Issues in itemapicontroller.php (master) - Issues in master - owncloud/news - Measure and Improve Code Quality continuously with Scrutinizer

Issues (6)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

controller/itemapicontroller.php (1 issue)

Labels

Bug 1

Severity

Major 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * ownCloud - News
 *
 * This file is licensed under the Affero General Public License version 3 or
 * later. See the COPYING file.
 *
 * @author Alessandro Cosentino <[email protected]>
 * @author Bernhard Posselt <[email protected]>
 * @copyright Alessandro Cosentino 2012
 * @copyright Bernhard Posselt 2012, 2014
 */

namespace OCA\News\Controller;

use \OCP\IRequest;
use \OCP\AppFramework\ApiController;
.
|-- OtherDir
|   |-- Bar.php
|   `-- Foo.php
`-- SomeDir
    `-- Foo.php
use \OCP\AppFramework\Http;

use \OCA\News\Service\ItemService;
use \OCA\News\Service\ServiceNotFoundException;

class ItemApiController extends ApiController {

    use JSONHttpError;

    private $itemService;
    private $userId;
    private $serializer;

    public function __construct($AppName,
                                IRequest $request,
                                ItemService $itemService,
                                $UserId){
        parent::__construct($AppName, $request);
        $this->itemService = $itemService;
        $this->userId = $UserId;
        $this->serializer = new EntityApiSerializer('items');
    }


    /**
     * @NoAdminRequired
     * @NoCSRFRequired
     * @CORS
     *
     * @param int $type
     * @param int $id
     * @param bool $getRead
     * @param int $batchSize
     * @param int $offset
     * @param bool $oldestFirst
     * @return array|mixed
     */
    public function index($type=3, $id=0, $getRead=true, $batchSize=-1,
                          $offset=0, $oldestFirst=false) {
        return $this->serializer->serialize(
            $this->itemService->findAll(
                $id, $type, $batchSize, $offset, $getRead, $oldestFirst,
                $this->userId
            )
        );
    }


    /**
     * @NoAdminRequired
     * @NoCSRFRequired
     * @CORS
     *
     * @param int $type
     * @param int $id
     * @param int $lastModified
     * @return array|mixed
     */
    public function updated($type=3, $id=0, $lastModified=0) {
        return $this->serializer->serialize(
            $this->itemService->findAllNew($id, $type, $lastModified,
                                           true, $this->userId)
        );
    }


    private function setRead($isRead, $itemId) {
        try {
            $this->itemService->read($itemId, $isRead, $this->userId);
        } catch(ServiceNotFoundException $ex){
            return $this->error($ex, Http::STATUS_NOT_FOUND);
        }

        return [];
    }


    /**
     * @NoAdminRequired
     * @NoCSRFRequired
     * @CORS
     *
     * @param int $itemId
     * @return array|\OCP\AppFramework\Http\JSONResponse
     */
    public function read($itemId) {
        return $this->setRead(true, $itemId);
    }


    /**
     * @NoAdminRequired
     * @NoCSRFRequired
     * @CORS
     *
     * @param int $itemId
     * @return array|\OCP\AppFramework\Http\JSONResponse
     */
    public function unread($itemId) {
        return $this->setRead(false, $itemId);
    }


    private function setStarred($isStarred, $feedId, $guidHash) {
        try {
            $this->itemService->star(
                $feedId, $guidHash, $isStarred, $this->userId
            );
        } catch(ServiceNotFoundException $ex){
            return $this->error($ex, Http::STATUS_NOT_FOUND);
        }

        return [];
    }


    /**
     * @NoAdminRequired
     * @NoCSRFRequired
     * @CORS
     *
     * @param int $feedId
     * @param string $guidHash
     * @return array|\OCP\AppFramework\Http\JSONResponse
     */
    public function star($feedId, $guidHash) {
        return $this->setStarred(true, $feedId, $guidHash);
    }


    /**
     * @NoAdminRequired
     * @NoCSRFRequired
     * @CORS
     *
     * @param int $feedId
     * @param string $guidHash
     * @return array|\OCP\AppFramework\Http\JSONResponse
     */
    public function unstar($feedId, $guidHash) {
        return $this->setStarred(false, $feedId, $guidHash);
    }


    /**
     * @NoAdminRequired
     * @NoCSRFRequired
     * @CORS
     *
     * @param int $newestItemId
     */
    public function readAll($newestItemId) {
        $this->itemService->readAll($newestItemId, $this->userId);
    }


    private function setMultipleRead($isRead, $items) {
        foreach($items as $id) {
            try {
                $this->itemService->read($id, $isRead, $this->userId);
            } catch(ServiceNotFoundException $ex) {
                continue;
            }
        }
    }


