Issues in admin.php (master) - Issues in master - mAAdhaTTah/wordpress-github-sync - Measure and Improve Code Quality continuously with Scrutinizer

Issues (64)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

lib/admin.php (9 issues)

Labels

Duplication 2

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * Administrative UI views and callbacks
 * @package WordPress_GitHub_Sync
 */

/**
 * Class WordPress_GitHub_Sync_Admin
 */
class WordPress_GitHub_Sync_Admin {

	/**
	 * Hook into GitHub API
	 */
	public function __construct() {
		add_action( 'admin_menu', array( $this, 'add_admin_menu' ) );
		add_action( 'admin_init', array( $this, 'register_settings' ) );
		add_action( 'current_screen', array( $this, 'trigger_cron' ) );
	}

	/**
	 * Callback to render the settings page view
	 */
	public function settings_page() {
		include dirname( dirname( __FILE__ ) ) . '/views/options.php';
	}

	/**
	 * Callback to register the plugin's options
	 */
	public function register_settings() {
		add_settings_section(
			'general',
			'General Settings',
			array( $this, 'section_callback' ),
			WordPress_GitHub_Sync::$text_domain
		);

		register_setting( WordPress_GitHub_Sync::$text_domain, 'wpghs_host' );
		add_settings_field( 'wpghs_host', __( 'GitHub hostname', 'wp-github-sync' ), array( $this, 'field_callback' ), WordPress_GitHub_Sync::$text_domain, 'general', array(
				'default'   => 'https://api.github.com',
				'name'      => 'wpghs_host',
				'help_text' => __( 'The GitHub host to use. This only needs to be changed to support a GitHub Enterprise installation.', 'wp-github-sync' ),
			)
		);

		register_setting( WordPress_GitHub_Sync::$text_domain, 'wpghs_repository' );
		add_settings_field( 'wpghs_repository', __( 'Repository', 'wp-github-sync' ), array( $this, 'field_callback' ), WordPress_GitHub_Sync::$text_domain, 'general', array(
				'default'   => '',
				'name'      => 'wpghs_repository',
				'help_text' => __( 'The GitHub repository to commit to, with owner (<code>[OWNER]/[REPOSITORY]</code>), e.g., <code>github/hubot.github.com</code>. The repository should contain an initial commit, which is satisfied by including a README when you create the repository on GitHub.', 'wp-github-sync' ),
			)
		);

		register_setting( WordPress_GitHub_Sync::$text_domain, 'wpghs_oauth_token' );
		add_settings_field( 'wpghs_oauth_token', __( 'Oauth Token', 'wp-github-sync' ), array( $this, 'field_callback' ), WordPress_GitHub_Sync::$text_domain, 'general', array(
				'default'   => '',
				'name'      => 'wpghs_oauth_token',
				'help_text' => __( "A <a href='https://github.com/settings/tokens/new'>personal oauth token</a> with <code>public_repo</code> scope.", 'wp-github-sync' ),
			)
		);

		register_setting( WordPress_GitHub_Sync::$text_domain, 'wpghs_secret' );
		add_settings_field( 'wpghs_secret', __( 'Webhook Secret', 'wp-github-sync' ), array( $this, 'field_callback' ), WordPress_GitHub_Sync::$text_domain, 'general', array(
				'default'   => '',
				'name'      => 'wpghs_secret',
				'help_text' => __( "The webhook's secret phrase. This should be password strength, as it is used to verify the webhook's payload.", 'wp-github-sync' ),
			)
		);

		register_setting( WordPress_GitHub_Sync::$text_domain, 'wpghs_default_user' );
		add_settings_field( 'wpghs_default_user', __( 'Default Import User', 'wp-github-sync' ), array( &$this, 'user_field_callback' ), WordPress_GitHub_Sync::$text_domain, 'general', array(
				'default'   => '',
				'name'      => 'wpghs_default_user',
				'help_text' => __( 'The fallback user for import, in case WordPress <--> GitHub Sync cannot find the committer in the database.', 'wp-github-sync' ),
			)
		);
	}

	/**
	 * Callback to render an individual options field
	 *
	 * @param array $args Field arguments.
	 */
	public function field_callback( $args ) {
		include dirname( dirname( __FILE__ ) ) . '/views/setting-field.php';
	}

	/**
	 * Callback to render the default import user field.
	 *
	 * @param array $args Field arguments.
	 */
	public function user_field_callback( $args ) {
		include dirname( dirname( __FILE__ ) ) . '/views/user-setting-field.php';
	}

