Issues in ResourceProvider.php (master) - Issues in master - m1/Vars - Measure and Improve Code Quality continuously with Scrutinizer

Issues (17)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Resource/ResourceProvider.php (2 issues)

Labels

Bug 2

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

/**
 * This file is part of the m1\vars library
 *
 * (c) m1 <[email protected]>
 *
 * For the full copyright and license information, please view the LICENSE
 * file that was distributed with this source code.
 *
 * @package     m1/vars
 * @version     1.1.0
 * @author      Miles Croxford <[email protected]>
 * @copyright   Copyright (c) Miles Croxford <[email protected]>
 * @license     http://github.com/m1/vars/blob/master/LICENSE
 * @link        http://github.com/m1/vars/blob/master/README.MD Documentation
 */

namespace M1\Vars\Resource;

use M1\Vars\Loader\DirectoryLoader;
use M1\Vars\Traits\ResourceFlagsTrait;
use M1\Vars\Vars;

/**
 * Vars Resource Provider to separate the different formats of config (array/file/dir) into one resource
 *
 * @since 0.1.0
 */
class ResourceProvider extends AbstractResource
{
    use ResourceFlagsTrait;

    /**
     * The configuration entity -- could be a file, array or dir
     *
     * @var array|string
     */
    private $entity;

    /**
     * If the import was not relative then the content will be stored in this array
     *
     * @var array
     */
    private $parent_content = array();

    /**
     * Are dirs wanting to be recursively searched
     *
     * @var bool
     */
    private $recursive;

    /**
     * Is the import relative
     *
     * @var bool
     */
    private $relative;

    /**
     * Suppress file not found exceptions
     *
     * @var bool
     */
    private $suppress_file_exceptions = false;

    /**
     * The parent Vars class
     *
     * @var \M1\Vars\Vars
     */
    public $vars;

    /**
     * The ResourceProvider constructor creates the content from the entity
     *
     * @param \M1\Vars\Vars $vars      The calling Vars class
     * @param string|array  $entity    The configuration entity
     * @param bool          $relative  Is the entity relative to the calling entity or class
     * @param bool          $recursive If entity a dir, do you want to recursively check directories
     *
     * @throws \InvalidArgumentException If the entity passed is not a string or array
     */
    public function __construct(Vars $vars, $entity, $relative = true, $recursive = false)
    {
        if (!is_string($entity) && !is_array($entity)) {
            throw new \InvalidArgumentException('You can only pass strings or arrays as Resources');
        }

        $this->vars = $vars;
        $this->entity = $entity;
        $this->relative = $relative;
        $this->recursive = $recursive;
        $type = gettype($entity);

        $resources = $this->processEntity($entity, $type);

        $vars->variables->vstore->createPrefix($relative);

        if ($resources && !empty($resources)) {
            $this->createResources($resources, $type);
        }
    }

    /**
     * Creates the FileResource|ResourceProvider from the resource
     *
     * @param array  $resources The array of resources
     * @param string $type      The type of the resource
     */
    private function createResources(array $resources, $type)
    {
        foreach ($resources as $resource) {
            if ($type === "string") {
                $this->vars->pathsLoadedCheck($resource);

                if ($this->vars->cache->checkCache()) {
                    return;
                }

                if ($this->vars->resourceImported($resource)) {
                    continue;
                }

                $pos = $this->vars->addResource($resource);
                $resource = new FileResource($this, $resource);
                $this->vars->updateResource($resource, $pos);
            } else {
                $resource = new ResourceProvider($this->vars, $resource);
            }

            $this->addContent($resource->getContent());
        }
    }

    /**
     * Creates the content from the entity
     *
     * @param string|array $entity The configuration entity
     * @param string       $type   The type of entity
     *
     * @throws \InvalidArgumentException If the entity is not array|file, is readable or exists
     *
     * @returns array The array of resources
     */
    private function processEntity($entity, $type)
    {
        $resources = $entity;

        if ($type === 'string') {
            $entity = $this->parseEntity($entity);
/**
 * @return array|string
 */
function returnsDifferentValues($x) {
    if ($x) {
        return 'foo';
    }

