Issues in YmlCatalog.php (master) - Issues in master - pastuhov/yii2-yml-catalog - Measure and Improve Code Quality continuously with Scrutinizer

Issues (18)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/YmlCatalog.php (6 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
namespace pastuhov\ymlcatalog;

use pastuhov\ymlcatalog\models\BaseModel;
use pastuhov\ymlcatalog\models\Category;
use pastuhov\ymlcatalog\models\Currency;
use pastuhov\ymlcatalog\models\LocalDeliveryCost;
use pastuhov\ymlcatalog\models\Shop;
use pastuhov\ymlcatalog\models\SimpleOffer;
use pastuhov\ymlcatalog\models\DeliveryOption;
use Yii;
use pastuhov\FileStream\BaseFileStream;
use yii\base\Exception;
use yii\data\ActiveDataProvider;
use yii\db\ActiveQuery;

/**
 * Yml генератор каталога.
 *
 * @package pastuhov\ymlcatalog
 */
class YmlCatalog
{
    /**
     * @var BaseFileStream
     */
    protected $handle;
    /**
     * @var string
     */
    protected $shopClass;
    /**
     * @var string
     */
    protected $currencyClass;
    /**
     * @var string
     */
    protected $categoryClass;
    /**
     * @var null|string
     */
    protected $localDeliveryCostClass;
    /**
     * @var string
     */
    protected $offerClass;
    /**
     * @var null|string
     */
    protected $date;

    /**
     * @var null|callable
     */
    protected $onValidationError;

    /**
     * @var null|string
     */
    protected $customOfferClass;

    /**
     * @var null|string
     */
    protected $customCategoryClass;

    /**
     * @var null|string
     */
    protected $deliveryOptionClass;

    /**
     * @param BaseFileStream $handle
     * @param string $shopClass class name
     * @param string $currencyClass class name
     * @param string $categoryClass class name
     * @param string $localDeliveryCostClass class name
     * @param string[] $offerClasses
     * @param null|string $date
     * @param null|callable $onValidationError
     * @param null|string $customOfferClass
     * @param null|string $customCategoryClass
     * @param string $deliveryOptionClass
     */
    public function __construct(
        BaseFileStream $handle,
        $shopClass,
        $currencyClass,
        $categoryClass,
        $localDeliveryCostClass = null,
        Array $offerClasses,
        $date = null,
        $onValidationError = null,
        $customOfferClass = null,
        $deliveryOptionClass = null,
        $customCategoryClass = null
    ) {
        $this->handle = $handle;
        $this->shopClass = $shopClass;
        $this->currencyClass = $currencyClass;
        $this->categoryClass = $categoryClass;
        $this->localDeliveryCostClass = $localDeliveryCostClass;
        $this->offerClasses = $offerClasses;

        $this->date = $date;
        $this->onValidationError = $onValidationError;
        $this->customOfferClass = $customOfferClass;
        $this->deliveryOptionClass = $deliveryOptionClass;
        $this->customCategoryClass = $customCategoryClass;
    }

    /**
     * @throws Exception
     */
    public function generate()
    {
        $date = $this->getDate();

        $this->write(
            '<?xml version="1.0" encoding="utf-8"?>' . PHP_EOL .
            '<!DOCTYPE yml_catalog SYSTEM "shops.dtd">' . PHP_EOL .
            '<yml_catalog date="' . $date . '">' . PHP_EOL
        );

        $this->writeTag('shop');
        $this->writeModel(new Shop(), new $this->shopClass());
        $this->writeTag('currencies');
        $this->writeEachModel($this->currencyClass);
        $this->writeTag('/currencies');
        $this->writeTag('categories');
        $this->writeEachModel($this->categoryClass);
        $this->writeTag('/categories');
        if($this->deliveryOptionClass) {
''   == false // true
''   == null  // true
'ab' == false // false
'ab' == null  // false

// It is often better to use strict comparison
'' === false // false
'' === null  // false
            $this->writeTag('delivery-options');
            $this->writeModel(new DeliveryOption(), \Yii::createObject($this->deliveryOptionClass));
            $this->writeTag('/delivery-options');
        }
        if($this->localDeliveryCostClass) {
''   == false // true
''   == null  // true
'ab' == false // false
'ab' == null  // false

