Issues in PHPMD.php (master) - Issues in master - phpmd/phpmd - Measure and Improve Code Quality continuously with Scrutinizer

Issues (249)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/main/php/PHPMD/PHPMD.php (1 issue)

Labels

Documentation 1

Severity

Minor 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * This file is part of PHP Mess Detector.
 *
 * Copyright (c) Manuel Pichler <[email protected]>.
 * All rights reserved.
 *
 * Licensed under BSD License
 * For full copyright and license information, please see the LICENSE file.
 * Redistributions of files must retain the above copyright notice.
 *
 * @author Manuel Pichler <[email protected]>
 * @copyright Manuel Pichler. All rights reserved.
 * @license https://opensource.org/licenses/bsd-license.php BSD License
 * @link http://phpmd.org/
 */

namespace PHPMD;

/**
 * This is the main facade of the PHP PMD application
 */
class PHPMD
{
    /**
     * The current PHPMD version.
     */
    const VERSION = '@package_version@';

    /**
     * This property will be set to <b>true</b> when an error
     * was found in the processed source code.
     *
     * @var boolean
     * @since 2.10.0
     */
    private $errors = false;

    /**
     * List of valid file extensions for analyzed files.
     *
     * @var array(string)
     */
    private $fileExtensions = array('php', 'php3', 'php4', 'php5', 'inc');

    /**
     * List of exclude directory patterns.
     *
     * @var array(string)
     */
    private $ignorePatterns = array('.git', '.svn', 'CVS', '.bzr', '.hg', 'SCCS');

    /**
     * The input source file or directory.
     *
     * @var string
     */
    private $input;

    /**
     * This property will be set to <b>true</b> when a violation
     * was found in the processed source code.
     *
     * @var boolean
     * @since 0.2.5
     */
    private $violations = false;

    /**
     * Additional options for PHPMD or one of it's parser backends.
     *
     * @var array
     * @since 1.2.0
     */
    private $options = array();

    /**
     * This method will return <b>true</b> when the processed source code
     * contains errors.
     *
     * @return boolean
     * @since 2.10.0
     */
    public function hasErrors()
    {
        return $this->errors;
    }

    /**
     * This method will return <b>true</b> when the processed source code
     * contains violations.
     *
     * @return boolean
     * @since 0.2.5
     */
    public function hasViolations()
    {
        return $this->violations;
    }

    /**
     * Returns the input source file or directory path.
     *
     * @return string
     */
    public function getInput()
    {
        return $this->input;
    }

    /**
     * Returns an array with valid php source file extensions.
     *
     * @return string[]
     * @since 0.2.0
     */
    public function getFileExtensions()
    {
        return $this->fileExtensions;
    }

    /**
     * Sets a list of filename extensions for valid php source code files.
     *
     * @param array<string> $fileExtensions Extensions without leading dot.
     * @return void
     */
    public function setFileExtensions(array $fileExtensions)
    {
        $this->fileExtensions = $fileExtensions;
    }

    /**
     * Returns an array with string patterns that mark a file path as invalid.
     *
     * @return string[]
     * @since 0.2.0
     * @deprecated 3.0.0 Use getIgnorePatterns() instead, you always get a list of patterns.
     */
    public function getIgnorePattern()
    {
        return $this->getIgnorePatterns();
    }

    /**
     * Returns an array with string patterns that mark a file path invalid.
     *
     * @return string[]
     * @since 2.9.0
     */
    public function getIgnorePatterns()
    {
        return $this->ignorePatterns;
    }

    /**
     * Sets a list of ignore patterns that is used to exclude directories from
     * the source analysis.
     *
     * @param array<string> $ignorePatterns List of ignore patterns.
     * @return void
     * @deprecated 3.0.0 Use addIgnorePatterns() instead, both will add an not set the patterns.
     */
    public function setIgnorePattern(array $ignorePatterns)
    {
        $this->addIgnorePatterns($ignorePatterns);
    }

    /**
     * Add a list of ignore patterns which is used to exclude directories from
     * the source analysis.
     *
     * @param array<string> $ignorePatterns List of ignore patterns.
     * @return $this
     * @since 2.9.0
     */
    public function addIgnorePatterns(array $ignorePatterns)
    {
        $this->ignorePatterns = array_merge(
            $this->ignorePatterns,
            $ignorePatterns
        );

        return $this;
    }

    /**
     * Returns additional options for PHPMD or one of it's parser backends.
     *
     * @return array
     */
    public function getOptions()
    {
        return $this->options;
    }

    /**
     * Sets additional options for PHPMD or one of it's parser backends.
     *
     * @param array $options Additional backend or PHPMD options.
     * @return void
     */
    public function setOptions(array $options)
    {
        $this->options = $options;
    }

