Issues in Menu.php (master) - Issues in master - hiqdev/yii2-menus - Measure and Improve Code Quality continuously with Scrutinizer

Issues (5)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Menu.php (3 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * Menus for Yii2.
 *
 * @link      https://github.com/hiqdev/yii2-menus
 * @package   yii2-menus
 * @license   BSD-3-Clause
 * @copyright Copyright (c) 2016-2017, HiQDev (http://hiqdev.com/)
 */

namespace hiqdev\yii2\menus;

use hiqdev\yii2\menus\widgets\Menu as MenuWidget;
use ReflectionClass;
use Yii;
use yii\base\View;

/**
 * Menu is a manageable collection of child [[Menu]]s.
 *
 * @property array $add array of menus that will be added to the [[Menu]]
 * @property array $merge array of menus that will be merged into the [[Menu]]
 */
class Menu extends \hiqdev\yii2\collection\BaseObject implements \yii\base\ViewContextInterface
{
    /**
     * {@inheritdoc}
     */
    protected $_itemClass = self::class;

    public $label;
    public $url;
    public $icon;
    public $active;
    public $visible;
    public $options = [];

    /**
     * @var array
     */
    protected $_add;

    /**
     * @var array
     */
    protected $_merge;

    /**
     * @var string parent menu
     */
    public $_parent;

    /**
     * Getter for addTo.
     * @return string add to
     */
    public function getParent()
    {
        return $this->_parent;
    }

    /**
     * Adds $items to the Menu.
     *
     * @param array $items
     * @see addItems()
     */
    public function addMenus(array $items)
    {
        foreach ($items as $item) {
            /// XXX ugly crutch, but no better ideas for the moment
            $config = $item['menu'];
            if (is_array($config) && empty($config['class'])) {
                continue;
            }

            $menu = Yii::createObject($item['menu']);
            $this->addItems($menu->getItems(), isset($item['where']) ? $item['where'] : null);
        }
    }

    /**
     * Merges $items to the Menu.
     *
     * @param array $items
     * @see mergeItems()
     */
    public function mergeMenus(array $items)
    {
        foreach ($items as $item) {
            $menu = Yii::createObject($item['menu']);
            $this->mergeItems($menu->getItems());
        }
    }

    /**
     * Returns default items defined in class.
     * @return array
     */
    public function items()
    {
        return [];
    }

    /**
     * {@inheritdoc}
     * Implements adding and merging.
     */
    public function init()
    {
        parent::init();

        $this->addItems($this->items());

        if (($add = $this->getAdd()) !== null) {
            $this->addMenus($add);
        }

        if (($merge = $this->getMerge()) !== null) {
            $this->mergeMenus($merge);
        }
    }

    public $widgetConfig = [
        'class' => MenuWidget::class,
    ];

    public static function widget($menuConfig = [], $widgetConfig = [])
    {
        $menu = static::create($menuConfig);

        return $menu->run($widgetConfig);
    }

    /**
     * Renders menu widget with given config.
     * @param mixed $config
     * @return string rendered menu
     */
    public function run($config = [])
    {
        if (!is_array($config)) {
            $config = ['class' => $config];
        }
        $config = array_merge($this->widgetConfig, $config);
        if (!empty($config['options']) || !empty($this->options)) {
            $config['options'] = array_merge(
                isset($this->options) ? $this->options : [],
                isset($config['options']) ? $config['options'] : []
            );
        }
        $config['items'] = $this->getItems();

        return call_user_func([$config['class'], 'widget'], $config);
    }

    /**
     * Creates menu and sets $config.
     * @param array $config
     * @return static
     */
    public static function create(array $config = [])
    {
        $config['class'] = get_called_class();

        return Yii::createObject($config);
    }

    /**
     * Renders a view.
     * @param string $view the view name
     * @param array $params the parameters (name-value pairs) to be available in the view
     * @return string the rendering result
     */
    public function render($view, $params = [])
    {
        return $this->getView()->render($view, $params, $this);
    }

    /**
     * @var View the view object to be used to render views
     */
    private $_view;

    /**
     * Returns the view object to be used to render views or view files.
     * If not set, it will default to the "view" application component.
     * @return View|\yii\web\View the view object to be used to render views
     */
    public function getView()
    {
        if ($this->_view === null) {
            $this->_view = Yii::$app->getView();
        }
        return $this->_view;
    }

    /**
     * Sets the view object to be used by this menu.
     * @param View $view the view object to be used to render views
     */
    public function setView($view)
    {
        $this->_view = $view;
    }

    /**
     * @var string the root directory that contains view files for this menu
     */
    protected $_viewPath;

