Issues in ElggUpgrade.php (master) - Issues in master - gctools-outilsgc/gcconnex - Measure and Improve Code Quality continuously with Scrutinizer

Issues (2473)

Security Analysis no vulnerabilities found

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

engine/classes/ElggUpgrade.php (3 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * Upgrade object for upgrades that need to be tracked
 * and listed in the admin area.
 *
 * @todo Expand for all upgrades to be \ElggUpgrade subclasses.
 */

/**
 * Represents an upgrade that runs outside of the upgrade.php script.
 * These are listed in admin/upgrades and allow for ajax upgrades.
 *
 * @note The "upgrade_url" private setting originally stored the full URL, but
 *       was changed to hold the relative path from the site URL for #6838
 *
 * @package Elgg.Admin
 * @access private
 */
class ElggUpgrade extends \ElggObject {
	private $requiredProperties = array(
		'title',
		'description',
		'upgrade_url',
	);

	/**
	 * Do not use.
	 *
	 * @access private
	 * @var callable
	 */
	public $_callable_egefps = 'elgg_get_entities_from_private_settings';

	/**
	 * Set subtype to upgrade
	 *
	 * @return null
	 */
	public function initializeAttributes() {
		parent::initializeAttributes();

		$this->attributes['subtype'] = 'elgg_upgrade';

		// unowned
		$this->attributes['site_guid'] = 0;
		$this->attributes['container_guid'] = 0;
		$this->attributes['owner_guid'] = 0;

		$this->is_completed = 0;
	}

	/**
	 * Mark this upgrade as completed
	 *
	 * @return bool
	 */
	public function setCompleted() {
		$this->setCompletedTime();
		return $this->is_completed = true;
	}

	/**
	 * Has this upgrade completed?
	 *
	 * @return bool
	 */
	public function isCompleted() {
		return (bool) $this->is_completed;
	}

	/**
	 * Sets an upgrade URL path
	 *
	 * @param string $path Set the URL path (without site URL) for the upgrade page
	 * @return void
	 * @throws InvalidArgumentException
	 */
	public function setPath($path) {
		if (!$path) {
			throw new InvalidArgumentException('Invalid value for URL path.');
		}

		$path = ltrim($path, '/');

		if ($this->getUpgradeFromPath($path)) {
			throw new InvalidArgumentException('Upgrade URL paths must be unique.');
		}

		$this->upgrade_url = $path;
	}

	/**
	 * Returns a normalized URL for the upgrade page.
	 *
	 * @return string
	 */
	public function getURL() {
		return elgg_normalize_url($this->upgrade_url);
	}

	/**
	 * Sets the timestamp for when the upgrade completed.
	 *
	 * @param int $time Timestamp when upgrade finished. Defaults to now.
	 * @return bool
	 */
	public function setCompletedTime($time = null) {
		if (!$time) {
0   == false // true
0   == null  // true
123 == false // false
123 == null  // false

// It is often better to use strict comparison
0 === false // false
0 === null  // false
			$time = time();
		}

		return $this->completed_time = $time;
	}

	/**
	 * Gets the time when the upgrade completed.
	 *
	 * @return string
	 */
	public function getCompletedTime() {
		return $this->completed_time;
	}

	/**
	 * Require an upgrade page.
	 *
	 * @return mixed
	 * @throws UnexpectedValueException
	 */
	public function save() {
		foreach ($this->requiredProperties as $prop) {
			if (!$this->$prop) {
				throw new UnexpectedValueException("ElggUpgrade objects must have a value for the $prop property.");
			}
		}

		return parent::save();

	}

	/**
	 * Set a value as private setting or attribute.
	 *
	 * Attributes include title and description.
	 *
	 * @param string $name  Name of the attribute or private_setting
	 * @param mixed  $value Value to be set
	 * @return void
	 */
	public function __set($name, $value) {
		if (array_key_exists($name, $this->attributes)) {
			parent::__set($name, $value);
		} else {
			$this->setPrivateSetting($name, $value);
		}
	}

