Issues in RRD.php (develop) - Issues in develop - librenms/librenmsv2 - Measure and Improve Code Quality continuously with Scrutinizer

Issues (111)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

app/Data/RRD.php (3 issues)

Labels

Coding Style 3

Severity

Informational 3

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * RRD.php
 *
 * Fetch data from RRD files
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 * @package    LibreNMS
 * @link       http://librenms.org
 * @copyright  2016 Tony Murray
 * @author     Tony Murray <[email protected]>
 */

namespace App\Data;

use App\Exceptions\UnsupportedOutputFormatException;
use App\Models\Device;
use Settings;
use Symfony\Component\Process\Exception\ProcessFailedException;
use Symfony\Component\Process\Process;

abstract class RRD implements Source
{
    /** @var array Array of formats this RRD Source supports */
    protected $supported_formats = [];

    /** @var string Holds the rrdtool command that will be run */
    protected $command;

    /**
     * RRD constructor.
     *
     * @param $args
     */
    public function __construct($args)
    {
        $this->command = $this->buildCommand($args);
    }

    /**
     * Run rrdtool and return the output
     *
     * @return string
     */
    protected function run()
    {
        $process = new Process($this->command);
        $process->run();
        if (!$process->isSuccessful()) {
            throw new ProcessFailedException($process);
        }
        return $process->getOutput();
    }

    /**
     * Check if the requested format is supported
     *
     * @param $format
     * @return bool
     */
    protected function isFormatSupported($format)
    {
        return in_array($format, $this->supported_formats);
    }

    /**
     * Throw an exception if the requested format isn't supported
     *
     * @param $format
     * @throws UnsupportedOutputFormatException
     */
    protected function checkFormatSupported($format)
    {
        if (!$this->isFormatSupported($format)) {
            throw new UnsupportedOutputFormatException("Format ($format) is not supported by the chosen data source ".get_class($this));
        }
    }


    /**
     * Generate an rrdtool command with the supplied arguments
     *
     * @param string $args rrdtool arguments
     * @return string
     */
    private function buildCommand($args)
    {
        $rrd_cmd = Settings::get('rrdtool').' ';

        // if using rrdcached append --daemon and replace rrd_dir with rrdcached if it is set
        if (Settings::has('rrdcached')) {
            if (Settings::has('rrdcached_dir')) {
                $rrdcached_dir = Settings::get('rrdcached_dir');
                if ($rrdcached_dir !== false) {
                    $rrd_dir = Settings::get('rrd_dir');
                    $args = str_replace(array($rrd_dir.'/', $rrd_dir), './'.$rrdcached_dir.'/', $args);
                }
            }
            $rrdcached = Settings::get('rrdcached');
            $rrd_cmd .= "--daemon $rrdcached ";
        }
        return $rrd_cmd.$args;
    }

    /**
     * Generates a filename based on the hostname (or IP) and some extra items
     *
     * @param Device $device Device
     * @param array|string $extra Components of RRD filename - will be separated with "-", or a pre-formed rrdname
     * @param string $extension File extension (default is .rrd)
     * @return string the name of the rrd file for $host's $extra component
     */
    public static function getFileName($device, $extra, $extension = '.rrd')
    {
        $filename = safename(is_array($extra) ? implode("-", $extra) : $extra);
        return implode("/", array(Settings::get('rrd_dir'), $device->hostname, $filename.$extension));
    }

    /**
     * Get the name of this ports rrd file
     *
     * @param $port_id
     * @param string $suffix
     * @return string
     */
    public static function getPortName($port_id, $suffix = '')
    {
        if (!empty($suffix)) {
            $suffix = '-'.$suffix;
        }

        return "port-id$port_id$suffix";
    }

    /**
     * Get the full rrd path to this port on this device
     *
     * @param Device $device
     * @param $port_id
     * @param string $suffix
     * @return string
     */
    public static function getPortFileName($device, $port_id, $suffix = '')
    {
        return self::getFileName($device, self::getPortName($port_id, $suffix));
    }

    /**
     * Escapes strings for rrdtool
     *
     * @param string $string the string to escape
     * @param integer $length if passed, string will be padded and trimmed to exactly this length (after rrdtool unescapes it)
     * @return string
     */
    public static function escape($string, $length = null)
    {
        $result = shorten_interface_type($string);
        $result = str_replace("'", '', $result);            # remove quotes

        $result = str_replace('%', '%%', $result);          # double percent signs

        if (is_numeric($length) && strlen($string) > $length) {
            $extra = substr_count($string, ':', 0, $length);
            $result = substr(str_pad($result, $length), 0, ($length + $extra));
            if ($extra > 0) {
                $result = substr($result, 0, (-1 * $extra));
            }
        }

