Issues in Package.php (master) - Issues in master - netresearch/kite - Measure and Improve Code Quality continuously with Scrutinizer

Issues (120)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Service/Composer/Package.php (1 issue)

Labels

Severity

Minor 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * See class comment
 *
 * PHP Version 5
 *
 * @category Netresearch
 * @package  Netresearch\Kite\Service\Composer
 * @author   Christian Opitz <[email protected]>
 * @license  http://www.netresearch.de Netresearch Copyright
 * @link     http://www.netresearch.de
 */

namespace Netresearch\Kite\Service\Composer;
use Netresearch\Kite\Exception;
use Netresearch\Kite\Service\Composer;

/**
 * Class Package
 *
 * // Composer properties, not necessarily present:
 *
 * @property string      $name      Package name
 * @property string      $version   Package version
 * @property object      $source    Information about the source
 *                                  (may have f.i. "reference")
 *
 * // Additional properties
 *
 * @property string      $path      Package path
 * @property bool        $isRoot    Whether package is root (project)
 * @property array       $requires  The packages from $require as array
 * @property bool        $git       Whether installed package is a get repository
 * @property array       $branches  Git branches (including remote branches)
 * @property array       $upstreams Upstream branches (values) for local branches (keys)
 * @property string|null $branch    The currently checked out branch, if any
 * @property string|null $tag       The currently checked out tag, if any
 * @property string|null $remote    The remote url (no multiple urls supported)
 *
 *
 * @category Netresearch
 * @package  Netresearch\Kite\Service\Composer
 * @author   Christian Opitz <[email protected]>
 * @license  http://www.netresearch.de Netresearch Copyright
 * @link     http://www.netresearch.de
 */
class Package
{
    /**
     * @var Composer
     */
    protected $composer;

    /**
     * @var bool
     */
    protected static $forEachRefHeadSupported = true;

    /**
     * Package constructor.
     *
     * @param Composer      $composer     The parent object
     * @param string|object $composerJson The composer json
     * @param bool          $isRoot       Whether package is root
     */
    public function __construct(Composer $composer, $composerJson, $isRoot = false)
    {
        $this->composer = $composer;

        if (is_string($composerJson)) {
            $path = realpath($composerJson);
            if (!$path) {
                throw new Exception('Could not find ' . $composerJson);
            }
            $this->path = dirname($path);
            $composerJson = json_decode(file_get_contents($path));
            if (!is_object($composerJson)) {
                throw new Exception('Could not load ' . $path);
            }
        }
        foreach (get_object_vars($composerJson) as $key => $value) {
            $this->$key = $value;
        }

        $this->isRoot = $isRoot;
    }

    /**
     * Load lazy properties
     *
     * @param string $name The property name
     *
     * @return mixed
     */
    public function __get($name)
    {
        switch ($name) {
        case 'git':
            $gitDir = $this->path . '/.git';
            $this->git = file_exists($gitDir) && is_dir($gitDir);
            break;
        case 'branches':
        case 'upstreams':
        case 'branch':
            $this->loadGitInformation();
            break;
        case 'tag':
            $this->loadTag();
            break;
        case 'remote':
            $this->loadRemote();
            break;
        case 'requires':
            $this->loadRequires();
            break;
        default:
            throw new Exception('Invalid property ' . $name);

        }
        return $this->$name;
    }

    /**
     * Mark lazy properties as present
     *
     * @param string $name The name
     *
     * @return bool
     */
    public function __isset($name)
    {
        return in_array($name, ['branches', 'upstreams', 'branch', 'tag', 'git', 'remote', 'requires'], true);
    }

    /**
     * Load the requires - removes inline aliases
     *
     * @return void
     */
    protected function loadRequires()
    {
        $this->requires = isset($this->require) ? get_object_vars($this->require) : array();
        foreach ($this->requires as $package => $constraint) {
            if ($pos = strpos($constraint, ' as ')) {
                if ($hashPos = strpos($constraint, '#')) {
                    // dev-master#old-hash isn't treated by composer, so we don't as well
                    $pos = $hashPos;
                }
                $this->requires[$package] = substr($constraint, 0, $pos);
            }
        }
    }

