Issues in Plugin.php (master) - Issues in master - hiqdev/composer-extension-plugin - Measure and Improve Code Quality continuously with Scrutinizer

Issues (4)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Plugin.php (1 issue)

Labels

Severity

Major 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

/*
 * Composer plugin for pluggable extensions
 *
 * @link      https://github.com/hiqdev/composer-extension-plugin
 * @package   composer-extension-plugin
 * @license   BSD-3-Clause
 * @copyright Copyright (c) 2016, HiQDev (http://hiqdev.com/)
 */

namespace hiqdev\composerextensionplugin;

use Composer\Composer;
use Composer\EventDispatcher\EventSubscriberInterface;
use Composer\IO\IOInterface;
use Composer\Package\PackageInterface;
use Composer\Package\RootPackageInterface;
use Composer\Plugin\PluginInterface;
use Composer\Script\Event;
use Composer\Script\ScriptEvents;
use Composer\Util\Filesystem;

/**
 * Plugin class.
 *
 * @author Andrii Vasyliev <[email protected]>
 */
class Plugin implements PluginInterface, EventSubscriberInterface
{
    const PACKAGE_TYPE          = 'yii2-extension';
    const EXTRA_OPTION_NAME     = 'extension-plugin';
    const OUTPUT_PATH           = 'hiqdev';
    const BASE_DIR_SAMPLE       = '<base-dir>';
    const VENDOR_DIR_SAMPLE     = '<base-dir>/vendor';

    /**
     * @var PackageInterface[] the array of active composer packages
     */
    protected $packages;

    /**
     * @var string absolute path to the package base directory.
     */
    protected $baseDir;

    /**
     * @var string absolute path to vendor directory.
     */
    protected $vendorDir;

    /**
     * @var Filesystem utility
     */
    protected $filesystem;

    /**
     * @var array whole data
     */
    protected $data = [
        'aliases'    => [],
        'extensions' => [],
    ];

    /**
     * @var Composer instance
     */
    protected $composer;

    /**
     * @var IOInterface
     */
    public $io;

    /**
     * Initializes the plugin object with the passed $composer and $io.
     * @param Composer $composer
     * @param IOInterface $io
     */
    public function activate(Composer $composer, IOInterface $io)
    {
        $this->composer = $composer;
        $this->io = $io;
    }

    /**
     * Returns list of events the plugin is subscribed to.
     * @return array list of events
     */
    public static function getSubscribedEvents()
    {
        return [
            ScriptEvents::POST_AUTOLOAD_DUMP => [
                ['onPostAutoloadDump', 0],
            ],
        ];
    }

    /**
     * Simply rewrites extensions file from scratch.
     * @param Event $event
     */
    public function onPostAutoloadDump(Event $event)
    {
        $this->io->writeError('<info>Generating extensions files</info>');
        foreach ($this->getPackages() as $package) {
            if ($package instanceof \Composer\Package\CompletePackageInterface) {
                $this->processPackage($package);
            }
        }
        $this->processPackage($this->composer->getPackage());

        foreach ($this->data as $name => $data) {
            $this->saveFile($this->buildOutputPath($name), $data);
        }
    }

    public function buildOutputPath($name)
    {
        return static::OUTPUT_PATH . DIRECTORY_SEPARATOR . $name . '.php';
    }

    /**
     * Writes file.
     * @param string $file
     * @param array $data
     */
    protected function saveFile($file, array $data)
    {
        $path = $this->getVendorDir() . '/' . $file;
        if (!file_exists(dirname($path))) {
            mkdir(dirname($path), 0777, true);
        }
        $array = str_replace("'" . self::BASE_DIR_SAMPLE, '$baseDir . \'', Helper::exportVar($data));
        file_put_contents($path, "<?php\n\n\$baseDir = dirname(dirname(__DIR__));\n\nreturn $array;\n");
    }

    /**
     * Scans the given package and collects extensions data.
     * @param PackageInterface $package
     */
    public function processPackage(PackageInterface $package)
    {
        $extra = $package->getExtra();
        $files = isset($extra[self::EXTRA_OPTION_NAME]) ? $extra[self::EXTRA_OPTION_NAME] : null;
        if ($package->getType() !== self::PACKAGE_TYPE && is_null($files)) {
            return;
        }

        $extension = [
            'name'    => $package->getName(),
            'version' => $package->getVersion(),
        ];
        if ($package->getVersion() === '9999999-dev') {
            $reference = $package->getSourceReference() ?: $package->getDistReference();
            if ($reference) {
                $extension['reference'] = $reference;
            }
        }
        $this->data['extensions'][$package->getName()] = $extension;

