Issues in MainCommand.php (master) - Issues in master - matteosister/GitElephant - Measure and Improve Code Quality continuously with Scrutinizer

Issues (106)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/GitElephant/Command/MainCommand.php (1 issue)

Labels

Bug 1

Severity

Major 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

/**
 * GitElephant - An abstraction layer for git written in PHP
 * Copyright (C) 2013  Matteo Giachino
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see [http://www.gnu.org/licenses/].
 */

namespace GitElephant\Command;

use GitElephant\Objects\Author;
use GitElephant\Objects\Branch;
use GitElephant\Objects\TreeishInterface;
use GitElephant\Repository;

/**
 * Main command generator (init, status, add, commit, checkout)
 *
 * @author Matteo Giachino <[email protected]>
 */
class MainCommand extends BaseCommand
{
    public const GIT_INIT = 'init';
    public const GIT_STATUS = 'status';
    public const GIT_ADD = 'add';
    public const GIT_COMMIT = 'commit';
    public const GIT_CHECKOUT = 'checkout';
    public const GIT_MOVE = 'mv';
    public const GIT_REMOVE = 'rm';
    public const GIT_RESET = 'reset';

    /**
     * constructor
     *
     * @param \GitElephant\Repository $repo The repository object this command
     *                                      will interact with
     */
    public function __construct(Repository $repo = null)
    {
        parent::__construct($repo);
    }

    /**
     * Init the repository
     *
     * @param bool $bare
     *
     * @throws \RuntimeException
     * @return string
     */
    public function init($bare = false): string
    {
        $this->clearAll();
        if ($bare) {
            $this->addCommandArgument('--bare');
        }
        $this->addCommandName(self::GIT_INIT);

        return $this->getCommand();
    }

    /**
     * Get the repository status
     *
     * @param bool $porcelain
     *
     * @throws \RuntimeException
     * @return string
     */
    public function status($porcelain = false): string
    {
        $this->clearAll();
        $this->addCommandName(self::GIT_STATUS);
        if ($porcelain) {
            $this->addCommandArgument('--porcelain');
        } else {
            $this->addConfigs(['color.status' => 'false']);
        }

        return $this->getCommand();
    }

    /**
     * Add a node to the stage
     *
     * @param string $what what should be added to the repository
     *
     * @throws \RuntimeException
     * @return string
     */
    public function add($what = '.'): string
    {
        $this->clearAll();
        $this->addCommandName(self::GIT_ADD);
        $this->addCommandArgument('--all');
        $this->addCommandSubject($what);

        return $this->getCommand();
    }

    /**
     * Remove a node from the stage and put in the working tree
     *
     * @param string $what what should be removed from the stage
     *
     * @throws \RuntimeException
     * @return string
     */
    public function unstage($what): string
    {
        $this->clearAll();
        $this->addCommandName(self::GIT_RESET);
        $this->addCommandArgument('HEAD');
        $this->addPath($what);

        return $this->getCommand();
    }

    /**
     * Commit
     *
     * @param string|null             $message the commit message
     * @param bool                    $stageAll commit all changes
     * @param string|Author           $author override the author for this commit
     * @param bool                    $allowEmpty whether to add param `--allow-empty` to commit command
     * @param \DateTimeInterface|null $date
     *
     * @throws \RuntimeException
     * @throws \InvalidArgumentException
     * @return string
     */
    public function commit(
        ?string $message,
        bool $stageAll = false,
        $author = null,
        bool $allowEmpty = false,
        \DateTimeInterface $date = null
    ): string {
        $this->clearAll();

        if (trim($message) === '' || is_null($message)) {
            throw new \InvalidArgumentException(sprintf('You can\'t commit without message'));
        }
        $this->addCommandName(self::GIT_COMMIT);

        if ($stageAll) {
            $this->addCommandArgument('-a');
        }

        if ($author !== null) {
            $this->addCommandArgument('--author');
            $this->addCommandArgument($author);

        }

        if ($allowEmpty) {
            $this->addCommandArgument('--allow-empty');
        }
        
        if (null !== $date) {
            $this->addCommandArgument('--date');
            $this->addCommandArgument($date->format(\DateTimeInterface::RFC822));
        }

        $this->addCommandArgument('-m');
        $this->addCommandSubject($message);

        return $this->getCommand();
    }

    /**
     * Checkout a treeish reference
     *
     * @param string|Branch|TreeishInterface $ref the reference to checkout
     *
     * @throws \RuntimeException
     * @return string
     */
    public function checkout($ref): string
    {
        $this->clearAll();

        $what = $ref;
        if ($ref instanceof Branch) {
            $what = $ref->getName();
        } elseif ($ref instanceof TreeishInterface) {
            $what = $ref->getSha();
        }

        $this->addCommandName(self::GIT_CHECKOUT);
        $this->addCommandArgument('-q');
        $this->addCommandSubject($what);

        return $this->getCommand();
    }

    /**
     * Move a file/directory
     *
     * @param string|Object $from source path
     * @param string|Object $to   destination path
     *
     * @throws \RuntimeException
     * @throws \InvalidArgumentException
     * @return string
     */
    public function move($from, $to): string
    {
        $this->clearAll();

