Issues in Bootstrap.php (master) - Issues in master - pH7Software/pH7-Social-Dating-CMS - Measure and Improve Code Quality continuously with Scrutinizer

Issues (3445)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

_protected/app/Bootstrap.php (8 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

/**
 * @author         Pierre-Henry Soria <[email protected]>
 * @copyright      (c) 2012-2019, Pierre-Henry Soria. All Rights Reserved.
 * @license        GNU General Public License; See PH7.LICENSE.txt and PH7.COPYRIGHT.txt in the root directory.
 * @link           http://ph7cms.com
 * @package        PH7 / App / Core
 */

namespace PH7;

defined('PH7') or exit('Restricted access');

use Exception;
use PH7\App\Includes\Classes\Loader\Autoloader as AppLoader;
use PH7\Framework\Config\Config;
use PH7\Framework\Config\FileNotFoundException;
use PH7\Framework\Core\Kernel;
use PH7\Framework\Error\CException as Except;
use PH7\Framework\File\Import;
.
|-- OtherDir
|   |-- Bar.php
|   `-- Foo.php
`-- SomeDir
    `-- Foo.php
use PH7\Framework\Loader\Autoloader as FrameworkLoader;
use PH7\Framework\Mvc\Router\FrontController;
use PH7\Framework\Navigation\Browser;
use PH7\Framework\Registry\Registry;
use PH7\Framework\Server\Environment as Env;
use PH7\Framework\Server\Server;

/*** Begin Loading Files ***/
require 'configs/constants.php';
require 'includes/helpers/misc.php';

class Bootstrap
{
    /**
     * @var Bootstrap $oInstance
     */
    private static $oInstance = null;

    /**
     * Set constructor/cloning to private since it's a singleton class.
     */
    private function __construct() {}
    private function __clone() {}

    /**
     * Get instance of class.
     *
     * @return Bootstrap Returns the instance class or create initial instance of the class.
     */
    public static function getInstance()
    {
        return null === static::$oInstance ? static::$oInstance = new static : static::$oInstance;
class YourClass
{
    private static $someVariable;

    public static function getSomeVariable()
    {
        return static::$someVariable;
    }
}
    }

    /**
     * Set a default timezone if it is not already configured in environment.
     *
     * @return void
     */
    public function setTimezoneIfNotSet()
    {
        if (!ini_get('date.timezone')) {
            ini_set('date.timezone', PH7_DEFAULT_TIMEZONE);
        }
    }

    /**
     * Initialize the app, load the files and launch the main FrontController router.
     *
     * @return void
     *
     * @throws Exception
     * @throws Except\PH7Exception
     * @throws Except\UserException
     * @throws FileNotFoundException
     */
    public function run()
    {
        try {
            $this->loadInitFiles();

            //** Temporary code. In the near future, pH7CMS will be usable without mod_rewrite
            if (!Server::isRewriteMod()) {
$a = canBeFalseAndNull();

// Instead of
if ( ! $a) { }

// Better use one of the explicit versions:
if ($a !== null) { }
if ($a !== false) { }
if ($a !== null && $a !== false) { }
                $this->notRewriteModEnabledError();
                exit;

            }  //*/

            // Enable client browser cache
            (new Browser)->cache();

            new Server; // Start Server

            $this->startPageBenchmark();
            //Framework\Compress\Compress::setZlipCompression();


            // Initialize the FrontController, we are asking the front controller to process the HTTP request
            FrontController::getInstance()->runRouter();
        /**  TODO: When pH7CMS will support PHP 7.1
        } catch (FileNotFoundException | Except\UserException $oE) {
        //*/
        } catch (FileNotFoundException $oE) {
            echo $oE->getMessage();
        } catch (Except\UserException $oE) {
            echo $oE->getMessage(); // Simple User Error with Exception
        } catch (Except\PH7Exception $oE) {
            Except\PH7Exception::launch($oE);
        } catch (Exception $oE) {
            Except\PH7Exception::launch($oE);
        } finally {
            $this->closeAppSession();
        }
    }