    return array();
}

$x = returnsDifferentValues($y);
if (is_array($x)) {
    // $x is an array.
}

            if (is_file($entity)) {
                $resources = array($entity);
            } elseif (is_dir($entity)) {
                $resources = $this->getSupportedFilesInDir($entity);
            } elseif ($this->suppress_file_exceptions) {
                $resources = false;
            } else {
                throw new \InvalidArgumentException(sprintf("'%s' does not exist or is not readable", $entity));
            }
        }

        return $resources;
    }

    /**
     * Creates the content from the entity
     *
     * @param string $entity The configuration entity
     *
     * @returns string The parsed entity
     */
    private function parseEntity($entity)
    {
        $files = $this->explodeResourceIfElse($entity);

        foreach ($files as $f) {
            $this->suppress_file_exceptions = $this->checkSuppression($f);
            $this->recursive = $this->checkRecursive($f);
            $f = $this->trimFlags($f);

            if (file_exists($f) || !isset($files[1])) {
                return $f;
            }
        }

        return $f;
function myFunction($a) {
    switch ($a) {
        case 'foo':
            $x = 1;
            break;

        case 'bar':
            $x = 2;
            break;
    }

    // $x is potentially undefined here.
    echo $x;
}
    }

    /**
     * Adds content to the parent contents
     *
     * @param array $content The content from the resource
     */
    private function addContent($content)
    {
        if ($this->relative) {
            $this->content = $this->mergeContents($this->content, $content);
        } else {
            $this->parent_content = $this->mergeContents($this->parent_content, $content);
        }
    }

    /**
     * Returns the supported files using the extensions from the loaders in the entity which is a directory
     *
     * @see \M1\Vars\Loader\LoaderProvider::getExtensions() \M1\Vars\Loader\LoaderProvider::getExtensions()
     * @see \M1\Vars\Loader\LoaderProvider::makeLoaders() \M1\Vars\Loader\LoaderProvider::makeLoaders()
     *
     * @param string $entity The resource entity
     *
     * @return array|bool Returns the supported files or false if no files were found
     */
    private function getSupportedFilesInDir($entity)
    {
        $dir_loader = new DirectoryLoader($entity, $this->recursive);
        $dir_loader->setSupports($this->vars->loader->getExtensions());
        $dir_loader->load();

        return $dir_loader->getContent();
    }

    /**
     * Merges various configuration contents into one array
     *
     * @return array The merged contents
     */
    private function mergeContents()
    {
        $contents = func_get_args();
        return call_user_func_array('array_replace_recursive', $contents);
    }

    /**
     * Adds content to the parent content array
     *
     * @param array $content The content to add
     */
    public function addParentContent(array $content)
    {
        $this->parent_content = array_merge_recursive($this->parent_content, $content);
    }

    /**
     * Merges the content and the parent content together
     *
     * @return \M1\Vars\Resource\ResourceProvider
     */
    public function mergeParentContent()
    {
        $this->content = $this->mergeContents($this->content, $this->parent_content);

        return $this;
    }

    /**
     * Returns the parent content
     *
     * @return mixed The parent content
     */
    public function getParentContent()
    {
        return $this->parent_content;
    }
}


GitHub Access Token became invalid

Issues (17)

Security Analysis no request data

src/Resource/ResourceProvider.php (2 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Available Fixes