	/**
	 * Get an attribute or private setting value
	 *
	 * @param string $name Name of the attribute or private setting
	 * @return mixed
	 */
	public function __get($name) {
		// See if its in our base attribute
		if (array_key_exists($name, $this->attributes)) {
			return parent::__get($name);
		}

		return $this->getPrivateSetting($name);
	}

	/**
	 * Find an ElggUpgrade object by the unique URL path
	 *
	 * @param string $path The Upgrade URL path (after site URL)
	 * @return ElggUpgrade|false
	 */
	public function getUpgradeFromPath($path) {
		$path = ltrim($path, '/');

		if (!$path) {
			return false;
		}

		// test for full URL values (used at 1.9.0)
		$options = array(
			'type' => 'object',
			'subtype' => 'elgg_upgrade',
			'private_setting_name' => 'upgrade_url',
			'private_setting_value' => elgg_normalize_url($path),
		);
		$upgrades = call_user_func($this->_callable_egefps, $options);
		/* @var ElggUpgrade[] $upgrades */

		if ($upgrades) {

			// replace URL with path (we can't use setPath due to recursion)
			$upgrades[0]->upgrade_url = $path;
			return $upgrades[0];
		}

		$options['private_setting_value'] = $path;
		$upgrades = call_user_func($this->_callable_egefps, $options);

