Issues in Graph.php (develop) - Issues in develop - librenms/librenmsv2 - Measure and Improve Code Quality continuously with Scrutinizer

Issues (111)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

app/Graphs/Graph.php (3 issues)

Labels

Bug 3

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * BaseGraph.php
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 * @package    LibreNMS
 * @link       http://librenms.org
 * @copyright  2016 Neil Lathwood
 * @author     Neil Lathwood <[email protected]>
 */

namespace App\Graphs;

use App\Data\RRDGraph;
use App\Data\RRDXport;
use App\Exceptions\UnknownDataSourceException;
use App\Models\Device;
use Illuminate\Database\Eloquent\Collection;
use Illuminate\Http\Request;
use stdClass;

abstract class Graph
{
    protected $device;
    protected $type;
    protected $request;
    protected $input;
    protected $headers = [];

    /**
     * BaseGraph constructor.
     *
     * @param string $type
     * @param Request $request
     * @param stdClass $input
     */
    public function __construct($type, Request $request, $input = null)

    {
        $this->type = $type;
        $this->request = $request;
        if (is_null($input)) {
            $this->input = json_decode($request->{'input'});
        } else {
            $this->input = $input;
        }
        $this->device = $this->fetchDevice();
    }

    /**
     * Get the data for this graph in the requested format
     *
     * @param string $format png, json, or rrd
     * @return string
     * @throws UnknownDataSourceException
     */
    public function getGraph($format)
    {
        $sourceName = $this->request->source;
        $source = null;
        if ($sourceName === 'rrd') {
            if ($format == 'png') {
                $source = $this->createRRDGraph();
            } else {
                $source = $this->createRRDXport();
            }
        } else {
            throw new UnknownDataSourceException("Source type $source is not supported");
        }

        return $source->fetch($format);
    }

    /**
     * @return RRDXport
     */
    protected function createRRDXport()
    {
        return new RRDXport(
            $this->getRRDXportDefinition(),
            $this->getHeaders(),
            $this->input->start,
            $this->input->end
        );
    }

    /**
     * @return RRDGraph
     */
    protected function createRRDGraph()
    {
        return new RRDGraph(
            $this->getRRDGraphDefinition(),
            $this->input->start,
            $this->input->end,
            $this->input->width,
            $this->input->height
        );
    }

    /**
     * Check if there are request specific IDs
     *
     * @return bool
     */
    protected function hasIDs()
    {
        return isset($this->input->id) && (is_numeric($this->input->id) || str_contains($this->input->id, ','));
    }

    /**
     * Get the requested ID(s)
     *
     * @return array
     */
    protected function getIDs()
    {
        return explode(',', $this->input->id);
    }

    /**
     * Fetch the device with data
     * We use eager loading so we can load both at once
     *
     * @return mixed
     */
    protected function fetchDevice()
    {
        if ($this->hasIDs()) {
            $ids = explode(',', $this->input->id);
            return Device::with($this->getRelation())->findMany($ids);
class A
{
    public function foo() { }
}

class B extends A
{
    public function bar() { }
}

/**
 * @param A|B $x
 */
function someFunction($x)
{
    $x->foo(); // This call is fine as the method exists in A and B.
    $x->bar(); // This method only exists in B and might cause an error.
}
        }

        return Device::with($this->getRelation())->find($this->input->device_id);
class A
{
    public function foo() { }
}

class B extends A
{
    public function bar() { }
}

/**
 * @param A|B $x
 */
function someFunction($x)
{
    $x->foo(); // This call is fine as the method exists in A and B.
    $x->bar(); // This method only exists in B and might cause an error.
}
    }

    /**
     * Get the class name of a graph type for a give string
     *
     * @param string $graph_type This will be in the format 'device_ucd_memory'
     * @return string
     * @throws \Exception
     */
    public static function getClass($graph_type)
    {
        $name = ucwords(str_replace('_', '\\', $graph_type), '\\');
        $class = 'App\Graphs\\'.$name;
        if (class_exists($class)) {
            return $class;
        }
        throw new \Exception("Graph type $graph_type ($class) not found");
    }


