Issues in FileOperationTrait.php (master) - Issues in master - phootwork/file - Measure and Improve Code Quality continuously with Scrutinizer

Issues (3)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

FileOperationTrait.php (3 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
namespace phootwork\file;

use \DateTime;
use phootwork\file\exception\FileException;

trait FileOperationTrait {

	/** @var string */
	protected $pathname;

	/**
	 * Static instantiator
	 *
	 * @param string $pathname
	 * @return static
	 */
	public static function create($pathname) {
		return new static($pathname);
	}

	protected function init($pathname) {
		$this->pathname = ''.$pathname; // "cast" to string
	}

	/**
	 * Returns the file extensions
	 *
	 * @return string the file extension
	 */
	public function getExtension() {
		return pathinfo($this->pathname, PATHINFO_EXTENSION);
	}

	/**
	 * Returns the filename
	 *
	 * @return string the filename
	 */
	public function getFilename() {
		return basename($this->pathname);
	}

	/**
	 * Gets the path without filename
	 *
	 * @return string
	 */
	public function getDirname() {
		return dirname($this->pathname);
	}

	/**
	 * Gets the path to the file
	 *
	 * @return string
	 */
	public function getPathname() {
		return $this->pathname;
	}

	/**
	 * Converts the path into a path object
	 *
	 * @return Path
	 */
	public function toPath() {
		return new Path($this->pathname);
	}

	/**
	 * Gets last access time.
	 *
	 * @return DateTime
	 */
	public function getLastAccessedAt() {
		$timestamp = fileatime($this->pathname);
		$time = new DateTime();
		$time->setTimestamp($timestamp);
		return $time;
	}

	/**
	 * Gets the created time.
	 *
	 * @return DateTime
	 */
	public function getCreatedAt() {
		$timestamp = filemtime($this->pathname);
		$time = new DateTime();
		$time->setTimestamp($timestamp);
		return $time;
	}

	/**
	 * Gets last modified time.
	 *
	 * @return DateTime
	 */
	public function getModifiedAt() {
		$timestamp = filemtime($this->pathname);
		$time = new DateTime();
		$time->setTimestamp($timestamp);
		return $time;
	}

	/**
	 * Gets file inode
	 *
	 * @return int Returns the inode number of the file, or FALSE on failure.
	 */
	public function getInode() {
		return fileinode($this->pathname);
	}

	/**
	 * Gets file group
	 *
	 * @return int Returns the group ID, or FALSE if an error occurs.
	 */
	public function getGroup() {
		return filegroup($this->pathname);
	}

	/**
	 * Gets file owner
	 *
	 * @return int Returns the user ID of the owner, or FALSE on failure.
	 */
	public function getOwner() {
		return fileowner($this->pathname);
	}

	/**
	 * Gets file permissions
	 *
	 * @return int Returns the file's permissions as a numeric mode. Lower bits of this
	 * 		mode are the same as the permissions expected by chmod(), however on most platforms
	 * 		the return value will also include information on the type of file given as filename.
	 * 		The examples below demonstrate how to test the return value for specific permissions
	 * 		and file types on POSIX systems, including Linux and Mac OS X.
	 */
	public function getPermissions() {
		return fileperms($this->pathname);
	}

	/**
	 * Checks its existance
	 *
	 * @return boolean Returns TRUE if exists; FALSE otherwise. Will return FALSE for symlinks
	 * 		pointing to non-existing files.
	 */
	public function exists() {
		return file_exists($this->pathname);
	}

	/**
	 * Tells whether is executable
	 *
	 * @return boolean Returns TRUE if exists and is executable.
	 */
	public function isExecutable() {
		return is_executable($this->pathname);
	}

	/**
	 * Tells whether is readable
	 *
	 * @return boolean Returns TRUE if exists and is readable.
	 */
	public function isReadable() {
		return is_readable($this->pathname);
	}