    /**
     * Reload requires from composer.json
     *
     * @return $this
     */
    public function reloadRequires()
    {
        $file = $this->path . '/composer.json';
        if (file_exists($file)) {
            $composerJson = json_decode(file_get_contents($file));
            unset($this->require);
            if (isset($composerJson->require)) {
                $this->require = $composerJson->require;
            }
            $this->loadRequires();
        }
        return $this;
    }

    /**
     * Get the remote
     *
     * @return void
     */
    protected function loadRemote()
    {
        $this->remote = null;
        if ($this->git) {
            $remote = null;
            $remotesString = $this->composer->git('remote', $this->path, ['verbose' => true]);
            $lines = explode("\n", trim($remotesString));
            foreach ($lines as $line) {
                preg_match('/^([^\s]+)\s+(.+) \((fetch|push)\)$/', $line, $match);
                array_shift($match);
                list($name, $url) = $match;
<?php

function returnThreeValues() {
    return array('a', 'b', 'c');
}

list($a, $b, $c) = returnThreeValues();

print $a . " - " . $c;
                if ($remote && $remote !== $url) {
                    $this->composer->output("<warning>Can not handle multiple remote urls - using $remote</warning>");
                    break;
                } else {
                    $remote = $url;
                }
            }
            $this->remote = $remote;
        }
    }

    /**
     * Load 'branches', 'upstreams', 'branch', 'tag', 'git'
     *
     * @throws Exception\ProcessFailedException
     *
     * @return void
     */
    protected function loadGitInformation()
    {
        $this->branches = array();
        $this->upstreams = array();
        $this->branch = null;
        if ($this->git) {
            $this->composer->git('fetch', $this->path, array('p' => true, 'origin'));
            try {
                $format = (self::$forEachRefHeadSupported ? '%(HEAD)' : '') . '|%(refname:short)|%(upstream:short)';
                $gitBr = $this->composer->git('for-each-ref', $this->path, ['format' => $format, 'refs/heads/', 'refs/remotes/origin']);
            } catch (Exception\ProcessFailedException $e) {
                if (trim($e->getProcess()->getErrorOutput()) === 'fatal: unknown field name: HEAD') {
                    self::$forEachRefHeadSupported = false;
                    $this->loadGitInformation();
                    return;
                } else {
                    throw $e;
                }
            }
            if (!self::$forEachRefHeadSupported) {
                $this->branch = $this->composer->git('rev-parse', $this->path, ['abbrev-ref' => true, 'HEAD']) ?: null;
                if ($this->branch === 'HEAD') {
                    $this->branch = null;
                }
            }
            foreach (explode("\n", trim($gitBr)) as $line) {
                list($head, $branch, $upstream) = explode('|', $line);
                if ($branch === 'origin/HEAD') {
                    continue;
                }
                $this->branches[] = $branch;
                if ($head === '*') {
                    $this->branch = $branch;
                }
                if ($upstream) {
                    $this->upstreams[$branch] = $upstream;
                }
            }
        }
    }

    /**
     * Load the currently checked out tag
     *
     * @return void
     */
    protected function loadTag()
    {
        try {
            $this->tag = trim($this->composer->git('describe', $this->path, array('exact-match' => true, 'tags' => true)));
        } catch (Exception\ProcessFailedException $e) {
            $this->tag =  null;
        }
    }
}

?>


GitHub Access Token became invalid

Issues (120)

Security Analysis no request data

src/Service/Composer/Package.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

