Issues in InputModel.php (master) - Issues in master - mindplay-dk/kissform - Measure and Improve Code Quality continuously with Scrutinizer

Issues (41)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/InputModel.php (1 issue)

Labels

Documentation 1

Severity

Informational 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace mindplay\kissform;

use mindplay\kissform\Facets\FieldInterface;

/**
 * This model represents form state: input values and errors.
 */
class InputModel
{
    /**
     * @var array form input (maps of strings, possibly nested)
     */
    public $input;

    /**
     * @var string[] map where field name => error message
     */
    protected $errors;

    /**
     * @var bool true, if any validation has been performed
     */
    protected $validated = false;

    /**
     * @param array    $input  map where field name => input value(s)
     * @param string[] $errors map where field name => error message
     */
    public function __construct(array $input, array $errors)
    {
        $this->input = $input;
        $this->errors = $errors;
    }

    /**
     * @param InputModel|array|null $input  map where field name => input value(s)
     * @param string[]              $errors map where field name => error message

     *
     * @return self
     */
    public static function create($input = null, $errors = null)
    {
        if ($input instanceof self) {
            return $input; // InputModel instance given
        }

        return new self($input ?: [], $errors ?: []);
    }

    /**
     * @param FieldInterface|string $field
     *
     * @return string|array|null value (or NULL, if no value exists in $input)
     */
    public function getInput($field)
    {
        $name = $field instanceof FieldInterface
            ? $field->getName()
            : (string) $field;

        if (!isset($this->input[$name]) || $this->input[$name] === '') {
            return null;
        }

        if (is_scalar($this->input[$name])) {
            return (string) $this->input[$name];
        }

        return $this->input[$name];
    }

    /**
     * @param FieldInterface|string $field
     * @param string|array|null     $value
     *
     * @return void
     */
    public function setInput($field, $value)
    {
        $name = $field instanceof FieldInterface
            ? $field->getName()
            : (string) $field;

        if ($value === null || $value === '' || $value === []) {
            unset($this->input[$name]);
        } else {
            $this->input[$name] = is_array($value)
                ? $value
                : (string) $value;
        }
    }

    /**
     * Get all accummulated error-messages, indexed by Field-name.
     *
     * @return string[] map where field-name => error message
     */
    public function getErrors()
    {
        return $this->errors;
    }

    /**
     * Get the error message for a given Field.
     *
     * @param FieldInterface|string $field
     *
     * @return string|string[]|null error-message (or NULL, if the given Field has no error)
     */
    public function getError($field)
    {
        return @$this->errors[$field instanceof FieldInterface ? $field->getName() : (string) $field];
    }

    /**
     * Set an error message for a given Field, if one is not already set for that
     * Field - we only care about the first error message for each Field, so add
     * error messages in order of importance.
     *
     * @param FieldInterface|string $field the field for which to set an error-message
     * @param string                $error error message
     *
     * @return void
     */
    public function setError($field, $error)
    {
        $name = $field instanceof FieldInterface
            ? $field->getName()
            : (string) $field;

        if (! isset($this->errors[$name])) {
            $this->errors[$name] = $error;
        }
    }

    /**
     * @param FieldInterface|string $field
     *
     * @return bool true, if the given Field has an error message
     *
     * @see $errors
     */
    public function hasError($field)
    {
        return isset($this->errors[$field instanceof FieldInterface ? $field->getName() : (string) $field]);
    }

    /**
     * Clear the current error message for a given Field
     *
     * @param FieldInterface|string $field Field to clear error message for
     *
     * @return void
     */
    public function clearError($field)
    {
        unset($this->errors[$field instanceof FieldInterface ? $field->getName(): (string) $field]);
    }

    /**
     * Check the model for errors - this does not take into account whether the
     * form has been validated or not.
     *
     * @return bool true, if the form contains any error(s)
     *
     * @see isValid()
     */
    public function hasErrors()
    {
        return count($this->errors) !== 0;
    }

    /**
     * Check if the model has been validated and contains no errors.
     *
     * @return bool true, if the form has been validated and contains no errors.
     *
     * @see hasErrors()
     */
    public function isValid()
    {
        return $this->validated && ! $this->hasErrors();
    }

    /**
     * Clears any accumulated error messages and marks the model as either
     * non-validated (default) or validated.
     *
     * @param bool $validated true, if the model has been validated
     *
     * @return void
     */
    public function clearErrors($validated = false)
    {
        $this->errors = [];