// It is often better to use strict comparison
'' === false // false
'' === null  // false
            $this->writeModel(new LocalDeliveryCost(), \Yii::createObject($this->localDeliveryCostClass));

        }
        $this->writeTag('offers');
        foreach ($this->offerClasses as $offerClass) {

            $this->writeEachModel($offerClass);
        }
        $this->writeTag('/offers');
        $this->writeTag('/shop');

        $this->write('</yml_catalog>');
    }

    /**
     * @return null|string
     */
    protected function getDate()
    {
        $date = $this->date;

        if ($date === null) {
            $date = Yii::$app->formatter->asDatetime(new \DateTime(), 'php:Y-m-d H:i');
        }

        return $date;
    }

    /**
     * @param string $string
     * @throws \Exception
     */
    protected function write($string)
    {
        $this->handle->write($string);
    }

    /**
     * @param string $string tag name
     */
    protected function writeTag($string)
    {
        $this->write('<' . $string . '>' . PHP_EOL);
    }

    /**
     * @param BaseModel $model
     * @param $valuesModel
     * @throws Exception
     */
    protected function writeModel(BaseModel $model, $valuesModel)
    {
        if (method_exists($valuesModel, 'getParams')) {
            $model->setParams($valuesModel->getParams());
        }
        if (method_exists($valuesModel, 'getPictures')) {
            $model->setPictures($valuesModel->getPictures());
        }
        if(method_exists($valuesModel, 'getDeliveryOptions')) {
            $model->setDeliveryOptions($valuesModel->getDeliveryOptions());
        }

        if($model->loadModel($valuesModel, $this->onValidationError)) {
/**
 * @return array|string
 */
function returnsDifferentValues($x) {
    if ($x) {
        return 'foo';
    }

    return array();
}

$x = returnsDifferentValues($y);
if (is_array($x)) {
    // $x is an array.
}
            $string = $model->getYml();
            $this->write($string);
        }
    }

    /**
     * @param string|array $modelClass class name or yii configuration array. You can also set params:
     *      `findParams`:   array of additional find params;
     *      `query`:        ActiveQuery object to generate yml use already created object;
     *      `dataProvider`: ActiveDataProvider or true to generate yml with pagination;
     */
    protected function writeEachModel($modelClass)
    {
        /**
         * @var mixed
         */
        $findParams = [];

        /**
         * @var ActiveQuery
         */
        $query = null;

        /**
         * @var ActiveDataProvider
         */
        $dataProvider = null;

        if (is_array($modelClass)) {
            foreach (['findParams', 'query', 'dataProvider'] as $name) {
                if (array_key_exists($name, $modelClass)) {
                    $$name = $modelClass[$name];
                    unset($modelClass[$name]);
                }
            }
        }

        /**
         * @var BaseFindYmlInterface $class
         */
        $class = \Yii::createObject($modelClass);

        /**
         * @var ReaderInterface
         */
        $reader = ReaderFactory::build(
            $class,
            $dataProvider,
            $query,
            $findParams
        );

        $newModel = $this->getNewModel($class);

        foreach ($reader as $models) {
            foreach ($models as $model) {
                $this->writeModel($newModel, $model);
            }
            $this->gc();
        }
    }

    /**
     * @param BaseFindYmlInterface $modelClass
     * @return Category|Currency|SimpleOffer
     * @throws Exception
     */
    protected function getNewModel($modelClass)
    {
        $obj = is_object($modelClass) ? $modelClass : \Yii::createObject($modelClass);

        if ($obj instanceof CurrencyInterface) {
            $model = new Currency();
        } elseif ($obj instanceof CustomCategoryInterface && !empty($this->customCategoryClass) && class_exists($this->customCategoryClass)) {
            $model = \Yii::createObject($this->customCategoryClass);
        } elseif ($obj instanceof CategoryInterface) {
            $model = new Category();
        } elseif ($obj instanceof CustomOfferInterface && $this->customOfferClass !== null && class_exists($this->customOfferClass)) {
            $model = \Yii::createObject($this->customOfferClass);
        } elseif ($obj instanceof SimpleOfferInterface) {
            $model = new SimpleOffer();
        } else {
            throw new Exception('Model ' . get_class($obj) . ' has unknown interface');
        }

        return $model;
    }

    /**
     * Performs PHP memory garbage collection.
     */
    protected function gc()
    {
        if (!gc_enabled()) {
            gc_enable();
        }
        gc_collect_cycles();
    }
}