        $aliases = array_merge(
            $this->prepareAliases($package, 'psr-0'),
            $this->prepareAliases($package, 'psr-4')
        );
        $this->data['aliases'] = array_merge($this->data['aliases'], $aliases);
        foreach ((array) $files as $name => $path) {
            $config = $this->readExtensionConfig($package, $path);
            $config['aliases'] = array_merge(
                $aliases,
                isset($config['aliases']) ? (array) $config['aliases'] : []
            );
            $this->data['aliases'] = array_merge($this->data['aliases'], $config['aliases']);
            $this->data[$name] = isset($this->data[$name]) ? Helper::mergeConfig($this->data[$name], $config) : $config;
        }
    }

    /**
     * Read extra config.
     * @param string $file
     * @return array
     */
    protected function readExtensionConfig(PackageInterface $package, $file)
    {
        $path = $this->preparePath($package, $file);
        if (!file_exists($path)) {
            $this->io->writeError('<error>Non existent extension config file</error> ' . $file . ' in ' . $package->getName());
            exit(1);

        }
        return require $path;
    }

    /**
     * Prepare aliases.
     *
     * @param PackageInterface $package
     * @param string 'psr-0' or 'psr-4'
     * @return array
     */
    protected function prepareAliases(PackageInterface $package, $psr)
    {
        $autoload = $package->getAutoload();
        if (empty($autoload[$psr])) {
            return [];
        }

        $aliases = [];
        foreach ($autoload[$psr] as $name => $path) {
            if (is_array($path)) {
                // ignore psr-4 autoload specifications with multiple search paths
                // we can not convert them into aliases as they are ambiguous
                continue;
            }
            $name = str_replace('\\', '/', trim($name, '\\'));
            $path = $this->preparePath($package, $path);
            $path = $this->substitutePath($path, $this->getBaseDir(), self::BASE_DIR_SAMPLE);
            if ('psr-0' === $psr) {
                $path .= '/' . $name;
            }
            $aliases["@$name"] = $path;
        }

        return $aliases;
    }

    /**
     * Substitute path with alias if applicable.
     * @param string $path
     * @param string $dir
     * @param string $alias
     * @return string
     */
    public function substitutePath($path, $dir, $alias)
    {
        return (substr($path, 0, strlen($dir) + 1) === $dir . '/') ? $alias . substr($path, strlen($dir)) : $path;
    }

    public function preparePath(PackageInterface $package, $path)
    {
        if (!$this->getFilesystem()->isAbsolutePath($path)) {
            $prefix = $package instanceof RootPackageInterface ? $this->getBaseDir() : $this->getVendorDir() . '/' . $package->getPrettyName();
            $path = $prefix . '/' . $path;
        }

        return $this->getFilesystem()->normalizePath($path);
    }

    /**
     * Sets [[packages]].
     * @param PackageInterface[] $packages
     */
    public function setPackages(array $packages)
    {
        $this->packages = $packages;
    }

    /**
     * Gets [[packages]].
     * @return \Composer\Package\PackageInterface[]
     */
    public function getPackages()
    {
        if ($this->packages === null) {
            $this->packages = $this->composer->getRepositoryManager()->getLocalRepository()->getCanonicalPackages();
        }

        return $this->packages;
    }

    /**
     * Get absolute path to package base dir.
     * @return string
     */
    public function getBaseDir()
    {
        if ($this->baseDir === null) {
            $this->baseDir = dirname($this->getVendorDir());
        }

        return $this->baseDir;
    }

    /**
     * Get absolute path to composer vendor dir.
     * @return string
     */
    public function getVendorDir()
    {
        if ($this->vendorDir === null) {
            $dir = $this->composer->getConfig()->get('vendor-dir', '/');
            $this->vendorDir = $this->getFilesystem()->normalizePath($dir);
        }

        return $this->vendorDir;
    }

    /**
     * Getter for filesystem utility.
     * @return Filesystem
     */
    public function getFilesystem()
    {
        if ($this->filesystem === null) {
            $this->filesystem = new Filesystem();
        }

