Issues in settingscontroller.php (master) - Issues in master - nextcloud/calendar - Measure and Improve Code Quality continuously with Scrutinizer

Issues (51)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

controller/settingscontroller.php (6 issues)

Labels

Duplication 6

Severity

Informational 6

Georg Ehrke 6

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * Calendar App
 *
 * @author Georg Ehrke
 * @copyright 2016 Georg Ehrke <[email protected]>
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE
 * License as published by the Free Software Foundation; either
 * version 3 of the License, or any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU AFFERO GENERAL PUBLIC LICENSE for more details.
 *
 * You should have received a copy of the GNU Affero General Public
 * License along with this library.  If not, see <http://www.gnu.org/g/>.
 *
 */
namespace OCA\Calendar\Controller;

use OCP\AppFramework\Controller;
use OCP\AppFramework\Http\JSONResponse;
use OCP\AppFramework\Http;
use OCP\IConfig;
use OCP\IRequest;
use OCP\IUserSession;

class SettingsController extends Controller {

	/**
	 * @var IConfig
	 */
	private $config;

	/**
	 * @var IUserSession
	 */
	private $userSession;

	/**
	 * @var string
	 */
	private $userId;

	/**
	 * @param string $appName
	 * @param IRequest $request an instance of the request
	 * @param IUserSession $userSession
	 * @param IConfig $config
	 */
	public function __construct($appName, IRequest $request, IUserSession $userSession,
								IConfig $config) {
		parent::__construct($appName, $request);
		$this->config = $config;
		$this->userSession = $userSession;
		$this->userId = $userSession->getUser()->getUID();
	}

	/**
	 * get a configuration item
	 *
	 * @NoAdminRequired
	 *
	 * @param string $key
	 * @return JSONResponse
	 */
	public function getConfig($key) {
		switch ($key) {
			case 'view':
				return $this->getView();
			case 'skipPopover':
				return $this->getSkipPopover();
			case 'showWeekNr':
				return $this->getShowWeekNr();
			case 'firstRun':
				return $this->getFirstRun();
			case 'timezone':
				return $this->getTimezone();
			default:
				return new JSONResponse([], Http::STATUS_BAD_REQUEST);
		}
	}

	/**
	 * set a configuration item
	 *
	 * @NoAdminRequired
	 *
	 * @param string $key
	 * @param mixed $value
	 * @return JSONResponse
	 */
	public function setConfig($key, $value) {
		switch ($key) {
			case 'view':
				return $this->setView($value);
			case 'skipPopover':
				return $this->setSkipPopover($value);
			case 'showWeekNr':
				return $this->setShowWeekNr($value);
			case 'firstRun':
				return $this->setFirstRun();
			case 'timezone':
				return $this->setTimezone($value);
			default:
				return new JSONResponse([], Http::STATUS_BAD_REQUEST);
		}
	}


	/**
	 * set a new view
	 *
	 * @param string $view
	 * @return JSONResponse
	 */
	private function setView($view) {
		if (!$this->isViewAllowed($view)) {
			return new JSONResponse([], Http::STATUS_UNPROCESSABLE_ENTITY);
		}

		try {
			$this->config->setUserValue(
				$this->userId,
				$this->appName,
				'currentView',
				$view
			);
		} catch(\Exception $e) {
			return new JSONResponse([], Http::STATUS_INTERNAL_SERVER_ERROR);
		}

		return new JSONResponse();
	}


	/**
	 * get a config value
	 *
	 * @return JSONResponse
	 */
	private function getView() {
		try {
			$view = $this->config->getUserValue(
				$this->userId,
				$this->appName,
				'currentView',
				'month'
			);
		} catch(\Exception $e) {
			return new JSONResponse([], Http::STATUS_INTERNAL_SERVER_ERROR);
		}

		return new JSONResponse([
			'value' => $view,
		]);
	}

	/**
	 * check if view is allowed
	 *
	 * @param $view
	 * @return bool
	 */
	private function isViewAllowed($view) {
		$allowedViews = [
			'agendaDay',
			'agendaWeek',
			'month',
		];

