Issues in AbstractContainer.php (master) - Issues in master - rtheunissen/config - Measure and Improve Code Quality continuously with Scrutinizer

Issues (5)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/AbstractContainer.php (1 issue)

Labels

Severity

Major 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace Concat\Config\Container;

use InvalidArgumentException;
use Serializable;

/**
 * Abstract configuration container used to manage a configuration array.
 */
abstract class AbstractContainer implements Serializable
{
    /**
     * @var mixed[] Provided configuration values.
     */
    protected $provided;

    /**
     * @var mixed[] Evaluated configuration values.
     */
    protected $evaluated = [];

    /**
     * @var array Expected configuration value types.
     */
    private $types;

    /**
     * @var array Default configuration values.
     */
    private $defaults;

    /**
     * Returns an associative array of expected types, with names mapped to
     * either a single type or an array of accepted types. These types can be
     * \Concat\Config\Container\Value constants or class names. You can also
     * specify `null` as an expected type, which allows null evaluations.
     *
     * eg.
     * return [
     *     'a' => Value::TYPE_INTEGER,
     *     'b' => [
     *         'c' => "\Class\Path",
     *     ],
     * ];
     *
     * @return array
     */
    abstract protected function getExpectedTypes();

    /**
     * Returns an associative array of optional default values, with names
     * mapped to a single value. This value can also be a class name, which will
     * be evaluated when first requested. You can also specify callables which
     * will evaluate to their result when the value is requested, however this
     * does not work if a callable is also an acceptable value type.
     *
     * eg.
     * return [
     *     'a' => 10,
     *     'b' => [
     *         'c' => new \Class\Path(),
     *     ],
     * ];
     *
     * @return array
     */
    abstract protected function getDefaultValues();

    /**
     * Constructs this configuration container. Public access is not allowed as
     * a container should not be able to be re-constructed. Use ::make instead.
     *
     * @param mixed[] $provided
     */
    protected function __construct(array $provided)
    {
        $this->types    = $this->getExpectedTypes();
        $this->defaults = $this->getDefaultValues();

        $this->provided = array_replace_recursive($this->defaults, $provided);

    }

    /**
     * Creates an instance of this container using the provided values.
     *
     * @param array $provided
     *
     * @return AbstractContainer
     */
    public static function make(array $provided = [])
    {
        return new static($provided);
    }

    /**
     * Attempts to find a value by descending into an array, following a given
     * key path.
     *
     * @param array $haystack
     * @param array $path
     *
     * @return mixed
     *
     * @throws InvalidArgumentException if the path is not valid
     */
    private function find(array $haystack, array $path)
    {
        foreach ($path as $key) {
            if ( ! array_key_exists($key, $haystack)) {
                throw new InvalidArgumentException(
                    "Could not find value for " . implode('.', $path)
                );
            }

            $haystack = $haystack[$key];
        }

        // Should be the value we are looking for
        return $haystack;
    }

    /**
     * Finds the expected types for a given key path.
     *
     * @param array $path
     *
     * @return array
     *
     * @throws InvalidArgumentException if the types could not be found.
     */
    protected function findTypes(array $path)
    {
        $types = $this->find($this->types, $path);
        return is_array($types) ? $types : [$types];
    }

    /**
     * Finds the configuration value for a given key path.
     *
     * @param array $path
     *
     * @return mixed
     *
     * @throws InvalidArgumentException if the value could not be found.
     */
    protected function findValue(array $path)
    {
        return $this->find($this->provided, $path);
    }

    /**
     * Evaluates a configuration value according to an array of expected types.
     *
     * @param mixed $value The value to evaluate.
     * @param array $types The expected types for the value.
     *
     * @return mixed The evaluated configuration value.
     *
     * @throws UnexpectedValueException if the value doesn't match.
     */
    protected function evaluate($value, array $types)
    {
        if ($value === null && in_array($value, $types)) {
            return $value;
        }

        return Evaluator::evaluate($value, $types);
    }

    /**
     * Returns a configuration value defined by a path provided as arguments.
     *
     * @return mixed
     */
    public function get()
    {
        $path = func_get_args();
        $key  = implode('.', $path);

        // Allow dot-notation in first parameter.
        if (count($path) === 1 && strpos($path[0], '.') !== false) {
            $path = explode('.', $path[0]);
        }

        if ( ! array_key_exists($key, $this->evaluated)) {
            $value = $this->findValue($path);
            $types = $this->findTypes($path);

            $this->evaluated[$key] = $this->evaluate($value, $types);
        }

        return $this->evaluated[$key];
    }

    /**
     * @inheritdoc
     *
     * @return array
     */
    public function serialize()
    {
        return serialize([
            $this->provided,
            $this->evaluated,
            $this->types,
            $this->defaults,
        ]);
    }

    /**
     * @inheritdoc
     *
     * @param array $serialized
     */
    public function unserialize($serialized)
    {
        $data = unserialize($serialized);

        $this->provided = $data[0];
        $this->evaluated = $data[1];
        $this->types = $data[2];
        $this->defaults = $data[3];
    }
}