        return $this->filesystem;
    }
}


1		<?php
2
3		/*
4		* Composer plugin for pluggable extensions
5		*
6		* @link https://github.com/hiqdev/composer-extension-plugin
7		* @package composer-extension-plugin
8		* @license BSD-3-Clause
9		* @copyright Copyright (c) 2016, HiQDev (http://hiqdev.com/)
10		*/
11
12		namespace hiqdev\composerextensionplugin;
13
14		use Composer\Composer;
15		use Composer\EventDispatcher\EventSubscriberInterface;
16		use Composer\IO\IOInterface;
17		use Composer\Package\PackageInterface;
18		use Composer\Package\RootPackageInterface;
19		use Composer\Plugin\PluginInterface;
20		use Composer\Script\Event;
21		use Composer\Script\ScriptEvents;
22		use Composer\Util\Filesystem;
23
24		/**
25		* Plugin class.
26		*
27		* @author Andrii Vasyliev <[email protected]>
28		*/
29		class Plugin implements PluginInterface, EventSubscriberInterface
30		{
31		const PACKAGE_TYPE = 'yii2-extension';
32		const EXTRA_OPTION_NAME = 'extension-plugin';
33		const OUTPUT_PATH = 'hiqdev';
34		const BASE_DIR_SAMPLE = '<base-dir>';
35		const VENDOR_DIR_SAMPLE = '<base-dir>/vendor';
36
37		/**
38		* @var PackageInterface[] the array of active composer packages
39		*/
40		protected $packages;
41
42		/**
43		* @var string absolute path to the package base directory.
44		*/
45		protected $baseDir;
46
47		/**
48		* @var string absolute path to vendor directory.
49		*/
50		protected $vendorDir;
51
52		/**
53		* @var Filesystem utility
54		*/
55		protected $filesystem;
56
57		/**
58		* @var array whole data
59		*/
60		protected $data = [
61		'aliases' => [],
62		'extensions' => [],
63		];
64
65		/**
66		* @var Composer instance
67		*/
68		protected $composer;
69
70		/**
71		* @var IOInterface
72		*/
73		public $io;
74
75		/**
76		* Initializes the plugin object with the passed $composer and $io.
77		* @param Composer $composer
78		* @param IOInterface $io
79		*/
80	2	public function activate(Composer $composer, IOInterface $io)
81		{
82	2	$this->composer = $composer;
83	2	$this->io = $io;
84	2	}
85
86		/**
87		* Returns list of events the plugin is subscribed to.
88		* @return array list of events
89		*/
90	1	public static function getSubscribedEvents()
91		{
92		return [
93	1	ScriptEvents::POST_AUTOLOAD_DUMP => [
94	1	['onPostAutoloadDump', 0],
95	1	],
96	1	];
97		}
98
99		/**
100		* Simply rewrites extensions file from scratch.
101		* @param Event $event
102		*/
103		public function onPostAutoloadDump(Event $event)
104		{
105		$this->io->writeError('<info>Generating extensions files</info>');
106		foreach ($this->getPackages() as $package) {
107		if ($package instanceof \Composer\Package\CompletePackageInterface) {
108		$this->processPackage($package);
109		}
110		}
111		$this->processPackage($this->composer->getPackage());
112
113		foreach ($this->data as $name => $data) {
114		$this->saveFile($this->buildOutputPath($name), $data);
115		}
116		}
117
118		public function buildOutputPath($name)
119		{
120		return static::OUTPUT_PATH . DIRECTORY_SEPARATOR . $name . '.php';
121		}
122
123		/**
124		* Writes file.
125		* @param string $file
126		* @param array $data
127		*/
128		protected function saveFile($file, array $data)
129		{
130		$path = $this->getVendorDir() . '/' . $file;
131		if (!file_exists(dirname($path))) {
132		mkdir(dirname($path), 0777, true);
133		}
134		$array = str_replace("'" . self::BASE_DIR_SAMPLE, '$baseDir . \'', Helper::exportVar($data));
135		file_put_contents($path, "<?php\n\n\$baseDir = dirname(dirname(__DIR__));\n\nreturn $array;\n");
136		}
137
138		/**
139		* Scans the given package and collects extensions data.
140		* @param PackageInterface $package
141		*/
142		public function processPackage(PackageInterface $package)
143		{
144		$extra = $package->getExtra();
145		$files = isset($extra[self::EXTRA_OPTION_NAME]) ? $extra[self::EXTRA_OPTION_NAME] : null;
146		if ($package->getType() !== self::PACKAGE_TYPE && is_null($files)) {
147		return;
148		}
149
150		$extension = [
151		'name' => $package->getName(),
152		'version' => $package->getVersion(),
153		];
154		if ($package->getVersion() === '9999999-dev') {
155		$reference = $package->getSourceReference() ?: $package->getDistReference();
156		if ($reference) {
157		$extension['reference'] = $reference;
158		}
159		}
160		$this->data['extensions'][$package->getName()] = $extension;
161
162		$aliases = array_merge(
163		$this->prepareAliases($package, 'psr-0'),
164		$this->prepareAliases($package, 'psr-4')
165		);
166		$this->data['aliases'] = array_merge($this->data['aliases'], $aliases);
167		foreach ((array) $files as $name => $path) {
