Issues in Module.php (master) - Issues in master - phproberto/joomla-module - Measure and Improve Code Quality continuously with Scrutinizer

Issues (17)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Module.php (3 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

/**
 * Joomla! module.
 *
 * @copyright  Copyright (C) 2017 Roberto Segura López, Inc. All rights reserved.
 * @license    GNU/GPL 2, http://www.gnu.org/licenses/gpl-2.0.htm
 */

namespace Phproberto\Joomla\Module;

defined('JPATH_PLATFORM') || die;

use Joomla\Registry\Registry;
use Phproberto\Joomla\Traits as CommonTraits;

/**
 * Base module class.
 *
 * @since  0.0.1
 */
abstract class Module implements ModuleInterface
{
	use CommonTraits\HasExtension, CommonTraits\HasInstances, CommonTraits\HasLayoutData, CommonTraits\HasParams;
	use Traits\HasModule;

	/**
	 * Element of this module. Example: mod_articles_latest
	 *
	 * @var  string
	 */
	protected $element;

	/**
	 * Module identifier.
	 *
	 * @var  integer
	 */
	protected $id;

	/**
	 * Constructor.
	 *
	 * @param   integer   $id  Module identifier
	 */
	public function __construct($id = null)
	{
		if (empty($this->element))
		{
			throw Exception\InvalidModuleException::invalidElement($this);
		}

		$this->id = (int) $id;
	}

	/**
	 * Get the client/application of the module.
	 *
	 * @return  integer
	 */
	public function getClient()
	{
		return (int) $this->getModuleProperty('client_id', STATIC::CLIENT_SITE);
	}

	/**
	 * Get the content of this module.
	 *
	 * @return  string
	 */
	public function getContent()
	{
		$module = $this->getModule();

		return empty($module->content) ? '' : $module->content;
	}

	/**
	 * Get the element of this module.
	 *
	 * @return  string
	 */
	public function getElement()
	{
		return $this->element;
	}

	/**
	 * Get the module identifier.
	 *
	 * @return  integer
	 */
	public function getId()
	{
		return (int) $this->id;
	}

	/**
	 * Get the module language.
	 *
	 * @return  string
	 */
	public function getLanguage()
	{
		$module = $this->getModule();

		return empty($module->language) ? '' : $module->language;
	}

	/**
	 * Get the path to a layout.
	 *
	 * @param   string  $layoutId  Layout identifier
	 *
	 * @return  mixed   string | false
	 */
	private function getLayoutPath($layoutId)
	{
		$originalTemplate = $template = \JFactory::getApplication()->getTemplate();

		if (strpos($layoutId, ':') !== false)
		{
			// Get the template and file name from the string
			$temp = explode(':', $layoutId);
			$template = ($temp[0] == '_') ? $template : $temp[0];
			$layoutId = $temp[1];
		}

		$defaultTemplate = ($originalTemplate == $template);

		$layoutPaths = $defaultTemplate ? $this->getLayoutPaths() : array_map(
			function ($path) use ($originalTemplate, $template)
			{
				return str_replace(
					$this->getThemesPath() . '/' . $originalTemplate,
					$this->getThemesPath() . '/' . $template,
					$path
				);
			},
			$this->getLayoutPaths()
		);

		$path = \JPath::find($layoutPaths, $layoutId . '.php');

		if ($path || $layoutId == 'default')
		{
			return $path;
		}

		return $this->getLayoutPath('default');
	}

	/**
	 * Get the paths where we will search for layouts.
	 *
	 * @return  string[]
	 */
	protected function getLayoutPaths()

	{
		$reflection = new \ReflectionClass($this);

		return array(
			$this->getThemesPath() . '/' . \JFactory::getApplication()->getTemplate() . '/html/' . $this->element,
			dirname($reflection->getFileName()) . '/tmpl'
		);
	}

	/**
	 * Get the date set as null in the database driver.
	 *
	 * @return  string
	 */
	private function getNullDate()
	{
		return \JFactory::getDbo()->getNullDate();
	}

	/**
	 * Get the module position.
	 *
	 * @return  string
	 */
	public function getPosition()
	{
		return $this->getModuleProperty('position', '');
	}

	/**
	 * Get the main path to templates folder. Mainly for testing puposes.
	 *
	 * @return  string
	 *
	 * @codeCoverageIgnore
	 */
	protected function getThemesPath()
	{
		return JPATH_THEMES;
	}

	/**
	 * Get the title of the module.
	 *
	 * @return  string
	 */
	public function getTitle()
	{
		return $this->getModuleProperty('title', '');
	}

	/**
	 * Check if this module has an identifier.
	 *
	 * @return  boolean
	 */
	public function hasId()
	{
		return !empty($this->id);
	}

