Issues in User.php (master) - Issues in master - liverbool/dos-user-bundle - Measure and Improve Code Quality continuously with Scrutinizer

Issues (18)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

Model/User.php (1 issue)

Labels

Severity

Major 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace DoS\UserBundle\Model;

use Doctrine\Common\Collections\ArrayCollection;
use Sylius\Component\Rbac\Model\Role;
use Sylius\Component\Rbac\Model\RoleInterface;
use Sylius\Component\User\Model\User as BaseUser;
use Symfony\Component\PropertyAccess\PropertyAccess;
use Sylius\Component\Media\Model\ImageInterface;

class User extends BaseUser implements UserInterface
{
    /**
     * @var string
     */
    protected $locale;

    /**
     * @var string
     */
    protected $displayname;

    /**
     * @var string
     */
    protected $confirmationType;

    /**
     * @var \DateTime
     */
    protected $confirmedAt;

    /**
     * @var ArrayCollection|Role[]
     */
    protected $authorizationRoles;

    /**
     * @var ImageInterface
     */
    protected $picture;

    public function __construct()
    {
        parent::__construct();

        $this->authorizationRoles = new ArrayCollection();
    }

    /**
     * @return bool
     */
    public function isLocked()
    {
        return $this->locked;
    }

    /**
     * @return string
     */
    public function getDisplayName()
    {
        $customer = $this->getCustomer();

        return $this->displayname ?:
            (
                $customer && trim($customer->getFullName())
                ? $customer->getFullName()
                : $this->username
            )
        ;
    }

    /**
     * @param null|string $displayname
     */
    public function setDisplayName($displayname = null)
    {
        $this->displayname = $displayname;
    }

    /**
     * @return string
     */
    public function getLocale()
    {
        return $this->locale;
    }

    /**
     * @param string $locale
     */
    public function setLocale($locale)
    {
        $this->locale = $locale;
    }

    /**
     * @return string|void
     */
    public function getLang()
    {
        if ($this->locale) {
            if (preg_match('/_([a-z]{2})/i', $this->locale, $match)) {
                return strtolower($match[1]);
            }
        }

        return;
    }

    /**
     * @inheritdoc
     */
    public function getMediaPath()
    {
        return '/user/' . $this->usernameCanonical;
    }

    /**
     * {@inheritdoc}
     */
    public function setPicture(ImageInterface $picture = null)
    {
        $this->picture = $picture;
    }

    /**
     * {@inheritdoc}
     */
    public function getPicture()
    {
        return $this->picture;
    }

    /**
     * {@inheritdoc}
     */
    public function getProfilePicture()
    {
        if ($this->picture) {
            return $this->picture->getMediaId();
        }

        foreach ($this->oauthAccounts as $account) {
            if ($avatar = $account->getProfilePicture()) {
                return $avatar;
            }
        }

        return;
    }

    /**
     * @inheritdoc
     */
    public function getConfirmedAt()
    {
        return $this->confirmedAt;
    }

    /**
     * @inheritdoc
     */
    public function setConfirmedAt(\DateTime $confirmedAt = null)
    {
        $this->confirmedAt = $confirmedAt;
    }

    /**
     * @inheritdoc
     */
    public function confirmed(\DateTime $confirmedAt = null)
    {
        $this->setConfirmedAt($confirmedAt ?: new \DateTime());
        $this->setEnabled(true);
        $this->setConfirmationToken(null);
        $this->setPasswordRequestedAt(null);
    }

    /**
     * @inheritdoc
     */
    public function isConfirmed()
    {
        return $this->confirmedAt || $this->enabled;
    }

    /**
     * {@inheritdoc}
     */
    public function setEnabled($boolean)
    {
        $this->enabled = (Boolean)$boolean;

        if (!$this->isConfirmed()) {
            $this->enabled = false;
        }

        return $this;
    }

    /**
     * {@inheritdoc}
     */
    public function getConfirmationChannel($propertyPath)
    {
        $accessor = PropertyAccess::createPropertyAccessor();

        return $accessor->getValue($this, $propertyPath);
    }

    /**
     * {@inheritdoc}
     */
    public function getConfirmationRequestedAt()
    {
        return $this->getPasswordRequestedAt();
    }

    /**
     * {@inheritdoc}
     */
    public function setConfirmationRequestedAt(\DateTime $dateTime = null)
    {
        $this->setPasswordRequestedAt($dateTime);
    }

    /**
     * {@inheritdoc}
     */
    public function getConfirmationConfirmedAt()
    {
        return $this->getConfirmedAt();
    }

    /**
     * {@inheritdoc}
     */
    public function setConfirmationConfirmedAt(\DateTime $dateTime = null)
    {
        $this->setConfirmedAt($dateTime);
    }

    /**
     * {@inheritdoc}
     */
    public function isConfirmationConfirmed()
    {
        return $this->isConfirmed();
    }

    /**
     * {@inheritdoc}
     */
    public function confirmationRequest($token)
    {
        $this->setConfirmationToken($token);
        $this->setConfirmationRequestedAt(new \DateTime());
        $this->setEnabled(false);
    }