    /**
     * Load all necessary files for running the app.
     *
     * @return void
     */
    private function loadInitFiles()
    {
        // Load Framework Classes
        require PH7_PATH_FRAMEWORK . 'Loader/Autoloader.php';
        FrameworkLoader::getInstance()->init();

        /** Loading configuration files environments **/
        // For All environment
        Import::file(PH7_PATH_APP . 'configs/environment/all.env');
        // Specific to the current environment
        Import::file(PH7_PATH_APP . 'configs/environment/' . Env::getFileName(Config::getInstance()->values['mode']['environment']));

        // Load Class ~/protected/app/includes/classes/*
        Import::pH7App('includes.classes.Loader.Autoloader');
        AppLoader::getInstance()->init();

        // Load Debug class
        Import::pH7FwkClass('Error.Debug');

        // Load String Class
        Import::pH7FwkClass('Str.Str');

        /* Structure/General.class.php functions are not currently used */
        // Import::pH7FwkClass('Structure.General');

    }

    /**
     * Initialize the benchmark time. It is calculated in Framework\Layout\Html\Design::stat()
     *
     * @return void
     */
    private function startPageBenchmark()
    {
        Registry::getInstance()->start_time = microtime(true);
<?php

/**
 * @property int $x
 * @property int $y
 * @property string $text
 */
class MyLabel
{
    private $properties;

    private $allowedProperties = array('x', 'y', 'text');

    public function __get($name)
    {
        if (isset($properties[$name]) && in_array($name, $this->allowedProperties)) {
            return $properties[$name];
        } else {
            return null;
        }
    }

    public function __set($name, $value)
    {
        if (in_array($name, $this->allowedProperties)) {
            $properties[$name] = $value;
        } else {
            throw new \LogicException("Property $name is not defined.");
        }
    }

}
    }

    /**
     * If sessions status are enabled, writes session data and ends session.
     *
     * @return void
     */
    private function closeAppSession()
    {
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_write_close();
        }
    }

    /**
     * Display an error message if the Apache mod_rewrite is not enabled.
     *
     * @return void HTML output.
     */
    private function notRewriteModEnabledError()
    {
        $sMsg = '<p class="warning"><a href="' . Kernel::SOFTWARE_WEBSITE . '">pH7CMS</a> requires Apache "mod_rewrite".</p>
        <p>Firstly, please <strong>make sure the ".htaccess" file has been uploaded to the root directory where pH7CMS is installed</strong>. If not, use your FTP client (such as Filezilla) and upload it again from pH7CMS unziped package and try again.<br />
        Secondly, please <strong>make sure "mod_rewrite" is correctly installed</strong>.<br /> Click <a href="http://ph7cms.com/doc/en/how-to-install-rewrite-module" target="_blank" rel="noopener">here</a> if you want to get more information on how to install the rewrite module.<br /><br />
        After that, please <a href="' . PH7_URL_ROOT . '">retry</a>.</p>';