168		$config = $this->readExtensionConfig($package, $path);
169		$config['aliases'] = array_merge(
170		$aliases,
171		isset($config['aliases']) ? (array) $config['aliases'] : []
172		);
173		$this->data['aliases'] = array_merge($this->data['aliases'], $config['aliases']);
174		$this->data[$name] = isset($this->data[$name]) ? Helper::mergeConfig($this->data[$name], $config) : $config;
175		}
176		}
177
178		/**
179		* Read extra config.
180		* @param string $file
181		* @return array
182		*/
183		protected function readExtensionConfig(PackageInterface $package, $file)
184		{
185		$path = $this->preparePath($package, $file);
186		if (!file_exists($path)) {
187		$this->io->writeError('<error>Non existent extension config file</error> ' . $file . ' in ' . $package->getName());
188		exit(1);
		0 ignored issues – show Coding Style Compatibility introduced 2016-04-15 10:09 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `readExtensionConfig()` contains an exit expression. An exit expression should only be used in rare cases. For example, if you write a short command line script. In most cases however, using an `exit` expression makes the code untestable and often causes incompatibilities with other libraries. Thus, unless you are absolutely sure it is required here, we recommend to refactor your code to avoid its usage. Loading history...
189		}
190		return require $path;
191		}
192
193		/**
194		* Prepare aliases.
195		*
196		* @param PackageInterface $package
197		* @param string 'psr-0' or 'psr-4'
198		* @return array
199		*/
200		protected function prepareAliases(PackageInterface $package, $psr)
201		{
202		$autoload = $package->getAutoload();
203		if (empty($autoload[$psr])) {
204		return [];
205		}
206
207		$aliases = [];
208		foreach ($autoload[$psr] as $name => $path) {
209		if (is_array($path)) {
210		// ignore psr-4 autoload specifications with multiple search paths
211		// we can not convert them into aliases as they are ambiguous
212		continue;
213		}
214		$name = str_replace('\\', '/', trim($name, '\\'));
215		$path = $this->preparePath($package, $path);
216		$path = $this->substitutePath($path, $this->getBaseDir(), self::BASE_DIR_SAMPLE);
217		if ('psr-0' === $psr) {
218		$path .= '/' . $name;
219		}
220		$aliases["@$name"] = $path;
221		}
222
223		return $aliases;
224		}
225
226		/**
227		* Substitute path with alias if applicable.
228		* @param string $path
229		* @param string $dir
230		* @param string $alias
231		* @return string
232		*/
233		public function substitutePath($path, $dir, $alias)
234		{
235		return (substr($path, 0, strlen($dir) + 1) === $dir . '/') ? $alias . substr($path, strlen($dir)) : $path;
236		}
237
238		public function preparePath(PackageInterface $package, $path)
239		{
240		if (!$this->getFilesystem()->isAbsolutePath($path)) {
241		$prefix = $package instanceof RootPackageInterface ? $this->getBaseDir() : $this->getVendorDir() . '/' . $package->getPrettyName();
242		$path = $prefix . '/' . $path;
243		}
244
245		return $this->getFilesystem()->normalizePath($path);
246		}
247
248		/**
249		* Sets [[packages]].
250		* @param PackageInterface[] $packages
251		*/
252	2	public function setPackages(array $packages)
253		{
254	2	$this->packages = $packages;
255	2	}
256
257		/**
258		* Gets [[packages]].
259		* @return \Composer\Package\PackageInterface[]
260		*/
261	1	public function getPackages()
262		{
263	1	if ($this->packages === null) {
264		$this->packages = $this->composer->getRepositoryManager()->getLocalRepository()->getCanonicalPackages();
265		}
266
267	1	return $this->packages;
268		}
269
270		/**
271		* Get absolute path to package base dir.
272		* @return string
273		*/
274		public function getBaseDir()
275		{
276		if ($this->baseDir === null) {
277		$this->baseDir = dirname($this->getVendorDir());
278		}
279
280		return $this->baseDir;
281		}
282
283		/**
284		* Get absolute path to composer vendor dir.
285		* @return string
286		*/
287		public function getVendorDir()
288		{
289		if ($this->vendorDir === null) {
290		$dir = $this->composer->getConfig()->get('vendor-dir', '/');
291		$this->vendorDir = $this->getFilesystem()->normalizePath($dir);
292		}
293
294		return $this->vendorDir;
295		}
296
297		/**
298		* Getter for filesystem utility.
299		* @return Filesystem
300		*/
301		public function getFilesystem()
302		{
303		if ($this->filesystem === null) {
304		$this->filesystem = new Filesystem();
305		}
306
307		return $this->filesystem;
308		}
309		}
310

hiqdev / composer-extension-plugin

Issues (4)

Security Analysis no request data

src/Plugin.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like