	/**
	 * Is this a backend module?
	 *
	 * @return  boolean
	 */
	public function isAdmin()
	{
		return $this->getClient() === static::CLIENT_ADMIN;
	}

	/**
	 * Check if this module is published.
	 *
	 * @return  boolean
	 */
	public function isPublished()
	{
		$published = $this->getModuleProperty('published', static::STATE_UNPUBLISHED);

		if ($published != static::STATE_PUBLISHED)
		{
			return false;
		}

		$publishDown = $this->getModuleProperty('publish_down', $this->getNullDate());
		$publishUp   = $this->getModuleProperty('publish_up', $this->getNullDate());

		$isPublishedUp   = $publishUp == $this->getNullDate() || \JFactory::getDate($publishUp) <= \JFactory::getDate();
		$isPublishedDown = $publishDown != $this->getNullDate() && \JFactory::getDate($publishDown) < \JFactory::getDate();

		return $isPublishedUp && !$isPublishedDown;
	}

	/**
	 * Is this a frontend module?
	 *
	 * @return  boolean
	 */
	public function isSite()
	{
		return $this->getClient() === static::CLIENT_SITE;
	}

	/**
	 * Is the module title set as shown?
	 *
	 * @return  boolean
	 */
	public function isTitleShown()
	{
		return $this->getModuleProperty('showtitle', static::TITLE_SHOWN) == static::TITLE_SHOWN;
	}

	/**
	 * Load extension from DB.
	 *
	 * @return  \stdClass
	 */
	protected function loadExtension()
	{
		$db = \JFactory::getDbo();
		$query = $db->getQuery(true)
			->select('*')
			->from('#__extensions')
			->where('type = ' . $db->quote('module'))
			->where('name = ' . $db->q($this->element));

		$db->setQuery($query);

		return $db->loadObject() ?: new \stdClass;
	}

	/**
	 * Load layout data.
	 *
	 * @return  self
	 */
	protected function loadLayoutData()
	{
		return array(
			'module'         => $this->getModule(),
			'moduleInstance' => $this,
			'params'         => $this->getParams()
		);
	}

	/**
	 * Load module parameters from database.
	 *
	 * @return  Registry
	 */
	protected function loadParams()
	{
		if (!$this->hasId())
		{
			return new Registry;
		}

		return new Registry($this->getModuleProperty('params', array()));
	}

	/**
	 * Render this module.
	 *
	 * @param   string  $layoutId  Layout identifier
	 * @param   array   $data      Optional data
	 *
	 * @return  string
	 */
	public function render($layoutId = null, $data = array())
	{
		$layoutId = $layoutId ?: $this->getParam('layout', 'default');

		$layoutPath = $this->getLayoutPath($layoutId);

		if (!file_exists($layoutPath))
		{
			return '';
		}

		extract(array_merge($this->getLayoutData(), $data));


		ob_start();
		include $layoutPath;
		$output = ob_get_contents();
		ob_end_clean();

		return $output;
	}

	/**
	 * Save parameters to database.
	 *
	 * @return  Registry
	 */
	public function saveParams()
	{
		$db = \JFactory::getDbo();

		$query = $db->getQuery(true)
			->update('#__modules')
			->set('params = ' . $db->q($this->getParams()->toString()))
			->where('id = ' . (int) $this->getId());

		$db->setQuery($query);