        $result = str_replace(':', '\:', $result);          # escape colons

        return $result.' ';
    }
}


1			<?php
2			/**
3			* RRD.php
4			*
5			* Fetch data from RRD files
6			*
7			* This program is free software: you can redistribute it and/or modify
8			* it under the terms of the GNU General Public License as published by
9			* the Free Software Foundation, either version 3 of the License, or
10			* (at your option) any later version.
11			*
12			* This program is distributed in the hope that it will be useful,
13			* but WITHOUT ANY WARRANTY; without even the implied warranty of
14			* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.See the
15			* GNU General Public License for more details.
16			*
17			* You should have received a copy of the GNU General Public License
18			* along with this program. If not, see <http://www.gnu.org/licenses/>.
19			*
20			* @package LibreNMS
21			* @link http://librenms.org
22			* @copyright 2016 Tony Murray
23			* @author Tony Murray <[email protected]>
24			*/
25
26			namespace App\Data;
27
28			use App\Exceptions\UnsupportedOutputFormatException;
29			use App\Models\Device;
30			use Settings;
31			use Symfony\Component\Process\Exception\ProcessFailedException;
32			use Symfony\Component\Process\Process;
33
34			abstract class RRD implements Source
35			{
36			/** @var array Array of formats this RRD Source supports */
37			protected $supported_formats = [];
38
39			/** @var string Holds the rrdtool command that will be run */
40			protected $command;
41
42			/**
43			* RRD constructor.
44			*
45			* @param $args
46			*/
47			public function __construct($args)
48			{
49			$this->command = $this->buildCommand($args);
50			}
51
52			/**
53			* Run rrdtool and return the output
54			*
55			* @return string
56			*/
57			protected function run()
58			{
59			$process = new Process($this->command);
60			$process->run();
61			if (!$process->isSuccessful()) {
62			throw new ProcessFailedException($process);
63			}
64			return $process->getOutput();
65			}
66
67			/**
68			* Check if the requested format is supported
69			*
70			* @param $format
71			* @return bool
72			*/
73			protected function isFormatSupported($format)
74			{
75			return in_array($format, $this->supported_formats);
76			}
77
78			/**
79			* Throw an exception if the requested format isn't supported
80			*
81			* @param $format
82			* @throws UnsupportedOutputFormatException
83			*/
84			protected function checkFormatSupported($format)
85			{
86			if (!$this->isFormatSupported($format)) {
87			throw new UnsupportedOutputFormatException("Format ($format) is not supported by the chosen data source ".get_class($this));
88			}
89			}
90
91
92			/**
93			* Generate an rrdtool command with the supplied arguments
94			*
95			* @param string $args rrdtool arguments
96			* @return string
97			*/
98			private function buildCommand($args)
99			{
100			$rrd_cmd = Settings::get('rrdtool').' ';
101
102			// if using rrdcached append --daemon and replace rrd_dir with rrdcached if it is set
103			if (Settings::has('rrdcached')) {
104			if (Settings::has('rrdcached_dir')) {
105			$rrdcached_dir = Settings::get('rrdcached_dir');
106			if ($rrdcached_dir !== false) {
107			$rrd_dir = Settings::get('rrd_dir');
108			$args = str_replace(array($rrd_dir.'/', $rrd_dir), './'.$rrdcached_dir.'/', $args);
109			}
110			}
111			$rrdcached = Settings::get('rrdcached');
112			$rrd_cmd .= "--daemon $rrdcached ";
113			}
114			return $rrd_cmd.$args;
115			}
116
117			/**
118			* Generates a filename based on the hostname (or IP) and some extra items
119			*
120			* @param Device $device Device
121			* @param array\|string $extra Components of RRD filename - will be separated with "-", or a pre-formed rrdname
122			* @param string $extension File extension (default is .rrd)
123			* @return string the name of the rrd file for $host's $extra component
124			*/
125			public static function getFileName($device, $extra, $extension = '.rrd')
126			{
127			$filename = safename(is_array($extra) ? implode("-", $extra) : $extra);
128			return implode("/", array(Settings::get('rrd_dir'), $device->hostname, $filename.$extension));
129			}
130
131			/**
132			* Get the name of this ports rrd file
133			*
134			* @param $port_id
135			* @param string $suffix
136			* @return string
137			*/
138			public static function getPortName($port_id, $suffix = '')
139			{
140			if (!empty($suffix)) {
141			$suffix = '-'.$suffix;
142			}
143
144			return "port-id$port_id$suffix";
145			}
146
147			/**
148			* Get the full rrd path to this port on this device
149			*
150			* @param Device $device
151			* @param $port_id
152			* @param string $suffix
153			* @return string
154			*/
155			public static function getPortFileName($device, $port_id, $suffix = '')
156			{
157			return self::getFileName($device, self::getPortName($port_id, $suffix));
158			}
159
160			/**
161			* Escapes strings for rrdtool
162			*
163			* @param string $string the string to escape
164			* @param integer $length if passed, string will be padded and trimmed to exactly this length (after rrdtool unescapes it)
165			* @return string
166			*/
167			public static function escape($string, $length = null)
168			{
169			$result = shorten_interface_type($string);
170			$result = str_replace("'", '', $result); # remove quotes
			0 ignored issues – show Coding Style introduced 2016-11-17 08:49 UTC by Report Bug Copy Issue Report Show Similar Issues like this Perl-style comments are not allowed. Use "// Comment." or "/* comment */" instead. Loading history...
171			$result = str_replace('%', '%%', $result); # double percent signs
			0 ignored issues – show Coding Style introduced 2016-11-17 08:49 UTC by Report Bug Copy Issue Report Show Similar Issues like this Perl-style comments are not allowed. Use "// Comment." or "/* comment */" instead. Loading history...
172			if (is_numeric($length) && strlen($string) > $length) {
173			$extra = substr_count($string, ':', 0, $length);
174			$result = substr(str_pad($result, $length), 0, ($length + $extra));
175			if ($extra > 0) {
176			$result = substr($result, 0, (-1 * $extra));
177			}
178			}
179
180			$result = str_replace(':', '\:', $result); # escape colons
			0 ignored issues – show Coding Style introduced 2016-11-17 08:49 UTC by Report Bug Copy Issue Report Show Similar Issues like this Perl-style comments are not allowed. Use "// Comment." or "/* comment */" instead. Loading history...
181			return $result.' ';
182			}
183			}
184

librenms / librenmsv2

Issues (111)

Security Analysis not enabled

app/Data/RRD.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like