Issues (2473)

Branch: master

Security Analysis    no vulnerabilities found

This project does not seem to handle request data directly as such no vulnerable execution paths were found.

  Cross-Site Scripting
Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.
  File Exposure
File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.
  File Manipulation
File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.
  Object Injection
Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.
  Code Injection
Code Injection enables an attacker to execute arbitrary code on the server.
  Response Splitting
Response Splitting can be used to send arbitrary responses.
  File Inclusion
File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.
  Command Injection
Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.
  SQL Injection
SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.
  XPath Injection
XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.
  LDAP Injection
LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.
  Header Injection
  Other Vulnerability
This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.
  Regex Injection
Regex Injection enables an attacker to execute arbitrary code in your PHP process.
  XML Injection
XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.
  Variable Injection
Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.
Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

engine/classes/ElggMetadata.php (9 issues)

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

1
<?php
2
3
/**
4
 * \ElggMetadata
5
 *
6
 * This class describes metadata that can be attached to an \ElggEntity. It is
7
 * rare that a plugin developer needs to use this API for metadata. Almost all
8
 * interaction with metadata occurs through the methods of \ElggEntity. See its
9
 * __set(), __get(), and setMetadata() methods.
10
 *
11
 * @package    Elgg.Core
12
 * @subpackage Metadata
13
 */
14
class ElggMetadata extends \ElggExtender {
15
16
	/**
17
	 * (non-PHPdoc)
18
	 *
19
	 * @see \ElggData::initializeAttributes()
20
	 *
21
	 * @return void
22
	 */
23
	protected function initializeAttributes() {
24
		parent::initializeAttributes();
25
26
		$this->attributes['type'] = "metadata";
27
	}
28
29
	/**
30
	 * Construct a metadata object
31
	 *
32
	 * Plugin developers will probably never need to use this API. See \ElggEntity
33
	 * for its API for setting and getting metadata.
34
	 *
35
	 * @param \stdClass $row Database row as \stdClass object
36
	 */
37 View Code Duplication
	public function __construct($row = null) {
0 ignored issues
show
This method seems to be duplicated in your project.

Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation.

You can also find more detailed suggestions in the “Code” section of your repository.

Loading history...
38
		$this->initializeAttributes();
39
40
		if (!empty($row)) {
41
			// Create from db row
42
			if ($row instanceof \stdClass) {
43
				$metadata = $row;
44
				
45
				$objarray = (array) $metadata;
46
				foreach ($objarray as $key => $value) {
47
					$this->attributes[$key] = $value;
48
				}
49
			} else {
50
				// get an \ElggMetadata object and copy its attributes
51
				elgg_deprecated_notice('Passing an ID to constructor is deprecated. Use elgg_get_metadata_from_id()', 1.9);
52
				$metadata = elgg_get_metadata_from_id($row);
53
				$this->attributes = $metadata->attributes;
54
			}
55
		}
56
	}
57
58
	/**
59
	 * Determines whether or not the user can edit this piece of metadata
60
	 *
61
	 * @param int $user_guid The GUID of the user (defaults to currently logged in user)
62
	 *
63
	 * @return bool
64
	 * @see elgg_set_ignore_access()
65
	 */
66
	public function canEdit($user_guid = 0) {
67
		if ($entity = get_entity($this->entity_guid)) {
68
			return $entity->canEditMetadata($this, $user_guid);
69
		}
70
		return false;
71
	}
72
73
	/**
74
	 * Save metadata object
75
	 *
76
	 * @return int|bool the metadata object id or true if updated
77
	 *
78
	 * @throws IOException
79
	 */
80 View Code Duplication
	public function save() {
0 ignored issues
show
This method seems to be duplicated in your project.

Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation.

You can also find more detailed suggestions in the “Code” section of your repository.

Loading history...
81
		if ($this->id > 0) {
82
			return update_metadata($this->id, $this->name, $this->value,
0 ignored issues
show
Bug Compatibility introduced by
The expression update_metadata($this->i...uid, $this->access_id); of type integer|boolean adds the type integer to the return on line 82 which is incompatible with the return type declared by the abstract method ElggData::save of type boolean.
Loading history...
83
				$this->value_type, $this->owner_guid, $this->access_id);
84
		} else {
85
			$this->id = create_metadata($this->entity_guid, $this->name, $this->value,
86
				$this->value_type, $this->owner_guid, $this->access_id);
87
88
			if (!$this->id) {
0 ignored issues
show
Bug Best Practice introduced by
The expression $this->id of type false|integer is loosely compared to false; this is ambiguous if the integer can be zero. You might want to explicitly use === null instead.

In PHP, under loose comparison (like ==, or !=, or switch conditions), values of different types might be equal.

For integer values, zero is a special case, in particular the following results might be unexpected:

0   == false // true
0   == null  // true
123 == false // false
123 == null  // false

// It is often better to use strict comparison
0 === false // false
0 === null  // false
Loading history...
89
				throw new \IOException("Unable to save new " . get_class());
90
			}
91
			return $this->id;
0 ignored issues
show
Bug Best Practice introduced by
The return type of return $this->id; (integer) is incompatible with the return type declared by the abstract method ElggData::save of type boolean.

