Issues in timber-menu.php (master) - Issues in master - jarednova/timber - Measure and Improve Code Quality continuously with Scrutinizer

Issues (311)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

lib/timber-menu.php (3 issues)

Labels

Best Practice 3

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

/**
 * In Timber, you can use TimberMenu() to make a standard Wordpress menu available to the Twig template as an object you can loop through. And once the menu becomes available to the context, you can get items from it in a way that is a little smoother and more versatile than Wordpress's wp_nav_menu. (You need never again rely on a crazy "Walker Function!"). The first thing to do is to initialize the menu using TimberMenu(). This will make the menu available as an object to work with in the context. (TimberMenu can include a Wordpress menu slug or ID, or it can be sent with no parameter--and guess the right menu.)
 * @example
 * ```php
 * <?php
 * # functions.php
 * add_filter('timber/context', 'add_to_context');
 * function add_to_context($data){
 *		// So here you are adding data to Timber's context object, i.e...
 *  	$data['foo'] = 'I am some other typical value set in your functions.php file, unrelated to the menu';
 *	  	// Now, in similar fashion, you add a Timber menu and send it along to the context.
 * 	  	$data['menu'] = new TimberMenu(); // This is where you can also send a WordPress menu slug or ID
 *	    return $data;
 * }
 *
 * # index.php (or any PHP file)
 * // Since you want a menu object available on every page, I added it to the universal Timber context via the functions.php file. You could also this in each PHP file if you find that too confusing.
 * $context = Timber::get_context();
 * $context['posts'] = Timber::get_posts();
 * Timber::render('index.twig', $context);
 * ?>
 * ```
 *
 * ```twig
 * <nav>
 * 	<ul class="main-nav">
 *		{% for item in menu.get_items %}
 *      	<li class="nav-main-item {{item.classes | join(' ')}}"><a class="nav-main-link" href="{{item.get_link}}">{{item.title}}</a>
 *         	{% if item.get_children %}
 *           	<ul class="nav-drop">
 *               {% for child in item.get_children %}
 *               	<li class="nav-drop-item"><a href="{{child.get_link}}">{{child.title}}</a></li>
 *               {% endfor %}
 *              </ul>
 *           {% endif %}
 *           </li>
 *    {% endfor %}
 *    </ul>
 * </nav>
 * ```
 */
class TimberMenu extends TimberCore {

	public $MenuItemClass = 'TimberMenuItem';
	public $PostClass = 'TimberPost';

	/**
	 * @api
	 * @var TimberMenuItem[]|null $items you need to iterate through
	 */
	public $items = null;
	/**
	 * @api
	 * @var integer $id the ID# of the menu, corresponding to the wp_terms table
	 */
	public $id;
	public $ID;
	/**
	 * @api
	 * @var string $name of the menu (ex: `Main Navigation`)
	 */
	public $name;
	/**
	 * @var integer $id the ID# of the menu, corresponding to the wp_terms table
	 */
	public $term_id;
	/**
	 * @api
	 * @var string $name of the menu (ex: `Main Navigation`)
	 */
	public $title;

	/**
	 * @param int|string $slug
	 */
	function __construct($slug = 0) {

		$locations = get_nav_menu_locations();
		if ($slug != 0 && is_numeric($slug)) {
			$menu_id = $slug;
		} else if (is_array($locations) && count($locations)) {
			$menu_id = $this->get_menu_id_from_locations($slug, $locations);
		} else if ($slug === false) {
			$menu_id = false;
		} else {
			$menu_id = $this->get_menu_id_from_terms($slug);
		}
		if ($menu_id) {
			$this->init($menu_id);
		} else {
			$this->init_as_page_menu();
		}
	}

	/**
	 * @internal
	 * @param int $menu_id
	 */
	protected function init($menu_id) {
		$menu = wp_get_nav_menu_items($menu_id);
		if ($menu) {
			_wp_menu_item_classes_by_context($menu);
			if (is_array($menu)){
				$menu = self::order_children($menu);
			}
			$this->items = $menu;
			$menu_info = wp_get_nav_menu_object($menu_id);
			$this->import($menu_info);
			$this->ID = $this->term_id;
			$this->id = $this->term_id;
			$this->title = $this->name;
		}
	}

