Issues in PodsRESTHandlers.php (2.x) - Issues in 2.x - pods-framework/pods - Measure and Improve Code Quality continuously with Scrutinizer

Issues (2873)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

classes/PodsRESTHandlers.php (3 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

/**
 * Class PodsRESTHandlers
 *
 * Handlers for reading and writing Pods fields via REST API
 *
 * @package Pods
 * @since   2.5.6
 */
class PodsRESTHandlers {

	/**
	 * Holds a Pods object to avoid extra DB queries
	 *
	 * @since 2.5.6
	 *
	 * @var Pods
	 */
	private static $pod;

	/**
	 * Get Pod object
	 *
	 * @since 2.5.6
	 *
	 * @param $pod_name
	 * @param $id
	 *
	 * @return bool|Pods

	 */
	protected static function get_pod( $pod_name, $id ) {

		if ( ! self::$pod || self::$pod->pod !== $pod_name ) {
			self::$pod = pods( $pod_name, $id, true );
		}

		if ( self::$pod && (int) self::$pod->id !== (int) $id ) {
			self::$pod->fetch( $id );
		}

		return self::$pod;

	}

	/**
	 * Handler for getting custom field data.
	 *
	 * @since 2.5.6
	 *
	 * @param array           $object      The object from the response
	 * @param string          $field_name  Name of field
	 * @param WP_REST_Request $request     Current request
	 * @param string          $object_type Type of object
	 *
	 * @return mixed
	 */
	public static function get_handler( $object, $field_name, $request, $object_type ) {

		$pod_name = pods_v( 'type', $object );

		/**
		 * If $pod_name in the line above is empty then the route invoked
		 * may be for a taxonomy, so lets try and check for that
		 */
		if ( empty( $pod_name ) ) {
			$pod_name = pods_v( 'taxonomy', $object );
		}

		/**
		 * $pod_name is still empty, so check lets check $object_type
		 */

		if ( empty( $pod_name ) ) {
			if ( 'attachment' === $object_type ) {
				$pod_name = 'media';
			} else {
				$pod_name = $object_type;
			}
		}

		/**
		 * Filter the pod name
		 *
		 * @since 2.6.7
		 *
		 * @param array           $pod_name    Pod name
		 * @param Pods            $object      Rest object
		 * @param string          $field_name  Name of the field
		 * @param WP_REST_Request $request     Current request
		 * @param string          $object_type Rest Object type
		 */
		$pod_name = apply_filters( 'pods_rest_api_pod_name', $pod_name, $object, $field_name, $request, $object_type );

		$id = pods_v( 'id', $object );

		if ( empty( $id ) ) {
			$id = pods_v( 'ID', $object );
		}

		$pod = self::get_pod( $pod_name, $id );

		$value = false;

		if ( $pod && PodsRESTFields::field_allowed_to_extend( $field_name, $pod, 'read' ) ) {
			$params = null;

			$field_data = $pod->fields( $field_name );

			if ( 'pick' === pods_v( 'type', $field_data ) ) {
				$output_type = pods_v( 'rest_pick_response', $field_data['options'], 'array' );

				/**
				 * What output type to use for a related field REST response.
				 *
				 * @since 2.7
				 *
				 * @param string                 $output_type The pick response output type.
				 * @param string                 $field_name  The name of the field
				 * @param array                  $field_data  The field data
				 * @param object|Pods            $pod         The Pods object for Pod relationship is from.
				 * @param int                    $id          Current item ID
				 * @param object|WP_REST_Request Current      request object.
				 */
				$output_type = apply_filters( 'pods_rest_api_output_type_for_relationship_response', $output_type, $field_name, $field_data, $pod, $id, $request );

				if ( 'array' === $output_type ) {
					$related_pod_items = $pod->field( $field_name, array( 'output' => 'pod' ) );

					if ( $related_pod_items ) {
						$fields = false;
						$items  = array();
						$depth  = pods_v( 'rest_pick_depth', $field_data['options'], 2 );

						if ( ! is_array( $related_pod_items ) ) {
							$related_pod_items = array( $related_pod_items );
						}

						/**
						 * @var $related_pod Pods
						 */
						foreach ( $related_pod_items as $related_pod ) {
							if ( ! is_object( $related_pod ) || ! is_a( $related_pod, 'Pods' ) ) {
								$items = $related_pod_items;

								break;
							}

							if ( false === $fields ) {
								$fields = $related_pod->fields();
								$fields = array_keys( $fields );

								if ( isset( $related_pod->pod_data['object_fields'] ) && ! empty( $related_pod->pod_data['object_fields'] ) ) {
									$fields = array_merge( $fields, array_keys( $related_pod->pod_data['object_fields'] ) );
								}

