Issues in Model.php (master) - Issues in master - pomm-project/ModelManager - Measure and Improve Code Quality continuously with Scrutinizer

Issues (13)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

sources/lib/Model/Model.php (2 issues)

Labels

Bug 2

Severity

Minor 2

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/*
 * This file is part of the PommProject/ModelManager package.
 *
 * (c) 2014 - 2015 Grégoire HUBERT <[email protected]>
 *
 * For the full copyright and license information, please view the LICENSE
 * file that was distributed with this source code.
 */
namespace PommProject\ModelManager\Model;

use PommProject\Foundation\Client\ClientInterface;
use PommProject\Foundation\Session\Session;
use PommProject\ModelManager\Converter\PgEntity;
use PommProject\ModelManager\Exception\ModelException;
use PommProject\ModelManager\Model\FlexibleEntity\FlexibleEntityInterface;

/**
 * Model
 *
 * Base class for custom Model classes.
 *
 * @abstract
 * @package     Pomm
 * @copyright   2014 - 2019 Grégoire HUBERT
 * @author      Grégoire HUBERT
 * @license     X11 {@link http://opensource.org/licenses/mit-license.php}
 * @see         ClientInterface
 */
abstract class Model implements ClientInterface
{
    protected $session;
    protected $flexible_entity_class;


    /**
     * @var RowStructure
     */
    protected $structure;

    /**
     * getSession
     *
     * Return the current session. If session is not set, a ModelException is
     * thrown.
     *
     * @access public
     * @return Session
     * @throws ModelException
     */
    public function getSession()
    {
        if ($this->session === null) {
            throw new ModelException(sprintf("Model class '%s' is not registered against the session.", get_class($this)));
        }

        return $this->session;
    }

    /**
     * getClientType
     *
     * @see ClientInterface
     */
    public function getClientType()
    {
        return 'model';
    }

    /**
     * getClientIdentifier
     *
     * @see ClientInterface
     */
    public function getClientIdentifier()
    {
        return trim(get_class($this), "\\");
    }

    /**
     * initialize
     *
     * @see ClientInterface
     */
    public function initialize(Session $session)
    {
        $this->session = $session;

        if ($this->structure === null) {
            throw new ModelException(sprintf("Structure not set while initializing Model class '%s'.", get_class($this)));
        }

        if ($this->flexible_entity_class == null) {
            throw new ModelException(sprintf("Flexible entity not set while initializing Model class '%s'.", get_class($this)));
        } elseif (!(new \ReflectionClass($this->flexible_entity_class))
            ->implementsInterface('\PommProject\ModelManager\Model\FlexibleEntity\FlexibleEntityInterface')
        ) {
            throw new ModelException(sprintf("Flexible entity must implement FlexibleEntityInterface."));
        }

        $session->getPoolerForType('converter')
interface User
{
    /** @return string */
    public function getPassword();
}

class MyUser implements User
{
    public function getPassword()
    {
        // return something
    }

    public function getDisplayName()
    {
        // return some name.
    }
}

class AuthSystem
{
    public function authenticate(User $user)
    {
        $this->logger->info(sprintf('Authenticating %s.', $user->getDisplayName()));
        // do something.
    }
}
            ->getConverterHolder()
            ->registerConverter(
                $this->flexible_entity_class,
                new PgEntity(
                    $this->flexible_entity_class,
                    $this->getStructure()
                ),
                [
                    $this->getStructure()->getRelation(),
                    $this->flexible_entity_class,
                ]
        );
    }

    /**
     * shutdown
     *
     * @see ClientInterface
     */
    public function shutdown()
    {
    }

    /**
     * createEntity
     *
     * Create a new entity.
     *
     * @access public
     * @param array $values
     * @return FlexibleEntityInterface
     */
    public function createEntity(array $values = [])
    {
        $class_name = $this->getFlexibleEntityClass();

        return (new $class_name)
            ->hydrate($values)
            ;
    }

    /**
     * query
     *
     * Execute the given query and return a Collection iterator on results. If
     * no projections are passed, it will use the default projection using
     * createProjection() method.
     *
     * @access protected
     * @param  string             $sql
     * @param  array              $values
     * @param  Projection         $projection
     * @return CollectionIterator
     */
    protected function query($sql, array $values = [], Projection $projection = null)
    {
        if ($projection === null) {
            $projection = $this->createProjection();
        }

        $result = $this
interface User
{
    /** @return string */
    public function getPassword();
}

class MyUser implements User
{
    public function getPassword()
    {
        // return something
    }

    public function getDisplayName()
    {
        // return some name.
    }
}

class AuthSystem
{
    public function authenticate(User $user)
    {
        $this->logger->info(sprintf('Authenticating %s.', $user->getDisplayName()));
        // do something.
    }
}
            ->getSession()
            ->getClientUsingPooler('prepared_query', $sql)
            ->execute($values)
            ;