        $this->validated = $validated;
    }
}


1		<?php
2
3		namespace mindplay\kissform;
4
5		use mindplay\kissform\Facets\FieldInterface;
6
7		/**
8		* This model represents form state: input values and errors.
9		*/
10		class InputModel
11		{
12		/**
13		* @var array form input (maps of strings, possibly nested)
14		*/
15		public $input;
16
17		/**
18		* @var string[] map where field name => error message
19		*/
20		protected $errors;
21
22		/**
23		* @var bool true, if any validation has been performed
24		*/
25		protected $validated = false;
26
27		/**
28		* @param array $input map where field name => input value(s)
29		* @param string[] $errors map where field name => error message
30		*/
31	48	public function __construct(array $input, array $errors)
32		{
33	48	$this->input = $input;
34	48	$this->errors = $errors;
35	48	}
36
37		/**
38		* @param InputModel\|array\|null $input map where field name => input value(s)
39		* @param string[] $errors map where field name => error message
		0 ignored issues – show Documentation introduced 2016-04-15 12:37 UTC by Report Bug Copy Issue Report Show Similar Issues like this Should the type for parameter `$errors` not be `string[]\|null`? This check looks for `@param` annotations where the type inferred by our type inference engine differs from the declared type. It makes a suggestion as to what type it considers more descriptive. Most often this is a case of a parameter that can be null in addition to its declared types. Loading history...
40		*
41		* @return self
42		*/
43	48	public static function create($input = null, $errors = null)
44		{
45	48	if ($input instanceof self) {
46	18	return $input; // InputModel instance given
47		}
48
49	48	return new self($input ?: [], $errors ?: []);
50		}
51
52		/**
53		* @param FieldInterface\|string $field
54		*
55		* @return string\|array\|null value (or NULL, if no value exists in $input)
56		*/
57	40	public function getInput($field)
58		{
59	40	$name = $field instanceof FieldInterface
60	40	? $field->getName()
61	40	: (string) $field;
62
63	40	if (!isset($this->input[$name]) \|\| $this->input[$name] === '') {
64	28	return null;
65		}
66
67	34	if (is_scalar($this->input[$name])) {
68	34	return (string) $this->input[$name];
69		}
70
71	1	return $this->input[$name];
72		}
73
74		/**
75		* @param FieldInterface\|string $field
76		* @param string\|array\|null $value
77		*
78		* @return void
79		*/
80	15	public function setInput($field, $value)
81		{
82	15	$name = $field instanceof FieldInterface
83	15	? $field->getName()
84	15	: (string) $field;
85
86	15	if ($value === null \|\| $value === '' \|\| $value === []) {
87	5	unset($this->input[$name]);
88		} else {
89	15	$this->input[$name] = is_array($value)
90	1	? $value
91	14	: (string) $value;
92		}
93	15	}
94
95		/**
96		* Get all accummulated error-messages, indexed by Field-name.
97		*
98		* @return string[] map where field-name => error message
99		*/
100	3	public function getErrors()
101		{
102	3	return $this->errors;
103		}
104
105		/**
106		* Get the error message for a given Field.
107		*
108		* @param FieldInterface\|string $field
109		*
110		* @return string\|string[]\|null error-message (or NULL, if the given Field has no error)
111		*/
112	19	public function getError($field)
113		{
114	19	return @$this->errors[$field instanceof FieldInterface ? $field->getName() : (string) $field];
115		}
116
117		/**
118		* Set an error message for a given Field, if one is not already set for that
119		* Field - we only care about the first error message for each Field, so add
120		* error messages in order of importance.
121		*
122		* @param FieldInterface\|string $field the field for which to set an error-message
123		* @param string $error error message
124		*
125		* @return void
126		*/
127	24	public function setError($field, $error)
128		{
129	24	$name = $field instanceof FieldInterface
130	24	? $field->getName()
131	24	: (string) $field;
132
133	24	if (! isset($this->errors[$name])) {
134	24	$this->errors[$name] = $error;
135		}
136	24	}
137
138		/**
139		* @param FieldInterface\|string $field
140		*
141		* @return bool true, if the given Field has an error message
142		*
143		* @see $errors
144		*/
145	21	public function hasError($field)
146		{
147	21	return isset($this->errors[$field instanceof FieldInterface ? $field->getName() : (string) $field]);
148		}
149
150		/**
151		* Clear the current error message for a given Field
152		*
153		* @param FieldInterface\|string $field Field to clear error message for
154		*
155		* @return void
156		*/
157	2	public function clearError($field)
158		{
159	2	unset($this->errors[$field instanceof FieldInterface ? $field->getName(): (string) $field]);
160	2	}
161
162		/**
163		* Check the model for errors - this does not take into account whether the
164		* form has been validated or not.
165		*
166		* @return bool true, if the form contains any error(s)
167		*
168		* @see isValid()
169		*/
170	6	public function hasErrors()
171		{
172	6	return count($this->errors) !== 0;
173		}
174
175		/**
176		* Check if the model has been validated and contains no errors.
177		*
178		* @return bool true, if the form has been validated and contains no errors.
179		*
180		* @see hasErrors()
181		*/
182	3	public function isValid()
183		{
184	3	return $this->validated && ! $this->hasErrors();
185		}
186
187		/**
188		* Clears any accumulated error messages and marks the model as either
189		* non-validated (default) or validated.
190		*
191		* @param bool $validated true, if the model has been validated
192		*
193		* @return void
194		*/
195	20	public function clearErrors($validated = false)
196		{
197	20	$this->errors = [];
198
199	20	$this->validated = $validated;
200	20	}
201		}
202

mindplay-dk / kissform

Issues (41)

Security Analysis no request data

src/InputModel.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like