        echo html_body("Apache's mod_rewrite is required", $sMsg);
    }
}


1			<?php
			0 ignored issues – show Coding Style Compatibility introduced 2017-04-19 19:08 UTC by Report Bug Copy Issue Report Show Similar Issues like this For compatibility and reusability of your code, PSR1 recommends that a file should introduce either new symbols (like classes, functions, etc.) or have side-effects (like outputting something, or including other files), but not both at the same time. The first symbol is defined on line 32 and the first side effect is on line 12. The PSR-1: Basic Coding Standard recommends that a file should either introduce new symbols, that is classes, functions, constants or similar, or have side effects. Side effects are anything that executes logic, like for example printing output, changing ini settings or writing to a file. The idea behind this recommendation is that merely auto-loading a class should not change the state of an application. It also promotes a cleaner style of programming and makes your code less prone to errors, because the logic is not spread out all over the place. To learn more about the PSR-1, please see the PHP-FIG site on the PSR-1. Loading history...
2			/**
3			* @author Pierre-Henry Soria <[email protected]>
4			* @copyright (c) 2012-2019, Pierre-Henry Soria. All Rights Reserved.
5			* @license GNU General Public License; See PH7.LICENSE.txt and PH7.COPYRIGHT.txt in the root directory.
6			* @link http://ph7cms.com
7			* @package PH7 / App / Core
8			*/
9
10			namespace PH7;
11
12			defined('PH7') or exit('Restricted access');
13
14			use Exception;
15			use PH7\App\Includes\Classes\Loader\Autoloader as AppLoader;
16			use PH7\Framework\Config\Config;
17			use PH7\Framework\Config\FileNotFoundException;
18			use PH7\Framework\Core\Kernel;
19			use PH7\Framework\Error\CException as Except;
20			use PH7\Framework\File\Import;
			0 ignored issues – show Bug introduced 2017-07-03 19:29 UTC by Report Bug Copy Issue Report Show Similar Issues like this This use statement conflicts with another class in this namespace, `PH7\Import`. Let’s assume that you have a directory layout like this: . \|-- OtherDir \| \|-- Bar.php \| `-- Foo.php `-- SomeDir `-- Foo.php and let’s assume the following content of `Bar.php`: // Bar.php namespace OtherDir; use SomeDir\Foo; // This now conflicts the class OtherDir\Foo If both files `OtherDir/Foo.php` and `SomeDir/Foo.php` are loaded in the same runtime, you will see a PHP error such as the following: PHP Fatal error: Cannot use SomeDir\Foo as Foo because the name is already in use in OtherDir/Foo.php However, as `OtherDir/Foo.php` does not necessarily have to be loaded and the error is only triggered if it is loaded before `OtherDir/Bar.php`, this problem might go unnoticed for a while. In order to prevent this error from surfacing, you must import the namespace with a different alias: // Bar.php namespace OtherDir; use SomeDir\Foo as SomeDirFoo; // There is no conflict anymore. Loading history...
21			use PH7\Framework\Loader\Autoloader as FrameworkLoader;
22			use PH7\Framework\Mvc\Router\FrontController;
23			use PH7\Framework\Navigation\Browser;
24			use PH7\Framework\Registry\Registry;
25			use PH7\Framework\Server\Environment as Env;
26			use PH7\Framework\Server\Server;
27
28			/* Begin Loading Files */
29			require 'configs/constants.php';
30			require 'includes/helpers/misc.php';
31
32			class Bootstrap
33			{
34			/**
35			* @var Bootstrap $oInstance
36			*/
37			private static $oInstance = null;
38
39			/**
40			* Set constructor/cloning to private since it's a singleton class.
41			*/
42			private function __construct() {}
43			private function __clone() {}
44
45			/**
46			* Get instance of class.
47			*
48			* @return Bootstrap Returns the instance class or create initial instance of the class.
49			*/
50			public static function getInstance()
51			{
52			return null === static::$oInstance ? static::$oInstance = new static : static::$oInstance;