								/**
								 * What fields to show in a related field REST response.
								 *
								 * @since 0.0.1
								 *
								 * @param array                  $fields     The fields to show
								 * @param string                 $field_name The name of the field
								 * @param object|Pods            $pod        The Pods object for Pod relationship is from.
								 * @param object|Pods            $pod        The Pods object for Pod relationship is to.
								 * @param int                    $id         Current item ID
								 * @param object|WP_REST_Request Current     request object.
								 */
								$fields = apply_filters( 'pods_rest_api_fields_for_relationship_response', $fields, $field_name, $pod, $related_pod, $id, $request );
							}//end if

							/**
							 * What depth to use for a related field REST response.
							 *
							 * @since 0.0.1
							 *
							 * @param array                  $depth      The depth.
							 * @param string                 $field_name The name of the field
							 * @param object|Pods            $pod        The Pods object for Pod relationship is from.
							 * @param object|Pods            $pod        The Pods object for Pod relationship is to.
							 * @param int                    $id         Current item ID
							 * @param object|WP_REST_Request Current     request object.
							 */
							$depth = apply_filters( 'pods_rest_api_depth_for_relationship_response', $depth, $field_name, $pod, $related_pod, $id, $request );

							$params = array(
								'fields'  => $fields,
								'depth'   => $depth,
								'context' => 'rest',
							);

							$items[] = $related_pod->export( $params );
						}//end foreach

						$value = $items;
					}//end if
				}//end if

				$params = array(
					'output' => $output_type,
				);
			}//end if

			// If no value set yet, get normal field value
			if ( ! $value && ! is_array( $value ) ) {
				$value = $pod->field( $field_name, $params );
			}
		}//end if

		return $value;

	}

	/**
	 * Handle saving of Pod fields from REST API write requests.
	 *
	 * @param WP_Post|WP_Term|WP_User|WP_Comment $object   Inserted or updated object.
	 * @param WP_REST_Request                    $request  Request object.
	 * @param bool                               $creating True when creating an item, false when updating.
	 */
	public static function save_handler( $object, $request, $creating ) {

		if ( is_a( $object, 'WP_Post' ) ) {
			$pod_name = $object->post_type;

			if ( 'attachment' === $pod_name ) {
				$pod_name = 'media';
			}

			$id = $object->ID;
		} elseif ( is_a( $object, 'WP_Term' ) ) {
			$pod_name = $object->taxonomy;

			$id = $object->term_id;
		} elseif ( is_a( $object, 'WP_User' ) ) {
			$pod_name = 'user';

			$id = $object->ID;
		} elseif ( is_a( $object, 'WP_Comment' ) ) {
			$pod_name = 'comment';

			$id = $object->comment_ID;
		} else {
			// Not a supported object
			return;
		}//end if

		$pod = self::get_pod( $pod_name, $id );

		global $wp_rest_additional_fields;
function myFunction($a, $b) {
    // Do something
}

		$rest_enable = (boolean) pods_v( 'rest_enable', $pod->pod_data['options'], false );

		if ( $pod && $rest_enable && ! empty( $wp_rest_additional_fields[ $pod_name ] ) ) {
			$fields = $pod->fields();

			$save_fields = array();

			$params = array(
				'is_new_item' => $creating,
			);

			foreach ( $fields as $field_name => $field ) {
				if ( empty( $wp_rest_additional_fields[ $pod_name ][ $field_name ]['pods_update'] ) ) {
					continue;
				} elseif ( ! isset( $request[ $field_name ] ) ) {
					continue;
				} elseif ( ! PodsRESTFields::field_allowed_to_extend( $field_name, $pod, 'write' ) ) {
					continue;
				}

				$save_fields[ $field_name ] = $request[ $field_name ];
			}

			if ( ! empty( $save_fields ) || $creating ) {
				$pod->save( $save_fields, null, null, $params );
			}
		}//end if

	}

}


Issues (2873)