    /**
     * {@inheritdoc}
     */
    public function confirmationConfirm()
    {
        $this->confirmed();
    }

    /**
     * {@inheritdoc}
     */
    public function getConfirmationType()
    {
        return $this->confirmationType;
    }

    /**
     * {@inheritdoc}
     */
    public function setConfirmationType($confirmationType)
    {
        $this->confirmationType = $confirmationType;
    }

    /**
     * {@inheritdoc}
     */
    public function confirmationDisableAccess()
    {
        $this->enabled = false;
    }

    /**
     * {@inheritdoc}
     */
    public function confirmationEnableAccess()
    {
        $this->enabled = true;
    }

    /**
     * {@inheritdoc}
     */
    public function getAuthorizationRoles()
    {
        return $this->authorizationRoles;

    }

    /**
     * {@inheritdoc}
     */
    public function addAuthorizationRole(RoleInterface $role)
    {
        if (!$this->hasAuthorizationRole($role)) {
            $this->authorizationRoles->add($role);
        }
    }

    /**
     * {@inheritdoc}
     */
    public function removeAuthorizationRole(RoleInterface $role)
    {
        if ($this->hasAuthorizationRole($role)) {
            $this->authorizationRoles->removeElement($role);
        }
    }

    /**
     * {@inheritdoc}
     */
    public function hasAuthorizationRole(RoleInterface $role)
    {
        return $this->authorizationRoles->contains($role);
    }

    /**
     * {@inheritdoc}
     */
    public function getRoles()
    {
        $roles = parent::getRoles();

        foreach ($this->getAuthorizationRoles() as $role) {
            $roles = array_merge($roles, $role->getSecurityRoles());
        }