        $from = trim($from);
        if (!$this->validatePath($from)) {
            throw new \InvalidArgumentException('Invalid source path');
        }

        $to = trim($to);
        if (!$this->validatePath($to)) {
            throw new \InvalidArgumentException('Invalid destination path');
        }

        $this->addCommandName(self::GIT_MOVE);
        $this->addCommandSubject($from);
        $this->addCommandSubject2($to);

        return $this->getCommand();
    }

    /**
     * Remove a file/directory
     *
     * @param string|Object $path      the path to remove
     * @param bool          $recursive recurse
     * @param bool          $force     force
     *
     * @throws \RuntimeException
     * @throws \InvalidArgumentException
     * @return string
     */
    public function remove($path, $recursive, $force): string
    {
        $this->clearAll();

        $path = trim($path);
        if (!$this->validatePath($path)) {
            throw new \InvalidArgumentException('Invalid path');
        }

        $this->addCommandName(self::GIT_REMOVE);

        if ($recursive) {
            $this->addCommandArgument('-r');
        }

        if ($force) {
            $this->addCommandArgument('-f');
        }

        $this->addPath($path);

        return $this->getCommand();
    }

    /**
     * Validates a path
     *
     * @param string $path path
     *
     * @return bool
     */
    protected function validatePath($path): bool
    {
        if (empty($path)) {
            return false;
        }

        // we are always operating from root directory
        // so forbid relative paths
        if (false !== strpos($path, '..')) {
            return false;
        }