Security Analysis not enabled

classes/PodsRESTHandlers.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

1. Pass all data via parameters

2. Create a class that maintains your state

1			<?php
2
3			/**
4			* Class PodsRESTHandlers
5			*
6			* Handlers for reading and writing Pods fields via REST API
7			*
8			* @package Pods
9			* @since 2.5.6
10			*/
11			class PodsRESTHandlers {
12
13			/**
14			* Holds a Pods object to avoid extra DB queries
15			*
16			* @since 2.5.6
17			*
18			* @var Pods
19			*/
20			private static $pod;
21
22			/**
23			* Get Pod object
24			*
25			* @since 2.5.6
26			*
27			* @param $pod_name
28			* @param $id
29			*
30			* @return bool\|Pods
			0 ignored issues – show Documentation introduced 2018-03-03 20:10 UTC by Report Bug Copy Issue Report Show Similar Issues like this Consider making the return type a bit more specific; maybe use `false\|Pods`. This check looks for the generic type `array` as a return type and suggests a more specific type. This type is inferred from the actual code. Loading history...
31			*/
32			protected static function get_pod( $pod_name, $id ) {
33
34			if ( ! self::$pod \|\| self::$pod->pod !== $pod_name ) {
35			self::$pod = pods( $pod_name, $id, true );
36			}
37
38			if ( self::$pod && (int) self::$pod->id !== (int) $id ) {
39			self::$pod->fetch( $id );
40			}
41
42			return self::$pod;
43
44			}
45
46			/**
47			* Handler for getting custom field data.
48			*
49			* @since 2.5.6
50			*
51			* @param array $object The object from the response
52			* @param string $field_name Name of field
53			* @param WP_REST_Request $request Current request
54			* @param string $object_type Type of object
55			*
56			* @return mixed
57			*/
58			public static function get_handler( $object, $field_name, $request, $object_type ) {
59
60			$pod_name = pods_v( 'type', $object );
61
62			/**
63			* If $pod_name in the line above is empty then the route invoked
64			* may be for a taxonomy, so lets try and check for that
65			*/
66			if ( empty( $pod_name ) ) {
67			$pod_name = pods_v( 'taxonomy', $object );
68			}
69
70			/**
71			* $pod_name is still empty, so check lets check $object_type
72			*/
73
74			if ( empty( $pod_name ) ) {
75			if ( 'attachment' === $object_type ) {
76			$pod_name = 'media';
77			} else {
78			$pod_name = $object_type;
79			}
80			}
81
82			/**
83			* Filter the pod name
84			*
85			* @since 2.6.7
86			*
87			* @param array $pod_name Pod name
88			* @param Pods $object Rest object
89			* @param string $field_name Name of the field
90			* @param WP_REST_Request $request Current request
91			* @param string $object_type Rest Object type
92			*/
93			$pod_name = apply_filters( 'pods_rest_api_pod_name', $pod_name, $object, $field_name, $request, $object_type );
94
95			$id = pods_v( 'id', $object );
96
97			if ( empty( $id ) ) {
98			$id = pods_v( 'ID', $object );
99			}
100
101			$pod = self::get_pod( $pod_name, $id );
102
103			$value = false;
104
105			if ( $pod && PodsRESTFields::field_allowed_to_extend( $field_name, $pod, 'read' ) ) {
106			$params = null;
107
108			$field_data = $pod->fields( $field_name );
109
110			if ( 'pick' === pods_v( 'type', $field_data ) ) {
111			$output_type = pods_v( 'rest_pick_response', $field_data['options'], 'array' );
112
113			/**
114			* What output type to use for a related field REST response.
115			*
116			* @since 2.7
117			*
118			* @param string $output_type The pick response output type.
119			* @param string $field_name The name of the field
120			* @param array $field_data The field data
121			* @param object\|Pods $pod The Pods object for Pod relationship is from.
122			* @param int $id Current item ID
123			* @param object\|WP_REST_Request Current request object.
124			*/
125			$output_type = apply_filters( 'pods_rest_api_output_type_for_relationship_response', $output_type, $field_name, $field_data, $pod, $id, $request );
126
127			if ( 'array' === $output_type ) {
128			$related_pod_items = $pod->field( $field_name, array( 'output' => 'pod' ) );
129
130			if ( $related_pod_items ) {
131			$fields = false;
132			$items = array();
133			$depth = pods_v( 'rest_pick_depth', $field_data['options'], 2 );
134
135			if ( ! is_array( $related_pod_items ) ) {
136			$related_pod_items = array( $related_pod_items );
137			}
138
139			/**
140			* @var $related_pod Pods
141			*/
142			foreach ( $related_pod_items as $related_pod ) {
143			if ( ! is_object( $related_pod ) \|\| ! is_a( $related_pod, 'Pods' ) ) {
144			$items = $related_pod_items;
145
146			break;
147			}
148
149			if ( false === $fields ) {
150			$fields = $related_pod->fields();
151			$fields = array_keys( $fields );
152
153			if ( isset( $related_pod->pod_data['object_fields'] ) && ! empty( $related_pod->pod_data['object_fields'] ) ) {
154			$fields = array_merge( $fields, array_keys( $related_pod->pod_data['object_fields'] ) );
155			}
156
157			/**
158			* What fields to show in a related field REST response.
159			*