    // -- Overrride these methods --

    /**
     * Returns the name(s) of the relationships to load for this graph
     * This may also be an associative array with a closure that accepts a query object
     * If you do not want to load any relationships, pass an empty array
     *
     * @return string|array
     */
    protected function getRelation()
    {
        return [];
    }


    /**
     * Get a Collection of db data for this graph
     * This is a helper function to the correct data related to Device
     *
     * @return Collection
     */
    protected function getData()
    {
        return new Collection();
    }

    /**
     * Get the chart headers for this graph
     * One string for each data set
     *
     * @return array
     */
    abstract protected function getHeaders();

    /**
     * Return the RRD definition string for Xport
     *
     * @return string
     */
    abstract protected function getRRDXportDefinition();

    /**
     * Return the RRD definition string for Graph creation
     *
     * @return string
     */
    abstract protected function getRRDGraphDefinition();
}


Issues (111)

Security Analysis not enabled

app/Graphs/Graph.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Available Fixes

Available Fixes

1			<?php
2			/**
3			* BaseGraph.php
4			*
5			* This program is free software: you can redistribute it and/or modify
6			* it under the terms of the GNU General Public License as published by
7			* the Free Software Foundation, either version 3 of the License, or
8			* (at your option) any later version.
9			*
10			* This program is distributed in the hope that it will be useful,
11			* but WITHOUT ANY WARRANTY; without even the implied warranty of
12			* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.See the
13			* GNU General Public License for more details.
14			*
15			* You should have received a copy of the GNU General Public License
16			* along with this program. If not, see <http://www.gnu.org/licenses/>.
17			*
18			* @package LibreNMS
19			* @link http://librenms.org
20			* @copyright 2016 Neil Lathwood
21			* @author Neil Lathwood <[email protected]>
22			*/
23
24			namespace App\Graphs;
25
26			use App\Data\RRDGraph;
27			use App\Data\RRDXport;
28			use App\Exceptions\UnknownDataSourceException;
29			use App\Models\Device;
30			use Illuminate\Database\Eloquent\Collection;
31			use Illuminate\Http\Request;
32			use stdClass;
33
34			abstract class Graph
35			{
36			protected $device;
37			protected $type;
38			protected $request;
39			protected $input;
40			protected $headers = [];
41
42			/**
43			* BaseGraph constructor.
44			*
45			* @param string $type
46			* @param Request $request
47			* @param stdClass $input
48			*/
49			public function __construct($type, Request $request, $input = null)
			0 ignored issues – show Bug introduced 2016-11-17 02:54 UTC by Report Bug Copy Issue Report Show Similar Issues like this You have injected the Request via parameter `$request`. This is generally not recommended as there might be multiple instances during a request cycle (f.e. when using sub-requests). Instead, it is recommended to inject the RequestStack and retrieve the current request each time you need it via `getCurrentRequest()`. Loading history...
50			{
51			$this->type = $type;
52			$this->request = $request;
53			if (is_null($input)) {
54			$this->input = json_decode($request->{'input'});
55			} else {
56			$this->input = $input;
57			}
58			$this->device = $this->fetchDevice();
59			}
60
61			/**
62			* Get the data for this graph in the requested format
63			*
64			* @param string $format png, json, or rrd
65			* @return string
66			* @throws UnknownDataSourceException
67			*/
68			public function getGraph($format)
69			{
70			$sourceName = $this->request->source;
71			$source = null;
72			if ($sourceName === 'rrd') {
73			if ($format == 'png') {
74			$source = $this->createRRDGraph();
75			} else {
76			$source = $this->createRRDXport();
77			}
78			} else {
79			throw new UnknownDataSourceException("Source type $source is not supported");
80			}
81
82			return $source->fetch($format);
83			}
84
85			/**
86			* @return RRDXport
87			*/
88			protected function createRRDXport()
89			{
90			return new RRDXport(
91			$this->getRRDXportDefinition(),
92			$this->getHeaders(),
93			$this->input->start,
94			$this->input->end
95			);
96			}
97
98			/**
99			* @return RRDGraph
100			*/
101			protected function createRRDGraph()
102			{
103			return new RRDGraph(
104			$this->getRRDGraphDefinition(),
105			$this->input->start,
106			$this->input->end,
107			$this->input->width,
108			$this->input->height
109			);