1		<?php
2		namespace pastuhov\ymlcatalog;
3
4		use pastuhov\ymlcatalog\models\BaseModel;
5		use pastuhov\ymlcatalog\models\Category;
6		use pastuhov\ymlcatalog\models\Currency;
7		use pastuhov\ymlcatalog\models\LocalDeliveryCost;
8		use pastuhov\ymlcatalog\models\Shop;
9		use pastuhov\ymlcatalog\models\SimpleOffer;
10		use pastuhov\ymlcatalog\models\DeliveryOption;
11		use Yii;
12		use pastuhov\FileStream\BaseFileStream;
13		use yii\base\Exception;
14		use yii\data\ActiveDataProvider;
15		use yii\db\ActiveQuery;
16
17		/**
18		* Yml генератор каталога.
19		*
20		* @package pastuhov\ymlcatalog
21		*/
22		class YmlCatalog
23		{
24		/**
25		* @var BaseFileStream
26		*/
27		protected $handle;
28		/**
29		* @var string
30		*/
31		protected $shopClass;
32		/**
33		* @var string
34		*/
35		protected $currencyClass;
36		/**
37		* @var string
38		*/
39		protected $categoryClass;
40		/**
41		* @var null\|string
42		*/
43		protected $localDeliveryCostClass;
44		/**
45		* @var string
46		*/
47		protected $offerClass;
48		/**
49		* @var null\|string
50		*/
51		protected $date;
52
53		/**
54		* @var null\|callable
55		*/
56		protected $onValidationError;
57
58		/**
59		* @var null\|string
60		*/
61		protected $customOfferClass;
62
63		/**
64		* @var null\|string
65		*/
66		protected $customCategoryClass;
67
68		/**
69		* @var null\|string
70		*/
71		protected $deliveryOptionClass;
72
73		/**
74		* @param BaseFileStream $handle
75		* @param string $shopClass class name
76		* @param string $currencyClass class name
77		* @param string $categoryClass class name
78		* @param string $localDeliveryCostClass class name
79	5	* @param string[] $offerClasses
80		* @param null\|string $date
81		* @param null\|callable $onValidationError
82		* @param null\|string $customOfferClass
83		* @param null\|string $customCategoryClass
84		* @param string $deliveryOptionClass
85		*/
86		public function __construct(
87		BaseFileStream $handle,
88		$shopClass,
89		$currencyClass,
90		$categoryClass,
91	5	$localDeliveryCostClass = null,
92	5	Array $offerClasses,
93	5	$date = null,
94	5	$onValidationError = null,
95	5	$customOfferClass = null,
96	5	$deliveryOptionClass = null,
97	5	$customCategoryClass = null
98	5	) {
99	5	$this->handle = $handle;
100	5	$this->shopClass = $shopClass;
101	5	$this->currencyClass = $currencyClass;
102		$this->categoryClass = $categoryClass;
103		$this->localDeliveryCostClass = $localDeliveryCostClass;
104		$this->offerClasses = $offerClasses;
		0 ignored issues – show Bug introduced 2016-01-15 12:20 UTC by Report Bug Copy Issue Report Show Similar Issues like this The property `offerClasses` does not seem to exist. Did you mean `offerClass`? An attempt at access to an undefined property has been detected. This may either be a typographical error or the property has been renamed but there are still references to its old name. If you really want to allow access to undefined properties, you can define magic methods to allow access. See the php core documentation on Overloading. Loading history...
105		$this->date = $date;
106	5	$this->onValidationError = $onValidationError;
107		$this->customOfferClass = $customOfferClass;
108	5	$this->deliveryOptionClass = $deliveryOptionClass;
109		$this->customCategoryClass = $customCategoryClass;
110	5	}
111	5
112	5	/**
113	5	* @throws Exception
114	5	*/
115		public function generate()
116	5	{
117	5	$date = $this->getDate();
118	5
119	5	$this->write(
120	5	'<?xml version="1.0" encoding="utf-8"?>' . PHP_EOL .
121	5	'<!DOCTYPE yml_catalog SYSTEM "shops.dtd">' . PHP_EOL .
122	5	'<yml_catalog date="' . $date . '">' . PHP_EOL
123	5	);
124	5
125	4	$this->writeTag('shop');
126	4	$this->writeModel(new Shop(), new $this->shopClass());
127	4	$this->writeTag('currencies');
128	4	$this->writeEachModel($this->currencyClass);
129	5	$this->writeTag('/currencies');
130	1	$this->writeTag('categories');
131	1	$this->writeEachModel($this->categoryClass);