1			<?php
2			/**
3			* See class comment
4			*
5			* PHP Version 5
6			*
7			* @category Netresearch
8			* @package Netresearch\Kite\Service\Composer
9			* @author Christian Opitz <[email protected]>
10			* @license http://www.netresearch.de Netresearch Copyright
11			* @link http://www.netresearch.de
12			*/
13
14			namespace Netresearch\Kite\Service\Composer;
15			use Netresearch\Kite\Exception;
16			use Netresearch\Kite\Service\Composer;
17
18			/**
19			* Class Package
20			*
21			* // Composer properties, not necessarily present:
22			*
23			* @property string $name Package name
24			* @property string $version Package version
25			* @property object $source Information about the source
26			* (may have f.i. "reference")
27			*
28			* // Additional properties
29			*
30			* @property string $path Package path
31			* @property bool $isRoot Whether package is root (project)
32			* @property array $requires The packages from $require as array
33			* @property bool $git Whether installed package is a get repository
34			* @property array $branches Git branches (including remote branches)
35			* @property array $upstreams Upstream branches (values) for local branches (keys)
36			* @property string\|null $branch The currently checked out branch, if any
37			* @property string\|null $tag The currently checked out tag, if any
38			* @property string\|null $remote The remote url (no multiple urls supported)
39			*
40			*
41			* @category Netresearch
42			* @package Netresearch\Kite\Service\Composer
43			* @author Christian Opitz <[email protected]>
44			* @license http://www.netresearch.de Netresearch Copyright
45			* @link http://www.netresearch.de
46			*/
47			class Package
48			{
49			/**
50			* @var Composer
51			*/
52			protected $composer;
53
54			/**
55			* @var bool
56			*/
57			protected static $forEachRefHeadSupported = true;
58
59			/**
60			* Package constructor.
61			*
62			* @param Composer $composer The parent object
63			* @param string\|object $composerJson The composer json
64			* @param bool $isRoot Whether package is root
65			*/
66			public function __construct(Composer $composer, $composerJson, $isRoot = false)
67			{
68			$this->composer = $composer;
69
70			if (is_string($composerJson)) {
71			$path = realpath($composerJson);
72			if (!$path) {
73			throw new Exception('Could not find ' . $composerJson);
74			}
75			$this->path = dirname($path);
76			$composerJson = json_decode(file_get_contents($path));
77			if (!is_object($composerJson)) {
78			throw new Exception('Could not load ' . $path);
79			}
80			}
81			foreach (get_object_vars($composerJson) as $key => $value) {
82			$this->$key = $value;
83			}
84
85			$this->isRoot = $isRoot;
86			}
87
88			/**
89			* Load lazy properties
90			*
91			* @param string $name The property name
92			*
93			* @return mixed
94			*/
95			public function __get($name)
96			{
97			switch ($name) {
98			case 'git':
99			$gitDir = $this->path . '/.git';
100			$this->git = file_exists($gitDir) && is_dir($gitDir);
101			break;
102			case 'branches':
103			case 'upstreams':
104			case 'branch':
105			$this->loadGitInformation();
106			break;
107			case 'tag':
108			$this->loadTag();
109			break;
110			case 'remote':
111			$this->loadRemote();
112			break;
113			case 'requires':
114			$this->loadRequires();
115			break;
116			default:
117			throw new Exception('Invalid property ' . $name);
118
119			}
120			return $this->$name;
121			}
122
123			/**
124			* Mark lazy properties as present
125			*
126			* @param string $name The name
127			*
128			* @return bool
129			*/
130			public function __isset($name)
131			{
132			return in_array($name, ['branches', 'upstreams', 'branch', 'tag', 'git', 'remote', 'requires'], true);
133			}
134
135			/**
136			* Load the requires - removes inline aliases
137			*
138			* @return void
139			*/
140			protected function loadRequires()
141			{
142			$this->requires = isset($this->require) ? get_object_vars($this->require) : array();
143			foreach ($this->requires as $package => $constraint) {
144			if ($pos = strpos($constraint, ' as ')) {
145			if ($hashPos = strpos($constraint, '#')) {
146			// dev-master#old-hash isn't treated by composer, so we don't as well
