Issues in Resolver.php (master) - Issues in master - phossa2/di - Measure and Improve Code Quality continuously with Scrutinizer

Issues (2)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Di/Resolver/Resolver.php (2 issues)

Labels

Bug 2

Severity

Minor 2

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * Phossa Project
 *
 * PHP version 5.4
 *
 * @category  Library
 * @package   Phossa2\Di
 * @copyright Copyright (c) 2016 phossa.com
 * @license   http://mit-license.org/ MIT License
 * @link      http://www.phossa.com/
 */
/*# declare(strict_types=1); */

namespace Phossa2\Di\Resolver;

use Phossa2\Di\Container;
use Phossa2\Config\Config;
use Phossa2\Di\Interfaces\ResolverInterface;
use Phossa2\Di\Interfaces\AutoWiringInterface;
use Phossa2\Config\Interfaces\ConfigInterface;
use Phossa2\Config\Delegator as ConfigDelegator;
use Phossa2\Shared\Reference\ReferenceInterface;
use Phossa2\Di\Interfaces\ReferenceResolveInterface;
use Phossa2\Di\Interfaces\AutoTranslationInterface;

/**
 * Resolver
 *
 * A config delegator for resolving service or parameter references
 *
 * @package Phossa2\Di
 * @author  Hong Zhang <[email protected]>
 * @see     \Phossa2\Config\Delegator
 * @see     ResolverInterface
 * @see     AutoWiringInterface
 * @see     ReferenceResolveInterface
 * @version 2.1.0
 * @since   2.0.0 added
 * @since   2.1.0 added AutoTranslationInterface
 */
class Resolver extends ConfigDelegator implements ResolverInterface, AutoWiringInterface, AutoTranslationInterface, ReferenceResolveInterface
{
    /**
     * The config for object resolving
     *
     * @var    ObjectResolver
     * @access protected
     */
    protected $object_resolver;

    /**
     * The config for parameter resolver
     *
     * @var    ConfigInterface
     * @access protected
     */
    protected $config_resolver;

    /**
     * Container related definition starting node at $config
     *
     * @var    string
     * @access protected
     */
    protected $base_node;

    /**
     * For autowiring
     *
     * @var    bool
     * @access protected
     */
    protected $auto = true;

    /**
     * For service translation
     *
     * @var    bool
     * @access protected
     */
    protected $trans = true;

    /**
     * @param  Container $container
     * @param  ConfigInterface $config inject config for parameter resolving
     * @param  string $nodeName
     * @access public
     */
    public function __construct(
        Container $container,
        ConfigInterface $config,
        /*# string */ $nodeName
    ) {
        // set parameter resolver
        $this->config_resolver = $config;
        $this->base_node = $nodeName;

        // set object resolver
        $this->object_resolver = new ObjectResolver($container);

        // delegator
        $this->addConfig($this->object_resolver);
        $this->addConfig($this->config_resolver);
    }

    /**
     * Resolving use the parameter resolver
     *
     * {@inheritDoc}
     */
    public function resolve(&$toResolve)
    {
        if ($this->config_resolver instanceof ReferenceInterface) {
            $this->config_resolver->deReferenceArray($toResolve);
        }
        return $this;
    }

    /**
     * {@inheritDoc}
     */
    public function getService(/*# string */ $id = '')
    {
        if ($this->hasService($id)) {
            return $this->get($this->getSectionId($id));
        } else {
            return null;
        }
    }

    /**
     * Autowiring support added
     *
     * {@inheritDoc}
     * @since  2.1.0 added service translation
     */
    public function hasService(/*# string */ $id = '')/*# : bool */
    {
        $sid = $this->getSectionId($id);

        // direct match
        if ($this->has($sid)) {
            return true;
        }

        // autoclass
        if ($this->autoClassName($id)) {
            return true;
        }

        // translation
        if ($this->serviceTranslation($id)) {
            return true;
        }

        return false;
    }

    /**
     * {@inheritDoc}
     */
    public function setService(
        /*# string */ $id,
        $definition,
        array $args = []
    )/*# : bool */ {
        if (!empty($args)) {
            $definition = [
                'class' => $definition,
                'args'  => $args
            ];
        }
        return $this->set($this->getSectionId($id), $definition);
    }

    /**
     * {@inheritDoc}
     */
    public function getSectionId(
        /*# string */ $id,
        /*# string */ $section = 'service'
    )/*# : string */ {
        $sec = $this->base_node . '.' . $section;
        return '' == $id ? $sec : ($sec . '.' . $id);
    }