		return $db->execute() ? true : false;
	}
}


1			<?php
			0 ignored issues – show Coding Style Compatibility introduced 2017-06-22 10:52 UTC by Report Bug Copy Issue Report Show Similar Issues like this For compatibility and reusability of your code, PSR1 recommends that a file should introduce either new symbols (like classes, functions, etc.) or have side-effects (like outputting something, or including other files), but not both at the same time. The first symbol is defined on line 21 and the first side effect is on line 11. The PSR-1: Basic Coding Standard recommends that a file should either introduce new symbols, that is classes, functions, constants or similar, or have side effects. Side effects are anything that executes logic, like for example printing output, changing ini settings or writing to a file. The idea behind this recommendation is that merely auto-loading a class should not change the state of an application. It also promotes a cleaner style of programming and makes your code less prone to errors, because the logic is not spread out all over the place. To learn more about the PSR-1, please see the PHP-FIG site on the PSR-1. Loading history...
2			/**
3			* Joomla! module.
4			*
5			* @copyright Copyright (C) 2017 Roberto Segura López, Inc. All rights reserved.
6			* @license GNU/GPL 2, http://www.gnu.org/licenses/gpl-2.0.htm
7			*/
8
9			namespace Phproberto\Joomla\Module;
10
11	1		defined('JPATH_PLATFORM') \|\| die;
12
13			use Joomla\Registry\Registry;
14			use Phproberto\Joomla\Traits as CommonTraits;
15
16			/**
17			* Base module class.
18			*
19			* @since 0.0.1
20			*/
21			abstract class Module implements ModuleInterface
22			{
23			use CommonTraits\HasExtension, CommonTraits\HasInstances, CommonTraits\HasLayoutData, CommonTraits\HasParams;
24			use Traits\HasModule;
25
26			/**
27			* Element of this module. Example: mod_articles_latest
28			*
29			* @var string
30			*/
31			protected $element;
32
33			/**
34			* Module identifier.
35			*
36			* @var integer
37			*/
38			protected $id;
39
40			/**
41			* Constructor.
42			*
43			* @param integer $id Module identifier
44			*/
45	26		public function __construct($id = null)
46			{
47	26		if (empty($this->element))
48			{
49	1		throw Exception\InvalidModuleException::invalidElement($this);
50			}
51
52	25		$this->id = (int) $id;
53	25		}
54
55			/**
56			* Get the client/application of the module.
57			*
58			* @return integer
59			*/
60	3		public function getClient()
61			{
62	3		return (int) $this->getModuleProperty('client_id', STATIC::CLIENT_SITE);
63			}
64
65			/**
66			* Get the content of this module.
67			*
68			* @return string
69			*/
70	1		public function getContent()
71			{
72	1		$module = $this->getModule();
73
74	1		return empty($module->content) ? '' : $module->content;
75			}
76
77			/**
78			* Get the element of this module.
79			*
80			* @return string
81			*/
82	1		public function getElement()
83			{
84	1		return $this->element;
85			}
86
87			/**
88			* Get the module identifier.
89			*
90			* @return integer
91			*/
92	18		public function getId()
93			{
94	18		return (int) $this->id;
95			}
96
97			/**
98			* Get the module language.
99			*
100			* @return string
101			*/
102	1		public function getLanguage()
103			{
104	1		$module = $this->getModule();
105
106	1		return empty($module->language) ? '' : $module->language;
107			}
108
109			/**
110			* Get the path to a layout.
111			*
112			* @param string $layoutId Layout identifier
113			*
114			* @return mixed string \| false
115			*/
116	1		private function getLayoutPath($layoutId)
117			{
118	1		$originalTemplate = $template = \JFactory::getApplication()->getTemplate();
119
120	1		if (strpos($layoutId, ':') !== false)
121			{
122			// Get the template and file name from the string
123	1		$temp = explode(':', $layoutId);
124	1		$template = ($temp[0] == '_') ? $template : $temp[0];
125	1		$layoutId = $temp[1];
126			}
127
128	1		$defaultTemplate = ($originalTemplate == $template);
129
130	1		$layoutPaths = $defaultTemplate ? $this->getLayoutPaths() : array_map(
131	1		function ($path) use ($originalTemplate, $template)
132			{
133	1		return str_replace(
134	1		$this->getThemesPath() . '/' . $originalTemplate,
135	1		$this->getThemesPath() . '/' . $template,
136			$path
137			);
138	1		},
139	1		$this->getLayoutPaths()
140			);
141
142	1		$path = \JPath::find($layoutPaths, $layoutId . '.php');
143
144	1		if ($path \|\| $layoutId == 'default')
145			{
146	1		return $path;
147			}
148
149	1		return $this->getLayoutPath('default');
150			}
151
152			/**
153			* Get the paths where we will search for layouts.
154			*
155			* @return string[]
156			*/
157	1	View Code Duplication	protected function getLayoutPaths()
			0 ignored issues – show Duplication introduced 2017-06-22 10:52 UTC by Report Bug Copy Issue Report Show Similar Issues like this This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
158			{
159	1		$reflection = new \ReflectionClass($this);
160
161			return array(
162	1		$this->getThemesPath() . '/' . \JFactory::getApplication()->getTemplate() . '/html/' . $this->element,
