Issues (6)

Security Analysis: no request data

This project does not seem to handle request data directly; as such, no vulnerable execution paths were found.

  Cross-Site Scripting
Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.
  File Exposure
File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.
  File Manipulation
File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.
  Object Injection
Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.
  Code Injection
Code Injection enables an attacker to execute arbitrary code on the server.
  Response Splitting
Response Splitting can be used to send arbitrary responses.
  File Inclusion
File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.
  Command Injection
Command Injection enables an attacker to inject a shell command that is executed with the privileges of the web-server. This can be used to expose sensitive data, or gain access to your server.
  SQL Injection
SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.
  XPath Injection
XPath Injection enables an attacker to modify the parts of the XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.
  LDAP Injection
LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.
  Header Injection
  Other Vulnerability
This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.
  Regex Injection
Regex Injection enables an attacker to execute arbitrary code in your PHP process.
  XML Injection
XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.
  Variable Injection
Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.
Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/PoInitAbstract.php (3 issues)

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis; consider migrating to our new PHP analysis engine instead.

<?php

namespace Geekwright\Po;

use Geekwright\Po\Exceptions\FileNotReadableException;

/**
 * PoInitAbstract provides a structure for 'msginit' like logic which can take
 * a source PHP file, recognize gettext like function tokens, and capture the
 * translatable strings in a PoFile object.
 *
 * @category  Extractors
 * @package   Po
 * @author    Richard Griffith <[email protected]>
 * @copyright 2015-2018 Richard Griffith
 * @license   GNU GPL 2 or later (http://www.gnu.org/licenses/gpl-2.0.html)
 * @link      https://github.com/geekwright/Po
 */
abstract class PoInitAbstract
{
    /**
     * @var PoFile $poFile object to be used in msginit
     */
    protected $poFile = null;

    /**
     * @var string[] $gettextTags tags for gettext constructs, i.e. tag($msgid)
     */
    protected $gettextTags = array('gettext', 'gettext_noop', '_');

    /**
     * @var string[] $pgettextTags tags for pgettext constructs, i.e. tag($msgctxt, $msgid)
     */
    protected $pgettextTags = array('pgettext');

    /**
     * @var string[] $ngettextTags tags for ngettext constructs, i.e. tag($msgid, $msgid_plural)
     */
    protected $ngettextTags = array('ngettext');

    /**
     * Get the PoFile object used in msginit process
     *
     * @return PoFile
     */
    public function getPoFile(): PoFile
    {
        return $this->poFile;
    }

    /**
     * Set the PoFile object to use in msginit process
     *
     * @param PoFile $poFile a PoFile object
     *
     * @return void
     */
    public function setPoFile(PoFile $poFile): void
    {
        $this->poFile = $poFile;
    }

    /**
     * Get tags used for gettext like functions
     *
     * @return string[]
     */
    public function getGettextTags(): array
    {
        return $this->gettextTags;
    }

    /**
     * Set tags used for gettext like functions
     *
     * @param string[] $tags array of tags to set
     *
     * @return void
     */
    public function setGettextTags(array $tags): void
    {
        $this->gettextTags = $tags;
    }

    /**
     * Add tags used for gettext like functions
     *
     * @param string|string[] $tags tag, or array of tags to add
     *
     * @return void
     */
    public function addGettextTags($tags): void
    {
        $this->gettextTags = array_merge($this->gettextTags, (array) $tags);

Documentation Bug introduced by
It seems like array_merge($this->gettextTags, (array) $tags) of type array is incompatible with the declared type array<integer,string> of property $gettextTags.

Our type inference engine has found an assignment to a property that is incompatible with the declared type of that property.

Either this assignment is in error or the assigned type should be added to the documentation/type hint for that property.

    }

    /**
     * Get tags used for ngettext like functions
     *
     * @return string[]
     */
    public function getNgettextTags(): array
    {
        return $this->ngettextTags;
    }

    /**
     * setNgettextTags - set tags used for ngettext like functions
     * @param string[] $tags array of tags to set
     *
     * @return void
     */
    public function setNgettextTags(array $tags): void
    {
        $this->ngettextTags = $tags;
    }

    /**
     * Add tags used for ngettext like functions
     *
     * @param string|string[] $tags tag, or array of tags to add
     *
     * @return void
     */
    public function addNgettextTags($tags): void
    {
        $this->ngettextTags = array_merge($this->ngettextTags, (array) $tags);

Documentation Bug introduced by
It seems like array_merge($this->ngettextTags, (array) $tags) of type array is incompatible with the declared type array<integer,string> of property $ngettextTags.

Our type inference engine has found an assignment to a property that is incompatible with the declared type of that property.

Either this assignment is in error or the assigned type should be added to the documentation/type hint for that property.

    }

    /**
     * Get tags used for pgettext like functions
     *
     * @return string[]
     */
    public function getPgettextTags(): array
    {
        return $this->pgettextTags;
    }

    /**
     * Set tags used for pgettext like functions
     *
     * @param string[] $tags array of tags to set
     *
     * @return void
     */
    public function setPgettextTags(array $tags): void
    {
        $this->pgettextTags = $tags;
    }

    /**
     * Add tags used for pgettext like functions
     *
     * @param string|string[] $tags tag, or array of tags to add
     *
     * @return void
     */
    public function addPgettextTags($tags): void
    {
        $this->pgettextTags = array_merge($this->pgettextTags, (array) $tags);

Documentation Bug introduced by
It seems like array_merge($this->pgettextTags, (array) $tags) of type array is incompatible with the declared type array<integer,string> of property $pgettextTags.

Our type inference engine has found an assignment to a property that is incompatible with the declared type of that property.

Either this assignment is in error or the assigned type should be added to the documentation/type hint for that property.

    }

    /**
     * Inspect the supplied source file, capture gettext references as a PoFile object
     *
     * @param string $filename name of source file
     *
     * @return PoFile
     *
     * @throws FileNotReadableException
     */
    public function msginitFile(string $filename): PoFile
    {
        if (!is_readable($filename)) {
            $source = false;
        } else {
            $source = file_get_contents($filename);
        }
        if (false===$source) {
            throw new FileNotReadableException($filename);
        }
        return $this->msginitString($source, $filename);
    }

    /**
     * Inspect the supplied source, capture gettext references as a PoFile object
     *
     * @param string $source  php source code
     * @param string $refname source identification used for PO reference comments
     *
     * @return PoFile
     */
    abstract public function msginitString(string $source, string $refname): PoFile;

    /**
     * Prepare a string from tokenized output for use in a po file. Remove any
     * surrounding quotes, escape control characters and double quotes.
     *
     * @param string $string raw string (T_STRING) identified by php token_get_all
     *
     * @return string
     */
    public function escapeForPo(string $string): string
    {
        if ($string[0]=='"' || $string[0]=="'") {
            $string = substr($string, 1, -1);
        }
        $string = str_replace("\r\n", "\n", $string);
        $string = stripcslashes($string);
        return addcslashes($string, "\0..\37\"");
    }

    /**
     * Check the supplied entry for sprintf directives and set php-format flag if found
     *
     * @param PoEntry $entry entry to check
     *
     * @return void
     */
    public function checkPhpFormatFlag(PoEntry $entry): void
    {
        if (preg_match(
            '#(?<!%)%(?:\d+\$)?[+-]?(?:[ 0]|\'.{1})?-?\d*(?:\.\d+)?[bcdeEufFgGosxX]#',
            $entry->get(PoTokens::MESSAGE) . $entry->get(PoTokens::PLURAL)
        )) {
            $entry->addFlag('php-format');
        }
    }
}