	/**
	 * Tells whether is writable
	 *
	 * @return boolean Returns TRUE if exists and is writable.
	 */
	public function isWritable() {
		return is_writable($this->pathname);
	}

	/**
	 * Tells whether the filename is a symbolic link
	 *
	 * @return boolean Returns TRUE if the filename exists and is a symbolic link, FALSE otherwise.
	 */
	public function isLink() {
		return is_link($this->pathname);
	}

	/**
	 * Returns the target if this is a symbolic link
	 *
	 * @see #isLink
	 * @return Path|null The target path or null if this isn't a link
	 */
	public function getLinkTarget() {
		if ($this->isLink()) {
			return new Path(readlink($this->pathname));
		}
		return null;
	}

	/**
	 * Attempts to change the group.
	 *
	 * Only the superuser may change the group arbitrarily; other users may
	 * change the group of a file to any group of which that user is a member.
	 *
	 * @param mixed $group A group name or number.
	 * @return boolean Returns TRUE on success or FALSE on failure.
	 */
	public function setGroup($group) {
		if ($this->isLink()) {
			return lchgrp($this->pathname, $group);
		} else {
			return chgrp($this->pathname, $group);
		}
	}

	/**
	 * Attempts to change the mode.
	 *
	 * @see #setGroup
	 * @see #setOwner
	 *
	 * @param int $mode
	 * 		Note that mode is not automatically assumed to be an octal value, so strings
	 * 		(such as "g+w") will not work properly. To ensure the expected operation, you
	 * 		need to prefix mode with a zero (0).
	 *
	 * @return boolean Returns TRUE on success or FALSE on failure.
	 */
	public function setMode($mode) {
		if ($this->isLink()) {
			return lchmod($this->pathname, $mode);
		} else {
			return chmod($this->pathname, $mode);
		}
	}

	/**
	 * Changes file owner
	 *
	 * Attempts to change the owner. Only the superuser may change the owner of a file.
	 *
	 * @param mixed $user A user name or number.
	 * @return boolean Returns TRUE on success or FALSE on failure.
	 */
	public function setOwner($user) {
		if ($this->isLink()) {
			return lchown($this->pathname, $user);
		} else {
			return chown($this->pathname, $user);
		}
	}

	/**
	 * Copies the file
	 *
	 * If the destination file already exists, it will be overwritten.
	 *
	 * @throws FileException When an error appeared.
	 * @param string|Path $destination The destination path.
	 */
	public function copy($destination) {
		$destination = $this->getDestination($destination);
/**
 * @return array|string
 */
function returnsDifferentValues($x) {
    if ($x) {
        return 'foo';
    }

    return array();
}

$x = returnsDifferentValues($y);
if (is_array($x)) {
    // $x is an array.
}

		if (!@copy($this->getPathname(), $destination)) {
			throw new FileException(sprintf('Failed to copy %s to %s', $this->pathname, $destination));
		}
	}

	/**
	 * Moves the file
	 *
	 * @throws FileException When an error appeared.
	 * @param string|Path $destination
	 */
	public function move($destination) {
		$destination = $this->getDestination($destination);
/**
 * @return array|string
 */
function returnsDifferentValues($x) {
    if ($x) {
        return 'foo';
    }

    return array();
}

$x = returnsDifferentValues($y);
if (is_array($x)) {
    // $x is an array.
}

		if (@rename($this->getPathname(), $destination)) {
			$this->pathname = $destination;

		} else {
			throw new FileException(sprintf('Failed to move %s to %s', $this->pathname, $destination));
		}
	}

	/**
	 * Transforms destination into path and ensures, parent directory exists
	 *
	 * @param string $destination
	 * @return Path
	 */
	private function getDestination($destination) {
		$destination = $destination instanceof Path ? $destination : new Path($destination);
		$targetDir = new Directory($destination->getDirname());
		$targetDir->make();
		return $destination;
	}