163	1		dirname($reflection->getFileName()) . '/tmpl'
164			);
165			}
166
167			/**
168			* Get the date set as null in the database driver.
169			*
170			* @return string
171			*/
172	1		private function getNullDate()
173			{
174	1		return \JFactory::getDbo()->getNullDate();
175			}
176
177			/**
178			* Get the module position.
179			*
180			* @return string
181			*/
182	1		public function getPosition()
183			{
184	1		return $this->getModuleProperty('position', '');
185			}
186
187			/**
188			* Get the main path to templates folder. Mainly for testing puposes.
189			*
190			* @return string
191			*
192			* @codeCoverageIgnore
193			*/
194			protected function getThemesPath()
195			{
196			return JPATH_THEMES;
197			}
198
199			/**
200			* Get the title of the module.
201			*
202			* @return string
203			*/
204	1		public function getTitle()
205			{
206	1		return $this->getModuleProperty('title', '');
207			}
208
209			/**
210			* Check if this module has an identifier.
211			*
212			* @return boolean
213			*/
214	18		public function hasId()
215			{
216	18		return !empty($this->id);
217			}
218
219			/**
220			* Is this a backend module?
221			*
222			* @return boolean
223			*/
224	1		public function isAdmin()
225			{
226	1		return $this->getClient() === static::CLIENT_ADMIN;
227			}
228
229			/**
230			* Check if this module is published.
231			*
232			* @return boolean
233			*/
234	1		public function isPublished()
235			{
236	1		$published = $this->getModuleProperty('published', static::STATE_UNPUBLISHED);
237
238	1		if ($published != static::STATE_PUBLISHED)
239			{
240	1		return false;
241			}
242
243	1		$publishDown = $this->getModuleProperty('publish_down', $this->getNullDate());
244	1		$publishUp = $this->getModuleProperty('publish_up', $this->getNullDate());
245
246	1		$isPublishedUp = $publishUp == $this->getNullDate() \|\| \JFactory::getDate($publishUp) <= \JFactory::getDate();
247	1		$isPublishedDown = $publishDown != $this->getNullDate() && \JFactory::getDate($publishDown) < \JFactory::getDate();
248
249	1		return $isPublishedUp && !$isPublishedDown;
250			}
251
252			/**
253			* Is this a frontend module?
254			*
255			* @return boolean
256			*/
257	1		public function isSite()
258			{
259	1		return $this->getClient() === static::CLIENT_SITE;
260			}
261
262			/**
263			* Is the module title set as shown?
264			*
265			* @return boolean
266			*/
267	1		public function isTitleShown()
268			{
269	1		return $this->getModuleProperty('showtitle', static::TITLE_SHOWN) == static::TITLE_SHOWN;
270			}
271
272			/**
273			* Load extension from DB.
274			*
275			* @return \stdClass
276			*/
277	1		protected function loadExtension()
278			{
279	1		$db = \JFactory::getDbo();
280	1		$query = $db->getQuery(true)
281	1		->select('*')
282	1		->from('#__extensions')
283	1		->where('type = ' . $db->quote('module'))
284	1		->where('name = ' . $db->q($this->element));
285
286	1		$db->setQuery($query);
287
288	1		return $db->loadObject() ?: new \stdClass;
289			}
290
291			/**
292			* Load layout data.
293			*
294			* @return self
295			*/
296	3		protected function loadLayoutData()
297			{
298			return array(
299	3		'module' => $this->getModule(),
300	3		'moduleInstance' => $this,
301	3		'params' => $this->getParams()
302			);
303			}
304
305			/**
306			* Load module parameters from database.
307			*
308			* @return Registry
309			*/
310	6		protected function loadParams()
311			{
312	6		if (!$this->hasId())
313			{
314	2		return new Registry;
315			}
316
317	6		return new Registry($this->getModuleProperty('params', array()));
318			}
319
320			/**
321			* Render this module.
322			*
323			* @param string $layoutId Layout identifier
324			* @param array $data Optional data
325			*
326			* @return string
327			*/
328	1		public function render($layoutId = null, $data = array())
329			{
330	1		$layoutId = $layoutId ?: $this->getParam('layout', 'default');
331
332	1		$layoutPath = $this->getLayoutPath($layoutId);
333
334	1		if (!file_exists($layoutPath))
335			{
336	1		return '';
337			}
338
339	1		extract(array_merge($this->getLayoutData(), $data));
			0 ignored issues – show Bug introduced 2017-06-22 10:52 UTC by Report Bug Copy Issue Report Show Similar Issues like this `array_merge($this->getLayoutData(), $data)` cannot be passed to `extract()` as the parameter `$var_array` expects a reference. Loading history...
340
341	1		ob_start();
342	1		include $layoutPath;
343	1		$output = ob_get_contents();
344	1		ob_end_clean();
345
346	1		return $output;
347			}
348
349			/**
350			* Save parameters to database.
351			*
352			* @return Registry
353			*/
354	1		public function saveParams()
355			{
356	1		$db = \JFactory::getDbo();
357
358	1		$query = $db->getQuery(true)
359	1		->update('#__modules')
360	1		->set('params = ' . $db->q($this->getParams()->toString()))
361	1		->where('id = ' . (int) $this->getId());
362
363	1		$db->setQuery($query);
364
365	1		return $db->execute() ? true : false;
366			}
367			}
368

phproberto / joomla-module

Issues (17)

Security Analysis no request data

src/Module.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like