		return in_array($view, $allowedViews);
	}

	/**
	 * set if popover shall be skipped
	 *
	 * @param $value
	 * @return JSONResponse
	 */
	private function setSkipPopover($value) {

		if (!$this->isSkipPopoverValueAllowed($value)) {
			return new JSONResponse([], Http::STATUS_UNPROCESSABLE_ENTITY);
		}

		try {
			$this->config->setUserValue(
				$this->userId,
				$this->appName,
				'skipPopover',
				$value
			);
		} catch(\Exception $e) {
			return new JSONResponse([], Http::STATUS_INTERNAL_SERVER_ERROR);
		}

		return new JSONResponse();
	}

	/**
	 * get if popover shall be skipped
	 *
	 * @return JSONResponse
	 */
	private function getSkipPopover() {

		try {
			$view = $this->config->getUserValue(
				$this->userId,
				$this->appName,
				'skipPopover',
				'no'
			);
		} catch(\Exception $e) {
			return new JSONResponse([], Http::STATUS_INTERNAL_SERVER_ERROR);
		}

		return new JSONResponse([
			'value' => $view,
		]);
	}

	/**
	 * check if value for skipPopover is allowed
	 *
	 * @param $value
	 * @return bool
	 */
	private function isSkipPopoverValueAllowed($value) {
		$allowedValues = [
			'yes',
			'no'
		];

		return in_array($value, $allowedValues);
	}

	/**
	 * set config value for showing week numbers
	 *
	 * @param $value
	 * @return JSONResponse
	 */
	private function setShowWeekNr($value) {
		if (!$this->isShowWeekNrValueAllowed($value)) {
			return new JSONResponse([], Http::STATUS_UNPROCESSABLE_ENTITY);
		}

		try {
			$this->config->setUserValue(
				$this->userId,
				$this->appName,
				'showWeekNr',
				$value
			);
		} catch(\Exception $e) {
			return new JSONResponse([], Http::STATUS_INTERNAL_SERVER_ERROR);
		}

		return new JSONResponse();
	}

	/**
	 * get config value for showing week numbers
	 *
	 * @return JSONResponse
	 */
	private function getShowWeekNr() {
		try {
			$value = $this->config->getUserValue(
				$this->userId,
				$this->appName,
				'showWeekNr',
				'no'
			);
		} catch(\Exception $e) {
			return new JSONResponse([], Http::STATUS_INTERNAL_SERVER_ERROR);
		}

		return new JSONResponse([
			'value' => $value,
		]);
	}

	/**
	 * check if value for showWeekNr is allowed
	 *
	 * @param $value
	 * @return bool
	 */
	private function isShowWeekNrValueAllowed($value) {
		$allowedValues = [
			'yes',
			'no'
		];

		return in_array($value, $allowedValues);
	}

	/**
	 * remember that first run routines executed
	 *
	 * @return JSONResponse
	 */
	private function setFirstRun() {

		try {
			$this->config->setUserValue(
				$this->userId,
				$this->appName,
				'firstRun',
				'no'
			);
		} catch(\Exception $e) {
			return new JSONResponse([], Http::STATUS_INTERNAL_SERVER_ERROR);
		}

		return new JSONResponse();
	}

	/**
	 * get stored value for first run
	 *
	 * @return JSONResponse
	 */
	private function getFirstRun() {

		try {
			$value = $this->config->getUserValue(
				$this->userId,
				$this->appName,
				'firstRun',
				'yes'
			);
		} catch(\Exception $e) {
			return new JSONResponse([], Http::STATUS_INTERNAL_SERVER_ERROR);
		}

		return new JSONResponse([
			'value' => $value,
		]);
	}

	/**
	 * sets display timezone for user
	 *
	 * @param string $value
	 * @return JSONResponse
	 */
	private function setTimezone($value) {

