Issues (6)

Security Analysis: not enabled

This project does not seem to handle request data directly, so no vulnerable execution paths were found.

  Cross-Site Scripting
Cross-Site Scripting enables an attacker to inject code into the response of a web request that is viewed by other users. It can, for example, be used to bypass access controls, or even to take over other users' accounts.
  File Exposure
File Exposure allows an attacker to gain access to local files that they should not be able to access. These files can, for example, include database credentials or other configuration files.
  File Manipulation
File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.
  Object Injection
Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.
  Code Injection
Code Injection enables an attacker to execute arbitrary code on the server.
  Response Splitting
Response Splitting can be used to send arbitrary responses.
  File Inclusion
File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.
  Command Injection
Command Injection enables an attacker to inject a shell command that is executed with the privileges of the web server. This can be used to expose sensitive data or to gain access to your server.
  SQL Injection
SQL Injection enables an attacker to execute arbitrary SQL code on your database server, gaining access to user data or manipulating it.
  XPath Injection
XPath Injection enables an attacker to modify the parts of an XML document that are read. If that XML document is, for example, used for authentication, this can lead to further vulnerabilities similar to SQL Injection.
  LDAP Injection
LDAP Injection enables an attacker to inject LDAP statements, potentially granting permission to run unauthorized queries or to modify content inside the LDAP tree.
  Header Injection
  Other Vulnerability
This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.
  Regex Injection
Regex Injection enables an attacker to execute arbitrary code in your PHP process.
  XML Injection
XML Injection enables an attacker to read files on your local filesystem, including configuration files, or can be abused to freeze your web server process.
  Variable Injection
Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.
Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

external/header.php (5 issues)