160			* @since 0.0.1
161			*
162			* @param array $fields The fields to show
163			* @param string $field_name The name of the field
164			* @param object\|Pods $pod The Pods object for Pod relationship is from.
165			* @param object\|Pods $pod The Pods object for Pod relationship is to.
166			* @param int $id Current item ID
167			* @param object\|WP_REST_Request Current request object.
168			*/
169			$fields = apply_filters( 'pods_rest_api_fields_for_relationship_response', $fields, $field_name, $pod, $related_pod, $id, $request );
170			}//end if
171
172			/**
173			* What depth to use for a related field REST response.
174			*
175			* @since 0.0.1
176			*
177			* @param array $depth The depth.
178			* @param string $field_name The name of the field
179			* @param object\|Pods $pod The Pods object for Pod relationship is from.
180			* @param object\|Pods $pod The Pods object for Pod relationship is to.
181			* @param int $id Current item ID
182			* @param object\|WP_REST_Request Current request object.
183			*/
184			$depth = apply_filters( 'pods_rest_api_depth_for_relationship_response', $depth, $field_name, $pod, $related_pod, $id, $request );
185
186			$params = array(
187			'fields' => $fields,
188			'depth' => $depth,
189			'context' => 'rest',
190			);
191
192			$items[] = $related_pod->export( $params );
193			}//end foreach
194
195			$value = $items;
196			}//end if
197			}//end if
198
199			$params = array(
200			'output' => $output_type,
201			);
202			}//end if
203
204			// If no value set yet, get normal field value
205			if ( ! $value && ! is_array( $value ) ) {
206			$value = $pod->field( $field_name, $params );
207			}
208			}//end if
209
210			return $value;
211
212			}
213
214			/**
215			* Handle saving of Pod fields from REST API write requests.
216			*
217			* @param WP_Post\|WP_Term\|WP_User\|WP_Comment $object Inserted or updated object.
218			* @param WP_REST_Request $request Request object.
219			* @param bool $creating True when creating an item, false when updating.
220			*/
221			public static function save_handler( $object, $request, $creating ) {
222
223			if ( is_a( $object, 'WP_Post' ) ) {
224			$pod_name = $object->post_type;
225
226			if ( 'attachment' === $pod_name ) {
227			$pod_name = 'media';
228			}
229
230			$id = $object->ID;
231			} elseif ( is_a( $object, 'WP_Term' ) ) {
232			$pod_name = $object->taxonomy;
233
234			$id = $object->term_id;
235			} elseif ( is_a( $object, 'WP_User' ) ) {
236			$pod_name = 'user';
237
238			$id = $object->ID;
239			} elseif ( is_a( $object, 'WP_Comment' ) ) {
240			$pod_name = 'comment';
241
242			$id = $object->comment_ID;
243			} else {
244			// Not a supported object
245			return;
246			}//end if
247
248			$pod = self::get_pod( $pod_name, $id );
249
250			global $wp_rest_additional_fields;
			0 ignored issues – show Compatibility Best Practice introduced 2017-09-06 19:27 UTC by Report Bug Copy Issue Report Show Similar Issues like this Use of `global` functionality is not recommended; it makes your code harder to test, and less reusable. Instead of relying on `global` state, we recommend one of these alternatives: 1. Pass all data via parameters function myFunction($a, $b) { // Do something } 2. Create a class that maintains your state class MyClass { private $a; private $b; public function __construct($a, $b) { $this->a = $a; $this->b = $b; } public function myFunction() { // Do something } } Loading history... Comprehensibility Naming introduced 2018-03-03 20:10 UTC by Report Bug Copy Issue Report Show Similar Issues like this The variable name `$wp_rest_additional_fields` exceeds the maximum configured length of `20`. Very long variable names usually make code harder to read. It is therefore recommended not to make variable names too verbose. Loading history...
251
252			$rest_enable = (boolean) pods_v( 'rest_enable', $pod->pod_data['options'], false );
253
254			if ( $pod && $rest_enable && ! empty( $wp_rest_additional_fields[ $pod_name ] ) ) {
255			$fields = $pod->fields();
256
257			$save_fields = array();
258
259			$params = array(
260			'is_new_item' => $creating,
261			);
262
263			foreach ( $fields as $field_name => $field ) {
264			if ( empty( $wp_rest_additional_fields[ $pod_name ][ $field_name ]['pods_update'] ) ) {
265			continue;
266			} elseif ( ! isset( $request[ $field_name ] ) ) {
267			continue;
268			} elseif ( ! PodsRESTFields::field_allowed_to_extend( $field_name, $pod, 'write' ) ) {
269			continue;
270			}
271
272			$save_fields[ $field_name ] = $request[ $field_name ];
273			}
274
275			if ( ! empty( $save_fields ) \|\| $creating ) {
276			$pod->save( $save_fields, null, null, $params );
277			}
278			}//end if
279
280			}
281
282			}
283

pods-framework / pods

Issues (2873)

Security Analysis not enabled

classes/PodsRESTHandlers.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

1. Pass all data via parameters

2. Create a class that maintains your state

Duplication Side-by-Side

Filter issues like