	/**
	 * Displays settings messages from background processes
	 */
	public function section_callback() {
		if ( get_current_screen()->id !== 'settings_page_' . WordPress_GitHub_Sync::$text_domain ) {

			return;
		}

		if ( 'yes' === get_option( '_wpghs_export_started' ) ) { ?>
			<div class="updated">
				<p><?php esc_html_e( 'Export to GitHub started.', 'wp-github-sync' ); ?></p>
			</div><?php
			delete_option( '_wpghs_export_started' );
		}

		if ( $message = get_option( '_wpghs_export_error' ) ) { ?>

			<div class="error">
				<p><?php esc_html_e( 'Export to GitHub failed with error:', 'wp-github-sync' ); ?> <?php echo esc_html( $message );?></p>
			</div><?php
			delete_option( '_wpghs_export_error' );
		}

		if ( 'yes' === get_option( '_wpghs_export_complete' ) ) { ?>
			<div class="updated">
				<p><?php esc_html_e( 'Export to GitHub completed successfully.', 'wp-github-sync' );?></p>
			</div><?php
			delete_option( '_wpghs_export_complete' );
		}

		if ( 'yes' === get_option( '_wpghs_import_started' ) ) { ?>
			<div class="updated">
			<p><?php esc_html_e( 'Import from GitHub started.', 'wp-github-sync' ); ?></p>
			</div><?php
			delete_option( '_wpghs_import_started' );
		}

		if ( $message = get_option( '_wpghs_import_error' ) ) { ?>

			<div class="error">
			<p><?php esc_html_e( 'Import from GitHub failed with error:', 'wp-github-sync' ); ?> <?php echo esc_html( $message );?></p>
			</div><?php
			delete_option( '_wpghs_import_error' );
		}

		if ( 'yes' === get_option( '_wpghs_import_complete' ) ) { ?>
			<div class="updated">
			<p><?php esc_html_e( 'Import from GitHub completed successfully.', 'wp-github-sync' );?></p>
			</div><?php
			delete_option( '_wpghs_import_complete' );
		}
	}

	/**
	 * Add options menu to admin navbar
	 */
	public function add_admin_menu() {
		add_options_page(
			__( 'WordPress <--> GitHub Sync', 'wp-github-sync' ),
			__( 'GitHub Sync', 'wp-github-sync' ),
			'manage_options',
			WordPress_GitHub_Sync::$text_domain,
			array( $this, 'settings_page' )
		);
	}

	/**
	 * Admin callback to trigger import/export because WordPress admin routing lol
	 */
	public function trigger_cron() {
		if ( ! current_user_can( 'manage_options' ) ) {
			return;
		}

		if ( get_current_screen()->id !== 'settings_page_' . WordPress_GitHub_Sync::$text_domain ) {

			return;
		}

		if ( ! isset( $_GET['action'] ) ) {

			return;
		}

		if ( 'export' === $_GET['action'] ) {

			WordPress_GitHub_Sync::$instance->start_export();
		}

		if ( 'import' === $_GET['action'] ) {

			WordPress_GitHub_Sync::$instance->start_import();
		}

		wp_redirect( admin_url( 'options-general.php?page=wp-github-sync' ) );
		die;
	}
}