132	5	$this->writeTag('/categories');
133	5	if($this->deliveryOptionClass) {
		0 ignored issues – show Bug Best Practice introduced 2016-08-23 05:49 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `$this->deliveryOptionClass` of type `null\|string` is loosely compared to `true`; this is ambiguous if the string can be empty. You might want to explicitly use `!== null` instead. In PHP, under loose comparison (like `==`, or `!=`, or `switch` conditions), values of different types might be equal. For `string` values, the empty string `''` is a special case, in particular the following results might be unexpected: '' == false // true '' == null // true 'ab' == false // false 'ab' == null // false // It is often better to use strict comparison '' === false // false '' === null // false Loading history...
134	5	$this->writeTag('delivery-options');
135	4	$this->writeModel(new DeliveryOption(), \Yii::createObject($this->deliveryOptionClass));
136	4	$this->writeTag('/delivery-options');
137	4	}
138		if($this->localDeliveryCostClass) {
		0 ignored issues – show Bug Best Practice introduced 2016-08-23 05:49 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `$this->localDeliveryCostClass` of type `null\|string` is loosely compared to `true`; this is ambiguous if the string can be empty. You might want to explicitly use `!== null` instead. In PHP, under loose comparison (like `==`, or `!=`, or `switch` conditions), values of different types might be equal. For `string` values, the empty string `''` is a special case, in particular the following results might be unexpected: '' == false // true '' == null // true 'ab' == false // false 'ab' == null // false // It is often better to use strict comparison '' === false // false '' === null // false Loading history...
139	4	$this->writeModel(new LocalDeliveryCost(), \Yii::createObject($this->localDeliveryCostClass));
		0 ignored issues – show Deprecated Code introduced 2016-08-23 06:53 UTC by Report Bug Copy Issue Report Show Similar Issues like this The class `pastuhov\ymlcatalog\models\LocalDeliveryCost` has been deprecated. This class, trait or interface has been deprecated. Loading history...
140	4	}
141		$this->writeTag('offers');
142		foreach ($this->offerClasses as $offerClass) {
		0 ignored issues – show Bug introduced 2016-01-15 12:20 UTC by Report Bug Copy Issue Report Show Similar Issues like this The property `offerClasses` does not seem to exist. Did you mean `offerClass`? An attempt at access to an undefined property has been detected. This may either be a typographical error or the property has been renamed but there are still references to its old name. If you really want to allow access to undefined properties, you can define magic methods to allow access. See the php core documentation on Overloading. Loading history...
143		$this->writeEachModel($offerClass);
144		}
145	5	$this->writeTag('/offers');
146		$this->writeTag('/shop');
147	5
148		$this->write('</yml_catalog>');
149	5	}
150	1
151	1	/**
152		* @return null\|string
153	5	*/
154		protected function getDate()
155		{
156		$date = $this->date;
157
158		if ($date === null) {
159		$date = Yii::$app->formatter->asDatetime(new \DateTime(), 'php:Y-m-d H:i');
160	5	}
161
162	5	return $date;
163	5	}
164
165		/**
166		* @param string $string
167		* @throws \Exception
168	5	*/
169		protected function write($string)
170	5	{
171	5	$this->handle->write($string);
172		}
173
174		/**
175		* @param string $string tag name
176		*/
177		protected function writeTag($string)
178	5	{
179		$this->write('<' . $string . '>' . PHP_EOL);
180	5	}
181	5
182	5	/**
183	5	* @param BaseModel $model
184	5	* @param $valuesModel
185	5	* @throws Exception
186	5	*/
187	5	protected function writeModel(BaseModel $model, $valuesModel)
188	5	{
189		if (method_exists($valuesModel, 'getParams')) {
190	5	$model->setParams($valuesModel->getParams());
191	5	}
192	5	if (method_exists($valuesModel, 'getPictures')) {