    /**
     * This method will process all files that can be found in the given input
     * path. It will apply rules defined in the comma-separated <b>$ruleSets</b>
     * argument. The result will be passed to all given renderer instances.
     *
     * @param string $inputPath
     * @param string $ruleSets
     * @param \PHPMD\AbstractRenderer[] $renderers
     * @param \PHPMD\RuleSetFactory $ruleSetFactory
     * @param \PHPMD\Report $report
     * @return void
     */
    public function processFiles(
        $inputPath,
        $ruleSets,
        array $renderers,
        RuleSetFactory $ruleSetFactory,
        Report $report
    ) {
        // Merge parsed excludes
        $this->addIgnorePatterns($ruleSetFactory->getIgnorePattern($ruleSets));
function acceptsInteger($int) { }

$x = '123'; // string "123"

// Instead of
acceptsInteger($x);

// we recommend to use
acceptsInteger((integer) $x);

        $this->input = $inputPath;

        $factory = new ParserFactory();
        $parser = $factory->create($this);

        foreach ($ruleSetFactory->createRuleSets($ruleSets) as $ruleSet) {
            $parser->addRuleSet($ruleSet);
        }

        $report->start();
        $parser->parse($report);
        $report->end();

        foreach ($renderers as $renderer) {
            $renderer->start();
        }

        foreach ($renderers as $renderer) {
            $renderer->renderReport($report);
        }

        foreach ($renderers as $renderer) {
            $renderer->end();
        }

        $this->errors = $report->hasErrors();
        $this->violations = !$report->isEmpty();
    }
}