    /**
     * Sets the directory that contains the view files.
     * @param string $path the root directory of view files
     */
    public function setViewPath($path)
    {
        $this->_viewPath = Yii::getAlias($path);
class Id
{
    public $id;

    public function __construct($id)
    {
        $this->id = $id;
    }

}

class Account
{
    /** @var  Id $id */
    public $id;
}

$account_id = false;

if (starsAreRight()) {
    $account_id = new Id(42);
}

$account = new Account();
if ($account instanceof Id)
{
    $account->id = $account_id;
}
    }

    /**
     * Returns the directory containing view files for this menu.
     * The default implementation returns `views/menus` in the current module.
     * @return string the directory containing the view files for this controller
     */
    public function getViewPath()
    {
        if ($this->_viewPath === null) {
            $ref = new ReflectionClass($this);
            $this->_viewPath = dirname(dirname($ref->getFileName())) . '/views/menus';
        }
        return $this->_viewPath;
    }

    /**
     * @return mixed
     */
    public function getAdd()
    {
        return $this->_add;
    }

    /**
     * @param mixed $add
     */
    public function setAdd($add)
    {
        $this->_add = $add;

    }

    /**
     * @return mixed
     */
    public function getMerge()
    {
        return $this->_merge;
    }

    /**
     * @param mixed $merge
     */
    public function setMerge($merge)
    {
        $this->_merge = $merge;