1		<?php
2
3		namespace Concat\Config\Container;
4
5		use InvalidArgumentException;
6		use Serializable;
7
8		/**
9		* Abstract configuration container used to manage a configuration array.
10		*/
11		abstract class AbstractContainer implements Serializable
12		{
13		/**
14		* @var mixed[] Provided configuration values.
15		*/
16		protected $provided;
17
18		/**
19		* @var mixed[] Evaluated configuration values.
20		*/
21		protected $evaluated = [];
22
23		/**
24		* @var array Expected configuration value types.
25		*/
26		private $types;
27
28		/**
29		* @var array Default configuration values.
30		*/
31		private $defaults;
32
33		/**
34		* Returns an associative array of expected types, with names mapped to
35		* either a single type or an array of accepted types. These types can be
36		* \Concat\Config\Container\Value constants or class names. You can also
37		* specify `null` as an expected type, which allows null evaluations.
38		*
39		* eg.
40		* return [
41		* 'a' => Value::TYPE_INTEGER,
42		* 'b' => [
43		* 'c' => "\Class\Path",
44		* ],
45		* ];
46		*
47		* @return array
48		*/
49		abstract protected function getExpectedTypes();
50
51		/**
52		* Returns an associative array of optional default values, with names
53		* mapped to a single value. This value can also be a class name, which will
54		* be evaluated when first requested. You can also specify callables which
55		* will evaluate to their result when the value is requested, however this
56		* does not work if a callable is also an acceptable value type.
57		*
58		* eg.
59		* return [
60		* 'a' => 10,
61		* 'b' => [
62		* 'c' => new \Class\Path(),
63		* ],
64		* ];
65		*
66		* @return array
67		*/
68		abstract protected function getDefaultValues();
69
70		/**
71		* Constructs this configuration container. Public access is not allowed as
72		* a container should not be able to be re-constructed. Use ::make instead.
73		*
74		* @param mixed[] $provided
75		*/
76	22	protected function __construct(array $provided)
77		{
78	22	$this->types = $this->getExpectedTypes();
79	22	$this->defaults = $this->getDefaultValues();
80
81	22	$this->provided = array_replace_recursive($this->defaults, $provided);
		0 ignored issues – show Documentation Bug introduced 2015-12-10 02:49 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `array_replace_recursive(...s->defaults, $provided)` of type `array<integer\|string,>` is incompatible with the declared type `array<integer,>` of property `$provided`. Our type inference engine has found an assignment to a property that is incompatible with the declared type of that property. Either this assignment is in error or the assigned type should be added to the documentation/type hint for that property.. Loading history...
82	22	}
83
84		/**
85		* Creates an instance of this container using the provided values.
86		*
87		* @param array $provided
88		*
89		* @return AbstractContainer
90		*/
91	22	public static function make(array $provided = [])
92		{
93	22	return new static($provided);
94		}
95
96		/**
97		* Attempts to find a value by descending into an array, following a given
98		* key path.
99		*
100		* @param array $haystack
101		* @param array $path
102		*
103		* @return mixed
104		*
105		* @throws InvalidArgumentException if the path is not valid
106		*/
107	22	private function find(array $haystack, array $path)
108		{
109	22	foreach ($path as $key) {
110	22	if ( ! array_key_exists($key, $haystack)) {
111	3	throw new InvalidArgumentException(
112	3	"Could not find value for " . implode('.', $path)
113	3	);
114		}
115
116	21	$haystack = $haystack[$key];
117	21	}
118
119		// Should be the value we are looking for
120	20	return $haystack;
121		}
122
123		/**
124		* Finds the expected types for a given key path.
125		*
126		* @param array $path
127		*
128		* @return array
129		*
130		* @throws InvalidArgumentException if the types could not be found.
131		*/
132	20	protected function findTypes(array $path)
133		{
134	20	$types = $this->find($this->types, $path);
135	19	return is_array($types) ? $types : [$types];
136		}
137
138		/**
139		* Finds the configuration value for a given key path.
140		*
141		* @param array $path
142		*
143		* @return mixed
144		*
145		* @throws InvalidArgumentException if the value could not be found.
146		*/
147	22	protected function findValue(array $path)
148		{
149	22	return $this->find($this->provided, $path);
150		}
151
152		/**
153		* Evaluates a configuration value according to an array of expected types.
154		*
155		* @param mixed $value The value to evaluate.
156		* @param array $types The expected types for the value.
157		*
158		* @return mixed The evaluated configuration value.
159		*
160		* @throws UnexpectedValueException if the value doesn't match.
161		*/
162	19	protected function evaluate($value, array $types)
163		{
164	19	if ($value === null && in_array($value, $types)) {
165	4	return $value;
166		}
167
168	15	return Evaluator::evaluate($value, $types);
169		}
170
171		/**
172		* Returns a configuration value defined by a path provided as arguments.
173		*
174		* @return mixed
175		*/
176	22	public function get()
177		{
178	22	$path = func_get_args();
179	22	$key = implode('.', $path);
180
181		// Allow dot-notation in first parameter.
182	22	if (count($path) === 1 && strpos($path[0], '.') !== false) {
183	1	$path = explode('.', $path[0]);
184	1	}
185
186	22	if ( ! array_key_exists($key, $this->evaluated)) {
187	22	$value = $this->findValue($path);
188	20	$types = $this->findTypes($path);
189
190	19	$this->evaluated[$key] = $this->evaluate($value, $types);
191	17	}
192
193	17	return $this->evaluated[$key];
194		}
195
196		/**
197		* @inheritdoc
198		*
199		* @return array
200		*/
201	1	public function serialize()
202		{
203	1	return serialize([
204	1	$this->provided,
205	1	$this->evaluated,
206	1	$this->types,
207	1	$this->defaults,
208	1	]);
209		}
210
211		/**
212		* @inheritdoc
213		*
214		* @param array $serialized
215		*/
216	1	public function unserialize($serialized)
217		{
218	1	$data = unserialize($serialized);
219
220	1	$this->provided = $data[0];
221	1	$this->evaluated = $data[1];
222	1	$this->types = $data[2];
223	1	$this->defaults = $data[3];
224	1	}
225		}
226

rtheunissen / config

Issues (5)

Security Analysis no request data

src/AbstractContainer.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like