110			}
111
112			/**
113			* Check if there are request specific IDs
114			*
115			* @return bool
116			*/
117			protected function hasIDs()
118			{
119			return isset($this->input->id) && (is_numeric($this->input->id) \|\| str_contains($this->input->id, ','));
120			}
121
122			/**
123			* Get the requested ID(s)
124			*
125			* @return array
126			*/
127			protected function getIDs()
128			{
129			return explode(',', $this->input->id);
130			}
131
132			/**
133			* Fetch the device with data
134			* We use eager loading so we can load both at once
135			*
136			* @return mixed
137			*/
138			protected function fetchDevice()
139			{
140			if ($this->hasIDs()) {
141			$ids = explode(',', $this->input->id);
142			return Device::with($this->getRelation())->findMany($ids);
			0 ignored issues – show Bug introduced 2016-11-17 08:49 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `findMany` does only exist in `Illuminate\Database\Eloquent\Builder`, but not in `Illuminate\Database\Eloquent\Model`. It seems like the method you are trying to call exists only in some of the possible types. Let’s take a look at an example: class A { public function foo() { } } class B extends A { public function bar() { } } /** * @param A\|B $x / function someFunction($x) { $x->foo(); // This call is fine as the method exists in A and B. $x->bar(); // This method only exists in B and might cause an error. } Available Fixes Add an additional type-check: /* * @param A\|B $x / function someFunction($x) { $x->foo(); if ($x instanceof B) { $x->bar(); } } Only allow a single type to be passed if the variable comes from a parameter: function someFunction(B $x) { /* ... */ } Loading history...
143			}
144
145			return Device::with($this->getRelation())->find($this->input->device_id);
			0 ignored issues – show Bug introduced 2016-11-17 08:49 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `find` does only exist in `Illuminate\Database\Eloquent\Builder`, but not in `Illuminate\Database\Eloquent\Model`. It seems like the method you are trying to call exists only in some of the possible types. Let’s take a look at an example: class A { public function foo() { } } class B extends A { public function bar() { } } /** * @param A\|B $x / function someFunction($x) { $x->foo(); // This call is fine as the method exists in A and B. $x->bar(); // This method only exists in B and might cause an error. } Available Fixes Add an additional type-check: /* * @param A\|B $x / function someFunction($x) { $x->foo(); if ($x instanceof B) { $x->bar(); } } Only allow a single type to be passed if the variable comes from a parameter: function someFunction(B $x) { /* ... */ } Loading history...
146			}
147
148			/**
149			* Get the class name of a graph type for a give string
150			*
151			* @param string $graph_type This will be in the format 'device_ucd_memory'
152			* @return string
153			* @throws \Exception
154			*/
155			public static function getClass($graph_type)
156			{
157			$name = ucwords(str_replace('_', '\\', $graph_type), '\\');
158			$class = 'App\Graphs\\'.$name;
159			if (class_exists($class)) {
160			return $class;
161			}
162			throw new \Exception("Graph type $graph_type ($class) not found");
163			}
164
165
166			// -- Overrride these methods --
167
168			/**
169			* Returns the name(s) of the relationships to load for this graph
170			* This may also be an associative array with a closure that accepts a query object
171			* If you do not want to load any relationships, pass an empty array
172			*
173			* @return string\|array
174			*/
175			protected function getRelation()
176			{
177			return [];
178			}
179
180
181			/**
182			* Get a Collection of db data for this graph
183			* This is a helper function to the correct data related to Device
184			*
185			* @return Collection
186			*/
187			protected function getData()
188			{
189			return new Collection();
190			}
191
192			/**
193			* Get the chart headers for this graph
194			* One string for each data set
195			*
196			* @return array
197			*/
198			abstract protected function getHeaders();
199
200			/**
201			* Return the RRD definition string for Xport
202			*
203			* @return string
204			*/
205			abstract protected function getRRDXportDefinition();
206
207			/**
208			* Return the RRD definition string for Graph creation
209			*
210			* @return string
211			*/
212			abstract protected function getRRDGraphDefinition();
213			}
214

librenms / librenmsv2

Issues (111)

Security Analysis not enabled

app/Graphs/Graph.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Available Fixes

Available Fixes

Duplication Side-by-Side

Filter issues like