    }
}


1			<?php
2			/**
3			* Menus for Yii2.
4			*
5			* @link https://github.com/hiqdev/yii2-menus
6			* @package yii2-menus
7			* @license BSD-3-Clause
8			* @copyright Copyright (c) 2016-2017, HiQDev (http://hiqdev.com/)
9			*/
10
11			namespace hiqdev\yii2\menus;
12
13			use hiqdev\yii2\menus\widgets\Menu as MenuWidget;
14			use ReflectionClass;
15			use Yii;
16			use yii\base\View;
17
18			/**
19			* Menu is a manageable collection of child [[Menu]]s.
20			*
21			* @property array $add array of menus that will be added to the [[Menu]]
22			* @property array $merge array of menus that will be merged into the [[Menu]]
23			*/
24			class Menu extends \hiqdev\yii2\collection\BaseObject implements \yii\base\ViewContextInterface
25			{
26			/**
27			* {@inheritdoc}
28			*/
29			protected $_itemClass = self::class;
30
31			public $label;
32			public $url;
33			public $icon;
34			public $active;
35			public $visible;
36			public $options = [];
37
38			/**
39			* @var array
40			*/
41			protected $_add;
42
43			/**
44			* @var array
45			*/
46			protected $_merge;
47
48			/**
49			* @var string parent menu
50			*/
51			public $_parent;
52
53			/**
54			* Getter for addTo.
55			* @return string add to
56			*/
57			public function getParent()
58			{
59			return $this->_parent;
60			}
61
62			/**
63			* Adds $items to the Menu.
64			*
65			* @param array $items
66			* @see addItems()
67			*/
68			public function addMenus(array $items)
69			{
70			foreach ($items as $item) {
71			/// XXX ugly crutch, but no better ideas for the moment
72			$config = $item['menu'];
73			if (is_array($config) && empty($config['class'])) {
74			continue;
75			}
76
77			$menu = Yii::createObject($item['menu']);
78			$this->addItems($menu->getItems(), isset($item['where']) ? $item['where'] : null);
79			}
80			}
81
82			/**
83			* Merges $items to the Menu.
84			*
85			* @param array $items
86			* @see mergeItems()
87			*/
88			public function mergeMenus(array $items)
89			{
90			foreach ($items as $item) {
91			$menu = Yii::createObject($item['menu']);
92			$this->mergeItems($menu->getItems());
93			}
94			}
95
96			/**
97			* Returns default items defined in class.
98			* @return array
99			*/
100			public function items()
101			{
102			return [];
103			}
104
105			/**
106			* {@inheritdoc}
107			* Implements adding and merging.
108			*/
109			public function init()
110			{
111			parent::init();
112
113			$this->addItems($this->items());
114
115			if (($add = $this->getAdd()) !== null) {
116			$this->addMenus($add);
117			}
118
119			if (($merge = $this->getMerge()) !== null) {
120			$this->mergeMenus($merge);
121			}
122			}
123
124			public $widgetConfig = [
125			'class' => MenuWidget::class,
126			];
127
128			public static function widget($menuConfig = [], $widgetConfig = [])
129			{
130			$menu = static::create($menuConfig);
131
132			return $menu->run($widgetConfig);
133			}
134
135			/**
136			* Renders menu widget with given config.
137			* @param mixed $config
138			* @return string rendered menu
139			*/
140			public function run($config = [])
141			{
142			if (!is_array($config)) {
143			$config = ['class' => $config];
144			}
145			$config = array_merge($this->widgetConfig, $config);
146			if (!empty($config['options']) \|\| !empty($this->options)) {
147			$config['options'] = array_merge(
148			isset($this->options) ? $this->options : [],
149			isset($config['options']) ? $config['options'] : []
150			);
151			}
152			$config['items'] = $this->getItems();
153
154			return call_user_func([$config['class'], 'widget'], $config);
155			}
156
157			/**
158			* Creates menu and sets $config.
159			* @param array $config
160			* @return static
161			*/
162			public static function create(array $config = [])
163			{
164			$config['class'] = get_called_class();
165
166			return Yii::createObject($config);
167			}
168
169			/**
170			* Renders a view.
171			* @param string $view the view name
172			* @param array $params the parameters (name-value pairs) to be available in the view
173			* @return string the rendering result
174			*/
175			public function render($view, $params = [])
176			{
177			return $this->getView()->render($view, $params, $this);
178			}
179
180			/**
181			* @var View the view object to be used to render views
182			*/
183			private $_view;
184
185			/**
186			* Returns the view object to be used to render views or view files.
187			* If not set, it will default to the "view" application component.
188			* @return View\|\yii\web\View the view object to be used to render views
189			*/
190			public function getView()
191			{
192			if ($this->_view === null) {
193			$this->_view = Yii::$app->getView();
194			}
195			return $this->_view;
196			}
197
198			/**
199			* Sets the view object to be used by this menu.
200			* @param View $view the view object to be used to render views
201			*/
202			public function setView($view)
203			{
204			$this->_view = $view;
205			}
206
207			/**
208			* @var string the root directory that contains view files for this menu
209			*/
210			protected $_viewPath;
211
212			/**
213			* Sets the directory that contains the view files.
214			* @param string $path the root directory of view files
215			*/
216			public function setViewPath($path)
217			{
218			$this->_viewPath = Yii::getAlias($path);
			0 ignored issues – show Documentation Bug introduced 2017-08-12 15:40 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `\Yii::getAlias($path)` can also be of type `boolean`. However, the property `$_viewPath` is declared as type `string`. Maybe add an additional type check? Our type inference engine has found a suspicous assignment of a value to a property. This check raises an issue when a value that can be of a mixed type is assigned to a property that is type hinted more strictly. For example, imagine you have a variable `$accountId` that can either hold an Id object or false (if there is no account id yet). Your code now assigns that value to the `id` property of an instance of the `Account` class. This class holds a proper account, so the id value must no longer be false. Either this assignment is in error or a type check should be added for that assignment. class Id { public $id; public function __construct($id) { $this->id = $id; } } class Account { /** @var Id $id */ public $id; } $account_id = false; if (starsAreRight()) { $account_id = new Id(42); } $account = new Account(); if ($account instanceof Id) { $account->id = $account_id; } Loading history...
219			}
220
221			/**
222			* Returns the directory containing view files for this menu.
223			* The default implementation returns `views/menus` in the current module.
224			* @return string the directory containing the view files for this controller
225			*/
226			public function getViewPath()
227			{
228			if ($this->_viewPath === null) {
229			$ref = new ReflectionClass($this);
230			$this->_viewPath = dirname(dirname($ref->getFileName())) . '/views/menus';
231			}
232			return $this->_viewPath;
233			}
234
235			/**
236			* @return mixed
237			*/
238			public function getAdd()
239			{
240			return $this->_add;
241			}
242
243			/**
244			* @param mixed $add
245			*/
246			public function setAdd($add)
247			{
248			$this->_add = $add;
			0 ignored issues – show Documentation Bug introduced 2017-04-25 07:13 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `$add` of type `*` is incompatible with the declared type `array` of property `$_add`. Our type inference engine has found an assignment to a property that is incompatible with the declared type of that property. Either this assignment is in error or the assigned type should be added to the documentation/type hint for that property.. Loading history...
249			}
250
251			/**
252			* @return mixed
253			*/
254			public function getMerge()
255			{
256			return $this->_merge;
257			}
258
259			/**
260			* @param mixed $merge
261			*/
262			public function setMerge($merge)
263			{
264			$this->_merge = $merge;
			0 ignored issues – show Documentation Bug introduced 2017-04-25 07:13 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `$merge` of type `*` is incompatible with the declared type `array` of property `$_merge`. Our type inference engine has found an assignment to a property that is incompatible with the declared type of that property. Either this assignment is in error or the assigned type should be added to the documentation/type hint for that property.. Loading history...
265			}
266			}
267

hiqdev / yii2-menus

Issues (5)

Security Analysis no request data

src/Menu.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like