1		<?php
2		/**
3		* Administrative UI views and callbacks
4		* @package WordPress_GitHub_Sync
5		*/
6
7		/**
8		* Class WordPress_GitHub_Sync_Admin
9		*/
10		class WordPress_GitHub_Sync_Admin {
11
12		/**
13		* Hook into GitHub API
14		*/
15		public function __construct() {
16		add_action( 'admin_menu', array( $this, 'add_admin_menu' ) );
17		add_action( 'admin_init', array( $this, 'register_settings' ) );
18		add_action( 'current_screen', array( $this, 'trigger_cron' ) );
19		}
20
21		/**
22		* Callback to render the settings page view
23		*/
24		public function settings_page() {
25		include dirname( dirname( __FILE__ ) ) . '/views/options.php';
26		}
27
28		/**
29		* Callback to register the plugin's options
30		*/
31		public function register_settings() {
32		add_settings_section(
33		'general',
34		'General Settings',
35		array( $this, 'section_callback' ),
36		WordPress_GitHub_Sync::$text_domain
37		);
38
39		register_setting( WordPress_GitHub_Sync::$text_domain, 'wpghs_host' );
40		add_settings_field( 'wpghs_host', __( 'GitHub hostname', 'wp-github-sync' ), array( $this, 'field_callback' ), WordPress_GitHub_Sync::$text_domain, 'general', array(
41		'default' => 'https://api.github.com',
42		'name' => 'wpghs_host',
43		'help_text' => __( 'The GitHub host to use. This only needs to be changed to support a GitHub Enterprise installation.', 'wp-github-sync' ),
44		)
45		);
46
47		register_setting( WordPress_GitHub_Sync::$text_domain, 'wpghs_repository' );
48		add_settings_field( 'wpghs_repository', __( 'Repository', 'wp-github-sync' ), array( $this, 'field_callback' ), WordPress_GitHub_Sync::$text_domain, 'general', array(
49		'default' => '',
50		'name' => 'wpghs_repository',
51		'help_text' => __( 'The GitHub repository to commit to, with owner (<code>[OWNER]/[REPOSITORY]</code>), e.g., <code>github/hubot.github.com</code>. The repository should contain an initial commit, which is satisfied by including a README when you create the repository on GitHub.', 'wp-github-sync' ),
52		)
53		);
54
55		register_setting( WordPress_GitHub_Sync::$text_domain, 'wpghs_oauth_token' );
56		add_settings_field( 'wpghs_oauth_token', __( 'Oauth Token', 'wp-github-sync' ), array( $this, 'field_callback' ), WordPress_GitHub_Sync::$text_domain, 'general', array(
57		'default' => '',
58		'name' => 'wpghs_oauth_token',
59		'help_text' => __( "A <a href='https://github.com/settings/tokens/new'>personal oauth token</a> with <code>public_repo</code> scope.", 'wp-github-sync' ),
60		)
61		);
62
63		register_setting( WordPress_GitHub_Sync::$text_domain, 'wpghs_secret' );
64		add_settings_field( 'wpghs_secret', __( 'Webhook Secret', 'wp-github-sync' ), array( $this, 'field_callback' ), WordPress_GitHub_Sync::$text_domain, 'general', array(
65		'default' => '',
66		'name' => 'wpghs_secret',
67		'help_text' => __( "The webhook's secret phrase. This should be password strength, as it is used to verify the webhook's payload.", 'wp-github-sync' ),
68		)
69		);
70
71		register_setting( WordPress_GitHub_Sync::$text_domain, 'wpghs_default_user' );
72		add_settings_field( 'wpghs_default_user', __( 'Default Import User', 'wp-github-sync' ), array( &$this, 'user_field_callback' ), WordPress_GitHub_Sync::$text_domain, 'general', array(
73		'default' => '',
74		'name' => 'wpghs_default_user',
75		'help_text' => __( 'The fallback user for import, in case WordPress <--> GitHub Sync cannot find the committer in the database.', 'wp-github-sync' ),
76		)
77		);
78		}
79
80		/**
81		* Callback to render an individual options field
82		*
83		* @param array $args Field arguments.
84		*/
85		public function field_callback( $args ) {
86		include dirname( dirname( __FILE__ ) ) . '/views/setting-field.php';
87		}
88
89		/**
90		* Callback to render the default import user field.
91		*
92		* @param array $args Field arguments.
93		*/
94		public function user_field_callback( $args ) {
95		include dirname( dirname( __FILE__ ) ) . '/views/user-setting-field.php';
96		}
97
98		/**
99		* Displays settings messages from background processes
100		*/
101		public function section_callback() {
102		if ( get_current_screen()->id !== 'settings_page_' . WordPress_GitHub_Sync::$text_domain ) {
		0 ignored issues – show introduced 2015-11-21 17:00 UTC by Report Bug Copy Issue Report Show Similar Issues like this Found "!== '". Use Yoda Condition checks, you must Loading history...
103		return;
104		}
105
106		if ( 'yes' === get_option( '_wpghs_export_started' ) ) { ?>