        return $roles;
    }
}


1			<?php
2
3			namespace DoS\UserBundle\Model;
4
5			use Doctrine\Common\Collections\ArrayCollection;
6			use Sylius\Component\Rbac\Model\Role;
7			use Sylius\Component\Rbac\Model\RoleInterface;
8			use Sylius\Component\User\Model\User as BaseUser;
9			use Symfony\Component\PropertyAccess\PropertyAccess;
10			use Sylius\Component\Media\Model\ImageInterface;
11
12			class User extends BaseUser implements UserInterface
13			{
14			/**
15			* @var string
16			*/
17			protected $locale;
18
19			/**
20			* @var string
21			*/
22			protected $displayname;
23
24			/**
25			* @var string
26			*/
27			protected $confirmationType;
28
29			/**
30			* @var \DateTime
31			*/
32			protected $confirmedAt;
33
34			/**
35			* @var ArrayCollection\|Role[]
36			*/
37			protected $authorizationRoles;
38
39			/**
40			* @var ImageInterface
41			*/
42			protected $picture;
43
44			public function __construct()
45			{
46			parent::__construct();
47
48			$this->authorizationRoles = new ArrayCollection();
49			}
50
51			/**
52			* @return bool
53			*/
54			public function isLocked()
55			{
56			return $this->locked;
57			}
58
59			/**
60			* @return string
61			*/
62			public function getDisplayName()
63			{
64			$customer = $this->getCustomer();
65
66			return $this->displayname ?:
67			(
68			$customer && trim($customer->getFullName())
69			? $customer->getFullName()
70			: $this->username
71			)
72			;
73			}
74
75			/**
76			* @param null\|string $displayname
77			*/
78			public function setDisplayName($displayname = null)
79			{
80			$this->displayname = $displayname;
81			}
82
83			/**
84			* @return string
85			*/
86			public function getLocale()
87			{
88			return $this->locale;
89			}
90
91			/**
92			* @param string $locale
93			*/
94			public function setLocale($locale)
95			{
96			$this->locale = $locale;
97			}
98
99			/**
100			* @return string\|void
101			*/
102			public function getLang()
103			{
104			if ($this->locale) {
105			if (preg_match('/_([a-z]{2})/i', $this->locale, $match)) {
106			return strtolower($match[1]);
107			}
108			}
109
110			return;
111			}
112
113			/**
114			* @inheritdoc
115			*/
116			public function getMediaPath()
117			{
118			return '/user/' . $this->usernameCanonical;
119			}
120
121			/**
122			* {@inheritdoc}
123			*/
124			public function setPicture(ImageInterface $picture = null)
125			{
126			$this->picture = $picture;
127			}
128
129			/**
130			* {@inheritdoc}
131			*/
132			public function getPicture()
133			{
134			return $this->picture;
135			}
136
137			/**
138			* {@inheritdoc}
139			*/
140			public function getProfilePicture()
141			{
142			if ($this->picture) {
143			return $this->picture->getMediaId();
144			}
145
146			foreach ($this->oauthAccounts as $account) {
147			if ($avatar = $account->getProfilePicture()) {
148			return $avatar;
149			}
150			}
151
152			return;
153			}
154
155			/**
156			* @inheritdoc
157			*/
158			public function getConfirmedAt()
159			{
160			return $this->confirmedAt;
161			}
162
163			/**
164			* @inheritdoc
165			*/
166			public function setConfirmedAt(\DateTime $confirmedAt = null)
167			{
168			$this->confirmedAt = $confirmedAt;
169			}
170
171			/**
172			* @inheritdoc
173			*/
174			public function confirmed(\DateTime $confirmedAt = null)
175			{
176			$this->setConfirmedAt($confirmedAt ?: new \DateTime());
177			$this->setEnabled(true);
178			$this->setConfirmationToken(null);
179			$this->setPasswordRequestedAt(null);
180			}
181
182			/**
183			* @inheritdoc
184			*/
185			public function isConfirmed()
186			{
187			return $this->confirmedAt \|\| $this->enabled;
188			}
189
190			/**
191			* {@inheritdoc}
192			*/
193			public function setEnabled($boolean)
194			{
195			$this->enabled = (Boolean)$boolean;
196
197			if (!$this->isConfirmed()) {
198			$this->enabled = false;
199			}
200
201			return $this;
202			}
203
204			/**
205			* {@inheritdoc}
206			*/
207			public function getConfirmationChannel($propertyPath)
208			{
209			$accessor = PropertyAccess::createPropertyAccessor();
210
211			return $accessor->getValue($this, $propertyPath);
212			}
213
214			/**
215			* {@inheritdoc}
216			*/
217			public function getConfirmationRequestedAt()
218			{
219			return $this->getPasswordRequestedAt();
220			}
221
222			/**
223			* {@inheritdoc}
224			*/
225			public function setConfirmationRequestedAt(\DateTime $dateTime = null)
226			{
227			$this->setPasswordRequestedAt($dateTime);
228			}
229
230			/**
231			* {@inheritdoc}
232			*/
233			public function getConfirmationConfirmedAt()
234			{
235			return $this->getConfirmedAt();
236			}
237
238			/**
239			* {@inheritdoc}
240			*/
241			public function setConfirmationConfirmedAt(\DateTime $dateTime = null)
242			{
243			$this->setConfirmedAt($dateTime);
244			}
245
246			/**
247			* {@inheritdoc}
248			*/
249			public function isConfirmationConfirmed()
250			{
251			return $this->isConfirmed();
252			}
253
254			/**
255			* {@inheritdoc}
256			*/
257			public function confirmationRequest($token)
258			{
259			$this->setConfirmationToken($token);
260			$this->setConfirmationRequestedAt(new \DateTime());
261			$this->setEnabled(false);
262			}
263
264			/**
265			* {@inheritdoc}
266			*/
267			public function confirmationConfirm()
268			{
269			$this->confirmed();
270			}
271
272			/**
273			* {@inheritdoc}
274			*/
275			public function getConfirmationType()
276			{
277			return $this->confirmationType;
278			}
279
280			/**
281			* {@inheritdoc}
282			*/
283			public function setConfirmationType($confirmationType)
284			{
285			$this->confirmationType = $confirmationType;
286			}
287
288			/**
289			* {@inheritdoc}
290			*/
291			public function confirmationDisableAccess()
292			{
293			$this->enabled = false;
294			}
295
296			/**
297			* {@inheritdoc}
298			*/
299			public function confirmationEnableAccess()
300			{
301			$this->enabled = true;
302			}
303
304			/**
305			* {@inheritdoc}
306			*/
307			public function getAuthorizationRoles()
308			{
309			return $this->authorizationRoles;
			0 ignored issues – show Bug Compatibility introduced 2016-03-11 09:34 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `$this->authorizationRoles;` of type `Doctrine\Common\Collecti...onent\Rbac\Model\Role[]` adds the type `Doctrine\Common\Collections\ArrayCollection` to the return on line 309 which is incompatible with the return type declared by the interface `Sylius\Component\Rbac\Mo...::getAuthorizationRoles` of type `Sylius\Component\Rbac\Model\RoleInterface[]`. Loading history...
310			}
311
312			/**
313			* {@inheritdoc}
314			*/
315			public function addAuthorizationRole(RoleInterface $role)
316			{
317			if (!$this->hasAuthorizationRole($role)) {
318			$this->authorizationRoles->add($role);
319			}
320			}
321
322			/**
323			* {@inheritdoc}
324			*/
325			public function removeAuthorizationRole(RoleInterface $role)
326			{
327			if ($this->hasAuthorizationRole($role)) {
328			$this->authorizationRoles->removeElement($role);
329			}
330			}
331
332			/**
333			* {@inheritdoc}
334			*/
335			public function hasAuthorizationRole(RoleInterface $role)
336			{
337			return $this->authorizationRoles->contains($role);
338			}
339
340			/**
341			* {@inheritdoc}
342			*/
343			public function getRoles()
344			{
345			$roles = parent::getRoles();
346
347			foreach ($this->getAuthorizationRoles() as $role) {
348			$roles = array_merge($roles, $role->getSecurityRoles());
349			}
350
351			return $roles;
352			}
353			}
354

liverbool / dos-user-bundle

Issues (18)

Security Analysis not enabled

Model/User.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like