	/**
	 * @internal
	 */
	protected function init_as_page_menu() {
		$menu = get_pages();
		if ($menu) {
			foreach($menu as $mi) {
				$mi->__title = $mi->post_title;
			}
			_wp_menu_item_classes_by_context($menu);
			if (is_array($menu)){
				$menu = self::order_children($menu);
			}
			$this->items = $menu;
		}
	}

	/**
	 * @internal
	 * @param string $slug
	 * @param array $locations
	 * @return integer
	 */
	protected function get_menu_id_from_locations($slug, $locations) {
		if ($slug === 0) {
			$slug = $this->get_menu_id_from_terms($slug);
		}
		if (is_numeric($slug)) {
			$slug = array_search($slug, $locations);
		}
		if (isset($locations[$slug])) {
			$menu_id = $locations[$slug];
			return $menu_id;
		}
	}

	/**
	 * @internal
	 * @param int $slug
	 * @return int
	 */
	protected function get_menu_id_from_terms($slug = 0) {
		if (!is_numeric($slug) && is_string($slug)) {
			//we have a string so lets search for that
			$menu_id = get_term_by('slug', $slug, 'nav_menu');
			if ($menu_id) {
				return $menu_id;
			}
			$menu_id = get_term_by('name', $slug, 'nav_menu');
			if ($menu_id) {
				return $menu_id;
			}
		}
		$menus = get_terms('nav_menu', array('hide_empty' => true));
		if (is_array($menus) && count($menus)) {
			if (isset($menus[0]->term_id)) {
				return $menus[0]->term_id;
			}
		}
		return 0;
	}

	/**
	 * @param array $menu_items
	 * @param int $parent_id
	 * @return TimberMenuItem|null
	 */
	function find_parent_item_in_menu($menu_items, $parent_id) {

		foreach ($menu_items as &$item) {
			if ($item->ID == $parent_id) {
				return $item;
			}
		}
	}

	/**
	 * @internal
	 * @param array $items
	 * @return array
	 */
	protected function order_children($items) {
		$index = array();
		$menu = array();
		foreach ($items as $item) {
			if (isset($item->title)) {
				//items from wp can come with a $title property which conflicts with methods
				$item->__title = $item->title;
				unset($item->title);
			}
			if(isset($item->ID)){
				if (is_object($item) && get_class($item) == 'WP_Post'){
					$old_menu_item = $item;
					$item = new $this->PostClass($item);
				}
				$menu_item = new $this->MenuItemClass($item);
				if (isset($old_menu_item)){
					$menu_item->import_classes($old_menu_item);
				}
				$index[$item->ID] = $menu_item;
			}
		}
		foreach ($index as $item) {
			if (isset($item->menu_item_parent) && $item->menu_item_parent && isset($index[$item->menu_item_parent])) {
				$index[$item->menu_item_parent]->add_child($item);
			} else {
				$menu[] = $item;
			}
		}
		return $menu;
	}