1		<?php
2		/**
3		* This file is part of PHP Mess Detector.
4		*
5		* Copyright (c) Manuel Pichler <[email protected]>.
6		* All rights reserved.
7		*
8		* Licensed under BSD License
9		* For full copyright and license information, please see the LICENSE file.
10		* Redistributions of files must retain the above copyright notice.
11		*
12		* @author Manuel Pichler <[email protected]>
13		* @copyright Manuel Pichler. All rights reserved.
14		* @license https://opensource.org/licenses/bsd-license.php BSD License
15		* @link http://phpmd.org/
16		*/
17
18		namespace PHPMD;
19
20		/**
21		* This is the main facade of the PHP PMD application
22		*/
23		class PHPMD
24		{
25		/**
26		* The current PHPMD version.
27		*/
28		const VERSION = '@package_version@';
29
30		/**
31		* This property will be set to <b>true</b> when an error
32		* was found in the processed source code.
33		*
34		* @var boolean
35		* @since 2.10.0
36		*/
37		private $errors = false;
38
39		/**
40		* List of valid file extensions for analyzed files.
41		*
42		* @var array(string)
43		*/
44		private $fileExtensions = array('php', 'php3', 'php4', 'php5', 'inc');
45
46		/**
47		* List of exclude directory patterns.
48		*
49		* @var array(string)
50		*/
51		private $ignorePatterns = array('.git', '.svn', 'CVS', '.bzr', '.hg', 'SCCS');
52
53		/**
54		* The input source file or directory.
55		*
56		* @var string
57		*/
58		private $input;
59
60		/**
61		* This property will be set to <b>true</b> when a violation
62		* was found in the processed source code.
63		*
64		* @var boolean
65		* @since 0.2.5
66		*/
67		private $violations = false;
68
69		/**
70		* Additional options for PHPMD or one of it's parser backends.
71		*
72		* @var array
73		* @since 1.2.0
74		*/
75	7	private $options = array();
76
77	7	/**
78		* This method will return <b>true</b> when the processed source code
79		* contains errors.
80		*
81		* @return boolean
82		* @since 2.10.0
83		*/
84		public function hasErrors()
85	11	{
86		return $this->errors;
87	11	}
88
89		/**
90		* This method will return <b>true</b> when the processed source code
91		* contains violations.
92		*
93		* @return boolean
94		* @since 0.2.5
95		*/
96	11	public function hasViolations()
97		{
98	11	return $this->violations;
99		}
100
101		/**
102		* Returns the input source file or directory path.
103		*
104		* @return string
105		*/
106		public function getInput()
107		{
108		return $this->input;
109		}
110
111		/**
112		* Returns an array with valid php source file extensions.
113		*
114		* @return string[]
115		* @since 0.2.0
116		*/
117		public function getFileExtensions()
118	11	{
119		return $this->fileExtensions;
120	11	}
121
122		/**
123		* Sets a list of filename extensions for valid php source code files.
124		*
125		* @param array<string> $fileExtensions Extensions without leading dot.
126		* @return void
127		*/
128		public function setFileExtensions(array $fileExtensions)
129		{
130		$this->fileExtensions = $fileExtensions;
131		}
132
133		/**
134		* Returns an array with string patterns that mark a file path as invalid.
135		*
136		* @return string[]
137		* @since 0.2.0
138		* @deprecated 3.0.0 Use getIgnorePatterns() instead, you always get a list of patterns.
139		*/
140		public function getIgnorePattern()
141		{
142		return $this->getIgnorePatterns();
143	11	}
144
145	11	/**
146		* Returns an array with string patterns that mark a file path invalid.
147		*
148		* @return string[]
149		* @since 2.9.0
150		*/
151		public function getIgnorePatterns()
152		{
153		return $this->ignorePatterns;
154	4	}
155
156	4	/**
157	4	* Sets a list of ignore patterns that is used to exclude directories from
158		* the source analysis.
159		*
160		* @param array<string> $ignorePatterns List of ignore patterns.
161		* @return void
162		* @deprecated 3.0.0 Use addIgnorePatterns() instead, both will add an not set the patterns.
163		*/
164		public function setIgnorePattern(array $ignorePatterns)
165		{
166		$this->addIgnorePatterns($ignorePatterns);
167		}
168
169		/**
170	11	* Add a list of ignore patterns which is used to exclude directories from
171		* the source analysis.
172		*
173		* @param array<string> $ignorePatterns List of ignore patterns.
174		* @return $this
175		* @since 2.9.0
176		*/
177		public function addIgnorePatterns(array $ignorePatterns)
178	11	{
179		$this->ignorePatterns = array_merge(
180	11	$this->ignorePatterns,
181		$ignorePatterns
182	11	);
183
184	11	return $this;
185	11	}
186
187	11	/**
188	11	* Returns additional options for PHPMD or one of it's parser backends.
189		*
190		* @return array
191	11	*/
192	11	public function getOptions()
193	11	{
194		return $this->options;
195	11	}
196	11
197		/**
198		* Sets additional options for PHPMD or one of it's parser backends.
199	11	*
200	11	* @param array $options Additional backend or PHPMD options.
201		* @return void
202		*/
203	11	public function setOptions(array $options)
204	11	{
205		$this->options = $options;
206		}
207	11
208	11	/**
209		* This method will process all files that can be found in the given input
210		* path. It will apply rules defined in the comma-separated <b>$ruleSets</b>
211		* argument. The result will be passed to all given renderer instances.
212		*
213		* @param string $inputPath
214		* @param string $ruleSets
215		* @param \PHPMD\AbstractRenderer[] $renderers
216		* @param \PHPMD\RuleSetFactory $ruleSetFactory
217		* @param \PHPMD\Report $report
218		* @return void
219		*/
220		public function processFiles(
221		$inputPath,
222		$ruleSets,
223		array $renderers,
224		RuleSetFactory $ruleSetFactory,
225		Report $report
226		) {
227		// Merge parsed excludes
228		$this->addIgnorePatterns($ruleSetFactory->getIgnorePattern($ruleSets));
		0 ignored issues – show Documentation introduced 2020-04-04 09:35 UTC by Report Bug Copy Issue Report Show Similar Issues like this `$ruleSetFactory->getIgnorePattern($ruleSets)` is of type `array\|null`, but the function expects a `array<integer,string>`. It seems like the type of the argument is not accepted by the function/method which you are calling. In some cases, in particular if PHP’s automatic type-juggling kicks in this might be fine. In other cases, however this might be a bug. We suggest to add an explicit type cast like in the following example: function acceptsInteger($int) { } $x = '123'; // string "123" // Instead of acceptsInteger($x); // we recommend to use acceptsInteger((integer) $x); Loading history...
229
230		$this->input = $inputPath;
231
232		$factory = new ParserFactory();
233		$parser = $factory->create($this);
234
235		foreach ($ruleSetFactory->createRuleSets($ruleSets) as $ruleSet) {
236		$parser->addRuleSet($ruleSet);
237		}
238
239		$report->start();
240		$parser->parse($report);
241		$report->end();
242
243		foreach ($renderers as $renderer) {
244		$renderer->start();
245		}
246
247		foreach ($renderers as $renderer) {
248		$renderer->renderReport($report);
249		}
250
251		foreach ($renderers as $renderer) {
252		$renderer->end();
253		}
254
255		$this->errors = $report->hasErrors();
256		$this->violations = !$report->isEmpty();
257		}
258		}
259

phpmd / phpmd

Issues (249)

Security Analysis no request data

src/main/php/PHPMD/PHPMD.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like