Issues in DeckProvider.php (master) - Issues in master - nextcloud/deck - Measure and Improve Code Quality continuously with Scrutinizer

Issues (221)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

lib/Provider/DeckProvider.php (3 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
declare(strict_types=1);


/**
 * This file is licensed under the Affero General Public License version 3 or
 * later. See the COPYING file.
 *
 * @author Maxence Lange <[email protected]>
 * @copyright 2019
 * @license GNU AGPL version 3 or any later version
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Affero General Public License as
 * published by the Free Software Foundation, either version 3 of the
 * License, or (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Affero General Public License for more details.
 *
 * You should have received a copy of the GNU Affero General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 *
 */


namespace OCA\Deck\Provider;


use OC\FullTextSearch\Model\IndexDocument;
use OC\FullTextSearch\Model\SearchTemplate;
use OCA\Deck\Service\FullTextSearchService;
use OCP\AppFramework\Db\DoesNotExistException;
use OCP\AppFramework\Db\MultipleObjectsReturnedException;
use OCP\FullTextSearch\IFullTextSearchPlatform;
use OCP\FullTextSearch\IFullTextSearchProvider;
use OCP\FullTextSearch\Model\IIndex;
use OCP\FullTextSearch\Model\IIndexDocument;
use OCP\FullTextSearch\Model\IIndexOptions;
use OCP\FullTextSearch\Model\IRunner;
use OCP\FullTextSearch\Model\ISearchRequest;
use OCP\FullTextSearch\Model\ISearchResult;
use OCP\FullTextSearch\Model\ISearchTemplate;
use OCP\IL10N;
use OCP\IURLGenerator;


/**
 * Class DeckProvider
 *
 * @package OCA\Deck\Provider
 */
class DeckProvider implements IFullTextSearchProvider {


	const DECK_PROVIDER_ID = 'deck';


	/** @var IL10N */
	private $l10n;

	/** @var IUrlGenerator */
	private $urlGenerator;

	/** @var FullTextSearchService */
	private $fullTextSearchService;


	/** @var IRunner */
	private $runner;

	/** @var IIndexOptions */
	private $indexOptions = [];


	/**
	 * DeckProvider constructor.
	 *
	 * @param IL10N $l10n
	 * @param IUrlGenerator $urlGenerator
	 * @param FullTextSearchService $fullTextSearchService
	 */
	public function __construct(
		IL10N $l10n, IUrlGenerator $urlGenerator, FullTextSearchService $fullTextSearchService
	) {
		$this->l10n = $l10n;
		$this->urlGenerator = $urlGenerator;

		$this->fullTextSearchService = $fullTextSearchService;
	}


	/**
	 * return unique id of the provider
	 */
	public function getId(): string {
		return self::DECK_PROVIDER_ID;
	}


	/**
	 * return name of the provider
	 */
	public function getName(): string {
		return 'Deck';
	}


	/**
	 * @return array
	 */
	public function getConfiguration(): array {
		return [];
	}


	/**
	 * @param IRunner $runner
	 */
	public function setRunner(IRunner $runner) {
		$this->runner = $runner;
	}


	/**
	 * @param IIndexOptions $options
	 */
	public function setIndexOptions(IIndexOptions $options) {
		$this->indexOptions = $options;
	}


	/**
	 * @return ISearchTemplate
	 */
	public function getSearchTemplate(): ISearchTemplate {
		$template = new SearchTemplate('icon-deck', 'icons');

		return $template;
	}


	/**
	 *
	 */
	public function loadProvider() {
	}



	/**
	 * @param string $userId
	 *
	 * @return string[]
	 */
	public function generateChunks(string $userId): array {
		return [];
	}


	/**
	 * @param string $userId
	 * @param string $chunk
	 *
	 * @return IIndexDocument[]
	 */
	public function generateIndexableDocuments(string $userId, string $chunk): array {
		$cards = $this->fullTextSearchService->getCardsFromUser($userId);

		$documents = [];
		foreach ($cards as $card) {
			$documents[] = $this->fullTextSearchService->generateIndexDocumentFromCard($card);
		}

		return $documents;
	}


	/**
	 * @param IIndexDocument $document
	 *
	 * @throws DoesNotExistException
	 * @throws MultipleObjectsReturnedException
	 */
	public function fillIndexDocument(IIndexDocument $document) {
		$this->fullTextSearchService->fillIndexDocument($document);
		$this->updateRunnerInfo('info', $document->getTitle());
	}


	/**
	 * @param IIndexDocument $document
	 *
	 * @return bool
	 */
	public function isDocumentUpToDate(IIndexDocument $document): bool {
		return false;
	}


	/**
	 * @param IIndex $index
	 *
	 * @return IIndexDocument
	 * @throws DoesNotExistException
	 * @throws MultipleObjectsReturnedException
	 */
	public function updateDocument(IIndex $index): IIndexDocument {
		$document = new IndexDocument(DeckProvider::DECK_PROVIDER_ID, $index->getDocumentId());
		$document->setIndex($index);