		try {
			$this->config->setUserValue(
				$this->userId,
				$this->appName,
				'timezone',
				$value
			);
		} catch(\Exception $e) {
			return new JSONResponse([], Http::STATUS_INTERNAL_SERVER_ERROR);
		}

		return new JSONResponse();
	}

	/**
	 * gets display timezone for user
	 *
	 * @return JSONResponse
	 */
	private function getTimezone() {

		try {
			$value = $this->config->getUserValue(
				$this->userId,
				$this->appName,
				'timezone',
				'automatic'
			);
		} catch(\Exception $e) {
			return new JSONResponse([], Http::STATUS_INTERNAL_SERVER_ERROR);
		}

		return new JSONResponse([
			'value' => $value,
		]);
	}
}


1			<?php
2			/**
3			* Calendar App
4			*
5			* @author Georg Ehrke
6			* @copyright 2016 Georg Ehrke <[email protected]>
7			*
8			* This library is free software; you can redistribute it and/or
9			* modify it under the terms of the GNU AFFERO GENERAL PUBLIC LICENSE
10			* License as published by the Free Software Foundation; either
11			* version 3 of the License, or any later version.
12			*
13			* This library is distributed in the hope that it will be useful,
14			* but WITHOUT ANY WARRANTY; without even the implied warranty of
15			* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16			* GNU AFFERO GENERAL PUBLIC LICENSE for more details.
17			*
18			* You should have received a copy of the GNU Affero General Public
19			* License along with this library. If not, see <http://www.gnu.org/g/>.
20			*
21			*/
22			namespace OCA\Calendar\Controller;
23
24			use OCP\AppFramework\Controller;
25			use OCP\AppFramework\Http\JSONResponse;
26			use OCP\AppFramework\Http;
27			use OCP\IConfig;
28			use OCP\IRequest;
29			use OCP\IUserSession;
30
31			class SettingsController extends Controller {
32
33			/**
34			* @var IConfig
35			*/
36			private $config;
37
38			/**
39			* @var IUserSession
40			*/
41			private $userSession;
42
43			/**
44			* @var string
45			*/
46			private $userId;
47
48			/**
49			* @param string $appName
50			* @param IRequest $request an instance of the request
51			* @param IUserSession $userSession
52			* @param IConfig $config
53			*/
54	23		public function __construct($appName, IRequest $request, IUserSession $userSession,
55			IConfig $config) {
56	23		parent::__construct($appName, $request);
57	23		$this->config = $config;
58	23		$this->userSession = $userSession;
59	23		$this->userId = $userSession->getUser()->getUID();
60	23		}
61
62			/**
63			* get a configuration item
64			*
65			* @NoAdminRequired
66			*
67			* @param string $key
68			* @return JSONResponse
69			*/
70	9		public function getConfig($key) {
71			switch ($key) {
72	9		case 'view':
73	2		return $this->getView();
74	7		case 'skipPopover':
75	2		return $this->getSkipPopover();
76	5		case 'showWeekNr':
77			return $this->getShowWeekNr();
78	5		case 'firstRun':
79	2		return $this->getFirstRun();
80	3		case 'timezone':
81	2		return $this->getTimezone();
82			default:
83	1		return new JSONResponse([], Http::STATUS_BAD_REQUEST);
84			}
85			}
86
87			/**
88			* set a configuration item
89			*
90			* @NoAdminRequired
91			*
92			* @param string $key
93			* @param mixed $value
94			* @return JSONResponse
95			*/
96	14		public function setConfig($key, $value) {
97			switch ($key) {
98	14		case 'view':
99	5		return $this->setView($value);
100	9		case 'skipPopover':
101	4		return $this->setSkipPopover($value);
102	5		case 'showWeekNr':
103			return $this->setShowWeekNr($value);
104	5		case 'firstRun':
105	2		return $this->setFirstRun();
106	3		case 'timezone':
107	2		return $this->setTimezone($value);
108			default:
109	1		return new JSONResponse([], Http::STATUS_BAD_REQUEST);
110			}
111			}
112
113
114			/**
115			* set a new view
116			*
