Issues in ElggData.php (master) - Issues in master - gctools-outilsgc/gcconnex - Measure and Improve Code Quality continuously with Scrutinizer

Issues (2473)

Security Analysis no vulnerabilities found

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

engine/classes/ElggData.php (3 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * A generic class that contains shared code among
 * \ElggExtender, \ElggEntity, and \ElggRelationship
 *
 * @package    Elgg.Core
 * @subpackage DataModel
 */
abstract class ElggData implements
	Loggable,    // Can events related to this object class be logged
	Iterator,    // Override foreach behaviour
	\ArrayAccess, // Override for array access
	Exportable   // (deprecated 1.9)

{

	/**
	 * The main attributes of an entity.
	 * Holds attributes to save to database
	 * Blank entries for all database fields should be created by the constructor.
	 * Subclasses should add to this in their constructors.
	 * Any field not appearing in this will be viewed as metadata
	 */
	protected $attributes = array();

	// @codingStandardsIgnoreStart
	/**
	 * Initialise the attributes array.
	 *
	 * This is vital to distinguish between metadata and base parameters.
	 *
	 * @param bool $pre18_api Compatibility for subclassing in 1.7 -> 1.8 change.
	 *                        Passing true (default) emits a deprecation notice.
	 *                        Passing false returns false.  Core constructors always pass false.
	 *                        Does nothing either way since attributes are initialized by the time
	 *                        this is called.
	 * @return void
	 * @deprecated 1.8 Use initializeAttributes()
	 */
	protected function initialise_attributes($pre18_api = true) {
		if ($pre18_api) {
			elgg_deprecated_notice('initialise_attributes() is deprecated by initializeAttributes()', 1.8);
		}
	}
	// @codingStandardsIgnoreEnd

	/**
	 * Initialize the attributes array.
	 *
	 * This is vital to distinguish between metadata and base parameters.
	 *
	 * @return void
	 */
	protected function initializeAttributes() {
		// Create attributes array if not already created
		if (!is_array($this->attributes)) {
			$this->attributes = array();
		}

		$this->attributes['time_created'] = null;
	}

	/**
	 * Provides a pointer to the database object.
	 *
	 * @return \Elgg\Database The database where this data is (will be) stored.
	 */
	protected function getDatabase() {
		return _elgg_services()->db;
	}

	/**
	 * Test if property is set either as an attribute or metadata.
	 *
	 * @tip Use isset($entity->property)
	 *
	 * @param string $name The name of the attribute or metadata.
	 *
	 * @return bool
	 */
	public function __isset($name) {
		return $this->$name !== null;
	}

	/**
	 * Fetch the specified attribute
	 *
	 * @param string $name The attribute to fetch
	 *
	 * @return mixed The attribute, if it exists.  Otherwise, null.
	 * @deprecated 1.9
	 */
	abstract protected function get($name);

	/**
	 * Set the specified attribute
	 *
	 * @param string $name  The attribute to set
	 * @param mixed  $value The value to set it to
	 *
	 * @return bool The success of your set function?
	 * @deprecated 1.9
	 */
	abstract protected function set($name, $value);

	/**
	 * Get a URL for this object
	 *
	 * @return string
	 */
	abstract public function getURL();

	/**
	 * Save this data to the appropriate database table.
	 *
	 * @return bool
	 */
	abstract public function save();
	
	/**
	 * Delete this data.
	 *
	 * @return bool
	 */
	abstract public function delete();

	/**
	 * Returns the UNIX epoch time that this entity was created
	 *
	 * @return int UNIX epoch time
	 */
	public function getTimeCreated() {
		return $this->time_created;
class MyClass { }

$x = new MyClass();
$x->foo = true;
	}

	/**
	 * Get a plain old object copy for public consumption
	 * 
	 * @return \stdClass
	 */
	abstract public function toObject();