1		<?php
2
3		/**
4		* This file is part of the m1\vars library
5		*
6		* (c) m1 <[email protected]>
7		*
8		* For the full copyright and license information, please view the LICENSE
9		* file that was distributed with this source code.
10		*
11		* @package m1/vars
12		* @version 1.1.0
13		* @author Miles Croxford <[email protected]>
14		* @copyright Copyright (c) Miles Croxford <[email protected]>
15		* @license http://github.com/m1/vars/blob/master/LICENSE
16		* @link http://github.com/m1/vars/blob/master/README.MD Documentation
17		*/
18
19		namespace M1\Vars\Resource;
20
21		use M1\Vars\Loader\DirectoryLoader;
22		use M1\Vars\Traits\ResourceFlagsTrait;
23		use M1\Vars\Vars;
24
25		/**
26		* Vars Resource Provider to separate the different formats of config (array/file/dir) into one resource
27		*
28		* @since 0.1.0
29		*/
30		class ResourceProvider extends AbstractResource
31		{
32		use ResourceFlagsTrait;
33
34		/**
35		* The configuration entity -- could be a file, array or dir
36		*
37		* @var array\|string
38		*/
39		private $entity;
40
41		/**
42		* If the import was not relative then the content will be stored in this array
43		*
44		* @var array
45		*/
46		private $parent_content = array();
47
48		/**
49		* Are dirs wanting to be recursively searched
50		*
51		* @var bool
52		*/
53		private $recursive;
54
55		/**
56		* Is the import relative
57		*
58		* @var bool
59		*/
60		private $relative;
61
62		/**
63		* Suppress file not found exceptions
64		*
65		* @var bool
66		*/
67		private $suppress_file_exceptions = false;
68
69		/**
70		* The parent Vars class
71		*
72		* @var \M1\Vars\Vars
73		*/
74		public $vars;
75
76		/**
77		* The ResourceProvider constructor creates the content from the entity
78		*
79		* @param \M1\Vars\Vars $vars The calling Vars class
80		* @param string\|array $entity The configuration entity
81		* @param bool $relative Is the entity relative to the calling entity or class
82		* @param bool $recursive If entity a dir, do you want to recursively check directories
83		*
84		* @throws \InvalidArgumentException If the entity passed is not a string or array
85		*/
86	81	public function __construct(Vars $vars, $entity, $relative = true, $recursive = false)
87		{
88	81	if (!is_string($entity) && !is_array($entity)) {
89	1	throw new \InvalidArgumentException('You can only pass strings or arrays as Resources');
90		}
91
92	80	$this->vars = $vars;
93	80	$this->entity = $entity;
94	80	$this->relative = $relative;
95	80	$this->recursive = $recursive;
96	80	$type = gettype($entity);
97
98	80	$resources = $this->processEntity($entity, $type);
99
100	77	$vars->variables->vstore->createPrefix($relative);
101
102	77	if ($resources && !empty($resources)) {
103	75	$this->createResources($resources, $type);
104		}
105	66	}
106
107		/**
108		* Creates the FileResource\|ResourceProvider from the resource
109		*
110		* @param array $resources The array of resources
111		* @param string $type The type of the resource
112		*/
113	75	private function createResources(array $resources, $type)
114		{
115	75	foreach ($resources as $resource) {
116	75	if ($type === "string") {
117	75	$this->vars->pathsLoadedCheck($resource);
118
119	75	if ($this->vars->cache->checkCache()) {
120	1	return;
121		}
122
123	75	if ($this->vars->resourceImported($resource)) {
124	1	continue;
125		}
126
127	75	$pos = $this->vars->addResource($resource);
128	75	$resource = new FileResource($this, $resource);
129	64	$this->vars->updateResource($resource, $pos);
130		} else {
131	1	$resource = new ResourceProvider($this->vars, $resource);
132		}
133
134	64	$this->addContent($resource->getContent());
135		}
136	64	}
137
138		/**
139		* Creates the content from the entity
140		*
141		* @param string\|array $entity The configuration entity
142		* @param string $type The type of entity
143		*
144		* @throws \InvalidArgumentException If the entity is not array\|file, is readable or exists
145		*
146		* @returns array The array of resources
147		*/
148	80	private function processEntity($entity, $type)
149		{
150	80	$resources = $entity;
151
152	80	if ($type === 'string') {
153	80	$entity = $this->parseEntity($entity);
		0 ignored issues – show Bug introduced 2015-12-18 22:33 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `$entity` can also be of type `array`; however, `M1\Vars\Resource\ResourceProvider::parseEntity()` does only seem to accept `string`, maybe add an additional type check? If a method or function can return multiple different values and unless you are sure that you only can receive a single value in this context, we recommend to add an additional type check: /** * @return array\|string */ function returnsDifferentValues($x) { if ($x) { return 'foo'; } return array(); } $x = returnsDifferentValues($y); if (is_array($x)) { // $x is an array. } If this a common case that PHP Analyzer should handle natively, please let us know by opening an issue. Loading history...
