Issues in PoInitSmarty.php (master) - Issues in master - geekwright/Po - Measure and Improve Code Quality continuously with Scrutinizer

Issues (6)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/PoInitSmarty.php (3 issues)

Labels

Severity

Major 3

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace Geekwright\Po;

/**
 * PoInitPHP provides 'msginit' like logic which can take a Smarty template file,
 * recognize gettext like function tokens, and capture the translatable strings
 * in a PoFile object.
 *
 * The Smarty functions are expected to be in the format:
 *   funcname(msgid="message" msgid_plural="plural message" msgctxt="context")
 * The specifics of the function ('funcname') and the argument names ('msgid',
 * 'msgid_plural', and 'msgctxt') can be specified.
 *
 * A properly initialized Smarty v3 object  is required.
 *
 * @category  Extractors
 * @package   Po
 * @author    Richard Griffith <[email protected]>
 * @copyright 2015-2018 Richard Griffith
 * @license   GNU GPL 2 or later (http://www.gnu.org/licenses/gpl-2.0.html)
 * @link      https://github.com/geekwright/Po
 */
class PoInitSmarty extends PoInitAbstract
{
    /**
     * @var \Smarty $smarty Smarty 3 object
     */
    protected $smarty = null;

    /**
     * @var string[] $gettextTags tags for gettext constructs, i.e. tag($msgid)
     */
    protected $gettextTags = array('gettext', '_');

    /**
     * @var string[] $pgettextTags tags for pgettext constructs, i.e. tag($msgctxt, $msgid)
     */
    protected $pgettextTags = array();

    /**
     * @var string[] $ngettextTags tags for ngettext constructs, i.e. tag($msgid, $msgid_plural)
     */
    protected $ngettextTags = array();

    /**
     * @var string[] $msgidArgNames names of Smarty function arguments for msgid
     */
    protected $msgidArgNames = array('msgid');

    /**
     * @var string[] $msgidPluralArgNames names of Smarty function arguments for msgid_plural
     */
    protected $msgidPluralArgNames = array('msgid_plural');

    /**
     * @var string[] $msgctxtArgNames names of Smarty function argments for msgctxt
     */
    protected $msgctxtArgNames = array('msgctxt');

    /**
     * Set the Smarty and PoObjects to use in the Init process
     *
     * @param \Smarty     $smarty a fully initialize Smarty 3 instance
     * @param PoFile|null $poFile a PoFile object to be used in msginit
     */
    public function __construct(\Smarty $smarty, ?PoFile $poFile = null)
    {
        $this->smarty = $smarty;
        $this->poFile = $poFile;
    }

    /**
     * getMsgctxtArgNames - get argument name(s) used for the msgctxt
     *
     * @return string[]
     */
    public function getMsgctxtArgNames(): array
    {
        return $this->msgctxtArgNames;
    }

    /**
     * Set argument name(s) used for the msgctxt
     *
     * @param string[] $argNames array of argument names to set
     *
     * @return void
     */
    public function setMsgctxtArgNames(array $argNames): void
    {
        $this->msgctxtArgNames = $argNames;
    }

    /**
     * Add argument name(s) used for the msgctxt
     *
     * @param string|string[] $argNames argument name(s) to add
     *
     * @return void
     */
    public function addMsgctxtArgNames($argNames): void
    {
        $this->msgctxtArgNames = array_merge($this->msgctxtArgNames, (array) $argNames);

    }

    /**
     * Get argument name(s) used for the msgid
     *
     * @return string[]
     */
    public function getMsgidArgNames(): array
    {
        return $this->msgidArgNames;
    }

    /**
     * Set argument name(s) used for the msgid
     *
     * @param string[] $argNames array of argument names to set
     *
     * @return void
     */
    public function setMsgidArgNames(array $argNames): void
    {
        $this->msgidArgNames = $argNames;
    }

    /**
     * Add argument name(s) used for the msgid
     *
     * @param string|string[] $argNames argument name(s) to add
     *
     * @return void
     */
    public function addMsgidArgNames($argNames): void
    {
        $this->msgidArgNames = array_merge($this->msgidArgNames, (array) $argNames);

    }

    /**
     * Get argument name(s) used for the msgid_plural
     *
     * @return string[]
     */
    public function getMsgidPluralArgNames(): array
    {
        return $this->msgidPluralArgNames;
    }

    /**
     * Set argument name(s) used for the msgid_plural
     *
     * @param string[] $argNames array of argument names to set
     *
     * @return void
     */
    public function setMsgidPluralArgNames(array $argNames): void
    {
        $this->msgidPluralArgNames = $argNames;
    }

    /**
     * Add argument name(s) used for the msgid_plural
     *
     * @param string|string[] $argNames argument name(s) to add
     *
     * @return void
     */
    public function addMsgidPluralArgNames($argNames): void
    {
        $this->msgidPluralArgNames = array_merge($this->msgidPluralArgNames, (array) $argNames);