	/**
	 * @return array
	 */
	function get_items() {

		if (is_array($this->items)) {
			return $this->items;
		}
		return array();
	}
}




1			<?php
2
3			/**
4			* In Timber, you can use TimberMenu() to make a standard Wordpress menu available to the Twig template as an object you can loop through. And once the menu becomes available to the context, you can get items from it in a way that is a little smoother and more versatile than Wordpress's wp_nav_menu. (You need never again rely on a crazy "Walker Function!"). The first thing to do is to initialize the menu using TimberMenu(). This will make the menu available as an object to work with in the context. (TimberMenu can include a Wordpress menu slug or ID, or it can be sent with no parameter--and guess the right menu.)
5			* @example
6			* ```php
7			* <?php
8			* # functions.php
9			* add_filter('timber/context', 'add_to_context');
10			* function add_to_context($data){
11			* // So here you are adding data to Timber's context object, i.e...
12			* $data['foo'] = 'I am some other typical value set in your functions.php file, unrelated to the menu';
13			* // Now, in similar fashion, you add a Timber menu and send it along to the context.
14			* $data['menu'] = new TimberMenu(); // This is where you can also send a WordPress menu slug or ID
15			* return $data;
16			* }
17			*
18			* # index.php (or any PHP file)
19			* // Since you want a menu object available on every page, I added it to the universal Timber context via the functions.php file. You could also this in each PHP file if you find that too confusing.
20			* $context = Timber::get_context();
21			* $context['posts'] = Timber::get_posts();
22			* Timber::render('index.twig', $context);
23			* ?>
24			* ```
25			*
26			* ```twig
27			* <nav>
28			* <ul class="main-nav">
29			* {% for item in menu.get_items %}
30			* <li class="nav-main-item {{item.classes \| join(' ')}}"><a class="nav-main-link" href="{{item.get_link}}">{{item.title}}</a>
31			* {% if item.get_children %}
32			* <ul class="nav-drop">
33			* {% for child in item.get_children %}
34			* <li class="nav-drop-item"><a href="{{child.get_link}}">{{child.title}}</a></li>
35			* {% endfor %}
36			* </ul>
37			* {% endif %}
38			* </li>
39			* {% endfor %}
40			* </ul>
41			* </nav>
42			* ```
43			*/
44			class TimberMenu extends TimberCore {
45
46			public $MenuItemClass = 'TimberMenuItem';
47			public $PostClass = 'TimberPost';
48
49			/**
50			* @api
51			* @var TimberMenuItem[]\|null $items you need to iterate through
52			*/
53			public $items = null;
54			/**
55			* @api
56			* @var integer $id the ID# of the menu, corresponding to the wp_terms table
57			*/
58			public $id;
59			public $ID;
60			/**
61			* @api
62			* @var string $name of the menu (ex: `Main Navigation`)
63			*/
64			public $name;
65			/**
66			* @var integer $id the ID# of the menu, corresponding to the wp_terms table
67			*/
68			public $term_id;
69			/**
70			* @api
71			* @var string $name of the menu (ex: `Main Navigation`)
72			*/
73			public $title;
74
75			/**
76			* @param int\|string $slug
77			*/
78			function __construct($slug = 0) {
			0 ignored issues – show Best Practice introduced 2015-11-23 18:11 UTC by Report Bug Copy Issue Report Show Similar Issues like this It is generally recommended to explicitly declare the visibility for methods. Adding explicit visibility (`private`, `protected`, or `public`) is generally recommend to communicate to other developers how, and from where this method is intended to be used. Loading history...
79			$locations = get_nav_menu_locations();
80			if ($slug != 0 && is_numeric($slug)) {
81			$menu_id = $slug;
82			} else if (is_array($locations) && count($locations)) {
83			$menu_id = $this->get_menu_id_from_locations($slug, $locations);
84			} else if ($slug === false) {
85			$menu_id = false;
86			} else {
87			$menu_id = $this->get_menu_id_from_terms($slug);
88			}
89			if ($menu_id) {
90			$this->init($menu_id);
91			} else {
92			$this->init_as_page_menu();
93			}
94			}
95
96			/**
97			* @internal
98			* @param int $menu_id
99			*/
100			protected function init($menu_id) {
101			$menu = wp_get_nav_menu_items($menu_id);
102			if ($menu) {
103			_wp_menu_item_classes_by_context($menu);
104			if (is_array($menu)){
105			$menu = self::order_children($menu);