154
155	80	if (is_file($entity)) {
156	75	$resources = array($entity);
157	14	} elseif (is_dir($entity)) {
158	7	$resources = $this->getSupportedFilesInDir($entity);
159	7	} elseif ($this->suppress_file_exceptions) {
160	2	$resources = false;
161		} else {
162	5	throw new \InvalidArgumentException(sprintf("'%s' does not exist or is not readable", $entity));
163		}
164		}
165
166	77	return $resources;
167		}
168
169		/**
170		* Creates the content from the entity
171		*
172		* @param string $entity The configuration entity
173		*
174		* @returns string The parsed entity
175		*/
176	80	private function parseEntity($entity)
177		{
178	80	$files = $this->explodeResourceIfElse($entity);
179
180	80	foreach ($files as $f) {
181	80	$this->suppress_file_exceptions = $this->checkSuppression($f);
182	80	$this->recursive = $this->checkRecursive($f);
183	80	$f = $this->trimFlags($f);
184
185	80	if (file_exists($f) \|\| !isset($files[1])) {
186	80	return $f;
187		}
188		}
189
190	2	return $f;
		0 ignored issues – show Bug introduced 2015-12-18 22:33 UTC by Report Bug Copy Issue Report Show Similar Issues like this The variable `$f` does not seem to be defined for all execution paths leading up to this point. If you define a variable conditionally, it can happen that it is not defined for all execution paths. Let’s take a look at an example: function myFunction($a) { switch ($a) { case 'foo': $x = 1; break; case 'bar': $x = 2; break; } // $x is potentially undefined here. echo $x; } In the above example, the variable `$x` is defined if you pass “foo” or “bar” as argument for `$a`. However, since the `switch` statement has no default case statement, if you pass any other value, the variable `$x` would be undefined. Available Fixes Check for existence of the variable explicitly: function myFunction($a) { switch ($a) { case 'foo': $x = 1; break; case 'bar': $x = 2; break; } if (isset($x)) { // Make sure it's always set. echo $x; } } Define a default value for the variable: function myFunction($a) { $x = ''; // Set a default which gets overridden for certain paths. switch ($a) { case 'foo': $x = 1; break; case 'bar': $x = 2; break; } echo $x; } Add a value for the missing path: function myFunction($a) { switch ($a) { case 'foo': $x = 1; break; case 'bar': $x = 2; break; // We add support for the missing case. default: $x = ''; break; } echo $x; } Loading history...
191		}
192
193		/**
194		* Adds content to the parent contents
195		*
196		* @param array $content The content from the resource
197		*/
198	64	private function addContent($content)
199		{
200	64	if ($this->relative) {
201	64	$this->content = $this->mergeContents($this->content, $content);
202		} else {
203	7	$this->parent_content = $this->mergeContents($this->parent_content, $content);
204		}
205	64	}
206
207		/**
208		* Returns the supported files using the extensions from the loaders in the entity which is a directory
209		*
210		* @see \M1\Vars\Loader\LoaderProvider::getExtensions() \M1\Vars\Loader\LoaderProvider::getExtensions()
211		* @see \M1\Vars\Loader\LoaderProvider::makeLoaders() \M1\Vars\Loader\LoaderProvider::makeLoaders()
212		*
213		* @param string $entity The resource entity
214		*
215		* @return array\|bool Returns the supported files or false if no files were found
216		*/
217	7	private function getSupportedFilesInDir($entity)
218		{
219	7	$dir_loader = new DirectoryLoader($entity, $this->recursive);
220	7	$dir_loader->setSupports($this->vars->loader->getExtensions());
221	7	$dir_loader->load();
222
223	7	return $dir_loader->getContent();
224		}
225
226		/**
227		* Merges various configuration contents into one array
228		*
229		* @return array The merged contents
230		*/
231	66	private function mergeContents()
232		{
233	66	$contents = func_get_args();
234	66	return call_user_func_array('array_replace_recursive', $contents);
235		}
236
237		/**
238		* Adds content to the parent content array
239		*
240		* @param array $content The content to add
241		*/
242	7	public function addParentContent(array $content)
243		{
244	7	$this->parent_content = array_merge_recursive($this->parent_content, $content);
245	7	}
246
247		/**
248		* Merges the content and the parent content together
249		*
250		* @return \M1\Vars\Resource\ResourceProvider
251		*/
252	66	public function mergeParentContent()
253		{
254	66	$this->content = $this->mergeContents($this->content, $this->parent_content);
255
256	66	return $this;
257		}
258
259		/**
260		* Returns the parent content
261		*
262		* @return mixed The parent content
263		*/
264	51	public function getParentContent()
265		{
266	51	return $this->parent_content;
267		}
268		}
269

m1 / Vars

GitHub Access Token became invalid

Issues (17)

Security Analysis no request data

src/Resource/ResourceProvider.php (2 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Available Fixes

Duplication Side-by-Side

Filter issues like