	/**
	 * Creates a symlink to the given destination
	 *
	 * @param string|Path $destination
	 */
	public function linkTo($destination) {
		$target = new FileDescriptor($destination);
		$targetDir = new Directory($target->getDirname());
		$targetDir->make();

		$ok = false;
		if ($target->isLink()) {
			if (!$target->getLinkTarget()->equals($this->pathname)) {
				$target->delete();
			} else {
				$ok = true;
			}
		}

		if (!$ok && @symlink($this->pathname, $target->getPathname()) !== true) {
			$report = error_get_last();
			if (is_array($report) && DIRECTORY_SEPARATOR === '\\' && strpos($report['message'], 'error code(1314)') !== false) {
				throw new FileException('Unable to create symlink due to error code 1314: \'A required privilege is not held by the client\'. Do you have the required Administrator-rights?');
			}
			throw new FileException(sprintf('Failed to create symbolic link from %s to %s', $this->pathname, $targetDir));
		}
	}

	public abstract function delete();

}

1			<?php
2			namespace phootwork\file;
3
4			use \DateTime;
5			use phootwork\file\exception\FileException;
6
7			trait FileOperationTrait {
8
9			/** @var string */
10			protected $pathname;
11
12			/**
13			* Static instantiator
14			*
15			* @param string $pathname
16			* @return static
17			*/
18			public static function create($pathname) {
19			return new static($pathname);
20			}
21
22			protected function init($pathname) {
23			$this->pathname = ''.$pathname; // "cast" to string
24			}
25
26			/**
27			* Returns the file extensions
28			*
29			* @return string the file extension
30			*/
31			public function getExtension() {
32			return pathinfo($this->pathname, PATHINFO_EXTENSION);
33			}
34
35			/**
36			* Returns the filename
37			*
38			* @return string the filename
39			*/
40			public function getFilename() {
41			return basename($this->pathname);
42			}
43
44			/**
45			* Gets the path without filename
46			*
47			* @return string
48			*/
49			public function getDirname() {
50			return dirname($this->pathname);
51			}
52
53			/**
54			* Gets the path to the file
55			*
56			* @return string
57			*/
58			public function getPathname() {
59			return $this->pathname;
60			}
61
62			/**
63			* Converts the path into a path object
64			*
65			* @return Path
66			*/
67			public function toPath() {
68			return new Path($this->pathname);
69			}
70
71			/**
72			* Gets last access time.
73			*
74			* @return DateTime
75			*/
76			public function getLastAccessedAt() {
77			$timestamp = fileatime($this->pathname);
78			$time = new DateTime();
79			$time->setTimestamp($timestamp);
80			return $time;
81			}
82
83			/**
84			* Gets the created time.
85			*
86			* @return DateTime
87			*/
88			public function getCreatedAt() {
89			$timestamp = filemtime($this->pathname);
90			$time = new DateTime();
91			$time->setTimestamp($timestamp);
92			return $time;
93			}
94
95			/**
96			* Gets last modified time.
97			*
98			* @return DateTime
99			*/
100			public function getModifiedAt() {
101			$timestamp = filemtime($this->pathname);
102			$time = new DateTime();
103			$time->setTimestamp($timestamp);
104			return $time;
105			}
106
107			/**
108			* Gets file inode
109			*
110			* @return int Returns the inode number of the file, or FALSE on failure.
111			*/
112			public function getInode() {
113			return fileinode($this->pathname);
114			}
115
116			/**
117			* Gets file group
118			*
119			* @return int Returns the group ID, or FALSE if an error occurs.
120			*/
121			public function getGroup() {
122			return filegroup($this->pathname);
123			}
124
125			/**
126			* Gets file owner
127			*
128			* @return int Returns the user ID of the owner, or FALSE on failure.
129			*/
130			public function getOwner() {
131			return fileowner($this->pathname);
132			}
133
134			/**
135			* Gets file permissions
136			*
137			* @return int Returns the file's permissions as a numeric mode. Lower bits of this
138			* mode are the same as the permissions expected by chmod(), however on most platforms
139			* the return value will also include information on the type of file given as filename.
140			* The examples below demonstrate how to test the return value for specific permissions