			0 ignored issues – show Bug introduced 2017-02-18 20:34 UTC by Report Bug Copy Issue Report Show Similar Issues like this Since `$oInstance` is declared private, accessing it with `static` will lead to errors in possible sub-classes; consider using `self`, or increasing the visibility of `$oInstance` to at least protected. Let’s assume you have a class which uses late-static binding: class YourClass { private static $someVariable; public static function getSomeVariable() { return static::$someVariable; } } The code above will run fine in your PHP runtime. However, if you now create a sub-class and call the `getSomeVariable()` on that sub-class, you will receive a runtime error: class YourSubClass extends YourClass { } YourSubClass::getSomeVariable(); // Will cause an access error. In the case above, it makes sense to update `SomeClass` to use `self` instead: class SomeClass { private static $someVariable; public static function getSomeVariable() { return self::$someVariable; // self works fine with private. } } Loading history...
53			}
54
55			/**
56			* Set a default timezone if it is not already configured in environment.
57			*
58			* @return void
59			*/
60			public function setTimezoneIfNotSet()
61			{
62			if (!ini_get('date.timezone')) {
63			ini_set('date.timezone', PH7_DEFAULT_TIMEZONE);
64			}
65			}
66
67			/**
68			* Initialize the app, load the files and launch the main FrontController router.
69			*
70			* @return void
71			*
72			* @throws Exception
73			* @throws Except\PH7Exception
74			* @throws Except\UserException
75			* @throws FileNotFoundException
76			*/
77			public function run()
78			{
79			try {
80			$this->loadInitFiles();
81
82			//** Temporary code. In the near future, pH7CMS will be usable without mod_rewrite
83			if (!Server::isRewriteMod()) {
			0 ignored issues – show Bug Best Practice introduced 2017-02-18 20:34 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `\PH7\Framework\Server\Server::isRewriteMod()` of type `null\|boolean` is loosely compared to `false`; this is ambiguous if the boolean can be false. You might want to explicitly use `!== null` instead. If an expression can have both `false`, and `null` as possible values. It is generally a good practice to always use strict comparison to clearly distinguish between those two values. $a = canBeFalseAndNull(); // Instead of if ( ! $a) { } // Better use one of the explicit versions: if ($a !== null) { } if ($a !== false) { } if ($a !== null && $a !== false) { } Loading history...
84			$this->notRewriteModEnabledError();
85			exit;
			0 ignored issues – show Coding Style Compatibility introduced 2017-02-18 20:34 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `run()` contains an exit expression. An exit expression should only be used in rare cases. For example, if you write a short command line script. In most cases however, using an `exit` expression makes the code untestable and often causes incompatibilities with other libraries. Thus, unless you are absolutely sure it is required here, we recommend to refactor your code to avoid its usage. Loading history...
86			} //*/
87
88			// Enable client browser cache
89			(new Browser)->cache();
90
91			new Server; // Start Server
92
93			$this->startPageBenchmark();
94			//Framework\Compress\Compress::setZlipCompression();
			0 ignored issues – show Unused Code Comprehensibility introduced 2018-01-24 11:56 UTC by Report Bug Copy Issue Report Show Similar Issues like this `67%` of this comment could be valid code. Did you maybe forget this after debugging? Sometimes obsolete code just ends up commented out instead of removed. In this case it is better to remove the code once you have checked you do not need it. The code might also have been commented out for debugging purposes. In this case it is vital that someone uncomments it again or your project may behave in very unexpected ways in production. This check looks for comments that seem to be mostly valid code and reports them. Loading history...
95
96			// Initialize the FrontController, we are asking the front controller to process the HTTP request
97			FrontController::getInstance()->runRouter();
98			/** TODO: When pH7CMS will support PHP 7.1
99			} catch (FileNotFoundException \| Except\UserException $oE) {
100			//*/
101			} catch (FileNotFoundException $oE) {
102			echo $oE->getMessage();
103			} catch (Except\UserException $oE) {
104			echo $oE->getMessage(); // Simple User Error with Exception
105			} catch (Except\PH7Exception $oE) {
106			Except\PH7Exception::launch($oE);
107			} catch (Exception $oE) {
108			Except\PH7Exception::launch($oE);
109			} finally {
110			$this->closeAppSession();
111			}
112			}
113
114			/**
115			* Load all necessary files for running the app.
116			*
117			* @return void
118			*/
119			private function loadInitFiles()
120			{
121			// Load Framework Classes
122			require PH7_PATH_FRAMEWORK . 'Loader/Autoloader.php';
123			FrameworkLoader::getInstance()->init();
124