    /**
     * {@inheritDoc}
     */
    public function auto(/*# bool */ $flag = true)
    {
        $this->auto = (bool) $flag;
        return $this;
    }

    /**
     * {@inheritDoc}
     */
    public function isAuto()/*# : bool */
    {
        return $this->auto;
    }

    /**
     * {@inheritDoc}
     *
     * @since  2.1.0 added
     */
    public function translation(/*# bool */ $flag = true)
    {
        $this->trans = (bool) $flag;
        return $this;
    }

    /**
     * Returns true if
     *
     * 1) autowiring is true
     * 2) $id is a existing classname
     * 3) resolver $this is writable
     *
     * @param  string $id
     * @return bool
     * @access protected
     */
    protected function autoClassName(/*# string */ $id)/*# : bool */
    {
        if ($this->auto && class_exists($id) && $this->isWritable()) {
            return $this->setService($id, $id);
        }
        return false;
    }

    /**
     * if 'di.service.storage' not found, try 'storage.di。storage'
     *
     * @param  string $id
     * @return bool
     * @access protected
     * @since  2.1.0 added
     */
    protected function serviceTranslation(/*# string */ $id)/*# : bool */
    {
        // no translation allowed
        if (!$this->trans) {
            return false;
        }

        // translate to 'storage.di' & 'storage.di.storage'
        $newSec = $id . '.' . $this->base_node;
        $newId  = $newSec . '.' . $id;

        // check 'storage.di.storage' in config
        if ($this->config_resolver->has($newId) &&
            method_exists($this->config_resolver, 'enableDeReference')
        ) {
            $data = $this->getRawConfig($newSec);
            foreach ($data as $xId => $xDef) {
                $this->set($this->getSectionId($xId), $xDef);
            }
            return true;
        }

        return false;
    }

    /**
     * Get not-dereferenced config from config_resolver
     *
     * @param  string $id
     * @return array
     * @access protected
     */
    protected function getRawConfig(/*# string */ $id)
    {
        $this->config_resolver->enableDeReference(false);
interface User
{
    /** @return string */
    public function getPassword();
}

class MyUser implements User
{
    public function getPassword()
    {
        // return something
    }

    public function getDisplayName()
    {
        // return some name.
    }
}

class AuthSystem
{
    public function authenticate(User $user)
    {
        $this->logger->info(sprintf('Authenticating %s.', $user->getDisplayName()));
        // do something.
    }
}
        $data = $this->config_resolver->get($id);
        $this->config_resolver->enableDeReference(true);
interface User
{
    /** @return string */
    public function getPassword();
}

class MyUser implements User
{
    public function getPassword()
    {
        // return something
    }

    public function getDisplayName()
    {
        // return some name.
    }
}

class AuthSystem
{
    public function authenticate(User $user)
    {
        $this->logger->info(sprintf('Authenticating %s.', $user->getDisplayName()));
        // do something.
    }
}
        return $data;
    }
}


GitHub Access Token became invalid

Issues (2)

Security Analysis no request data

src/Di/Resolver/Resolver.php (2 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Available Fixes