141			* and file types on POSIX systems, including Linux and Mac OS X.
142			*/
143			public function getPermissions() {
144			return fileperms($this->pathname);
145			}
146
147			/**
148			* Checks its existance
149			*
150			* @return boolean Returns TRUE if exists; FALSE otherwise. Will return FALSE for symlinks
151			* pointing to non-existing files.
152			*/
153			public function exists() {
154			return file_exists($this->pathname);
155			}
156
157			/**
158			* Tells whether is executable
159			*
160			* @return boolean Returns TRUE if exists and is executable.
161			*/
162			public function isExecutable() {
163			return is_executable($this->pathname);
164			}
165
166			/**
167			* Tells whether is readable
168			*
169			* @return boolean Returns TRUE if exists and is readable.
170			*/
171			public function isReadable() {
172			return is_readable($this->pathname);
173			}
174
175			/**
176			* Tells whether is writable
177			*
178			* @return boolean Returns TRUE if exists and is writable.
179			*/
180			public function isWritable() {
181			return is_writable($this->pathname);
182			}
183
184			/**
185			* Tells whether the filename is a symbolic link
186			*
187			* @return boolean Returns TRUE if the filename exists and is a symbolic link, FALSE otherwise.
188			*/
189			public function isLink() {
190			return is_link($this->pathname);
191			}
192
193			/**
194			* Returns the target if this is a symbolic link
195			*
196			* @see #isLink
197			* @return Path\|null The target path or null if this isn't a link
198			*/
199			public function getLinkTarget() {
200			if ($this->isLink()) {
201			return new Path(readlink($this->pathname));
202			}
203			return null;
204			}
205
206			/**
207			* Attempts to change the group.
208			*
209			* Only the superuser may change the group arbitrarily; other users may
210			* change the group of a file to any group of which that user is a member.
211			*
212			* @param mixed $group A group name or number.
213			* @return boolean Returns TRUE on success or FALSE on failure.
214			*/
215			public function setGroup($group) {
216			if ($this->isLink()) {
217			return lchgrp($this->pathname, $group);
218			} else {
219			return chgrp($this->pathname, $group);
220			}
221			}
222
223			/**
224			* Attempts to change the mode.
225			*
226			* @see #setGroup
227			* @see #setOwner
228			*
229			* @param int $mode
230			* Note that mode is not automatically assumed to be an octal value, so strings
231			* (such as "g+w") will not work properly. To ensure the expected operation, you
232			* need to prefix mode with a zero (0).
233			*
234			* @return boolean Returns TRUE on success or FALSE on failure.
235			*/
236			public function setMode($mode) {
237			if ($this->isLink()) {
238			return lchmod($this->pathname, $mode);
239			} else {
240			return chmod($this->pathname, $mode);
241			}
242			}
243
244			/**
245			* Changes file owner
246			*
247			* Attempts to change the owner. Only the superuser may change the owner of a file.
248			*
249			* @param mixed $user A user name or number.
250			* @return boolean Returns TRUE on success or FALSE on failure.
251			*/
252			public function setOwner($user) {
253			if ($this->isLink()) {
254			return lchown($this->pathname, $user);
255			} else {
256			return chown($this->pathname, $user);
257			}
258			}
259
260			/**
261			* Copies the file
262			*
263			* If the destination file already exists, it will be overwritten.
264			*
265			* @throws FileException When an error appeared.
266			* @param string\|Path $destination The destination path.
267			*/
268			public function copy($destination) {
269			$destination = $this->getDestination($destination);
