Issues in Material.php (master) - Issues in master - samsoncms/api - Measure and Improve Code Quality continuously with Scrutinizer

Issues (168)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Material.php (3 issues)

Labels

Severity

Minor 3

nik-os 3

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * Created by Vitaly Iegorov <[email protected]>
 * on 07.08.14 at 17:11
 */
namespace samsoncms\api;

use samson\activerecord\dbQuery;
use samson\activerecord\structurematerial;
use samsoncms\api\field\Row;
use \samsonframework\orm\QueryInterface;

/**
 * SamsonCMS Material database record object.
 * This class extends default ActiveRecord material table record functionality.
 * @package samson\cms
 * @author Vitaly Egorov <[email protected]>
 */
class Material extends \samson\activerecord\Material
{
    /** Store entity name */
    const ENTITY = __CLASS__;

    /** Entity field names constants for using in code */
    const F_PRIMARY = 'MaterialID';
    const F_IDENTIFIER = 'Url';
    const F_DELETION = 'Active';
    const F_PUBLISHED = 'Published';
    const F_PARENT = 'parent_id';
    const F_PRIORITY = 'priority';
    const F_CREATED = 'Created';
    const F_MODIFIED = 'Modyfied';

    /**
     * Get material entity by URL(s).
     *
     * @param QueryInterface $query Object for performing database queries
     * @param array|string $url Material URL or collection of material URLs
     * @param self|array|null $return Variable where request result would be returned
     * @return bool|self True if material entities has been found
     */
    public static function byUrl(QueryInterface $query, $url, & $return = array())
    {
        // Get entities by filtered identifiers
        $return = $query->entity(get_called_class())
            ->where('Url', $url)
            ->where('Active', 1)
            ->first();

        // If only one argument is passed - return null, otherwise bool
        return func_num_args() > 2 ? $return !== null : $return;
    }

    /**
     * Set additional material field value by field identifier
     * @param string $fieldID Field identifier
     * @param string $value Value to be stored
     * @param string $locale Locale identifier
     */
    public function setFieldByID($fieldID, $value, $locale = null)
    {
        /** @var Field $fieldRecord Try to find this additional field */
        $fieldRecord = null;
        if (Field::byID($this->query, $fieldID, $fieldRecord)) {
            /** @var MaterialField $materialFieldRecord Try to find additional field value */
            $materialFieldRecord = null;
            if (!MaterialField::byFieldIDAndMaterialID($this->query, $this->id, $fieldRecord->id, $materialFieldRecord, $locale)) {
                // Create new additional field value record if it does not exists
                $materialFieldRecord = new MaterialField();
                $materialFieldRecord->FieldID = $fieldRecord->id;
                $materialFieldRecord->MaterialID = $this->id;
                $materialFieldRecord->Active = 1;

                // Add locale if field needs it
                if ($fieldRecord->localized()) {
                    $materialFieldRecord->locale = $locale;
                }
            } else { // Get first record(actually it should be only one)
                $materialFieldRecord = array_shift($materialFieldRecord);
            }

            // At this point we already have database record instance
            $valueFieldName = $fieldRecord->valueFieldName();
            $materialFieldRecord->$valueFieldName = $value;
            $materialFieldRecord->save();
        }
    }

    /**
     * Add new row to table of entity
     * @param $row
     */
    public function addTableRow(Row $row)
    {
        // Get user
        $user = m('socialemail')->user();

        $tableMaterial = new Material();
        $tableMaterial->parent_id = $this->id;
        $tableMaterial->type = 3;
        $tableMaterial->Name = $this->Url . '-' . md5(date('Y-m-d-h-i-s'));
        $tableMaterial->Url = $this->Url . '-' . md5(date('Y-m-d-h-i-s'));
        $tableMaterial->Published = 1;
        $tableMaterial->Active = 1;
        $tableMaterial->priority = 0;
        $tableMaterial->UserID = $user->id;
        $tableMaterial->Created = date('Y-m-d H:m:s');
        $tableMaterial->Modyfied = date('Y-m-d H:m:s');
        $tableMaterial->save();

        // TODO: Ugly way to retrieve static var
        $class = new \ReflectionClass(preg_replace('/Row$/', '', get_class($row)));
        $structureId = $class->getConstant('IDENTIFIER');

        $structureMaterial = new structurematerial();
        $structureMaterial->Active = 1;
        $structureMaterial->MaterialID = $tableMaterial->id;
        $structureMaterial->StructureID = $structureId;
        $structureMaterial->save();

        // TODO: Ugly way to retrieve static var
        $class = new \ReflectionClass(get_class($row));
        $fieldIDs = $class->getStaticPropertyValue('fieldIDs');

        // Iterate and set all fields of row
        foreach ($row as $id => $value) {

            /**
             * Go next if it primary key because its public
             * TODO Fix it
             */
            if ($id === 'primary') {
                continue;
            }

            // Get field id
            $fieldId = $fieldIDs[$id];

            // Add additional field to created material
            $tableMaterial->setFieldByID($fieldId, $value);
        }

        // Save material
        $tableMaterial->save();
    }

    /**
     * Get select additional field text value.
     *
     * @param string $fieldID Field identifier
     * @return string Select field text
     */
    public function selectText($fieldID)
    {
        // TODO: this is absurd as we do not have any additional values here
        /** @var Field $field */
        $field = null;