117			* @param string $view
118			* @return JSONResponse
119			*/
120	5	View Code Duplication	private function setView($view) {
121	5		if (!$this->isViewAllowed($view)) {
122	1		return new JSONResponse([], Http::STATUS_UNPROCESSABLE_ENTITY);
123			}
124
125			try {
126	4		$this->config->setUserValue(
127	4		$this->userId,
128	4		$this->appName,
129	4		'currentView',
130	4		$view
131			);
132	1		} catch(\Exception $e) {
133	1		return new JSONResponse([], Http::STATUS_INTERNAL_SERVER_ERROR);
134			}
135
136	3		return new JSONResponse();
137			}
138
139
140			/**
141			* get a config value
142			*
143			* @return JSONResponse
144			*/
145	2	View Code Duplication	private function getView() {
146			try {
147	2		$view = $this->config->getUserValue(
148	2		$this->userId,
149	2		$this->appName,
150	2		'currentView',
151	2		'month'
152			);
153	1		} catch(\Exception $e) {
154	1		return new JSONResponse([], Http::STATUS_INTERNAL_SERVER_ERROR);
155			}
156
157	1		return new JSONResponse([
158	1		'value' => $view,
159			]);
160			}
161
162			/**
163			* check if view is allowed
164			*
165			* @param $view
166			* @return bool
167			*/
168	5		private function isViewAllowed($view) {
169			$allowedViews = [
170	5		'agendaDay',
171			'agendaWeek',
172			'month',
173			];
174
175	5		return in_array($view, $allowedViews);
176			}
177
178			/**
179			* set if popover shall be skipped
180			*
181			* @param $value
182			* @return JSONResponse
183			*/
184	4	View Code Duplication	private function setSkipPopover($value) {
			0 ignored issues – show Duplication introduced 2017-08-01 00:26 UTC by Report Bug Copy Issue Report Show Similar Issues like this This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
185	4		if (!$this->isSkipPopoverValueAllowed($value)) {
186	1		return new JSONResponse([], Http::STATUS_UNPROCESSABLE_ENTITY);
187			}
188
189			try {
190	3		$this->config->setUserValue(
191	3		$this->userId,
192	3		$this->appName,
193	3		'skipPopover',
194	3		$value
195			);
196	1		} catch(\Exception $e) {
197	1		return new JSONResponse([], Http::STATUS_INTERNAL_SERVER_ERROR);
198			}
199
200	2		return new JSONResponse();
201			}
202
203			/**
204			* get if popover shall be skipped
205			*
206			* @return JSONResponse
207			*/
208	2	View Code Duplication	private function getSkipPopover() {
			0 ignored issues – show Duplication introduced 2017-08-01 00:26 UTC by Report Bug Copy Issue Report Show Similar Issues like this This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
209			try {
210	2		$view = $this->config->getUserValue(
211	2		$this->userId,
212	2		$this->appName,
213	2		'skipPopover',
214	2		'no'
215			);
216	1		} catch(\Exception $e) {
217	1		return new JSONResponse([], Http::STATUS_INTERNAL_SERVER_ERROR);
218			}
219
220	1		return new JSONResponse([
221	1		'value' => $view,
222			]);
223			}
224
225			/**
226			* check if value for skipPopover is allowed
227			*
228			* @param $value
229			* @return bool
230			*/
231	4		private function isSkipPopoverValueAllowed($value) {
232			$allowedValues = [
233	4		'yes',
234			'no'
235			];
236
237	4		return in_array($value, $allowedValues);
238			}
239
240			/**
241			* set config value for showing week numbers
242			*
243			* @param $value
244			* @return JSONResponse
245			*/
246		View Code Duplication	private function setShowWeekNr($value) {
247			if (!$this->isShowWeekNrValueAllowed($value)) {
248			return new JSONResponse([], Http::STATUS_UNPROCESSABLE_ENTITY);
249			}
250
251			try {
252			$this->config->setUserValue(
253			$this->userId,
254			$this->appName,
255			'showWeekNr',
256			$value
257			);
258			} catch(\Exception $e) {
259			return new JSONResponse([], Http::STATUS_INTERNAL_SERVER_ERROR);
260			}
261