	/*
	 *  SYSTEM LOG INTERFACE
	 */

	/**
	 * Return the class name of the object.
	 *
	 * @return string
	 * @deprecated 1.9 Use get_class()
	 */
	public function getClassName() {
		elgg_deprecated_notice("getClassName() is deprecated. Use get_class().", 1.9);
		return get_class($this);
	}

	/**
	 * Return the GUID of the owner of this object.
	 *
	 * @return int
	 * @deprecated 1.8 Use getOwnerGUID() instead
	 */
	public function getObjectOwnerGUID() {
		elgg_deprecated_notice("getObjectOwnerGUID() was deprecated.  Use getOwnerGUID().", 1.8);
		return $this->owner_guid;
class MyClass { }

$x = new MyClass();
$x->foo = true;
	}

	/*
	 * ITERATOR INTERFACE
	 */

	protected $valid = false;

	/**
	 * Iterator interface
	 *
	 * @see Iterator::rewind()
	 *
	 * @return void
	 */
	public function rewind() {
		$this->valid = (false !== reset($this->attributes));
	}

	/**
	 * Iterator interface
	 *
	 * @see Iterator::current()
	 *
	 * @return mixed
	 */
	public function current() {
		return current($this->attributes);
	}

	/**
	 * Iterator interface
	 *
	 * @see Iterator::key()
	 *
	 * @return string
	 */
	public function key() {
		return key($this->attributes);
	}

	/**
	 * Iterator interface
	 *
	 * @see Iterator::next()
	 *
	 * @return void
	 */
	public function next() {
		$this->valid = (false !== next($this->attributes));
	}

	/**
	 * Iterator interface
	 *
	 * @see Iterator::valid()
	 *
	 * @return bool
	 */
	public function valid() {
		return $this->valid;
	}

	/*
	 * ARRAY ACCESS INTERFACE
	 */

	/**
	 * Array access interface
	 *
	 * @see \ArrayAccess::offsetSet()
	 *
	 * @param mixed $key   Name
	 * @param mixed $value Value
	 *
	 * @return void
	 */
	public function offsetSet($key, $value) {
		if (array_key_exists($key, $this->attributes)) {
			$this->attributes[$key] = $value;
		}
	}

	/**
	 * Array access interface
	 *
	 * @see \ArrayAccess::offsetGet()
	 *
	 * @param mixed $key Name
	 *
	 * @return mixed
	 */
	public function offsetGet($key) {
		if (array_key_exists($key, $this->attributes)) {
			return $this->attributes[$key];
		}
		return null;
	}

	/**
	 * Array access interface
	 *
	 * @see \ArrayAccess::offsetUnset()
	 *
	 * @param mixed $key Name
	 *
	 * @return void
	 */
	public function offsetUnset($key) {
		if (array_key_exists($key, $this->attributes)) {
			// Full unsetting is dangerous for our objects
			$this->attributes[$key] = "";
		}
	}

	/**
	 * Array access interface
	 *
	 * @see \ArrayAccess::offsetExists()
	 *
	 * @param int $offset Offset
	 *
	 * @return int
	 */
	public function offsetExists($offset) {
		return array_key_exists($offset, $this->attributes);
	}
}


