default Default value if element not defined
108		* @param callable $filter Filtering function
		0 ignored issues – show Documentation introduced 2016-06-28 20:44 UTC by Report Bug Copy Issue Report Show Similar Issues like this Should the type for parameter `$filter` not be `callable\|null`? Also, consider making the array more specific, something like `array<String>`, or `String[]`. This check looks for `@param` annotations where the type inferred by our type inference engine differs from the declared type. It makes a suggestion as to what type it considers more descriptive. In addition it looks for parameters that have the generic type `array` and suggests a stricter type like `array<String>`. Most often this is a case of a parameter that can be null in addition to its declared types. Loading history...
109		*
110		* @return void
		0 ignored issues – show Comprehensibility Best Practice introduced 2016-06-28 20:44 UTC by Report Bug Copy Issue Report Show Similar Issues like this Adding a `@return` annotation to constructors is generally not recommended as a constructor does not have a meaningful return value. Adding a `@return` annotation to a constructor is not recommended, since a constructor does not have a meaningful return value. Please refer to the PHP core documentation on constructors. Loading history...
111		*/
112	13	public function __construct($xpath, $key, $default = null,
113		$filter = null
114		) {
115	13	$this->xpath = $xpath;
116	13	$this->default = $default;
117	13	$this->filter = $filter;
		0 ignored issues – show Documentation Bug introduced 2016-06-28 20:44 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `$filter` can also be of type `callable`. However, the property `$filter` is declared as type `object<Closure>`. Maybe add an additional type check? Our type inference engine has found a suspicous assignment of a value to a property. This check raises an issue when a value that can be of a mixed type is assigned to a property that is type hinted more strictly. For example, imagine you have a variable `$accountId` that can either hold an Id object or false (if there is no account id yet). Your code now assigns that value to the `id` property of an instance of the `Account` class. This class holds a proper account, so the id value must no longer be false. Either this assignment is in error or a type check should be added for that assignment. class Id { public $id; public function __construct($id) { $this->id = $id; } } class Account { /** @var Id $id */ public $id; } $account_id = false; if (starsAreRight()) { $account_id = new Id(42); } $account = new Account(); if ($account instanceof Id) { $account->id = $account_id; } Loading history...
118	13	$this->key = $key;
		0 ignored issues – show Documentation Bug introduced 2016-06-28 20:44 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `$key` of type `string` is incompatible with the declared type `object<Fwk\Xml\type>` of property `$key`. Our type inference engine has found an assignment to a property that is incompatible with the declared type of that property. Either this assignment is in error or the assigned type should be added to the documentation/type hint for that property.. Loading history...
119	13	}
120
121		/**
122		* Defines looping on this path
123		*
124		* @param boolean $bool Should we loop on this element ?
125		* @param string $loopId Xpath to key identifier
		0 ignored issues – show Documentation introduced 2016-06-28 20:44 UTC by Report Bug Copy Issue Report Show Similar Issues like this Should the type for parameter `$loopId` not be `string\|null`? This check looks for `@param` annotations where the type inferred by our type inference engine differs from the declared type. It makes a suggestion as to what type it considers more descriptive. Most often this is a case of a parameter that can be null in addition to its declared types. Loading history...
126		*
127		* @return Path
128		*/
129	8	public function loop($bool, $loopId = null)
130		{
131	8	$this->loop = $bool;
		0 ignored issues – show Documentation Bug introduced 2016-06-28 20:44 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `$bool` of type `boolean` is incompatible with the declared type `object<Fwk\Xml\type>` of property `$loop`. Our type inference engine has found an assignment to a property that is incompatible with the declared type of that property. Either this assignment is in error or the assigned type should be added to the documentation/type hint for that property.. Loading history...
132	8	$this->loopId = $loopId;
133
134	8	return $this;
135		}
136
137		/**
138		* Defines a filtering function applied on the value
139		*
140		* @param \Closure $filter Value filtering function
141		*
142		* @return Path
143		*/
144	1	public function filter($filter)
145		{
146	1	$this->filter = $filter;
147
148	1	return $this;
149		}
150
151		/**
152		* Tells the Map to fetch the element's value, in $keyName
153		*
154		* @param string $keyName Key name where the value will be stored
155		*
156		* @return Path
157		*/
158	4	public function value($keyName)
159		{
160	4	$this->valueKey = $keyName;
161
162	4	return $this;
163		}
164
165		/**
166		* Defines a default value in case element is empty
167		*
168		* @param mixed $default Default value
169		*
170		* @return Path