262			return new JSONResponse();
263			}
264
265			/**
266			* get config value for showing week numbers
267			*
268			* @return JSONResponse
269			*/
270		View Code Duplication	private function getShowWeekNr() {
271			try {
272			$value = $this->config->getUserValue(
273			$this->userId,
274			$this->appName,
275			'showWeekNr',
276			'no'
277			);
278			} catch(\Exception $e) {
279			return new JSONResponse([], Http::STATUS_INTERNAL_SERVER_ERROR);
280			}
281
282			return new JSONResponse([
283			'value' => $value,
284			]);
285			}
286
287			/**
288			* check if value for showWeekNr is allowed
289			*
290			* @param $value
291			* @return bool
292			*/
293			private function isShowWeekNrValueAllowed($value) {
294			$allowedValues = [
295			'yes',
296			'no'
297			];
298
299			return in_array($value, $allowedValues);
300			}
301
302			/**
303			* remember that first run routines executed
304			*
305			* @return JSONResponse
306			*/
307	2	View Code Duplication	private function setFirstRun() {
			0 ignored issues – show Duplication introduced 2017-08-01 00:26 UTC by Report Bug Copy Issue Report Show Similar Issues like this This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
308			try {
309	2		$this->config->setUserValue(
310	2		$this->userId,
311	2		$this->appName,
312	2		'firstRun',
313	2		'no'
314			);
315	1		} catch(\Exception $e) {
316	1		return new JSONResponse([], Http::STATUS_INTERNAL_SERVER_ERROR);
317			}
318
319	1		return new JSONResponse();
320			}
321
322			/**
323			* get stored value for first run
324			*
325			* @return JSONResponse
326			*/
327	2	View Code Duplication	private function getFirstRun() {
			0 ignored issues – show Duplication introduced 2017-08-01 00:26 UTC by Report Bug Copy Issue Report Show Similar Issues like this This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
328			try {
329	2		$value = $this->config->getUserValue(
330	2		$this->userId,
331	2		$this->appName,
332	2		'firstRun',
333	2		'yes'
334			);
335	1		} catch(\Exception $e) {
336	1		return new JSONResponse([], Http::STATUS_INTERNAL_SERVER_ERROR);
337			}
338
339	1		return new JSONResponse([
340	1		'value' => $value,
341			]);
342			}
343
344			/**
345			* sets display timezone for user
346			*
347			* @param string $value
348			* @return JSONResponse
349			*/
350	2	View Code Duplication	private function setTimezone($value) {
			0 ignored issues – show Duplication introduced 2018-02-26 11:30 UTC by Report Bug Copy Issue Report Show Similar Issues like this This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
351			try {
352	2		$this->config->setUserValue(
353	2		$this->userId,
354	2		$this->appName,
355	2		'timezone',
356	2		$value
357			);
358	1		} catch(\Exception $e) {
359	1		return new JSONResponse([], Http::STATUS_INTERNAL_SERVER_ERROR);
360			}
361
362	1		return new JSONResponse();
363			}
364
365			/**
366			* gets display timezone for user
367			*
368			* @return JSONResponse
369			*/
370	2	View Code Duplication	private function getTimezone() {
			0 ignored issues – show Duplication introduced 2018-02-26 11:30 UTC by Report Bug Copy Issue Report Show Similar Issues like this This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
371			try {
372	2		$value = $this->config->getUserValue(
373	2		$this->userId,
374	2		$this->appName,
375	2		'timezone',
376	2		'automatic'
377			);
378	1		} catch(\Exception $e) {
379	1		return new JSONResponse([], Http::STATUS_INTERNAL_SERVER_ERROR);
380			}
381
382	1		return new JSONResponse([
383	1		'value' => $value,
384			]);
385			}
386			}
387

nextcloud / calendar

Issues (51)

Security Analysis no request data

controller/settingscontroller.php (6 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like