		if ($upgrades) {
			return $upgrades[0];
		}

		return false;
	}
}

1		<?php
2		/**
3		* Upgrade object for upgrades that need to be tracked
4		* and listed in the admin area.
5		*
6		* @todo Expand for all upgrades to be \ElggUpgrade subclasses.
7		*/
8
9		/**
10		* Represents an upgrade that runs outside of the upgrade.php script.
11		* These are listed in admin/upgrades and allow for ajax upgrades.
12		*
13		* @note The "upgrade_url" private setting originally stored the full URL, but
14		* was changed to hold the relative path from the site URL for #6838
15		*
16		* @package Elgg.Admin
17		* @access private
18		*/
19		class ElggUpgrade extends \ElggObject {
20		private $requiredProperties = array(
21		'title',
22		'description',
23		'upgrade_url',
24		);
25
26		/**
27		* Do not use.
28		*
29		* @access private
30		* @var callable
31		*/
32		public $_callable_egefps = 'elgg_get_entities_from_private_settings';
33
34		/**
35		* Set subtype to upgrade
36		*
37		* @return null
38		*/
39	9	public function initializeAttributes() {
40	9	parent::initializeAttributes();
41
42	9	$this->attributes['subtype'] = 'elgg_upgrade';
43
44		// unowned
45	9	$this->attributes['site_guid'] = 0;
46	9	$this->attributes['container_guid'] = 0;
47	9	$this->attributes['owner_guid'] = 0;
48
49	9	$this->is_completed = 0;
50	9	}
51
52		/**
53		* Mark this upgrade as completed
54		*
55		* @return bool
56		*/
57		public function setCompleted() {
58		$this->setCompletedTime();
59		return $this->is_completed = true;
60		}
61
62		/**
63		* Has this upgrade completed?
64		*
65		* @return bool
66		*/
67		public function isCompleted() {
68		return (bool) $this->is_completed;
69		}
70
71		/**
72		* Sets an upgrade URL path
73		*
74		* @param string $path Set the URL path (without site URL) for the upgrade page
75		* @return void
76		* @throws InvalidArgumentException
77		*/
78	5	public function setPath($path) {
79	5	if (!$path) {
80	1	throw new InvalidArgumentException('Invalid value for URL path.');
81		}
82
83	4	$path = ltrim($path, '/');
84
85	4	if ($this->getUpgradeFromPath($path)) {
86	1	throw new InvalidArgumentException('Upgrade URL paths must be unique.');
87		}
88
89	3	$this->upgrade_url = $path;
90	3	}
91
92		/**
93		* Returns a normalized URL for the upgrade page.
94		*
95		* @return string
96		*/
97	1	public function getURL() {
98	1	return elgg_normalize_url($this->upgrade_url);
99		}
100
101		/**
102		* Sets the timestamp for when the upgrade completed.
103		*
104		* @param int $time Timestamp when upgrade finished. Defaults to now.
105		* @return bool
106		*/
107		public function setCompletedTime($time = null) {
108		if (!$time) {
		0 ignored issues – show Bug Best Practice introduced 2017-09-27 16:16 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `$time` of type `integer\|null` is loosely compared to `false`; this is ambiguous if the integer can be zero. You might want to explicitly use `=== null` instead. In PHP, under loose comparison (like `==`, or `!=`, or `switch` conditions), values of different types might be equal. For `integer` values, zero is a special case, in particular the following results might be unexpected: 0 == false // true 0 == null // true 123 == false // false 123 == null // false // It is often better to use strict comparison 0 === false // false 0 === null // false Loading history...
109		$time = time();
110		}
111
112		return $this->completed_time = $time;
113		}
114
115		/**
116		* Gets the time when the upgrade completed.
117		*
118		* @return string
119		*/
120		public function getCompletedTime() {
121		return $this->completed_time;
122		}
123
124		/**
125		* Require an upgrade page.
126		*
127		* @return mixed
128		* @throws UnexpectedValueException
129		*/
130	3	public function save() {
131	3	foreach ($this->requiredProperties as $prop) {
132	3	if (!$this->$prop) {
133	3	throw new UnexpectedValueException("ElggUpgrade objects must have a value for the $prop property.");
134		}
135	2	}
136
137		return parent::save();
		0 ignored issues – show Bug Compatibility introduced 2017-09-27 16:16 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `parent::save();` of type `boolean\|integer` adds the type `integer` to the return on line 137 which is incompatible with the return type declared by the abstract method `ElggData::save` of type `boolean`. Loading history...
138		}
139
140		/**
141		* Set a value as private setting or attribute.
142		*
143		* Attributes include title and description.
144		*
145		* @param string $name Name of the attribute or private_setting
146		* @param mixed $value Value to be set
147		* @return void
148		*/
149	9	public function __set($name, $value) {
150	9	if (array_key_exists($name, $this->attributes)) {
151	3	parent::__set($name, $value);
152	3	} else {
153	9	$this->setPrivateSetting($name, $value);
154		}
155	9	}
156
157		/**
158		* Get an attribute or private setting value
159		*
160		* @param string $name Name of the attribute or private setting
161		* @return mixed
162		*/
163	9	public function __get($name) {
164		// See if its in our base attribute
165	9	if (array_key_exists($name, $this->attributes)) {
166	9	return parent::__get($name);
167		}
168
169	3	return $this->getPrivateSetting($name);
170		}
171
172		/**
173		* Find an ElggUpgrade object by the unique URL path
174		*
175		* @param string $path The Upgrade URL path (after site URL)
176		* @return ElggUpgrade\|false
177		*/
178	6	public function getUpgradeFromPath($path) {
179	6	$path = ltrim($path, '/');
180
181	6	if (!$path) {
182		return false;
183		}
184
185		// test for full URL values (used at 1.9.0)
186		$options = array(
187	6	'type' => 'object',
188	6	'subtype' => 'elgg_upgrade',
189	6	'private_setting_name' => 'upgrade_url',
190	6	'private_setting_value' => elgg_normalize_url($path),
191	6	);
192	6	$upgrades = call_user_func($this->_callable_egefps, $options);
193		/* @var ElggUpgrade[] $upgrades */
194
195	6	if ($upgrades) {
		0 ignored issues – show Bug Best Practice introduced 2017-09-27 16:16 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `$upgrades` of type `ElggUpgrade[]` is implicitly converted to a boolean; are you sure this is intended? If so, consider using `! empty($expr)` instead to make it clear that you intend to check for an array without elements. This check marks implicit conversions of arrays to boolean values in a comparison. While in PHP an empty array is considered to be equal (but not identical) to false, this is not always apparent. Consider making the comparison explicit by using `empty(..)` or `! empty(...)` instead. Loading history...
196		// replace URL with path (we can't use setPath due to recursion)
197	2	$upgrades[0]->upgrade_url = $path;
198	5	return $upgrades[0];
199		}
200
201	4	$options['private_setting_value'] = $path;
202	4	$upgrades = call_user_func($this->_callable_egefps, $options);
203
204	4	if ($upgrades) {
205	1	return $upgrades[0];
206		}
207
208	3	return false;
209		}
210		}

gctools-outilsgc / gcconnex

Issues (2473)

Security Analysis no vulnerabilities found

engine/classes/ElggUpgrade.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like