        return true;
    }
}


1		<?php
2
3		/**
4		* GitElephant - An abstraction layer for git written in PHP
5		* Copyright (C) 2013 Matteo Giachino
6		*
7		* This program is free software: you can redistribute it and/or modify
8		* it under the terms of the GNU General Public License as published by
9		* the Free Software Foundation, either version 3 of the License, or
10		* (at your option) any later version.
11		*
12		* This program is distributed in the hope that it will be useful,
13		* but WITHOUT ANY WARRANTY; without even the implied warranty of
14		* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15		* GNU General Public License for more details.
16		*
17		* You should have received a copy of the GNU General Public License
18		* along with this program. If not, see [http://www.gnu.org/licenses/].
19		*/
20
21		namespace GitElephant\Command;
22
23		use GitElephant\Objects\Author;
24		use GitElephant\Objects\Branch;
25		use GitElephant\Objects\TreeishInterface;
26		use GitElephant\Repository;
27
28		/**
29		* Main command generator (init, status, add, commit, checkout)
30		*
31		* @author Matteo Giachino <[email protected]>
32		*/
33		class MainCommand extends BaseCommand
34		{
35		public const GIT_INIT = 'init';
36		public const GIT_STATUS = 'status';
37		public const GIT_ADD = 'add';
38		public const GIT_COMMIT = 'commit';
39		public const GIT_CHECKOUT = 'checkout';
40		public const GIT_MOVE = 'mv';
41		public const GIT_REMOVE = 'rm';
42		public const GIT_RESET = 'reset';
43
44		/**
45		* constructor
46		*
47		* @param \GitElephant\Repository $repo The repository object this command
48		* will interact with
49		*/
50	105	public function __construct(Repository $repo = null)
51		{
52	105	parent::__construct($repo);
53	105	}
54
55		/**
56		* Init the repository
57		*
58		* @param bool $bare
59		*
60		* @throws \RuntimeException
61		* @return string
62		*/
63	100	public function init($bare = false): string
64		{
65	100	$this->clearAll();
66	100	if ($bare) {
67	5	$this->addCommandArgument('--bare');
68		}
69	100	$this->addCommandName(self::GIT_INIT);
70
71	100	return $this->getCommand();
72		}
73
74		/**
75		* Get the repository status
76		*
77		* @param bool $porcelain
78		*
79		* @throws \RuntimeException
80		* @return string
81		*/
82	13	public function status($porcelain = false): string
83		{
84	13	$this->clearAll();
85	13	$this->addCommandName(self::GIT_STATUS);
86	13	if ($porcelain) {
87	10	$this->addCommandArgument('--porcelain');
88		} else {
89	3	$this->addConfigs(['color.status' => 'false']);
90		}
91
92	13	return $this->getCommand();
93		}
94
95		/**
96		* Add a node to the stage
97		*
98		* @param string $what what should be added to the repository
99		*
100		* @throws \RuntimeException
101		* @return string
102		*/
103	95	public function add($what = '.'): string
104		{
105	95	$this->clearAll();
106	95	$this->addCommandName(self::GIT_ADD);
107	95	$this->addCommandArgument('--all');
108	95	$this->addCommandSubject($what);
109
110	95	return $this->getCommand();
111		}
112
113		/**
114		* Remove a node from the stage and put in the working tree
115		*
116		* @param string $what what should be removed from the stage
117		*
118		* @throws \RuntimeException
119		* @return string
120		*/
121	2	public function unstage($what): string
122		{
123	2	$this->clearAll();
124	2	$this->addCommandName(self::GIT_RESET);
125	2	$this->addCommandArgument('HEAD');
126	2	$this->addPath($what);
127
128	2	return $this->getCommand();
129		}
130
131		/**
132		* Commit
133		*
134		* @param string\|null $message the commit message
135		* @param bool $stageAll commit all changes
136		* @param string\|Author $author override the author for this commit
137		* @param bool $allowEmpty whether to add param `--allow-empty` to commit command
138		* @param \DateTimeInterface\|null $date
139		*
140		* @throws \RuntimeException
141		* @throws \InvalidArgumentException
142		* @return string
143		*/
144	95	public function commit(
145		?string $message,
146		bool $stageAll = false,
147		$author = null,
148		bool $allowEmpty = false,
149		\DateTimeInterface $date = null
150		): string {
151	95	$this->clearAll();
152
153	95	if (trim($message) === '' \|\| is_null($message)) {
154		throw new \InvalidArgumentException(sprintf('You can\'t commit without message'));
155		}
156	95	$this->addCommandName(self::GIT_COMMIT);
157
158	95	if ($stageAll) {
159	89	$this->addCommandArgument('-a');
160		}
161
162	95	if ($author !== null) {
163	1	$this->addCommandArgument('--author');
164	1	$this->addCommandArgument($author);
		0 ignored issues – show Bug introduced 2016-03-02 13:00 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `$author` defined by parameter `$author` on line 147 can also be of type `object<GitElephant\Objects\Author>`; however, `GitElephant\Command\Base...d::addCommandArgument()` does only seem to accept `string`, maybe add an additional type check? This check looks at variables that have been passed in as parameters and are passed out again to other methods. If the outgoing method call has stricter type requirements than the method itself, an issue is raised. An additional type check may prevent trouble. Loading history...
165		}
166
167	95	if ($allowEmpty) {
168	1	$this->addCommandArgument('--allow-empty');
169		}
170
171	95	if (null !== $date) {
172		$this->addCommandArgument('--date');
173		$this->addCommandArgument($date->format(\DateTimeInterface::RFC822));
174		}
175
176	95	$this->addCommandArgument('-m');
177	95	$this->addCommandSubject($message);
178
179	95	return $this->getCommand();
180		}
181
182		/**
183		* Checkout a treeish reference
184		*
185		* @param string\|Branch\|TreeishInterface $ref the reference to checkout
186		*
187		* @throws \RuntimeException
188		* @return string
189		*/
190	23	public function checkout($ref): string
191		{
192	23	$this->clearAll();
193
194	23	$what = $ref;
195	23	if ($ref instanceof Branch) {
196	2	$what = $ref->getName();
197	22	} elseif ($ref instanceof TreeishInterface) {
198		$what = $ref->getSha();
199		}
200
201	23	$this->addCommandName(self::GIT_CHECKOUT);
202	23	$this->addCommandArgument('-q');
203	23	$this->addCommandSubject($what);
204
205	23	return $this->getCommand();
206		}
207
208		/**
209		* Move a file/directory
210		*
211		* @param string\|Object $from source path
212		* @param string\|Object $to destination path
213		*
214		* @throws \RuntimeException
215		* @throws \InvalidArgumentException
216		* @return string
217		*/
218	1	public function move($from, $to): string
219		{
220	1	$this->clearAll();
221
222	1	$from = trim($from);
223	1	if (!$this->validatePath($from)) {
224		throw new \InvalidArgumentException('Invalid source path');
225		}
226
227	1	$to = trim($to);
228	1	if (!$this->validatePath($to)) {
229		throw new \InvalidArgumentException('Invalid destination path');
230		}
231
232	1	$this->addCommandName(self::GIT_MOVE);
233	1	$this->addCommandSubject($from);
234	1	$this->addCommandSubject2($to);
235
236	1	return $this->getCommand();
237		}
238
239		/**
240		* Remove a file/directory
241		*
242		* @param string\|Object $path the path to remove
243		* @param bool $recursive recurse
244		* @param bool $force force
245		*
246		* @throws \RuntimeException
247		* @throws \InvalidArgumentException
248		* @return string
249		*/
250	1	public function remove($path, $recursive, $force): string
251		{
252	1	$this->clearAll();
253
254	1	$path = trim($path);
255	1	if (!$this->validatePath($path)) {
256		throw new \InvalidArgumentException('Invalid path');
257		}
258
259	1	$this->addCommandName(self::GIT_REMOVE);
260
261	1	if ($recursive) {
262		$this->addCommandArgument('-r');
263		}
264
265	1	if ($force) {
266		$this->addCommandArgument('-f');
267		}
268
269	1	$this->addPath($path);
270
271	1	return $this->getCommand();
272		}
273
274		/**
275		* Validates a path
276		*
277		* @param string $path path
278		*
279		* @return bool
280		*/
281	2	protected function validatePath($path): bool
282		{
283	2	if (empty($path)) {
284		return false;
285		}
286
287		// we are always operating from root directory
288		// so forbid relative paths
289	2	if (false !== strpos($path, '..')) {
290		return false;
291		}
292
293	2	return true;
294		}
295		}
296

matteosister / GitElephant

Issues (106)

Security Analysis no request data

src/GitElephant/Command/MainCommand.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like