These results are based on our legacy PHP analysis; consider migrating to our new PHP analysis engine instead.

```php
<?php
/* Things you may want to tweak in here:
 *  - xhprof_enable() uses a few constants.
 *  - The values passed to rand() determine the odds of any particular run being profiled.
 *  - The MongoDB collection and such.
 *
 * I use unsafe writes by default, let's not slow down requests any more than I need to. As a result you will
 * indubitably want to ensure that writes are actually working.
 *
 * The easiest way to get going is to either include this file in your index.php script, or use php.ini's
 * auto_prepend_file directive http://php.net/manual/en/ini.core.php#ini.auto-prepend-file
 */

/* xhprof_enable()
 * See: http://php.net/manual/en/xhprof.constants.php
 *
 * XHPROF_FLAGS_NO_BUILTINS
 *  Omit built-in functions from the returned data.
 *  This can be useful to simplify the output, but there's some value in seeing that you've called strpos() 2000 times
 *  (profiling of built-ins is forced off on PHP 5.5+ as it causes a segfault)
 *
 * XHPROF_FLAGS_CPU
 *  Include CPU profiling information in output
 *
 * XHPROF_FLAGS_MEMORY (integer)
 *  Include memory profiling information in output
 *
 * Use bitwise operators to combine, so XHPROF_FLAGS_CPU | XHPROF_FLAGS_MEMORY profiles CPU and memory
 */

/* uprofiler support
 * The uprofiler extension is a fork of xhprof.  See: https://github.com/FriendsOfPHP/uprofiler
 *
 * The two extensions are very similar, and this script will use the uprofiler extension if it is loaded,
 * or the xhprof extension if not.  At least one of these extensions must be present.
 *
 * The UPROFILER_* constants mirror the XHPROF_* ones exactly, with one additional constant available:
 *
 * UPROFILER_FLAGS_FUNCTION_INFO (integer)
 *  Adds more information about function calls (this information is not currently used by XHGui)
 */

/* Tideways XHProf support
 * The tideways_xhprof extension is a fork of xhprof. See https://github.com/tideways/php-profiler-extension
 *
 * It works on PHP 5.5+ and PHP 7 and improves on the ancient timing algorithms used by XHProf by using
 * more modern Linux APIs to collect high-performance timing data.
 *
 * v4 (tideways): The TIDEWAYS_* constants are similar to the XHProf ones; however, you need to disable timeline
 * mode when using XHGui, because it only supports callgraphs and we can save the overhead. Use
 * TIDEWAYS_FLAGS_NO_SPANS to disable timeline mode.
 *
 * v5 (tideways_xhprof): The TIDEWAYS_XHPROF_* constants are similar to the XHProf ones; however, you cannot use the
 * additional TIDEWAYS_XHPROF_FLAGS_MEMORY_* flags since XHGui does not support the extra data that they produce.
 */

// this file must not, under any circumstances, interfere with any other application
if (!extension_loaded('xhprof')
    && !extension_loaded('uprofiler')
    && !extension_loaded('tideways')
    && !extension_loaded('tideways_xhprof')
) {
    error_log('xhgui - either extension xhprof, uprofiler, tideways or tideways_xhprof must be loaded');
    return;
}

// Use the callbacks defined in the configuration file
// to determine whether or not XHGui should enable profiling.
//
// Only load the config class so we don't pollute the host application's
// autoloaders.
$dir = dirname(__DIR__);
require_once $dir . '/src/Xhgui/Config.php';
$configDir = defined('XHGUI_CONFIG_DIR') ? XHGUI_CONFIG_DIR : $dir . '/config/';
if (file_exists($configDir . 'config.php')) {
    Xhgui_Config::load($configDir . 'config.php');
} else {
    Xhgui_Config::load($configDir . 'config.default.php');
}
unset($dir, $configDir);

if ((!extension_loaded('mongo') && !extension_loaded('mongodb')) && Xhgui_Config::read('save.handler') === 'mongodb') {
    error_log('xhgui - extension mongo not loaded');
    return;
}

if (!Xhgui_Config::shouldRun()) {
    return;
}

if (!isset($_SERVER['REQUEST_TIME_FLOAT'])) {
    $_SERVER['REQUEST_TIME_FLOAT'] = microtime(true);
}

$skipBuiltIn = Xhgui_Config::read('profiler.skip_built_in');
$options = Xhgui_Config::read('profiler.options');

if (extension_loaded('uprofiler')) {
    $flags = UPROFILER_FLAGS_CPU | UPROFILER_FLAGS_MEMORY;

    if ($skipBuiltIn) {
        $flags |= UPROFILER_FLAGS_NO_BUILTINS;
    }

    uprofiler_enable($flags, $options);
} elseif (extension_loaded('tideways')) {
    $flags = TIDEWAYS_FLAGS_CPU | TIDEWAYS_FLAGS_MEMORY | TIDEWAYS_FLAGS_NO_SPANS;

    if ($skipBuiltIn) {
        $flags |= TIDEWAYS_FLAGS_NO_BUILTINS;
    }

    tideways_enable($flags, $options);
} elseif (extension_loaded('tideways_xhprof')) {
    $flags = TIDEWAYS_XHPROF_FLAGS_CPU | TIDEWAYS_XHPROF_FLAGS_MEMORY;

    if ($skipBuiltIn) {
        $flags |= TIDEWAYS_XHPROF_FLAGS_NO_BUILTINS;
    }

    tideways_xhprof_enable($flags);
} else {
    $flags = XHPROF_FLAGS_CPU | XHPROF_FLAGS_MEMORY;

    // Profiling built-ins segfaults on PHP 5.5+, so force NO_BUILTINS there.
    $isFaulted = (PHP_MAJOR_VERSION == 5 && PHP_MINOR_VERSION > 4);
    if ($skipBuiltIn || $isFaulted) {
        $flags |= XHPROF_FLAGS_NO_BUILTINS;
    }

    xhprof_enable($flags, $options);