		$this->fullTextSearchService->fillIndexDocument($document);

		return $document;
	}


	/**
	 * @param IFullTextSearchPlatform $platform
	 */
	public function onInitializingIndex(IFullTextSearchPlatform $platform) {
	}


	/**
	 * @param IFullTextSearchPlatform $platform
	 */
	public function onResettingIndex(IFullTextSearchPlatform $platform) {
	}


	/**
	 * not used yet
	 */
	public function unloadProvider() {
	}


	/**
	 * before a search, improve the request
	 *
	 * @param ISearchRequest $request
	 */
	public function improveSearchRequest(ISearchRequest $request) {
	}


	/**
	 * after a search, improve results
	 *
	 * @param ISearchResult $searchResult
	 */
	public function improveSearchResult(ISearchResult $searchResult) {
		foreach ($searchResult->getDocuments() as $document) {
			try {
				$board =
					$this->fullTextSearchService->getBoardFromCardId((int)$document->getId());
				$path = '#!/board/' . $board->getId() . '//card/' . $document->getId();
				$document->setLink($this->urlGenerator->linkToRoute('deck.page.index') . $path);
			} catch (DoesNotExistException $e) {

			} catch (MultipleObjectsReturnedException $e) {

			}
		}
	}


	/**
	 * @param string $info
	 * @param string $value
	 */
	private function updateRunnerInfo(string $info, string $value) {
		if ($this->runner === null) {
			return;
		}