If you return a value from a function or method, it should be a sub-type of the type that is given by the parent type f.e. an interface, or abstract method. This is more formally defined by the Lizkov substitution principle, and guarantees that classes that depend on the parent type can use any instance of a child type interchangably. This principle also belongs to the SOLID principles for object oriented design.

Let’s take a look at an example:

class Author {
    private $name;

    public function __construct($name) {
        $this->name = $name;
    }

    public function getName() {
        return $this->name;
    }
}

abstract class Post {
    public function getAuthor() {
        return 'Johannes';
    }
}

class BlogPost extends Post {
    public function getAuthor() {
        return new Author('Johannes');
    }
}

class ForumPost extends Post { /* ... */ }

function my_function(Post $post) {
    echo strtoupper($post->getAuthor());
}

Our function my_function expects a Post object, and outputs the author of the post. The base class Post returns a simple string and outputting a simple string will work just fine. However, the child class BlogPost which is a sub-type of Post instead decided to return an object, and is therefore violating the SOLID principles. If a BlogPost were passed to my_function, PHP would not complain, but ultimately fail when executing the strtoupper call in its body.

Loading history...
92
		}
93
	}
94
95
	/**
96
	 * Delete the metadata
97
	 *
98
	 * @return bool
99
	 */
100 View Code Duplication
	public function delete() {
0 ignored issues
show
This method seems to be duplicated in your project.

Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation.

You can also find more detailed suggestions in the “Code” section of your repository.

Loading history...
101
		$success = _elgg_delete_metastring_based_object_by_id($this->id, 'metadata');
102
		if ($success) {
103
			_elgg_services()->metadataCache->clear($this->entity_guid);
104
		}
105
		return $success;
106
	}
107
108
	/**
109
	 * Disable the metadata
110
	 *
111
	 * @return bool
112
	 * @since 1.8
113
	 */
114 View Code Duplication
	public function disable() {
0 ignored issues
show
This method seems to be duplicated in your project.

Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation.

You can also find more detailed suggestions in the “Code” section of your repository.

Loading history...
115
		$success = _elgg_set_metastring_based_object_enabled_by_id($this->id, 'no', 'metadata');
116
		if ($success) {
117
			_elgg_services()->metadataCache->clear($this->entity_guid);
118
		}
119
		return $success;
120
	}
121
122
	/**
123
	 * Enable the metadata
124
	 *
125
	 * @return bool
126
	 * @since 1.8
127
	 */
128 View Code Duplication
	public function enable() {
0 ignored issues
show
This method seems to be duplicated in your project.

Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation.

You can also find more detailed suggestions in the “Code” section of your repository.

Loading history...
129
		$success = _elgg_set_metastring_based_object_enabled_by_id($this->id, 'yes', 'metadata');
130
		if ($success) {
131
			_elgg_services()->metadataCache->clear($this->entity_guid);
132
		}
133
		return $success;
134
	}
135
136
	// SYSTEM LOG INTERFACE ////////////////////////////////////////////////////////////
137
138
	/**
139
	 * For a given ID, return the object associated with it.
140
	 * This is used by the river functionality primarily.
141
	 * This is useful for checking access permissions etc on objects.
142
	 *
143
	 * @param int $id Metadata ID
144
	 *
145
	 * @return \ElggMetadata
146
	 */
147
	public function getObjectFromID($id) {
148
		return elgg_get_metadata_from_id($id);
0 ignored issues
show
Bug Best Practice introduced by
The return type of return elgg_get_metadata_from_id($id); (ElggExtender) is incompatible with the return type declared by the interface Loggable::getObjectFromID of type ElggEntity.

If you return a value from a function or method, it should be a sub-type of the type that is given by the parent type f.e. an interface, or abstract method. This is more formally defined by the Lizkov substitution principle, and guarantees that classes that depend on the parent type can use any instance of a child type interchangably. This principle also belongs to the SOLID principles for object oriented design.

Let’s take a look at an example:

class Author {
    private $name;

    public function __construct($name) {
        $this->name = $name;
    }

    public function getName() {
        return $this->name;
    }
}

abstract class Post {
    public function getAuthor() {
        return 'Johannes';
    }
}

class BlogPost extends Post {
    public function getAuthor() {
        return new Author('Johannes');
    }
}

class ForumPost extends Post { /* ... */ }

function my_function(Post $post) {
    echo strtoupper($post->getAuthor());
}

Our function my_function expects a Post object, and outputs the author of the post. The base class Post returns a simple string and outputting a simple string will work just fine. However, the child class BlogPost which is a sub-type of Post instead decided to return an object, and is therefore violating the SOLID principles. If a BlogPost were passed to my_function, PHP would not complain, but ultimately fail when executing the strtoupper call in its body.

Loading history...
149
	}
150
}
151