        $collection = new CollectionIterator(
            $result,
            $this->getSession(),
            $projection
        );

        return $collection;
    }

    /**
     * createDefaultProjection
     *
     * This method creates a projection based on the structure definition of
     * the underlying relation. It may be used to shunt parent createProjection
     * call in inherited classes.
     * This method can be used where a projection that sticks to table
     * definition is needed like recursive CTEs. For normal projections, use
     * createProjection instead.
     *
     * @access public
     * @return Projection
     */
    final public function createDefaultProjection()
    {
        return new Projection($this->flexible_entity_class, $this->structure->getDefinition());
    }

    /**
     * createProjection
     *
     * This is a helper to create a new projection according to the current
     * structure.Overriding this method will change projection for all models.
     *
     * @access  public
     * @return  Projection
     */
    public function createProjection()
    {
        return $this->createDefaultProjection();
    }

    /**
     * checkFlexibleEntity
     *
     * Check if the given entity is an instance of this model's flexible class.
     * If not an exception is thrown.
     *
     * @access protected
     * @param  FlexibleEntityInterface $entity
     * @throws \InvalidArgumentException
     * @return Model          $this
     */
    protected function checkFlexibleEntity(FlexibleEntityInterface $entity)
    {
        if (!($entity instanceof $this->flexible_entity_class)) {
            throw new \InvalidArgumentException(sprintf(
                "Entity class '%s' is not a '%s'.",
                get_class($entity),
                $this->flexible_entity_class
            ));
        }

        return $this;
    }

    /**
     * getStructure
     *
     * Return the structure.
     *
     * @access public
     * @return RowStructure
     */
    public function getStructure()
    {
        return $this->structure;
    }

    /**
     * getModel
     *
     * Proxy to Session::getModel();
     *
     * @param  string    model identifier
     * @return Model
     */
    protected function getModel($identifier)
    {
        return $this
            ->getSession()
            ->getClientUsingPooler('model', $identifier);
    }


    /**
     * getFlexibleEntityClass
     *
     * Return the according flexible entity class associate with this Model
     * instance.
     *
     * @access public
     * @return string
     */
    public function getFlexibleEntityClass()
    {
        return $this->flexible_entity_class;
    }

    /**
     * escapeLiteral
     *
     * Handy method to escape strings.
     *
     * @access protected
     * @param  string $string
     * @return string
     */
    protected function escapeLiteral($string)
    {
        return $this
            ->getSession()
            ->getConnection()
            ->escapeLiteral($string);
    }

    /**
     * escapeLiteral
     *
     * Handy method to escape strings.
     *
     * @access protected
     * @param  string $string
     * @return string
     */
    protected function escapeIdentifier($string)
    {
        return $this
            ->getSession()
            ->getConnection()
            ->escapeIdentifier($string);
    }

    /**
     * executeAnonymousQuery
     *
     * Handy method for DDL statements.
     *
     * @access protected
     * @param  string $sql
     * @return Model  $this
     */
    protected function executeAnonymousQuery($sql)
    {
        $this
            ->getSession()
            ->getConnection()
            ->executeAnonymousQuery($sql);

        return $this;
    }
}


Issues (13)

Security Analysis no request data

sources/lib/Model/Model.php (2 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Available Fixes