    /**
     * @NoAdminRequired
     * @NoCSRFRequired
     * @CORS
     *
     * @param int[] item ids
     */
    public function readMultiple($items) {
        $this->setMultipleRead(true, $items);
    }


    /**
     * @NoAdminRequired
     * @NoCSRFRequired
     * @CORS
     *
     * @param int[] item ids
     */
    public function unreadMultiple($items) {
        $this->setMultipleRead(false, $items);
    }


    private function setMultipleStarred($isStarred, $items) {
        foreach($items as $item) {
            try {
                $this->itemService->star($item['feedId'], $item['guidHash'],
                                               $isStarred, $this->userId);
            } catch(ServiceNotFoundException $ex) {
                continue;
            }
        }
    }


    /**
     * @NoAdminRequired
     * @NoCSRFRequired
     * @CORS
     *
     * @param int[] item ids
     */
    public function starMultiple($items) {
        $this->setMultipleStarred(true, $items);
    }


    /**
     * @NoAdminRequired
     * @NoCSRFRequired
     * @CORS
     *
     * @param int[] item ids
     */
    public function unstarMultiple($items) {
        $this->setMultipleStarred(false, $items);
    }


}


1			<?php
2			/**
3			* ownCloud - News
4			*
5			* This file is licensed under the Affero General Public License version 3 or
6			* later. See the COPYING file.
7			*
8			* @author Alessandro Cosentino <[email protected]>
9			* @author Bernhard Posselt <[email protected]>
10			* @copyright Alessandro Cosentino 2012
11			* @copyright Bernhard Posselt 2012, 2014
12			*/
13
14			namespace OCA\News\Controller;
15
16			use \OCP\IRequest;
17			use \OCP\AppFramework\ApiController;
			0 ignored issues – show Bug introduced 2016-05-10 20:56 UTC by Report Bug Copy Issue Report Show Similar Issues like this This use statement conflicts with another class in this namespace, `OCA\News\Controller\ApiController`. Let’s assume that you have a directory layout like this: . \|-- OtherDir \| \|-- Bar.php \| `-- Foo.php `-- SomeDir `-- Foo.php and let’s assume the following content of `Bar.php`: // Bar.php namespace OtherDir; use SomeDir\Foo; // This now conflicts the class OtherDir\Foo If both files `OtherDir/Foo.php` and `SomeDir/Foo.php` are loaded in the same runtime, you will see a PHP error such as the following: PHP Fatal error: Cannot use SomeDir\Foo as Foo because the name is already in use in OtherDir/Foo.php However, as `OtherDir/Foo.php` does not necessarily have to be loaded and the error is only triggered if it is loaded before `OtherDir/Bar.php`, this problem might go unnoticed for a while. In order to prevent this error from surfacing, you must import the namespace with a different alias: // Bar.php namespace OtherDir; use SomeDir\Foo as SomeDirFoo; // There is no conflict anymore. Loading history...
18			use \OCP\AppFramework\Http;
19
20			use \OCA\News\Service\ItemService;
21			use \OCA\News\Service\ServiceNotFoundException;
22
23			class ItemApiController extends ApiController {
24
25			use JSONHttpError;
26
27			private $itemService;
28			private $userId;
29			private $serializer;
30
31			public function __construct($AppName,
32			IRequest $request,
33			ItemService $itemService,
34			$UserId){
35			parent::__construct($AppName, $request);
36			$this->itemService = $itemService;
37			$this->userId = $UserId;
38			$this->serializer = new EntityApiSerializer('items');
39			}
40
41
42			/**
43			* @NoAdminRequired
44			* @NoCSRFRequired
45			* @CORS
46			*
47			* @param int $type
48			* @param int $id
49			* @param bool $getRead
50			* @param int $batchSize
51			* @param int $offset
52			* @param bool $oldestFirst
53			* @return array\|mixed
54			*/
55			public function index($type=3, $id=0, $getRead=true, $batchSize=-1,
56			$offset=0, $oldestFirst=false) {
57			return $this->serializer->serialize(
58			$this->itemService->findAll(
59			$id, $type, $batchSize, $offset, $getRead, $oldestFirst,
60			$this->userId
61			)
62			);
63			}
64
65
66			/**
67			* @NoAdminRequired