106			}
107			$this->items = $menu;
108			$menu_info = wp_get_nav_menu_object($menu_id);
109			$this->import($menu_info);
110			$this->ID = $this->term_id;
111			$this->id = $this->term_id;
112			$this->title = $this->name;
113			}
114			}
115
116			/**
117			* @internal
118			*/
119			protected function init_as_page_menu() {
120			$menu = get_pages();
121			if ($menu) {
122			foreach($menu as $mi) {
123			$mi->__title = $mi->post_title;
124			}
125			_wp_menu_item_classes_by_context($menu);
126			if (is_array($menu)){
127			$menu = self::order_children($menu);
128			}
129			$this->items = $menu;
130			}
131			}
132
133			/**
134			* @internal
135			* @param string $slug
136			* @param array $locations
137			* @return integer
138			*/
139			protected function get_menu_id_from_locations($slug, $locations) {
140			if ($slug === 0) {
141			$slug = $this->get_menu_id_from_terms($slug);
142			}
143			if (is_numeric($slug)) {
144			$slug = array_search($slug, $locations);
145			}
146			if (isset($locations[$slug])) {
147			$menu_id = $locations[$slug];
148			return $menu_id;
149			}
150			}
151
152			/**
153			* @internal
154			* @param int $slug
155			* @return int
156			*/
157			protected function get_menu_id_from_terms($slug = 0) {
158			if (!is_numeric($slug) && is_string($slug)) {
159			//we have a string so lets search for that
160			$menu_id = get_term_by('slug', $slug, 'nav_menu');
161			if ($menu_id) {
162			return $menu_id;
163			}
164			$menu_id = get_term_by('name', $slug, 'nav_menu');
165			if ($menu_id) {
166			return $menu_id;
167			}
168			}
169			$menus = get_terms('nav_menu', array('hide_empty' => true));
170			if (is_array($menus) && count($menus)) {
171			if (isset($menus[0]->term_id)) {
172			return $menus[0]->term_id;
173			}
174			}
175			return 0;
176			}
177
178			/**
179			* @param array $menu_items
180			* @param int $parent_id
181			* @return TimberMenuItem\|null
182			*/
183			function find_parent_item_in_menu($menu_items, $parent_id) {
			0 ignored issues – show Best Practice introduced 2015-11-23 18:11 UTC by Report Bug Copy Issue Report Show Similar Issues like this It is generally recommended to explicitly declare the visibility for methods. Adding explicit visibility (`private`, `protected`, or `public`) is generally recommend to communicate to other developers how, and from where this method is intended to be used. Loading history...
184			foreach ($menu_items as &$item) {
185			if ($item->ID == $parent_id) {
186			return $item;
187			}
188			}
189			}
190
191			/**
192			* @internal
193			* @param array $items
194			* @return array
195			*/
196			protected function order_children($items) {
197			$index = array();
198			$menu = array();
199			foreach ($items as $item) {
200			if (isset($item->title)) {
201			//items from wp can come with a $title property which conflicts with methods
202			$item->__title = $item->title;
203			unset($item->title);
204			}
205			if(isset($item->ID)){
206			if (is_object($item) && get_class($item) == 'WP_Post'){
207			$old_menu_item = $item;
208			$item = new $this->PostClass($item);
209			}
210			$menu_item = new $this->MenuItemClass($item);
211			if (isset($old_menu_item)){
212			$menu_item->import_classes($old_menu_item);
213			}
214			$index[$item->ID] = $menu_item;
215			}
216			}
217			foreach ($index as $item) {
218			if (isset($item->menu_item_parent) && $item->menu_item_parent && isset($index[$item->menu_item_parent])) {
219			$index[$item->menu_item_parent]->add_child($item);
220			} else {
221			$menu[] = $item;
222			}
223			}
224			return $menu;
225			}
226
227			/**
228			* @return array
229			*/
230			function get_items() {
			0 ignored issues – show Best Practice introduced 2015-11-23 18:11 UTC by Report Bug Copy Issue Report Show Similar Issues like this It is generally recommended to explicitly declare the visibility for methods. Adding explicit visibility (`private`, `protected`, or `public`) is generally recommend to communicate to other developers how, and from where this method is intended to be used. Loading history...
231			if (is_array($this->items)) {
232			return $this->items;
233			}
234			return array();
235			}
236			}
237
238
239

jarednova / timber

Issues (311)

Security Analysis not enabled

lib/timber-menu.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like