193	5	$model->setPictures($valuesModel->getPictures());
194	5	}
195		if(method_exists($valuesModel, 'getDeliveryOptions')) {
196		$model->setDeliveryOptions($valuesModel->getDeliveryOptions());
197		}
198
199		if($model->loadModel($valuesModel, $this->onValidationError)) {
		0 ignored issues – show Bug introduced 2016-09-15 06:16 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `$this->onValidationError` can also be of type `callable`; however, `pastuhov\ymlcatalog\models\BaseModel::loadModel()` does only seem to accept `null`, maybe add an additional type check? If a method or function can return multiple different values and unless you are sure that you only can receive a single value in this context, we recommend to add an additional type check: /** * @return array\|string */ function returnsDifferentValues($x) { if ($x) { return 'foo'; } return array(); } $x = returnsDifferentValues($y); if (is_array($x)) { // $x is an array. } If this a common case that PHP Analyzer should handle natively, please let us know by opening an issue. Loading history...
200		$string = $model->getYml();
201		$this->write($string);
202	5	}
203		}
204
205		/**
206		* @param string\|array $modelClass class name or yii configuration array. You can also set params:
207	5	* `findParams`: array of additional find params;
208		* `query`: ActiveQuery object to generate yml use already created object;
209		* `dataProvider`: ActiveDataProvider or true to generate yml with pagination;
210		*/
211		protected function writeEachModel($modelClass)
212	5	{
213		/**
214		* @var mixed
215		*/
216		$findParams = [];
217	5
218		/**
219	5	* @var ActiveQuery
220	4	*/
221	4	$query = null;
222	4
223	4	/**
224	4	* @var ActiveDataProvider
225	4	*/
226	4	$dataProvider = null;
227
228		if (is_array($modelClass)) {
229		foreach (['findParams', 'query', 'dataProvider'] as $name) {
230		if (array_key_exists($name, $modelClass)) {
231	5	$$name = $modelClass[$name];
232		unset($modelClass[$name]);
233		}
234		}
235		}
236	5
237	5	/**
238	5	* @var BaseFindYmlInterface $class
239	5	*/
240		$class = \Yii::createObject($modelClass);
241	5
242		/**
243	5	* @var ReaderInterface
244		*/
245	5	$reader = ReaderFactory::build(
246	5	$class,
247	5	$dataProvider,
248	5	$query,
249	5	$findParams
250	5	);
251	5
252		$newModel = $this->getNewModel($class);
253
254		foreach ($reader as $models) {
255		foreach ($models as $model) {
256		$this->writeModel($newModel, $model);
257		}
258	5	$this->gc();
259		}
260	5	}
261
262	5	/**
263	5	* @param BaseFindYmlInterface $modelClass
264	5	* @return Category\|Currency\|SimpleOffer
265	5	* @throws Exception
266	5	*/
267	1	protected function getNewModel($modelClass)
268	5	{
269	4	$obj = is_object($modelClass) ? $modelClass : \Yii::createObject($modelClass);
270	4
271		if ($obj instanceof CurrencyInterface) {
272		$model = new Currency();
273		} elseif ($obj instanceof CustomCategoryInterface && !empty($this->customCategoryClass) && class_exists($this->customCategoryClass)) {
274	5	$model = \Yii::createObject($this->customCategoryClass);
275		} elseif ($obj instanceof CategoryInterface) {
276		$model = new Category();
277		} elseif ($obj instanceof CustomOfferInterface && $this->customOfferClass !== null && class_exists($this->customOfferClass)) {
278		$model = \Yii::createObject($this->customOfferClass);
279		} elseif ($obj instanceof SimpleOfferInterface) {
280	5	$model = new SimpleOffer();
281		} else {
282	5	throw new Exception('Model ' . get_class($obj) . ' has unknown interface');
283		}
284
285	5	return $model;
286	5	}
287
288		/**
289		* Performs PHP memory garbage collection.
290		*/
291		protected function gc()
292		{
293		if (!gc_enabled()) {
294		gc_enable();
295		}
296		gc_collect_cycles();
297		}
298		}
299

pastuhov / yii2-yml-catalog

Issues (18)

Security Analysis no request data

src/YmlCatalog.php (6 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like