147			$pos = $hashPos;
148			}
149			$this->requires[$package] = substr($constraint, 0, $pos);
150			}
151			}
152			}
153
154			/**
155			* Reload requires from composer.json
156			*
157			* @return $this
158			*/
159			public function reloadRequires()
160			{
161			$file = $this->path . '/composer.json';
162			if (file_exists($file)) {
163			$composerJson = json_decode(file_get_contents($file));
164			unset($this->require);
165			if (isset($composerJson->require)) {
166			$this->require = $composerJson->require;
167			}
168			$this->loadRequires();
169			}
170			return $this;
171			}
172
173			/**
174			* Get the remote
175			*
176			* @return void
177			*/
178			protected function loadRemote()
179			{
180			$this->remote = null;
181			if ($this->git) {
182			$remote = null;
183			$remotesString = $this->composer->git('remote', $this->path, ['verbose' => true]);
184			$lines = explode("\n", trim($remotesString));
185			foreach ($lines as $line) {
186			preg_match('/^([^\s]+)\s+(.+) \((fetch\|push)\)$/', $line, $match);
187			array_shift($match);
188			list($name, $url) = $match;
			0 ignored issues – show Unused Code introduced 2016-03-18 14:36 UTC by Report Bug Copy Issue Report Show Similar Issues like this The assignment to `$name` is unused. Consider omitting it like so `list($first,,$third)`. This checks looks for assignemnts to variables using the `list(...)` function, where not all assigned variables are subsequently used. Consider the following code example. <?php function returnThreeValues() { return array('a', 'b', 'c'); } list($a, $b, $c) = returnThreeValues(); print $a . " - " . $c; Only the variables `$a` and `$c` are used. There was no need to assign `$b`. Instead, the list call could have been. list($a,, $c) = returnThreeValues(); Loading history...
189			if ($remote && $remote !== $url) {
190			$this->composer->output("<warning>Can not handle multiple remote urls - using $remote</warning>");
191			break;
192			} else {
193			$remote = $url;
194			}
195			}
196			$this->remote = $remote;
197			}
198			}
199
200			/**
201			* Load 'branches', 'upstreams', 'branch', 'tag', 'git'
202			*
203			* @throws Exception\ProcessFailedException
204			*
205			* @return void
206			*/
207			protected function loadGitInformation()
208			{
209			$this->branches = array();
210			$this->upstreams = array();
211			$this->branch = null;
212			if ($this->git) {
213			$this->composer->git('fetch', $this->path, array('p' => true, 'origin'));
214			try {
215			$format = (self::$forEachRefHeadSupported ? '%(HEAD)' : '') . '\|%(refname:short)\|%(upstream:short)';
216			$gitBr = $this->composer->git('for-each-ref', $this->path, ['format' => $format, 'refs/heads/', 'refs/remotes/origin']);
217			} catch (Exception\ProcessFailedException $e) {
218			if (trim($e->getProcess()->getErrorOutput()) === 'fatal: unknown field name: HEAD') {
219			self::$forEachRefHeadSupported = false;
220			$this->loadGitInformation();
221			return;
222			} else {
223			throw $e;
224			}
225			}
226			if (!self::$forEachRefHeadSupported) {
227			$this->branch = $this->composer->git('rev-parse', $this->path, ['abbrev-ref' => true, 'HEAD']) ?: null;
228			if ($this->branch === 'HEAD') {
229			$this->branch = null;
230			}
231			}
232			foreach (explode("\n", trim($gitBr)) as $line) {
233			list($head, $branch, $upstream) = explode('\|', $line);
234			if ($branch === 'origin/HEAD') {
235			continue;
236			}
237			$this->branches[] = $branch;
238			if ($head === '*') {
239			$this->branch = $branch;
240			}
241			if ($upstream) {
242			$this->upstreams[$branch] = $upstream;
243			}
244			}
245			}
246			}
247
248			/**
249			* Load the currently checked out tag
250			*
251			* @return void
252			*/
253			protected function loadTag()
254			{
255			try {
256			$this->tag = trim($this->composer->git('describe', $this->path, array('exact-match' => true, 'tags' => true)));
257			} catch (Exception\ProcessFailedException $e) {
258			$this->tag = null;
259			}
260			}
261			}
262
263			?>
264

netresearch / kite

GitHub Access Token became invalid

Issues (120)

Security Analysis no request data

src/Service/Composer/Package.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like