		$this->runner->setInfo($info, $value);
	}

}



1			<?php
2			declare(strict_types=1);
3
4
5			/**
6			* This file is licensed under the Affero General Public License version 3 or
7			* later. See the COPYING file.
8			*
9			* @author Maxence Lange <[email protected]>
10			* @copyright 2019
11			* @license GNU AGPL version 3 or any later version
12			*
13			* This program is free software: you can redistribute it and/or modify
14			* it under the terms of the GNU Affero General Public License as
15			* published by the Free Software Foundation, either version 3 of the
16			* License, or (at your option) any later version.
17			*
18			* This program is distributed in the hope that it will be useful,
19			* but WITHOUT ANY WARRANTY; without even the implied warranty of
20			* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
21			* GNU Affero General Public License for more details.
22			*
23			* You should have received a copy of the GNU Affero General Public License
24			* along with this program. If not, see <http://www.gnu.org/licenses/>.
25			*
26			*/
27
28
29			namespace OCA\Deck\Provider;
30
31
32			use OC\FullTextSearch\Model\IndexDocument;
33			use OC\FullTextSearch\Model\SearchTemplate;
34			use OCA\Deck\Service\FullTextSearchService;
35			use OCP\AppFramework\Db\DoesNotExistException;
36			use OCP\AppFramework\Db\MultipleObjectsReturnedException;
37			use OCP\FullTextSearch\IFullTextSearchPlatform;
38			use OCP\FullTextSearch\IFullTextSearchProvider;
39			use OCP\FullTextSearch\Model\IIndex;
40			use OCP\FullTextSearch\Model\IIndexDocument;
41			use OCP\FullTextSearch\Model\IIndexOptions;
42			use OCP\FullTextSearch\Model\IRunner;
43			use OCP\FullTextSearch\Model\ISearchRequest;
44			use OCP\FullTextSearch\Model\ISearchResult;
45			use OCP\FullTextSearch\Model\ISearchTemplate;
46			use OCP\IL10N;
47			use OCP\IURLGenerator;
48
49
50			/**
51			* Class DeckProvider
52			*
53			* @package OCA\Deck\Provider
54			*/
55			class DeckProvider implements IFullTextSearchProvider {
56
57
58			const DECK_PROVIDER_ID = 'deck';
59
60
61			/** @var IL10N */
62			private $l10n;
63
64			/** @var IUrlGenerator */
65			private $urlGenerator;
66
67			/** @var FullTextSearchService */
68			private $fullTextSearchService;
69
70
71			/** @var IRunner */
72			private $runner;
73
74			/** @var IIndexOptions */
75			private $indexOptions = [];
76
77
78			/**
79			* DeckProvider constructor.
80			*
81			* @param IL10N $l10n
82			* @param IUrlGenerator $urlGenerator
83			* @param FullTextSearchService $fullTextSearchService
84			*/
85			public function __construct(
86			IL10N $l10n, IUrlGenerator $urlGenerator, FullTextSearchService $fullTextSearchService
87			) {
88			$this->l10n = $l10n;
89			$this->urlGenerator = $urlGenerator;
			0 ignored issues – show Documentation Bug introduced 2019-02-11 11:35 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `$urlGenerator` of type `object<OCP\IURLGenerator>` is incompatible with the declared type `object<OCA\Deck\Provider\IUrlGenerator>` of property `$urlGenerator`. Our type inference engine has found an assignment to a property that is incompatible with the declared type of that property. Either this assignment is in error or the assigned type should be added to the documentation/type hint for that property.. Loading history...
90			$this->fullTextSearchService = $fullTextSearchService;
91			}
92
93
94			/**
95			* return unique id of the provider
96			*/
97			public function getId(): string {
98			return self::DECK_PROVIDER_ID;
99			}
100
101
102			/**
103			* return name of the provider
104			*/
105			public function getName(): string {
106			return 'Deck';
107			}
108
109
110			/**
111			* @return array
112			*/
113			public function getConfiguration(): array {
114			return [];
115			}
116
117
118			/**
119			* @param IRunner $runner
120			*/
121			public function setRunner(IRunner $runner) {
122			$this->runner = $runner;
123			}
124
125
126			/**
127			* @param IIndexOptions $options
128			*/
129			public function setIndexOptions(IIndexOptions $options) {
130			$this->indexOptions = $options;
131			}
132
133
134			/**
135			* @return ISearchTemplate
136			*/
137			public function getSearchTemplate(): ISearchTemplate {
138			$template = new SearchTemplate('icon-deck', 'icons');
139
140			return $template;
141			}
142
143
144			/**
145			*
146			*/
147			public function loadProvider() {
148			}
149
150
151
152			/**
153			* @param string $userId
154			*
155			* @return string[]
156			*/
157			public function generateChunks(string $userId): array {
158			return [];
159			}
160
161
162			/**
163			* @param string $userId
164			* @param string $chunk
165			*
166			* @return IIndexDocument[]
167			*/
168			public function generateIndexableDocuments(string $userId, string $chunk): array {
169			$cards = $this->fullTextSearchService->getCardsFromUser($userId);
170
171			$documents = [];
172			foreach ($cards as $card) {
173			$documents[] = $this->fullTextSearchService->generateIndexDocumentFromCard($card);
174			}
175
176			return $documents;
177			}
178
179
180			/**
181			* @param IIndexDocument $document
182			*
183			* @throws DoesNotExistException
184			* @throws MultipleObjectsReturnedException
185			*/
186			public function fillIndexDocument(IIndexDocument $document) {
187			$this->fullTextSearchService->fillIndexDocument($document);
188			$this->updateRunnerInfo('info', $document->getTitle());
189			}
190
191
192			/**
193			* @param IIndexDocument $document
194			*
195			* @return bool
196			*/
197			public function isDocumentUpToDate(IIndexDocument $document): bool {
198			return false;
199			}
200
201
202			/**
203			* @param IIndex $index
204			*
205			* @return IIndexDocument
206			* @throws DoesNotExistException
207			* @throws MultipleObjectsReturnedException
208			*/
209			public function updateDocument(IIndex $index): IIndexDocument {
210			$document = new IndexDocument(DeckProvider::DECK_PROVIDER_ID, $index->getDocumentId());
211			$document->setIndex($index);
212
213			$this->fullTextSearchService->fillIndexDocument($document);
214
215			return $document;
216			}
217
218
219			/**
220			* @param IFullTextSearchPlatform $platform
221			*/
222			public function onInitializingIndex(IFullTextSearchPlatform $platform) {
223			}
224
225
226			/**
227			* @param IFullTextSearchPlatform $platform
228			*/
229			public function onResettingIndex(IFullTextSearchPlatform $platform) {
230			}
231
232
233			/**
234			* not used yet
235			*/
236			public function unloadProvider() {
237			}
238
239
240			/**
241			* before a search, improve the request
242			*
243			* @param ISearchRequest $request
244			*/
245			public function improveSearchRequest(ISearchRequest $request) {
246			}
247
248
249			/**
250			* after a search, improve results
251			*
252			* @param ISearchResult $searchResult
253			*/
254			public function improveSearchResult(ISearchResult $searchResult) {
255			foreach ($searchResult->getDocuments() as $document) {
256			try {
257			$board =
258			$this->fullTextSearchService->getBoardFromCardId((int)$document->getId());
259			$path = '#!/board/' . $board->getId() . '//card/' . $document->getId();
260			$document->setLink($this->urlGenerator->linkToRoute('deck.page.index') . $path);
261			} catch (DoesNotExistException $e) {
			0 ignored issues – show Coding Style Comprehensibility introduced 2019-02-12 10:20 UTC by Report Bug Copy Issue Report Show Similar Issues like this Consider adding a comment why this CATCH block is empty. Loading history...
262			} catch (MultipleObjectsReturnedException $e) {
			0 ignored issues – show Coding Style Comprehensibility introduced 2019-02-12 10:20 UTC by Report Bug Copy Issue Report Show Similar Issues like this Consider adding a comment why this CATCH block is empty. Loading history...
263			}
264			}
265			}
266
267
268			/**
269			* @param string $info
270			* @param string $value
271			*/
272			private function updateRunnerInfo(string $info, string $value) {
273			if ($this->runner === null) {
274			return;
275			}
276
277			$this->runner->setInfo($info, $value);
278			}
279
280			}
281
282

nextcloud / deck

Issues (221)

Security Analysis no request data

lib/Provider/DeckProvider.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like