}

register_shutdown_function(
    function () {
        if (extension_loaded('uprofiler')) {
            $data['profile'] = uprofiler_disable();
        } elseif (extension_loaded('tideways')) {
            $data['profile'] = tideways_disable();
        } elseif (extension_loaded('tideways_xhprof')) {
            $data['profile'] = tideways_xhprof_disable();
        } else {
            $data['profile'] = xhprof_disable();
        }

        // ignore_user_abort(true) allows your PHP script to continue executing, even if the user has terminated their request.
        // Further Reading: http://blog.preinheimer.com/index.php?/archives/248-When-does-a-user-abort.html
        // flush() asks PHP to send any data remaining in the output buffers. This is normally done when the script completes, but
        // since we're delaying that a bit by dealing with the xhprof stuff, we'll do it now to avoid making the user wait.
        ignore_user_abort(true);
        if (function_exists('session_write_close')) {
            session_write_close();
        }
        flush();

        if (!defined('XHGUI_ROOT_DIR')) {
            require dirname(__DIR__) . '/src/bootstrap.php';
        }

        if (Xhgui_Config::read('fastcgi_finish_request') && function_exists('fastcgi_finish_request')) {
            fastcgi_finish_request();
        }

        $uri = array_key_exists('REQUEST_URI', $_SERVER)
            ? $_SERVER['REQUEST_URI']
            : null;
        if (empty($uri) && isset($_SERVER['argv'])) {
            $cmd = basename($_SERVER['argv'][0]);
            $uri = $cmd . ' ' . implode(' ', array_slice($_SERVER['argv'], 1));
        }

        $replace_url = Xhgui_Config::read('profiler.replace_url');
        if (is_callable($replace_url)) {
            $uri = $replace_url($uri);
        }

        $prepare_profile = Xhgui_Config::read('profiler.prepare_profile');
        if (is_callable($prepare_profile)) {
            $data['profile'] = $prepare_profile($data['profile']);
        }

        $time = array_key_exists('REQUEST_TIME', $_SERVER)
            ? $_SERVER['REQUEST_TIME']
            : time();

        // Depending on the locale, the float may be rendered with a comma instead of a dot
        $delimiter = (strpos($_SERVER['REQUEST_TIME_FLOAT'], ',') !== false) ? ',' : '.';
        $requestTimeFloat = explode($delimiter, $_SERVER['REQUEST_TIME_FLOAT']);
        if (!isset($requestTimeFloat[1])) {
            $requestTimeFloat[1] = 0;
        }

        $requestTs = array('sec' => $time, 'usec' => 0);
        $requestTsMicro = array('sec' => $requestTimeFloat[0], 'usec' => $requestTimeFloat[1]);

        // Note: the full $_SERVER and $_ENV superglobals are stored alongside the profile. They can contain
        // credentials (for example from environment variables), so access to the profile store should be restricted.
        $data['meta'] = array(
            'url' => $uri,
            'SERVER' => $_SERVER,
            'get' => $_GET,
            'env' => $_ENV,
            'simple_url' => Xhgui_Util::simpleUrl($uri),
            'request_ts' => $requestTs,
            'request_ts_micro' => $requestTsMicro,
            'request_date' => date('Y-m-d', $time),
        );

        try {
            $config = Xhgui_Config::all();
            $config += array('db.options' => array());
            $config += array('db.driverOptions' => array());
            $saver = Xhgui_Saver::factory($config);
            $saver->save($data);
        } catch (Exception $e) {
            error_log('xhgui - ' . $e->getMessage());
        }
    }
);
```

Issues reported on this file:

Code Duplication (reported on the `if (file_exists($configDir . 'config.php'))` block; 0 ignored issues)
This code seems to be duplicated across your project.

Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation.

You can also find more detailed suggestions in the “Code” section of your repository.

Coding Style Comprehensibility (reported on each of the four `$data['profile'] = ..._disable();` assignments inside the shutdown function; 0 ignored issues each)
$data was never initialized. Although not strictly required by PHP, it is generally a good practice to add $data = array(); before regardless.

Adding an explicit array definition is generally preferable to implicit array definition as it guarantees a stable state of the code.

Let's take a look at an example:

```php
foreach ($collection as $item) {
    $myArray['foo'] = $item->getFoo();

    if ($item->hasBar()) {
        $myArray['bar'] = $item->getBar();
    }

    // do something with $myArray
}
```

As you can see in this example, the array $myArray is initialized the first time when the foreach loop is entered. You can also see that the value of the bar key is only written conditionally; thus, its value might result from a previous iteration.

This might or might not be intended. To make your intention clear, your code more readable and to avoid accidental bugs, we recommend adding an explicit initialization $myArray = array() either outside or inside the foreach loop.