171		*/
172	2	public function setDefault($default)
173		{
174	2	$this->default = $default;
175
176	2	return $this;
177		}
178
179		/**
180		* Returns the Xpath to the element
181		*
182		* @return string
183		*/
184	12	public function getXpath()
185		{
186	12	return $this->xpath;
187		}
188
189		/**
190		* Returns the defined default value (if any)
191		*
192		* @return mixed
193		*/
194	12	public function getDefault()
195		{
196	12	return $this->default;
197		}
198
199		/**
200		* Returns the filter function (if any)
201		*
202		* @return \Closure
203		*/
204	1	public function getFilter()
205		{
206	1	return $this->filter;
207		}
208
209		/**
210		* Return the key of this Path
211		*
212		* @return string
		0 ignored issues – show Documentation introduced 2016-06-28 20:44 UTC by Report Bug Copy Issue Report Show Similar Issues like this Should the return type not be `type`? This check compares the return type specified in the `@return` annotation of a function or method doc comment with the types returned by the function and raises an issue if they mismatch. Loading history...
213		*/
214	12	public function getKey()
215		{
216	12	return $this->key;
217		}
218
219		/**
220		* Tells if we should loop on this xpath
221		*
222		* @return boolean
		0 ignored issues – show Documentation introduced 2016-06-28 20:44 UTC by Report Bug Copy Issue Report Show Similar Issues like this Should the return type not be `type`? This check compares the return type specified in the `@return` annotation of a function or method doc comment with the types returned by the function and raises an issue if they mismatch. Loading history...
223		*/
224	11	public function isLoop()
225		{
226	11	return $this->loop;
227		}
228
229		/**
230		* Tells if we should store the element's main value
231		*
232		* @return boolean
233		*/
234	5	public function hasValueKey()
235		{
236	5	return (isset($this->valueKey) && !empty($this->valueKey));
237		}
238
239		/**
240		* Tells if a filter function has been defined
241		*
242		* @return boolean
243		*/
244	9	public function hasFilter()
245		{
246	9	return is_callable($this->filter);
247		}
248
249		/**
250		* Factory method (helps chaining)
251		*
252		* @param string $xpath XPath to element
253		* @param string $key Key name
254		* @param mixed $default Default value if element not defined
255		* @param callable $filter Filtering function
		0 ignored issues – show Documentation introduced 2016-06-28 20:44 UTC by Report Bug Copy Issue Report Show Similar Issues like this Should the type for parameter `$filter` not be `callable\|null`? Also, consider making the array more specific, something like `array<String>`, or `String[]`. This check looks for `@param` annotations where the type inferred by our type inference engine differs from the declared type. It makes a suggestion as to what type it considers more descriptive. In addition it looks for parameters that have the generic type `array` and suggests a stricter type like `array<String>`. Most often this is a case of a parameter that can be null in addition to its declared types. Loading history...
256		*
257		* @return Path
258		*/
259	13	public static function factory($xpath, $key, $default = null,
260		$filter = null
261		) {
262	13	return new self($xpath, $key, $default, $filter);
263		}
264
265		/**
266		* Adds a child Path
267		*
268		* @param Path $path Child Path
269		*
270		* @return Path
271		*/
272	5	public function addChildren(Path $path)
273		{
274	5	$this->childrens[] = $path;
275
276	5	return $this;
277		}
278
279		/**
280		* Returns all child Paths
281		*
282		* @return array
283		*/
284	11	public function getChildrens()
285		{
286	11	return $this->childrens;
287		}
288
289		/**
290		* Tells the Map to fetch an attribute of this path.
291		* If no $key is defined the $attrName is used.
292		*
293		* @param string $attrName Attribute name
294		* @param string $key Attribute key name
		0 ignored issues – show Documentation introduced 2016-06-28 20:44 UTC by Report Bug Copy Issue Report Show Similar Issues like this Should the type for parameter `$key` not be `string\|null`? This check looks for `@param` annotations where the type inferred by our type inference engine differs from the declared type. It makes a suggestion as to what type it considers more descriptive. Most often this is a case of a parameter that can be null in addition to its declared types. Loading history...
295		*
296		* @return Path
297		*/
298	4	public function attribute($attrName, $key = null)
299		{
300	4	if (null === $key) {
301	4	$key = $attrName;
302		}
303
304	4	$this->attributes[$key] = $attrName;
305
306	4	return $this;
307		}
308
309		/**
310		* Returns all attributes
311		*
312		* @return array
313		*/
314	11	public function getAttributes()
315		{
316	11	return $this->attributes;
317		}
318
319		/**
320		* Returns the loop key identifiers
321		*
322		* @return string
323		*/
324	7	public function getLoopId()
325		{
326	7	return $this->loopId;
327		}
328
329		/**
330		* Returns the key identifier where the root value is stored
331		*
332		* @return string
333		*/
334	4	public function getValueKey()
335		{
336	4	return $this->valueKey;
337		}
338		}

fwk / Xml

Issues (16)

Security Analysis no request data

src/Path.php (10 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like