			0 ignored issues – show Bug introduced 2016-04-21 15:09 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `$destination` defined by `$this->getDestination($destination)` on line `269` can also be of type `object<phootwork\file\Path>`; however, `phootwork\file\FileOpera...Trait::getDestination()` does only seem to accept `string`, maybe add an additional type check? If a method or function can return multiple different values and unless you are sure that you only can receive a single value in this context, we recommend to add an additional type check: /** * @return array\|string */ function returnsDifferentValues($x) { if ($x) { return 'foo'; } return array(); } $x = returnsDifferentValues($y); if (is_array($x)) { // $x is an array. } If this a common case that PHP Analyzer should handle natively, please let us know by opening an issue. Loading history...
270
271			if (!@copy($this->getPathname(), $destination)) {
272			throw new FileException(sprintf('Failed to copy %s to %s', $this->pathname, $destination));
273			}
274			}
275
276			/**
277			* Moves the file
278			*
279			* @throws FileException When an error appeared.
280			* @param string\|Path $destination
281			*/
282			public function move($destination) {
283			$destination = $this->getDestination($destination);
			0 ignored issues – show Bug introduced 2016-04-21 15:09 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `$destination` defined by `$this->getDestination($destination)` on line `283` can also be of type `object<phootwork\file\Path>`; however, `phootwork\file\FileOpera...Trait::getDestination()` does only seem to accept `string`, maybe add an additional type check? If a method or function can return multiple different values and unless you are sure that you only can receive a single value in this context, we recommend to add an additional type check: /** * @return array\|string */ function returnsDifferentValues($x) { if ($x) { return 'foo'; } return array(); } $x = returnsDifferentValues($y); if (is_array($x)) { // $x is an array. } If this a common case that PHP Analyzer should handle natively, please let us know by opening an issue. Loading history...
284
285			if (@rename($this->getPathname(), $destination)) {
286			$this->pathname = $destination;
			0 ignored issues – show Documentation Bug introduced 2018-09-14 16:43 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `$destination` of type `object<phootwork\file\Path>` is incompatible with the declared type `string` of property `$pathname`. Our type inference engine has found an assignment to a property that is incompatible with the declared type of that property. Either this assignment is in error or the assigned type should be added to the documentation/type hint for that property.. Loading history...
287			} else {
288			throw new FileException(sprintf('Failed to move %s to %s', $this->pathname, $destination));
289			}
290			}
291
292			/**
293			* Transforms destination into path and ensures, parent directory exists
294			*
295			* @param string $destination
296			* @return Path
297			*/
298			private function getDestination($destination) {
299			$destination = $destination instanceof Path ? $destination : new Path($destination);
300			$targetDir = new Directory($destination->getDirname());
301			$targetDir->make();
302			return $destination;
303			}
304
305			/**
306			* Creates a symlink to the given destination
307			*
308			* @param string\|Path $destination
309			*/
310			public function linkTo($destination) {
311			$target = new FileDescriptor($destination);
312			$targetDir = new Directory($target->getDirname());
313			$targetDir->make();
314
315			$ok = false;
316			if ($target->isLink()) {
317			if (!$target->getLinkTarget()->equals($this->pathname)) {
318			$target->delete();
319			} else {
320			$ok = true;
321			}
322			}
323
324			if (!$ok && @symlink($this->pathname, $target->getPathname()) !== true) {
325			$report = error_get_last();
326			if (is_array($report) && DIRECTORY_SEPARATOR === '\\' && strpos($report['message'], 'error code(1314)') !== false) {
327			throw new FileException('Unable to create symlink due to error code 1314: \'A required privilege is not held by the client\'. Do you have the required Administrator-rights?');
328			}
329			throw new FileException(sprintf('Failed to create symbolic link from %s to %s', $this->pathname, $targetDir));
330			}
331			}
332
333			public abstract function delete();
334
335			}

phootwork / file

Issues (3)

Security Analysis no request data

FileOperationTrait.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like