107		<div class="updated">
108		<p><?php esc_html_e( 'Export to GitHub started.', 'wp-github-sync' ); ?></p>
109		</div><?php
110		delete_option( '_wpghs_export_started' );
111		}
112
113	View Code Duplication	if ( $message = get_option( '_wpghs_export_error' ) ) { ?>
		0 ignored issues – show Duplication introduced 2016-01-18 01:42 UTC by Report Bug Copy Issue Report Show Similar Issues like this This code seems to be duplicated across your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
114		<div class="error">
115		<p><?php esc_html_e( 'Export to GitHub failed with error:', 'wp-github-sync' ); ?> <?php echo esc_html( $message );?></p>
116		</div><?php
117		delete_option( '_wpghs_export_error' );
118		}
119
120		if ( 'yes' === get_option( '_wpghs_export_complete' ) ) { ?>
121		<div class="updated">
122		<p><?php esc_html_e( 'Export to GitHub completed successfully.', 'wp-github-sync' );?></p>
123		</div><?php
124		delete_option( '_wpghs_export_complete' );
125		}
126
127		if ( 'yes' === get_option( '_wpghs_import_started' ) ) { ?>
128		<div class="updated">
129		<p><?php esc_html_e( 'Import from GitHub started.', 'wp-github-sync' ); ?></p>
130		</div><?php
131		delete_option( '_wpghs_import_started' );
132		}
133
134	View Code Duplication	if ( $message = get_option( '_wpghs_import_error' ) ) { ?>
		0 ignored issues – show Duplication introduced 2016-01-18 01:42 UTC by Report Bug Copy Issue Report Show Similar Issues like this This code seems to be duplicated across your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
135		<div class="error">
136		<p><?php esc_html_e( 'Import from GitHub failed with error:', 'wp-github-sync' ); ?> <?php echo esc_html( $message );?></p>
137		</div><?php
138		delete_option( '_wpghs_import_error' );
139		}
140
141		if ( 'yes' === get_option( '_wpghs_import_complete' ) ) { ?>
142		<div class="updated">
143		<p><?php esc_html_e( 'Import from GitHub completed successfully.', 'wp-github-sync' );?></p>
144		</div><?php
145		delete_option( '_wpghs_import_complete' );
146		}
147		}
148
149		/**
150		* Add options menu to admin navbar
151		*/
152		public function add_admin_menu() {
153		add_options_page(
154		__( 'WordPress <--> GitHub Sync', 'wp-github-sync' ),
155		__( 'GitHub Sync', 'wp-github-sync' ),
156		'manage_options',
157		WordPress_GitHub_Sync::$text_domain,
158		array( $this, 'settings_page' )
159		);
160		}
161
162		/**
163		* Admin callback to trigger import/export because WordPress admin routing lol
164		*/
165		public function trigger_cron() {
166		if ( ! current_user_can( 'manage_options' ) ) {
167		return;
168		}
169
170		if ( get_current_screen()->id !== 'settings_page_' . WordPress_GitHub_Sync::$text_domain ) {
		0 ignored issues – show introduced 2015-11-21 17:00 UTC by Report Bug Copy Issue Report Show Similar Issues like this Found "!== '". Use Yoda Condition checks, you must Loading history...
171		return;
172		}
173
174		if ( ! isset( $_GET['action'] ) ) {
		0 ignored issues – show introduced 2015-11-21 17:00 UTC by Report Bug Copy Issue Report Show Similar Issues like this Detected access of super global var $_GET, probably need manual inspection. Loading history...
175		return;
176		}
177
178		if ( 'export' === $_GET['action'] ) {
		0 ignored issues – show introduced 2015-11-21 17:00 UTC by Report Bug Copy Issue Report Show Similar Issues like this Detected access of super global var $_GET, probably need manual inspection. Loading history... introduced 2015-11-21 17:00 UTC by Report Bug Copy Issue Report Show Similar Issues like this Detected usage of a non-sanitized input variable: $_GET Loading history...
179		WordPress_GitHub_Sync::$instance->start_export();
180		}
181
182		if ( 'import' === $_GET['action'] ) {
		0 ignored issues – show introduced 2015-11-21 17:00 UTC by Report Bug Copy Issue Report Show Similar Issues like this Detected access of super global var $_GET, probably need manual inspection. Loading history... introduced 2015-11-21 17:00 UTC by Report Bug Copy Issue Report Show Similar Issues like this Detected usage of a non-sanitized input variable: $_GET Loading history...
183		WordPress_GitHub_Sync::$instance->start_import();
184		}
185
186		wp_redirect( admin_url( 'options-general.php?page=wp-github-sync' ) );
187		die;
188		}
189		}
190

mAAdhaTTah / wordpress-github-sync

Issues (64)

Security Analysis not enabled

lib/admin.php (9 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like