Available Fixes

1			<?php
2			/**
3			* Phossa Project
4			*
5			* PHP version 5.4
6			*
7			* @category Library
8			* @package Phossa2\Di
9			* @copyright Copyright (c) 2016 phossa.com
10			* @license http://mit-license.org/ MIT License
11			* @link http://www.phossa.com/
12			*/
13			/# declare(strict_types=1); /
14
15			namespace Phossa2\Di\Resolver;
16
17			use Phossa2\Di\Container;
18			use Phossa2\Config\Config;
19			use Phossa2\Di\Interfaces\ResolverInterface;
20			use Phossa2\Di\Interfaces\AutoWiringInterface;
21			use Phossa2\Config\Interfaces\ConfigInterface;
22			use Phossa2\Config\Delegator as ConfigDelegator;
23			use Phossa2\Shared\Reference\ReferenceInterface;
24			use Phossa2\Di\Interfaces\ReferenceResolveInterface;
25			use Phossa2\Di\Interfaces\AutoTranslationInterface;
26
27			/**
28			* Resolver
29			*
30			* A config delegator for resolving service or parameter references
31			*
32			* @package Phossa2\Di
33			* @author Hong Zhang <[email protected]>
34			* @see \Phossa2\Config\Delegator
35			* @see ResolverInterface
36			* @see AutoWiringInterface
37			* @see ReferenceResolveInterface
38			* @version 2.1.0
39			* @since 2.0.0 added
40			* @since 2.1.0 added AutoTranslationInterface
41			*/
42			class Resolver extends ConfigDelegator implements ResolverInterface, AutoWiringInterface, AutoTranslationInterface, ReferenceResolveInterface
43			{
44			/**
45			* The config for object resolving
46			*
47			* @var ObjectResolver
48			* @access protected
49			*/
50			protected $object_resolver;
51
52			/**
53			* The config for parameter resolver
54			*
55			* @var ConfigInterface
56			* @access protected
57			*/
58			protected $config_resolver;
59
60			/**
61			* Container related definition starting node at $config
62			*
63			* @var string
64			* @access protected
65			*/
66			protected $base_node;
67
68			/**
69			* For autowiring
70			*
71			* @var bool
72			* @access protected
73			*/
74			protected $auto = true;
75
76			/**
77			* For service translation
78			*
79			* @var bool
80			* @access protected
81			*/
82			protected $trans = true;
83
84			/**
85			* @param Container $container
86			* @param ConfigInterface $config inject config for parameter resolving
87			* @param string $nodeName
88			* @access public
89			*/
90			public function __construct(
91			Container $container,
92			ConfigInterface $config,
93			/# string / $nodeName
94			) {
95			// set parameter resolver
96			$this->config_resolver = $config;
97			$this->base_node = $nodeName;
98
99			// set object resolver
100			$this->object_resolver = new ObjectResolver($container);
101
102			// delegator
103			$this->addConfig($this->object_resolver);
104			$this->addConfig($this->config_resolver);
105			}
106
107			/**
108			* Resolving use the parameter resolver
109			*
110			* {@inheritDoc}
111			*/
112			public function resolve(&$toResolve)
113			{
114			if ($this->config_resolver instanceof ReferenceInterface) {
115			$this->config_resolver->deReferenceArray($toResolve);
116			}
117			return $this;
118			}
119
120			/**
121			* {@inheritDoc}
122			*/
123			public function getService(/# string / $id = '')
124			{
125			if ($this->hasService($id)) {
126			return $this->get($this->getSectionId($id));
127			} else {
128			return null;
129			}
130			}
131
132			/**
133			* Autowiring support added
134			*
135			* {@inheritDoc}
136			* @since 2.1.0 added service translation
137			*/
138			public function hasService(/# string / $id = '')/# : bool /
139			{
140			$sid = $this->getSectionId($id);
141
142			// direct match
143			if ($this->has($sid)) {
144			return true;
145			}
146
147			// autoclass
148			if ($this->autoClassName($id)) {
149			return true;
150			}
151
152			// translation
153			if ($this->serviceTranslation($id)) {
154			return true;
155			}
156
157			return false;
158			}
159
160			/**
161			* {@inheritDoc}
162			*/
163			public function setService(
164			/# string / $id,
165			$definition,
166			array $args = []
167			)/# : bool / {
168			if (!empty($args)) {
169			$definition = [
170			'class' => $definition,
171			'args' => $args
172			];
173			}
174			return $this->set($this->getSectionId($id), $definition);
175			}
176
177			/**
178			* {@inheritDoc}
179			*/
180			public function getSectionId(
181			/# string / $id,
182			/# string / $section = 'service'
183			)/# : string / {
184			$sec = $this->base_node . '.' . $section;
185			return '' == $id ? $sec : ($sec . '.' . $id);
186			}
187
188			/**
189			* {@inheritDoc}
190			*/
191			public function auto(/# bool / $flag = true)
192			{
193			$this->auto = (bool) $flag;
194			return $this;
195			}
196
197			/**
198			* {@inheritDoc}
199			*/
200			public function isAuto()/# : bool /
201			{
202			return $this->auto;
203			}
204
205			/**
206			* {@inheritDoc}
207			*
208			* @since 2.1.0 added
209			*/
210			public function translation(/# bool / $flag = true)
211			{
212			$this->trans = (bool) $flag;
213			return $this;
214			}
215
216			/**
217			* Returns true if
218			*
219			* 1) autowiring is true
220			* 2) $id is a existing classname
221			* 3) resolver $this is writable
222			*
223			* @param string $id
224			* @return bool
225			* @access protected
226			*/
227			protected function autoClassName(/# string / $id)/# : bool /