Available Fixes

1			<?php
2			/*
3			* This file is part of the PommProject/ModelManager package.
4			*
5			* (c) 2014 - 2015 Grégoire HUBERT <[email protected]>
6			*
7			* For the full copyright and license information, please view the LICENSE
8			* file that was distributed with this source code.
9			*/
10			namespace PommProject\ModelManager\Model;
11
12			use PommProject\Foundation\Client\ClientInterface;
13			use PommProject\Foundation\Session\Session;
14			use PommProject\ModelManager\Converter\PgEntity;
15			use PommProject\ModelManager\Exception\ModelException;
16			use PommProject\ModelManager\Model\FlexibleEntity\FlexibleEntityInterface;
17
18			/**
19			* Model
20			*
21			* Base class for custom Model classes.
22			*
23			* @abstract
24			* @package Pomm
25			* @copyright 2014 - 2019 Grégoire HUBERT
26			* @author Grégoire HUBERT
27			* @license X11 {@link http://opensource.org/licenses/mit-license.php}
28			* @see ClientInterface
29			*/
30			abstract class Model implements ClientInterface
31			{
32			protected $session;
33			protected $flexible_entity_class;
34
35
36			/**
37			* @var RowStructure
38			*/
39			protected $structure;
40
41			/**
42			* getSession
43			*
44			* Return the current session. If session is not set, a ModelException is
45			* thrown.
46			*
47			* @access public
48			* @return Session
49			* @throws ModelException
50			*/
51			public function getSession()
52			{
53			if ($this->session === null) {
54			throw new ModelException(sprintf("Model class '%s' is not registered against the session.", get_class($this)));
55			}
56
57			return $this->session;
58			}
59
60			/**
61			* getClientType
62			*
63			* @see ClientInterface
64			*/
65			public function getClientType()
66			{
67			return 'model';
68			}
69
70			/**
71			* getClientIdentifier
72			*
73			* @see ClientInterface
74			*/
75			public function getClientIdentifier()
76			{
77			return trim(get_class($this), "\\");
78			}
79
80			/**
81			* initialize
82			*
83			* @see ClientInterface
84			*/
85			public function initialize(Session $session)
86			{
87			$this->session = $session;
88
89			if ($this->structure === null) {
90			throw new ModelException(sprintf("Structure not set while initializing Model class '%s'.", get_class($this)));
91			}
92
93			if ($this->flexible_entity_class == null) {
94			throw new ModelException(sprintf("Flexible entity not set while initializing Model class '%s'.", get_class($this)));
95			} elseif (!(new \ReflectionClass($this->flexible_entity_class))
96			->implementsInterface('\PommProject\ModelManager\Model\FlexibleEntity\FlexibleEntityInterface')
97			) {
98			throw new ModelException(sprintf("Flexible entity must implement FlexibleEntityInterface."));
99			}
100
101			$session->getPoolerForType('converter')
			0 ignored issues – show Bug introduced 2015-11-26 10:00 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like you code against a concrete implementation and not the interface `PommProject\Foundation\C...t\ClientPoolerInterface` as the method `getConverterHolder()` does only exist in the following implementations of said interface: `PommProject\Foundation\Converter\ConverterPooler`. Let’s take a look at an example: interface User { /** @return string / public function getPassword(); } class MyUser implements User { public function getPassword() { // return something } public function getDisplayName() { // return some name. } } class AuthSystem { public function authenticate(User $user) { $this->logger->info(sprintf('Authenticating %s.', $user->getDisplayName())); // do something. } } In the above example, the authenticate() method works fine as long as you just pass instances of MyUser. However, if you now also want to pass a different implementation of User which does not have a getDisplayName() method, the code will break. Available Fixes Change the type-hint for the parameter: class AuthSystem { public function authenticate(MyUser $user) { / ... / } } Add an additional type-check: class AuthSystem { public function authenticate(User $user) { if ($user instanceof MyUser) { $this->logger->info(/* ... /); } // or alternatively if ( ! $user instanceof MyUser) { throw new \LogicException( '$user must be an instance of MyUser, ' .'other instances are not supported.' ); } } } Note:* PHP Analyzer uses reverse abstract interpretation to narrow down the types inside the if block in such a case. Add the method to the interface: interface User { /** @return string / public function getPassword(); /* @return string */ public function getDisplayName(); } Loading history...
102			->getConverterHolder()
103			->registerConverter(
104			$this->flexible_entity_class,
105			new PgEntity(
106			$this->flexible_entity_class,
107			$this->getStructure()
108			),
109			[
110			$this->getStructure()->getRelation(),
111			$this->flexible_entity_class,
112			]
113			);
114			}
115
116			/**
117			* shutdown
118			*
119			* @see ClientInterface
120			*/
121			public function shutdown()
122			{
123			}
124
125			/**
126			* createEntity
127			*
128			* Create a new entity.
129			*
130			* @access public
131			* @param array $values
132			* @return FlexibleEntityInterface
133			*/
134			public function createEntity(array $values = [])
135			{
136			$class_name = $this->getFlexibleEntityClass();
137
138			return (new $class_name)
139			->hydrate($values)
140			;
141			}
142
143			/**
144			* query
145			*
146			* Execute the given query and return a Collection iterator on results. If
147			* no projections are passed, it will use the default projection using
148			* createProjection() method.
149			*
150			* @access protected
151			* @param string $sql
152			* @param array $values
153			* @param Projection $projection
154			* @return CollectionIterator
155			*/
156			protected function query($sql, array $values = [], Projection $projection = null)
157			{
158			if ($projection === null) {
159			$projection = $this->createProjection();
160			}