68			* @NoCSRFRequired
69			* @CORS
70			*
71			* @param int $type
72			* @param int $id
73			* @param int $lastModified
74			* @return array\|mixed
75			*/
76			public function updated($type=3, $id=0, $lastModified=0) {
77			return $this->serializer->serialize(
78			$this->itemService->findAllNew($id, $type, $lastModified,
79			true, $this->userId)
80			);
81			}
82
83
84			private function setRead($isRead, $itemId) {
85			try {
86			$this->itemService->read($itemId, $isRead, $this->userId);
87			} catch(ServiceNotFoundException $ex){
88			return $this->error($ex, Http::STATUS_NOT_FOUND);
89			}
90
91			return [];
92			}
93
94
95			/**
96			* @NoAdminRequired
97			* @NoCSRFRequired
98			* @CORS
99			*
100			* @param int $itemId
101			* @return array\|\OCP\AppFramework\Http\JSONResponse
102			*/
103			public function read($itemId) {
104			return $this->setRead(true, $itemId);
105			}
106
107
108			/**
109			* @NoAdminRequired
110			* @NoCSRFRequired
111			* @CORS
112			*
113			* @param int $itemId
114			* @return array\|\OCP\AppFramework\Http\JSONResponse
115			*/
116			public function unread($itemId) {
117			return $this->setRead(false, $itemId);
118			}
119
120
121			private function setStarred($isStarred, $feedId, $guidHash) {
122			try {
123			$this->itemService->star(
124			$feedId, $guidHash, $isStarred, $this->userId
125			);
126			} catch(ServiceNotFoundException $ex){
127			return $this->error($ex, Http::STATUS_NOT_FOUND);
128			}
129
130			return [];
131			}
132
133
134			/**
135			* @NoAdminRequired
136			* @NoCSRFRequired
137			* @CORS
138			*
139			* @param int $feedId
140			* @param string $guidHash
141			* @return array\|\OCP\AppFramework\Http\JSONResponse
142			*/
143			public function star($feedId, $guidHash) {
144			return $this->setStarred(true, $feedId, $guidHash);
145			}
146
147
148			/**
149			* @NoAdminRequired
150			* @NoCSRFRequired
151			* @CORS
152			*
153			* @param int $feedId
154			* @param string $guidHash
155			* @return array\|\OCP\AppFramework\Http\JSONResponse
156			*/
157			public function unstar($feedId, $guidHash) {
158			return $this->setStarred(false, $feedId, $guidHash);
159			}
160
161
162			/**
163			* @NoAdminRequired
164			* @NoCSRFRequired
165			* @CORS
166			*
167			* @param int $newestItemId
168			*/
169			public function readAll($newestItemId) {
170			$this->itemService->readAll($newestItemId, $this->userId);
171			}
172
173
174			private function setMultipleRead($isRead, $items) {
175			foreach($items as $id) {
176			try {
177			$this->itemService->read($id, $isRead, $this->userId);
178			} catch(ServiceNotFoundException $ex) {
179			continue;
180			}
181			}
182			}
183
184
185			/**
186			* @NoAdminRequired
187			* @NoCSRFRequired
188			* @CORS
189			*
190			* @param int[] item ids
191			*/
192			public function readMultiple($items) {
193			$this->setMultipleRead(true, $items);
194			}
195
196
197			/**
198			* @NoAdminRequired
199			* @NoCSRFRequired
200			* @CORS
201			*
202			* @param int[] item ids
203			*/
204			public function unreadMultiple($items) {
205			$this->setMultipleRead(false, $items);
206			}
207
208
209			private function setMultipleStarred($isStarred, $items) {
210			foreach($items as $item) {
211			try {
212			$this->itemService->star($item['feedId'], $item['guidHash'],
213			$isStarred, $this->userId);
214			} catch(ServiceNotFoundException $ex) {
215			continue;
216			}
217			}
218			}
219
220
221			/**
222			* @NoAdminRequired
223			* @NoCSRFRequired
224			* @CORS
225			*
226			* @param int[] item ids
227			*/
228			public function starMultiple($items) {
229			$this->setMultipleStarred(true, $items);
230			}
231
232
233			/**
234			* @NoAdminRequired
235			* @NoCSRFRequired
236			* @CORS
237			*
238			* @param int[] item ids
239			*/
240			public function unstarMultiple($items) {
241			$this->setMultipleStarred(false, $items);
242			}
243
244
245			}
246

owncloud / news

Issues (6)

Security Analysis no request data

controller/itemapicontroller.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like