228			{
229			if ($this->auto && class_exists($id) && $this->isWritable()) {
230			return $this->setService($id, $id);
231			}
232			return false;
233			}
234
235			/**
236			* if 'di.service.storage' not found, try 'storage.di。storage'
237			*
238			* @param string $id
239			* @return bool
240			* @access protected
241			* @since 2.1.0 added
242			*/
243			protected function serviceTranslation(/# string / $id)/# : bool /
244			{
245			// no translation allowed
246			if (!$this->trans) {
247			return false;
248			}
249
250			// translate to 'storage.di' & 'storage.di.storage'
251			$newSec = $id . '.' . $this->base_node;
252			$newId = $newSec . '.' . $id;
253
254			// check 'storage.di.storage' in config
255			if ($this->config_resolver->has($newId) &&
256			method_exists($this->config_resolver, 'enableDeReference')
257			) {
258			$data = $this->getRawConfig($newSec);
259			foreach ($data as $xId => $xDef) {
260			$this->set($this->getSectionId($xId), $xDef);
261			}
262			return true;
263			}
264
265			return false;
266			}
267
268			/**
269			* Get not-dereferenced config from config_resolver
270			*
271			* @param string $id
272			* @return array
273			* @access protected
274			*/
275			protected function getRawConfig(/# string / $id)
276			{
277			$this->config_resolver->enableDeReference(false);
			0 ignored issues – show Bug introduced 2016-10-04 01:16 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like you code against a concrete implementation and not the interface `Phossa2\Config\Interfaces\ConfigInterface` as the method `enableDeReference()` does only exist in the following implementations of said interface: `Phossa2\Config\Config`. Let’s take a look at an example: interface User { /** @return string / public function getPassword(); } class MyUser implements User { public function getPassword() { // return something } public function getDisplayName() { // return some name. } } class AuthSystem { public function authenticate(User $user) { $this->logger->info(sprintf('Authenticating %s.', $user->getDisplayName())); // do something. } } In the above example, the authenticate() method works fine as long as you just pass instances of MyUser. However, if you now also want to pass a different implementation of User which does not have a getDisplayName() method, the code will break. Available Fixes Change the type-hint for the parameter: class AuthSystem { public function authenticate(MyUser $user) { / ... / } } Add an additional type-check: class AuthSystem { public function authenticate(User $user) { if ($user instanceof MyUser) { $this->logger->info(/* ... /); } // or alternatively if ( ! $user instanceof MyUser) { throw new \LogicException( '$user must be an instance of MyUser, ' .'other instances are not supported.' ); } } } Note:* PHP Analyzer uses reverse abstract interpretation to narrow down the types inside the if block in such a case. Add the method to the interface: interface User { /** @return string / public function getPassword(); /* @return string */ public function getDisplayName(); } Loading history...
278			$data = $this->config_resolver->get($id);
279			$this->config_resolver->enableDeReference(true);
			0 ignored issues – show Bug introduced 2016-10-04 01:16 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like you code against a concrete implementation and not the interface `Phossa2\Config\Interfaces\ConfigInterface` as the method `enableDeReference()` does only exist in the following implementations of said interface: `Phossa2\Config\Config`. Let’s take a look at an example: interface User { /** @return string / public function getPassword(); } class MyUser implements User { public function getPassword() { // return something } public function getDisplayName() { // return some name. } } class AuthSystem { public function authenticate(User $user) { $this->logger->info(sprintf('Authenticating %s.', $user->getDisplayName())); // do something. } } In the above example, the authenticate() method works fine as long as you just pass instances of MyUser. However, if you now also want to pass a different implementation of User which does not have a getDisplayName() method, the code will break. Available Fixes Change the type-hint for the parameter: class AuthSystem { public function authenticate(MyUser $user) { / ... / } } Add an additional type-check: class AuthSystem { public function authenticate(User $user) { if ($user instanceof MyUser) { $this->logger->info(/* ... /); } // or alternatively if ( ! $user instanceof MyUser) { throw new \LogicException( '$user must be an instance of MyUser, ' .'other instances are not supported.' ); } } } Note:* PHP Analyzer uses reverse abstract interpretation to narrow down the types inside the if block in such a case. Add the method to the interface: interface User { /** @return string / public function getPassword(); /* @return string */ public function getDisplayName(); } Loading history...
280			return $data;
281			}
282			}
283

phossa2 / di

GitHub Access Token became invalid

Issues (2)

Security Analysis no request data

src/Di/Resolver/Resolver.php (2 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Available Fixes

Available Fixes

Duplication Side-by-Side

Filter issues like