125			/ Loading configuration files environments /
126			// For All environment
127			Import::file(PH7_PATH_APP . 'configs/environment/all.env');
128			// Specific to the current environment
129			Import::file(PH7_PATH_APP . 'configs/environment/' . Env::getFileName(Config::getInstance()->values['mode']['environment']));
130
131			// Load Class ~/protected/app/includes/classes/*
132			Import::pH7App('includes.classes.Loader.Autoloader');
133			AppLoader::getInstance()->init();
134
135			// Load Debug class
136			Import::pH7FwkClass('Error.Debug');
137
138			// Load String Class
139			Import::pH7FwkClass('Str.Str');
140
141			/* Structure/General.class.php functions are not currently used */
142			// Import::pH7FwkClass('Structure.General');
			0 ignored issues – show Unused Code Comprehensibility introduced 2017-02-18 20:34 UTC by Report Bug Copy Issue Report Show Similar Issues like this `63%` of this comment could be valid code. Did you maybe forget this after debugging? Sometimes obsolete code just ends up commented out instead of removed. In this case it is better to remove the code once you have checked you do not need it. The code might also have been commented out for debugging purposes. In this case it is vital that someone uncomments it again or your project may behave in very unexpected ways in production. This check looks for comments that seem to be mostly valid code and reports them. Loading history...
143			}
144
145			/**
146			* Initialize the benchmark time. It is calculated in Framework\Layout\Html\Design::stat()
147			*
148			* @return void
149			*/
150			private function startPageBenchmark()
151			{
152			Registry::getInstance()->start_time = microtime(true);
			0 ignored issues – show Documentation introduced 2017-07-03 19:29 UTC by Report Bug Copy Issue Report Show Similar Issues like this The property `start_time` does not exist on `object<PH7\Framework\Registry\Registry>`. Since you implemented `__set`, maybe consider adding a @property annotation. Since your code implements the magic setter `_set`, this function will be called for any write access on an undefined variable. You can add the `@property` annotation to your class or interface to document the existence of this variable. <?php /** * @property int $x * @property int $y * @property string $text */ class MyLabel { private $properties; private $allowedProperties = array('x', 'y', 'text'); public function __get($name) { if (isset($properties[$name]) && in_array($name, $this->allowedProperties)) { return $properties[$name]; } else { return null; } } public function __set($name, $value) { if (in_array($name, $this->allowedProperties)) { $properties[$name] = $value; } else { throw new \LogicException("Property $name is not defined."); } } } Since the property has write access only, you can use the @property-write annotation instead. Of course, you may also just have mistyped another name, in which case you should fix the error. See also the PhpDoc documentation for @property. Loading history...
153			}
154
155			/**
156			* If sessions status are enabled, writes session data and ends session.
157			*
158			* @return void
159			*/
160			private function closeAppSession()
161			{
162			if (session_status() === PHP_SESSION_ACTIVE) {
163			session_write_close();
164			}
165			}
166
167			/**
168			* Display an error message if the Apache mod_rewrite is not enabled.
169			*
170			* @return void HTML output.
171			*/
172			private function notRewriteModEnabledError()
173			{
174			$sMsg = '<p class="warning"><a href="' . Kernel::SOFTWARE_WEBSITE . '">pH7CMS</a> requires Apache "mod_rewrite".</p>
175			<p>Firstly, please <strong>make sure the ".htaccess" file has been uploaded to the root directory where pH7CMS is installed</strong>. If not, use your FTP client (such as Filezilla) and upload it again from pH7CMS unziped package and try again.<br />
176			Secondly, please <strong>make sure "mod_rewrite" is correctly installed</strong>.<br /> Click <a href="http://ph7cms.com/doc/en/how-to-install-rewrite-module" target="_blank" rel="noopener">here</a> if you want to get more information on how to install the rewrite module.<br /><br />
177			After that, please <a href="' . PH7_URL_ROOT . '">retry</a>.</p>';
178
179			echo html_body("Apache's mod_rewrite is required", $sMsg);
180			}
181			}
182

pH7Software / pH7-Social-Dating-CMS

Issues (3445)

Security Analysis not enabled

_protected/app/Bootstrap.php (8 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like