1		<?php
2		/**
3		* A generic class that contains shared code among
4		* \ElggExtender, \ElggEntity, and \ElggRelationship
5		*
6		* @package Elgg.Core
7		* @subpackage DataModel
8		*/
9		abstract class ElggData implements
10		Loggable, // Can events related to this object class be logged
11		Iterator, // Override foreach behaviour
12		\ArrayAccess, // Override for array access
13		Exportable // (deprecated 1.9)
		0 ignored issues – show Deprecated Code introduced 2017-09-27 16:16 UTC by Report Bug Copy Issue Report Show Similar Issues like this The interface `Exportable` has been deprecated with message: 1.9 This class, trait or interface has been deprecated. The supplier of the file has supplied an explanatory message. The explanatory message should give you some clue as to whether and when the type will be removed from the class and what other constant to use instead. Loading history...
14		{
15
16		/**
17		* The main attributes of an entity.
18		* Holds attributes to save to database
19		* Blank entries for all database fields should be created by the constructor.
20		* Subclasses should add to this in their constructors.
21		* Any field not appearing in this will be viewed as metadata
22		*/
23		protected $attributes = array();
24
25		// @codingStandardsIgnoreStart
26		/**
27		* Initialise the attributes array.
28		*
29		* This is vital to distinguish between metadata and base parameters.
30		*
31		* @param bool $pre18_api Compatibility for subclassing in 1.7 -> 1.8 change.
32		* Passing true (default) emits a deprecation notice.
33		* Passing false returns false. Core constructors always pass false.
34		* Does nothing either way since attributes are initialized by the time
35		* this is called.
36		* @return void
37		* @deprecated 1.8 Use initializeAttributes()
38		*/
39	19	protected function initialise_attributes($pre18_api = true) {
40	19	if ($pre18_api) {
41		elgg_deprecated_notice('initialise_attributes() is deprecated by initializeAttributes()', 1.8);
42		}
43	19	}
44		// @codingStandardsIgnoreEnd
45
46		/**
47		* Initialize the attributes array.
48		*
49		* This is vital to distinguish between metadata and base parameters.
50		*
51		* @return void
52		*/
53	32	protected function initializeAttributes() {
54		// Create attributes array if not already created
55	32	if (!is_array($this->attributes)) {
56		$this->attributes = array();
57		}
58
59	32	$this->attributes['time_created'] = null;
60	32	}
61
62		/**
63		* Provides a pointer to the database object.
64		*
65		* @return \Elgg\Database The database where this data is (will be) stored.
66		*/
67	1	protected function getDatabase() {
68	1	return _elgg_services()->db;
69		}
70
71		/**
72		* Test if property is set either as an attribute or metadata.
73		*
74		* @tip Use isset($entity->property)
75		*
76		* @param string $name The name of the attribute or metadata.
77		*
78		* @return bool
79		*/
80		public function __isset($name) {
81		return $this->$name !== null;
82		}
83
84		/**
85		* Fetch the specified attribute
86		*
87		* @param string $name The attribute to fetch
88		*
89		* @return mixed The attribute, if it exists. Otherwise, null.
90		* @deprecated 1.9
91		*/
92		abstract protected function get($name);
93
94		/**
95		* Set the specified attribute
96		*
97		* @param string $name The attribute to set
98		* @param mixed $value The value to set it to
99		*
100		* @return bool The success of your set function?
101		* @deprecated 1.9
102		*/
103		abstract protected function set($name, $value);
104
105		/**
106		* Get a URL for this object
107		*
108		* @return string
109		*/
110		abstract public function getURL();
111
112		/**
113		* Save this data to the appropriate database table.
114		*
115		* @return bool
116		*/
117		abstract public function save();
118
119		/**
120		* Delete this data.
121		*
122		* @return bool
123		*/
124		abstract public function delete();
125
126		/**
127		* Returns the UNIX epoch time that this entity was created
128		*
129		* @return int UNIX epoch time
130		*/
131	2	public function getTimeCreated() {
132	2	return $this->time_created;
