Issues (2473)

Branch: master

Security Analysis: no vulnerabilities found

This project does not seem to handle request data directly, so no vulnerable execution paths were found. This is a taint-analysis result: the checker follows data from request sources (superglobals and similar) to dangerous sinks, so a class like the one below, which only receives values already read by its callers, yields no finding either way; it says nothing about how those callers obtain the values they pass in.

  Cross-Site Scripting
Cross-Site Scripting enables an attacker to inject script into the response of a web request that is then viewed, and executed, by other users' browsers. It can for example be used to bypass access controls, or even to take over other users' accounts.
  File Exposure
File Exposure allows an attacker to gain access to local files that they should not be able to access. These files can for example include database credentials, or other configuration files.
  File Manipulation
File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.
  Object Injection
Object Injection enables an attacker to inject an object into PHP code, typically through unserialize() of attacker-controlled data, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.
  Code Injection
Code Injection enables an attacker to execute arbitrary code on the server.
  Response Splitting
Response Splitting enables an attacker to inject line breaks into a response header, ending the intended response and sending an arbitrary one of their own in its place.
  File Inclusion
File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.
  Command Injection
Command Injection enables an attacker to inject a shell command that is executed with the privileges of the web server. This can be used to expose sensitive data, or to gain access to your server.
  SQL Injection
SQL Injection enables an attacker to execute arbitrary SQL code on your database server, gaining access to user data or manipulating it.
  XPath Injection
XPath Injection enables an attacker to modify which parts of an XML document are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.
  LDAP Injection
LDAP Injection enables an attacker to inject LDAP statements, potentially granting permission to run unauthorized queries, or to modify content inside the LDAP tree.
  Header Injection
Header Injection enables an attacker to place attacker-controlled data into HTTP response headers such as Location or Set-Cookie; it is the usual starting point for Response Splitting.
  Other Vulnerability
This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.
  Regex Injection
Regex Injection enables an attacker to control a regular expression that your PHP process evaluates. This can exhaust the process through catastrophic backtracking, and with the preg_replace() /e modifier (removed in PHP 7) it allowed arbitrary code execution.
  XML Injection
XML Injection enables an attacker to read files on your local filesystem, including configuration files, through external entities, or can be abused to freeze your web-server process through entity expansion.
  Variable Injection
Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

engine/classes/ElggExtender.php (5 issues)

These results are based on the legacy PHP analysis engine; a newer PHP analysis engine is available for this project.

<?php
/**
 * The base class for \ElggEntity extenders.
 *
 * Extenders allow you to attach extended information to an
 * \ElggEntity.  Core supports two: \ElggAnnotation and \ElggMetadata.
 *
 * Saving the extender data to database is handled by the child class.
 *
 * @package    Elgg.Core
 * @subpackage DataModel.Extender
 * @see        \ElggAnnotation
 * @see        \ElggMetadata
 *
 * @property string $type         annotation or metadata (read-only after save)
 * @property int    $id           The unique identifier (read-only)
 * @property int    $entity_guid  The GUID of the entity that this extender describes
 * @property int    $owner_guid   The GUID of the owner of this extender
 * @property int    $access_id    Specifies the visibility level of this extender
 * @property string $name         The name of this extender
 * @property mixed  $value        The value of the extender (int or string)
 * @property int    $time_created A UNIX timestamp of when the extender was created (read-only, set on first save)
 * @property string $value_type   'integer' or 'text'
 * @property string $enabled      Is this extender enabled ('yes' or 'no')
 */
abstract class ElggExtender extends \ElggData {

	/**
	 * (non-PHPdoc)
	 *
	 * @see \ElggData::initializeAttributes()
	 *
	 * @return void
	 */
	protected function initializeAttributes() {
		parent::initializeAttributes();

		$this->attributes['type'] = null;
		$this->attributes['id'] = null;
		$this->attributes['entity_guid'] = null;
		$this->attributes['owner_guid'] = null;
		// New extenders are private until the caller decides otherwise.
		$this->attributes['access_id'] = ACCESS_PRIVATE;
		$this->attributes['enabled'] = 'yes';
	}

	/**
	 * Set an attribute
	 *
	 * Any attribute name is accepted, including the ones documented above as
	 * read-only (id, type) and the access-related ones (owner_guid, access_id,
	 * enabled); nothing here restricts which names a caller may set.
	 *
	 * @param string $name  Name
	 * @param mixed  $value Value
	 * @return void
	 */
	public function __set($name, $value) {
		$this->attributes[$name] = $value;
		if ($name == 'value') {
			$this->attributes['value_type'] = detect_extender_valuetype($value);
		}
	}

	/**
	 * Set the value of the extender
	 *
	 * @param mixed  $value      The value being set
	 * @param string $value_type The type of the value: 'integer' or 'text'
	 * @return void
	 * @since 1.9
	 */
	public function setValue($value, $value_type = '') {
		$this->attributes['value'] = $value;
		$this->attributes['value_type'] = detect_extender_valuetype($value, $value_type);
	}

	/**
	 * Set an attribute
	 *
	 * @param string $name       Name
	 * @param mixed  $value      Value
	 * @param string $value_type Value type
	 *
	 * @return boolean
	 * @deprecated 1.9
	 */
	protected function set($name, $value, $value_type = '') {
		elgg_deprecated_notice("Use -> instead of set()", 1.9);
		if ($name == 'value') {
			$this->setValue($value, $value_type);
		} else {
			$this->__set($name, $value);
		}

		return true;
	}

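ElggExtender::__set() above writes whatever attribute name it is handed, so id, owner_guid, access_id and enabled are exactly as settable as name and value. The class is not the problem; a caller is, if it loops over request parameters and assigns them one by one. What follows is an added example, not code from Elgg or from the file above, showing the check such a caller should make before touching the object. The helper names and the constructed request arrays are assumptions; setValue() and detect_extender_valuetype() are Elgg's, as shown above.

```php
<?php
// Added example, not Elgg code. Demonstrates whitelisting request input before
// it reaches ElggExtender::__set(), which accepts any attribute name.

/**
 * Return the subset of $input a request is allowed to set on an extender.
 * Unknown keys are rejected rather than silently dropped, so an attempt to
 * set id, owner_guid, access_id or enabled from a request is noticed.
 * Hypothetical helper; the two allowed keys are an assumption for this example.
 */
function extender_fields_from_request(array $input): array {
    $allowed = ['name' => true, 'value' => true];
    $unexpected = array_diff_key($input, $allowed);
    if ($unexpected) {
        throw new \InvalidArgumentException(
            'Request may not set extender attribute(s): ' . implode(', ', array_keys($unexpected))
        );
    }
    if (!isset($input['name']) || !is_string($input['name']) || $input['name'] === '') {
        throw new \InvalidArgumentException('Extender name is required');
    }
    return ['name' => $input['name'], 'value' => $input['value'] ?? null];
}

/**
 * Apply already-filtered fields to an extender. Only the two whitelisted
 * attributes are written; setValue() lets Elgg's detect_extender_valuetype()
 * choose 'integer' or 'text'. Requires a bootstrapped Elgg to run.
 */
function apply_extender_fields(\ElggExtender $ext, array $fields): void {
    $ext->name = $fields['name'];
    $ext->setValue($fields['value']);
}

// Constructed inputs: a well-formed request, and a mass-assignment attempt
// that also tries to make the extender public (2 is Elgg's ACCESS_PUBLIC)
// and to reassign its owner.
$good = ['name' => 'rating', 'value' => '5'];
$bad  = ['name' => 'rating', 'value' => '5', 'access_id' => 2, 'owner_guid' => 1];

assert(extender_fields_from_request($good) === ['name' => 'rating', 'value' => '5']);

try {
    extender_fields_from_request($bad);
    assert(false, 'mass assignment must be rejected');
} catch (\InvalidArgumentException $e) {
    // Expected: "Request may not set extender attribute(s): access_id, owner_guid"
}

// With Elgg bootstrapped, the filtered fields are applied to a concrete extender:
// $annotation = new \ElggAnnotation();
// apply_extender_fields($annotation, extender_fields_from_request($good));
```

Rejecting unknown keys instead of filtering them out quietly means a probe for mass assignment shows up as an exception in the logs. Whether the caller must also consult canEdit() depends on the subclass, since it is abstract here.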
	/**
	 * Gets an attribute
	 *
	 * @param string $name Name
	 * @return mixed
	 */
	public function __get($name) {
		if (array_key_exists($name, $this->attributes)) {
			if ($name == 'value') {
				// value_type is whatever the attributes array holds; anything other
				// than 'integer' or 'text' makes reading 'value' throw.
				switch ($this->attributes['value_type']) {
					case 'integer' :
						return (int)$this->attributes['value'];
						break;

Analysis note: break is not strictly necessary here and could be removed. The break statement is not necessary if it is preceded for example by a return statement:

switch ($x) {
    case 1:
        return 'foo';
        break; // This break is not necessary and can be left off.
}

If you would like to keep this construct to be consistent with other case statements, you can safely mark this issue as a false-positive.

					case 'text' :
						return $this->attributes['value'];
						break;

Analysis note: same as above, the break after the return is not strictly necessary.

					default :
						$msg = "{$this->attributes['value_type']} is not a supported \ElggExtender value type.";
						throw new \UnexpectedValueException($msg);
						break;

Analysis note: break; does not seem to be reachable. This check looks for unreachable code. It uses control flow analysis to find statements which will never be executed. Unreachable code is most often the result of return, die or exit statements that have been added for debug purposes:

function fx() {
    try {
        doSomething();
        return true;
    }
    catch (\Exception $e) {
        return false;
    }

    return false;
}

In the above example, the last return false will never be executed, because a return statement has already been met in every possible execution path.

				}
			}

			return $this->attributes[$name];
		}

		return null;
	}

	/**
	 * Returns an attribute
	 *
	 * @param string $name Name
	 * @return mixed
	 * @deprecated 1.9
	 */
	protected function get($name) {
		elgg_deprecated_notice("Use -> instead of get()", 1.9);
		return $this->__get($name);
	}

	/**
	 * Get the GUID of the extender's owner entity.
	 *
	 * @return int The owner GUID
	 */
	public function getOwnerGUID() {
		return $this->owner_guid;
	}

	/**
	 * Return the guid of the entity's owner.
	 *
	 * @return int The owner GUID
	 * @deprecated 1.8 Use getOwnerGUID
	 */
	public function getOwner() {
		elgg_deprecated_notice("\ElggExtender::getOwner deprecated for \ElggExtender::getOwnerGUID", 1.8);
		return $this->getOwnerGUID();
	}

	/**
	 * Get the entity that owns this extender
	 *
	 * @return \ElggEntity
	 */
	public function getOwnerEntity() {
		return get_entity($this->owner_guid);
	}

	/**
	 * Get the entity this describes.
	 *
	 * @return \ElggEntity The entity
	 */
	public function getEntity() {
		return get_entity($this->entity_guid);
	}

	/**
	 * Returns whether a user can edit this entity extender.
	 *
	 * @param int $user_guid The GUID of the user doing the editing
	 *                      (defaults to currently logged in user)
	 *
	 * @return bool
	 * @see elgg_set_ignore_access()
	 */
	abstract public function canEdit($user_guid = 0);

	/**
	 * {@inheritdoc}
	 */
	public function toObject() {
		$object = new \stdClass();
		$object->id = $this->id;
		$object->entity_guid = $this->entity_guid;
		$object->owner_guid = $this->owner_guid;
		$object->name = $this->name;
		$object->value = $this->value;
		$object->time_created = date('c', $this->getTimeCreated());
		// Exposed as read_access; plugins hooked on 'to:object' may alter the result.
		$object->read_access = $this->access_id;
		$params = array($this->getSubtype() => $this);
		return _elgg_services()->hooks->trigger('to:object', $this->getSubtype(), $params, $object);
	}

	/*
	 * EXPORTABLE INTERFACE
	 */

	/**
	 * Return an array of fields which can be exported.
	 *
	 * @return array
	 * @deprecated 1.9 Use toObject()
	 */
	public function getExportableValues() {
		elgg_deprecated_notice(__METHOD__ . ' has been deprecated by toObject()', 1.9);
		return array(
			'id',
			'entity_guid',
			'name',
			'value',
			'value_type',
			'owner_guid',
			'type',
		);
	}

	/**
	 * Export this object
	 *
	 * @return ODDMetaData
	 * @deprecated 1.9 Use toObject()
	 */
	public function export() {
		elgg_deprecated_notice(__METHOD__ . ' has been deprecated', 1.9);
		$uuid = get_uuid_from_object($this);

		$meta = new ODDMetaData($uuid, guid_to_uuid($this->entity_guid), $this->attributes['name'],
			$this->attributes['value'], $this->attributes['type'], guid_to_uuid($this->owner_guid));

Analysis note: it seems like $uuid defined by get_uuid_from_object($this) above can also be of type false; however, ODDMetaData::__construct() does only seem to accept string. Did you maybe forget to handle an error condition? This check looks for type mismatches where the missing type is false, which is usually indicative of an error condition. Consider the following example:

<?php

function getDate($date)
{
    if ($date !== null) {
        return new DateTime($date);
    }

    return false;
}

This function either returns a new DateTime object or false, if there was an error. This is a typical pattern in PHP programming to show that an error has occurred without raising an exception. The calling code should check for this returned false (here: if ($uuid === false) { ... }) before passing the value on to a function or method that may not be able to handle it.

Analysis note (deprecated code): the class ODDMetaData has been deprecated with message: 1.9. The supplier of the file has supplied an explanatory message, which should give a clue as to whether and when the class will be removed and what to use instead.

		$meta->setAttribute('published', date("r", $this->time_created));

		return $meta;
	}

	/*
241
	 * SYSTEM LOG INTERFACE
242
	 */
243
244
	/**
245
	 * Return an identification for the object for storage in the system log.
246
	 * This id must be an integer.
247
	 *
248
	 * @return int
249
	 */
250
	public function getSystemLogID() {
251
		return $this->id;
252
	}
253
254
	/**
255
	 * Return a type of extension.
256
	 *
257
	 * @return string
258
	 */
259
	public function getType() {
260
		return $this->type;
261
	}
262
263
	/**
264
	 * Return a subtype. For metadata & annotations this is the 'name' and
265
	 * for relationship this is the relationship type.
266
	 *
267
	 * @return string
268
	 */
269
	public function getSubtype() {
270
		return $this->name;
271
	}
272
273
	/**
274
	 * Get a url for this extender.
275
	 *
276
	 * Plugins can register for the 'extender:url', <type> plugin hook to
277
	 * customize the url for an annotation or metadata.
278
	 *
279
	 * @return string
280
	 */
281
	public function getURL() {
282
283
		$url = "";
284
		$type = $this->getType();
285
		$subtype = $this->getSubtype();
286
287
		// @todo remove when elgg_register_extender_url_handler() has been removed
288
		if ($this->id) {
289
			global $CONFIG;
290
291
			$function = "";
292
			if (isset($CONFIG->extender_url_handler[$type][$subtype])) {
293
				$function = $CONFIG->extender_url_handler[$type][$subtype];
294
			}
295 View Code Duplication
			if (isset($CONFIG->extender_url_handler[$type]['all'])) {
296
				$function = $CONFIG->extender_url_handler[$type]['all'];
297
			}
298 View Code Duplication
			if (isset($CONFIG->extender_url_handler['all']['all'])) {
299
				$function = $CONFIG->extender_url_handler['all']['all'];
300
			}
301
			if (is_callable($function)) {
302
				$url = call_user_func($function, $this);
303
			}
304
305
			if ($url) {
306
				$url = elgg_normalize_url($url);
307
			}
308
		}
309
310
		$params = array('extender' => $this);
311
		$url = _elgg_services()->hooks->trigger('extender:url', $type, $params, $url);
312
313
		return elgg_normalize_url($url);
314
	}
315
316
}
317
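The legacy handler lookup in getURL() above assigns in three steps with no else, so a handler registered under ['all']['all'] overrides one registered for a specific type and subtype, the reverse of what a plugin author would expect, and any string that is_callable() accepts becomes the function that runs. The following is an added example, not Elgg code, that reproduces the lookup chain as a stand-alone function so the precedence can be checked offline. The $handlers array stands in for $CONFIG->extender_url_handler, and the closures stand in for plugin-registered function names; both are constructed for this example.

```php
<?php
// Added example, not part of Elgg or of the file above. Reimplements the
// lookup chain of ElggExtender::getURL() as a function that can be tested
// without a bootstrapped Elgg.

/**
 * Resolve which legacy URL handler getURL() would call for a given extender
 * type and subtype, using the same three lookups in the same order.
 * Returns null when nothing callable is registered.
 */
function resolve_extender_url_handler(array $handlers, string $type, string $subtype): ?callable {
    $function = "";
    if (isset($handlers[$type][$subtype])) {
        $function = $handlers[$type][$subtype];
    }
    if (isset($handlers[$type]['all'])) {
        $function = $handlers[$type]['all'];
    }
    if (isset($handlers['all']['all'])) {
        $function = $handlers['all']['all'];
    }
    // As in the original, the value goes straight to is_callable(): any global
    // function name stored in the config array becomes invokable.
    return is_callable($function) ? $function : null;
}

// Constructed handlers; closures stand in for plugin-registered function names.
$specific = function ($ext) { return '/annotation/' . $ext->id; };
$catchAll = function ($ext) { return '/extender/' . $ext->id; };

$handlers = [
    'annotation' => ['likes' => $specific],
    'all'        => ['all'   => $catchAll],
];

// The most generic registration wins over the specific one.
$resolved = resolve_extender_url_handler($handlers, 'annotation', 'likes');
assert($resolved === $catchAll);

// With only the specific handler registered, it is the one used.
unset($handlers['all']);
assert(resolve_extender_url_handler($handlers, 'annotation', 'likes') === $specific);

// A string that names no defined function is ignored, as is_callable() fails.
assert(resolve_extender_url_handler(['all' => ['all' => 'no_such_function']], 'metadata', 'x') === null);
```

A plugin that needs a per-subtype URL while a catch-all handler is registered cannot get it through this legacy array; the 'extender:url' hook that getURL() triggers afterwards is the supported way, and it receives the already-resolved $url as its value.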