    }

    /**
     * Inspect the supplied source, capture gettext references as a PoFile object.
     *
     * @param string $source  php source code
     * @param string $refname source identification used for PO reference comments
     *
     * @return PoFile
     */
    public function msginitString(string $source, string $refname): PoFile
    {
        if (!($this->poFile instanceof PoFile)) {
            $this->poFile = new PoFile;
        }

        $tpl = $this->smarty->createTemplate('eval:'.$source);
        $tags = $this->smarty->getTags($tpl);

        $translateTags = array_merge($this->gettextTags, $this->pgettextTags, $this->ngettextTags);
        foreach ($tags as $tag) {
            if (in_array($tag[0], $translateTags)) {
                $entry = new PoEntry;
                $haveEntry = false;
                $entry->add(PoTokens::REFERENCE, $refname);
                foreach ($tag[1] as $temp) {
                    foreach ($temp as $key => $value) {
                        if ($value[0]=="'" || $value[0]=='"') {
                            if (in_array($key, $this->msgidArgNames)) {
                                $entry->set(PoTokens::MESSAGE, $this->escapeForPo($value));
                                $haveEntry = true;
                            } elseif (in_array($key, $this->msgidPluralArgNames)) {
                                $entry->set(PoTokens::PLURAL, $this->escapeForPo($value));
                            } elseif (in_array($key, $this->msgctxtArgNames)) {
                                $entry->set(PoTokens::CONTEXT, $this->escapeForPo($value));
                            }
                        }
                    }
                }
                if ($haveEntry) {
                    $this->checkPhpFormatFlag($entry);
                    $this->poFile->mergeEntry($entry);
                }
            }
        }
        return $this->poFile;
    }
}