		0 ignored issues – show Bug introduced 2017-09-27 16:16 UTC by Report Bug Copy Issue Report Show Similar Issues like this The property `time_created` does not exist. Did you maybe forget to declare it? In PHP it is possible to write to properties without declaring them. For example, the following is perfectly valid PHP code: class MyClass { } $x = new MyClass(); $x->foo = true; Generally, it is a good practice to explictly declare properties to avoid accidental typos and provide IDE auto-completion: class MyClass { public $foo; } $x = new MyClass(); $x->foo = true; Loading history...
133		}
134
135		/**
136		* Get a plain old object copy for public consumption
137		*
138		* @return \stdClass
139		*/
140		abstract public function toObject();
141
142		/*
143		* SYSTEM LOG INTERFACE
144		*/
145
146		/**
147		* Return the class name of the object.
148		*
149		* @return string
150		* @deprecated 1.9 Use get_class()
151		*/
152		public function getClassName() {
153		elgg_deprecated_notice("getClassName() is deprecated. Use get_class().", 1.9);
154		return get_class($this);
155		}
156
157		/**
158		* Return the GUID of the owner of this object.
159		*
160		* @return int
161		* @deprecated 1.8 Use getOwnerGUID() instead
162		*/
163		public function getObjectOwnerGUID() {
164		elgg_deprecated_notice("getObjectOwnerGUID() was deprecated. Use getOwnerGUID().", 1.8);
165		return $this->owner_guid;
		0 ignored issues – show Bug introduced 2017-09-27 16:16 UTC by Report Bug Copy Issue Report Show Similar Issues like this The property `owner_guid` does not exist. Did you maybe forget to declare it? In PHP it is possible to write to properties without declaring them. For example, the following is perfectly valid PHP code: class MyClass { } $x = new MyClass(); $x->foo = true; Generally, it is a good practice to explictly declare properties to avoid accidental typos and provide IDE auto-completion: class MyClass { public $foo; } $x = new MyClass(); $x->foo = true; Loading history...
166		}
167
168		/*
169		* ITERATOR INTERFACE
170		*/
171
172		protected $valid = false;
173
174		/**
175		* Iterator interface
176		*
177		* @see Iterator::rewind()
178		*
179		* @return void
180		*/
181		public function rewind() {
182		$this->valid = (false !== reset($this->attributes));
183		}
184
185		/**
186		* Iterator interface
187		*
188		* @see Iterator::current()
189		*
190		* @return mixed
191		*/
192		public function current() {
193		return current($this->attributes);
194		}
195
196		/**
197		* Iterator interface
198		*
199		* @see Iterator::key()
200		*
201		* @return string
202		*/
203		public function key() {
204		return key($this->attributes);
205		}
206
207		/**
208		* Iterator interface
209		*
210		* @see Iterator::next()
211		*
212		* @return void
213		*/
214		public function next() {
215		$this->valid = (false !== next($this->attributes));
216		}
217
218		/**
219		* Iterator interface
220		*
221		* @see Iterator::valid()
222		*
223		* @return bool
224		*/
225		public function valid() {
226		return $this->valid;
227		}
228
229		/*
230		* ARRAY ACCESS INTERFACE
231		*/
232
233		/**
234		* Array access interface
235		*
236		* @see \ArrayAccess::offsetSet()
237		*
238		* @param mixed $key Name
239		* @param mixed $value Value
240		*
241		* @return void
242		*/
243		public function offsetSet($key, $value) {
244		if (array_key_exists($key, $this->attributes)) {
245		$this->attributes[$key] = $value;
246		}
247		}
248
249		/**
250		* Array access interface
251		*
252		* @see \ArrayAccess::offsetGet()
253		*
254		* @param mixed $key Name
255		*
256		* @return mixed
257		*/
258		public function offsetGet($key) {
259		if (array_key_exists($key, $this->attributes)) {
260		return $this->attributes[$key];
261		}
262		return null;
263		}
264
265		/**
266		* Array access interface
267		*
268		* @see \ArrayAccess::offsetUnset()
269		*
270		* @param mixed $key Name
271		*
272		* @return void
273		*/
274		public function offsetUnset($key) {
275		if (array_key_exists($key, $this->attributes)) {
276		// Full unsetting is dangerous for our objects
277		$this->attributes[$key] = "";
278		}
279		}
280
281		/**
282		* Array access interface
283		*
284		* @see \ArrayAccess::offsetExists()
285		*
286		* @param int $offset Offset
287		*
288		* @return int
289		*/
290		public function offsetExists($offset) {
291		return array_key_exists($offset, $this->attributes);
292		}
293		}
294

gctools-outilsgc / gcconnex

Issues (2473)

Security Analysis no vulnerabilities found

engine/classes/ElggData.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like