161
162			$result = $this
			0 ignored issues – show Bug introduced 2015-11-26 10:00 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like you code against a concrete implementation and not the interface `PommProject\Foundation\Client\ClientInterface` as the method `execute()` does only exist in the following implementations of said interface: `PommProject\Foundation\PreparedQuery\PreparedQuery`. Let’s take a look at an example: interface User { /** @return string / public function getPassword(); } class MyUser implements User { public function getPassword() { // return something } public function getDisplayName() { // return some name. } } class AuthSystem { public function authenticate(User $user) { $this->logger->info(sprintf('Authenticating %s.', $user->getDisplayName())); // do something. } } In the above example, the authenticate() method works fine as long as you just pass instances of MyUser. However, if you now also want to pass a different implementation of User which does not have a getDisplayName() method, the code will break. Available Fixes Change the type-hint for the parameter: class AuthSystem { public function authenticate(MyUser $user) { / ... / } } Add an additional type-check: class AuthSystem { public function authenticate(User $user) { if ($user instanceof MyUser) { $this->logger->info(/* ... /); } // or alternatively if ( ! $user instanceof MyUser) { throw new \LogicException( '$user must be an instance of MyUser, ' .'other instances are not supported.' ); } } } Note:* PHP Analyzer uses reverse abstract interpretation to narrow down the types inside the if block in such a case. Add the method to the interface: interface User { /** @return string / public function getPassword(); /* @return string */ public function getDisplayName(); } Loading history...
163			->getSession()
164			->getClientUsingPooler('prepared_query', $sql)
165			->execute($values)
166			;
167
168			$collection = new CollectionIterator(
169			$result,
170			$this->getSession(),
171			$projection
172			);
173
174			return $collection;
175			}
176
177			/**
178			* createDefaultProjection
179			*
180			* This method creates a projection based on the structure definition of
181			* the underlying relation. It may be used to shunt parent createProjection
182			* call in inherited classes.
183			* This method can be used where a projection that sticks to table
184			* definition is needed like recursive CTEs. For normal projections, use
185			* createProjection instead.
186			*
187			* @access public
188			* @return Projection
189			*/
190			final public function createDefaultProjection()
191			{
192			return new Projection($this->flexible_entity_class, $this->structure->getDefinition());
193			}
194
195			/**
196			* createProjection
197			*
198			* This is a helper to create a new projection according to the current
199			* structure.Overriding this method will change projection for all models.
200			*
201			* @access public
202			* @return Projection
203			*/
204			public function createProjection()
205			{
206			return $this->createDefaultProjection();
207			}
208
209			/**
210			* checkFlexibleEntity
211			*
212			* Check if the given entity is an instance of this model's flexible class.
213			* If not an exception is thrown.
214			*
215			* @access protected
216			* @param FlexibleEntityInterface $entity
217			* @throws \InvalidArgumentException
218			* @return Model $this
219			*/
220			protected function checkFlexibleEntity(FlexibleEntityInterface $entity)
221			{
222			if (!($entity instanceof $this->flexible_entity_class)) {
223			throw new \InvalidArgumentException(sprintf(
224			"Entity class '%s' is not a '%s'.",
225			get_class($entity),
226			$this->flexible_entity_class
227			));
228			}
229
230			return $this;
231			}
232
233			/**
234			* getStructure
235			*
236			* Return the structure.
237			*
238			* @access public
239			* @return RowStructure
240			*/
241			public function getStructure()
242			{
243			return $this->structure;
244			}
245
246			/**
247			* getModel
248			*
249			* Proxy to Session::getModel();
250			*
251			* @param string model identifier
252			* @return Model
253			*/
254			protected function getModel($identifier)
255			{
256			return $this
257			->getSession()
258			->getClientUsingPooler('model', $identifier);
259			}
260
261
262			/**
263			* getFlexibleEntityClass
264			*
265			* Return the according flexible entity class associate with this Model
266			* instance.
267			*
268			* @access public
269			* @return string
270			*/
271			public function getFlexibleEntityClass()
272			{
273			return $this->flexible_entity_class;
274			}
275
276			/**
277			* escapeLiteral
278			*
279			* Handy method to escape strings.
280			*
281			* @access protected
282			* @param string $string
283			* @return string
284			*/
285			protected function escapeLiteral($string)
286			{
287			return $this
288			->getSession()
289			->getConnection()
290			->escapeLiteral($string);
291			}
292
293			/**
294			* escapeLiteral
295			*
296			* Handy method to escape strings.
297			*
298			* @access protected
299			* @param string $string
300			* @return string
301			*/
302			protected function escapeIdentifier($string)
303			{
304			return $this
305			->getSession()
306			->getConnection()
307			->escapeIdentifier($string);
308			}
309
310			/**
311			* executeAnonymousQuery
312			*
313			* Handy method for DDL statements.
314			*
315			* @access protected
316			* @param string $sql
317			* @return Model $this
318			*/
319			protected function executeAnonymousQuery($sql)
320			{
321			$this
322			->getSession()
323			->getConnection()
324			->executeAnonymousQuery($sql);
325
326			return $this;
327			}
328			}
329

pomm-project / ModelManager

Issues (13)

Security Analysis no request data

sources/lib/Model/Model.php (2 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Available Fixes

Available Fixes

Duplication Side-by-Side

Filter issues like