1		<?php
2
3		namespace Geekwright\Po;
4
5		/**
6		* PoInitPHP provides 'msginit' like logic which can take a Smarty template file,
7		* recognize gettext like function tokens, and capture the translatable strings
8		* in a PoFile object.
9		*
10		* The Smarty functions are expected to be in the format:
11		* funcname(msgid="message" msgid_plural="plural message" msgctxt="context")
12		* The specifics of the function ('funcname') and the argument names ('msgid',
13		* 'msgid_plural', and 'msgctxt') can be specified.
14		*
15		* A properly initialized Smarty v3 object is required.
16		*
17		* @category Extractors
18		* @package Po
19		* @author Richard Griffith <[email protected]>
20		* @copyright 2015-2018 Richard Griffith
21		* @license GNU GPL 2 or later (http://www.gnu.org/licenses/gpl-2.0.html)
22		* @link https://github.com/geekwright/Po
23		*/
24		class PoInitSmarty extends PoInitAbstract
25		{
26		/**
27		* @var \Smarty $smarty Smarty 3 object
28		*/
29		protected $smarty = null;
30
31		/**
32		* @var string[] $gettextTags tags for gettext constructs, i.e. tag($msgid)
33		*/
34		protected $gettextTags = array('gettext', '_');
35
36		/**
37		* @var string[] $pgettextTags tags for pgettext constructs, i.e. tag($msgctxt, $msgid)
38		*/
39		protected $pgettextTags = array();
40
41		/**
42		* @var string[] $ngettextTags tags for ngettext constructs, i.e. tag($msgid, $msgid_plural)
43		*/
44		protected $ngettextTags = array();
45
46		/**
47		* @var string[] $msgidArgNames names of Smarty function arguments for msgid
48		*/
49		protected $msgidArgNames = array('msgid');
50
51		/**
52		* @var string[] $msgidPluralArgNames names of Smarty function arguments for msgid_plural
53		*/
54		protected $msgidPluralArgNames = array('msgid_plural');
55
56		/**
57		* @var string[] $msgctxtArgNames names of Smarty function argments for msgctxt
58		*/
59		protected $msgctxtArgNames = array('msgctxt');
60
61		/**
62		* Set the Smarty and PoObjects to use in the Init process
63		*
64		* @param \Smarty $smarty a fully initialize Smarty 3 instance
65		* @param PoFile\|null $poFile a PoFile object to be used in msginit
66		*/
67	14	public function __construct(\Smarty $smarty, ?PoFile $poFile = null)
68		{
69	14	$this->smarty = $smarty;
70	14	$this->poFile = $poFile;
71	14	}
72
73		/**
74		* getMsgctxtArgNames - get argument name(s) used for the msgctxt
75		*
76		* @return string[]
77		*/
78	1	public function getMsgctxtArgNames(): array
79		{
80	1	return $this->msgctxtArgNames;
81		}
82
83		/**
84		* Set argument name(s) used for the msgctxt
85		*
86		* @param string[] $argNames array of argument names to set
87		*
88		* @return void
89		*/
90	1	public function setMsgctxtArgNames(array $argNames): void
91		{
92	1	$this->msgctxtArgNames = $argNames;
93	1	}
94
95		/**
96		* Add argument name(s) used for the msgctxt
97		*
98		* @param string\|string[] $argNames argument name(s) to add
99		*
100		* @return void
101		*/
102	1	public function addMsgctxtArgNames($argNames): void
103		{
104	1	$this->msgctxtArgNames = array_merge($this->msgctxtArgNames, (array) $argNames);
		0 ignored issues – show Documentation Bug introduced 2016-08-24 20:51 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `array_merge($this->msgct...mes, (array) $argNames)` of type `array` is incompatible with the declared type `array<integer,string>` of property `$msgctxtArgNames`. Our type inference engine has found an assignment to a property that is incompatible with the declared type of that property. Either this assignment is in error or the assigned type should be added to the documentation/type hint for that property.. Loading history...
105	1	}
106
107		/**
108		* Get argument name(s) used for the msgid
109		*
110		* @return string[]
111		*/
112	1	public function getMsgidArgNames(): array
113		{
114	1	return $this->msgidArgNames;
115		}
116
117		/**
118		* Set argument name(s) used for the msgid
119		*
120		* @param string[] $argNames array of argument names to set
121		*
122		* @return void
123		*/
124	1	public function setMsgidArgNames(array $argNames): void
125		{
126	1	$this->msgidArgNames = $argNames;
127	1	}
128
129		/**
130		* Add argument name(s) used for the msgid
131		*
132		* @param string\|string[] $argNames argument name(s) to add
133		*
134		* @return void
135		*/
136	1	public function addMsgidArgNames($argNames): void
137		{
138	1	$this->msgidArgNames = array_merge($this->msgidArgNames, (array) $argNames);
		0 ignored issues – show Documentation Bug introduced 2016-08-24 20:51 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `array_merge($this->msgid...mes, (array) $argNames)` of type `array` is incompatible with the declared type `array<integer,string>` of property `$msgidArgNames`. Our type inference engine has found an assignment to a property that is incompatible with the declared type of that property. Either this assignment is in error or the assigned type should be added to the documentation/type hint for that property.. Loading history...
139	1	}
140
141		/**
142		* Get argument name(s) used for the msgid_plural
143		*
144		* @return string[]
145		*/
146	1	public function getMsgidPluralArgNames(): array
147		{
148	1	return $this->msgidPluralArgNames;
149		}
150
151		/**
152		* Set argument name(s) used for the msgid_plural
153		*
154		* @param string[] $argNames array of argument names to set
155		*
156		* @return void
157		*/
158	1	public function setMsgidPluralArgNames(array $argNames): void
159		{
160	1	$this->msgidPluralArgNames = $argNames;
161	1	}
162
163		/**
164		* Add argument name(s) used for the msgid_plural
165		*
166		* @param string\|string[] $argNames argument name(s) to add
167		*
168		* @return void
169		*/
170	1	public function addMsgidPluralArgNames($argNames): void
171		{
172	1	$this->msgidPluralArgNames = array_merge($this->msgidPluralArgNames, (array) $argNames);
		0 ignored issues – show Documentation Bug introduced 2016-08-24 20:51 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `array_merge($this->msgid...mes, (array) $argNames)` of type `array` is incompatible with the declared type `array<integer,string>` of property `$msgidPluralArgNames`. Our type inference engine has found an assignment to a property that is incompatible with the declared type of that property. Either this assignment is in error or the assigned type should be added to the documentation/type hint for that property.. Loading history...
173	1	}
174
175		/**
176		* Inspect the supplied source, capture gettext references as a PoFile object.
177		*
178		* @param string $source php source code
179		* @param string $refname source identification used for PO reference comments
180		*
181		* @return PoFile
182		*/
183	6	public function msginitString(string $source, string $refname): PoFile
184		{
185	6	if (!($this->poFile instanceof PoFile)) {
186	1	$this->poFile = new PoFile;
187		}
188
189	6	$tpl = $this->smarty->createTemplate('eval:'.$source);
190	6	$tags = $this->smarty->getTags($tpl);
191
192	5	$translateTags = array_merge($this->gettextTags, $this->pgettextTags, $this->ngettextTags);
193	5	foreach ($tags as $tag) {
194	5	if (in_array($tag[0], $translateTags)) {
195	5	$entry = new PoEntry;
196	5	$haveEntry = false;
197	5	$entry->add(PoTokens::REFERENCE, $refname);
198	5	foreach ($tag[1] as $temp) {
199	5	foreach ($temp as $key => $value) {
200	5	if ($value[0]=="'" \|\| $value[0]=='"') {
201	5	if (in_array($key, $this->msgidArgNames)) {
202	5	$entry->set(PoTokens::MESSAGE, $this->escapeForPo($value));
203	5	$haveEntry = true;
204	3	} elseif (in_array($key, $this->msgidPluralArgNames)) {
205	2	$entry->set(PoTokens::PLURAL, $this->escapeForPo($value));
206	1	} elseif (in_array($key, $this->msgctxtArgNames)) {
207	5	$entry->set(PoTokens::CONTEXT, $this->escapeForPo($value));
208		}
209		}
210		}
211		}
212	5	if ($haveEntry) {
213	5	$this->checkPhpFormatFlag($entry);
214	5	$this->poFile->mergeEntry($entry);
215		}
216		}
217		}
218	5	return $this->poFile;
219		}
220		}
221

geekwright / Po

Issues (6)

Security Analysis no request data

src/PoInitSmarty.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like