        // If this entity has this field set
        if (Field::byID($this->query, $fieldID, $field) && isset($this[$field->Name]{0})) {
            return $field->options($this[$field->Name]);
        }

        // Value not set
        return '';
    }

    /**
     * Get collection of images for material by gallery additional field selector. If none is passed
     * all images from gallery table would be returned for this material entity.
     *
     * @param string|null $fieldSelector Additional field selector value
     * @param string $selector Additional field field name to search for
     * @return \samsonframework\orm\RecordInterface[] Collection of images in this gallery additional field for material
     */
    public function &gallery($fieldSelector = null, $selector = 'FieldID')
    {
        /** @var \samsonframework\orm\RecordInterface[] $images Get material images for this gallery */
        $images = array();

        $this->query->entity(CMS::MATERIAL_FIELD_RELATION_ENTITY);

        /* @var Field Get field object if we need to search it by other fields */
        $field = null;
        if ($selector != 'FieldID' && Field::oneByColumn($this->query, $selector, $fieldSelector)) {
            $fieldSelector = $field->id;
        }

        // Add field filter if present
        if (isset($fieldSelector)) {
            $this->query->where("FieldID", $fieldSelector);
        }

        /** @var \samson\activerecord\materialfield $dbMaterialField Find material field gallery record */
        $dbMaterialField = null;
        if ($this->query->where('MaterialID', $this->id)->first($dbMaterialField)) {
            // Get material images for this materialfield
            $images = $this->query->entity(CMS::MATERIAL_IMAGES_RELATION_ENTITY)
                ->where('materialFieldId', $dbMaterialField->id)
                ->exec();
        }

        return $images;
    }

    /**
     * Copy this material related entities.
     *
     * @param string $entity Entity identifier
     * @param string $newIdentifier Copied material idetifier
     * @param array $excludedIDs Collection of related entity identifier to exclude from copying
     */
    protected function copyRelatedEntity($entity, $newIdentifier, $excludedIDs = array())
    {
        /** @var self $copiedEntity Copy additional fields */
        foreach ($this->query->entity($entity)->where(self::F_PRIMARY, $this->MaterialID)->exec() as $copiedEntity) {
            // Check if field is NOT excluded from copying
            if (!in_array($copiedEntity->id, $excludedIDs)) {
                /** @var MaterialField $copy Copy instance */
                $copy = &$copiedEntity->copy();
                $copy->MaterialID = $newIdentifier;
                $copy->save();
            }
        }
    }

    /**
     * Create copy of current object.
     *
     * @param mixed $clone Material for cloning
     * @param array $excludedFields Additional fields identifiers not copied
     * @returns self New copied instance
     */
    public function &copy(&$clone = null, $excludedFields = array())
    {
        /** @var Material $clone Create new instance by copying */
        $clone = parent::copy($clone);

        $this->copyRelatedEntity(CMS::MATERIAL_NAVIGATION_RELATION_ENTITY, $clone->id);
        $this->copyRelatedEntity(CMS::MATERIAL_FIELD_RELATION_ENTITY, $clone->id, $excludedFields);
        $this->copyRelatedEntity(CMS::MATERIAL_IMAGES_RELATION_ENTITY, $clone->id);

        return $clone;
    }

    /**
     * Remove current object.
     */
    public function remove()
    {
        $this->Active = 0;
$answer = 42;

$correct = false;

$correct = (bool) $answer;

        $this->removeRelatedEntity(CMS::MATERIAL_NAVIGATION_RELATION_ENTITY);
        $this->removeRelatedEntity(CMS::MATERIAL_FIELD_RELATION_ENTITY);
        $this->removeRelatedEntity(CMS::MATERIAL_IMAGES_RELATION_ENTITY);
        foreach ($this->query->entity(self::ENTITY)->where(self::F_PARENT, $this->MaterialID)->exec() as $removedChild) {
$collection = json_decode($data, true);
if ( ! is_array($collection)) {
    throw new \RuntimeException('$collection must be an array.');
}

foreach ($collection as $item) { /** ... */ }
            /** @var MaterialField $copy Copy instance */
            $removedChild->remove();
        }
        $this->save();
    }

    /**
     * Remove this material related entities.
     *
     * @param string $entity Entity identifier
     */
    protected function removeRelatedEntity($entity)
    {
        /** @var self $copiedEntity Remove additional fields */
        foreach ($this->query->entity($entity)->where(self::F_PRIMARY, $this->MaterialID)->exec() as $removedEntity) {
$collection = json_decode($data, true);
if ( ! is_array($collection)) {
    throw new \RuntimeException('$collection must be an array.');
}

foreach ($collection as $item) { /** ... */ }
            /** @var MaterialField $copy Copy instance */
            $removedEntity->Active = 0;
            $removedEntity->save();
        }
    }
}


1		<?php
2		/**
3		* Created by Vitaly Iegorov <[email protected]>
4		* on 07.08.14 at 17:11
5		*/
6		namespace samsoncms\api;
7
8		use samson\activerecord\dbQuery;
9		use samson\activerecord\structurematerial;
10		use samsoncms\api\field\Row;
11		use \samsonframework\orm\QueryInterface;
12
13		/**
14		* SamsonCMS Material database record object.
15		* This class extends default ActiveRecord material table record functionality.
16		* @package samson\cms
17		* @author Vitaly Egorov <[email protected]>
18		*/
19		class Material extends \samson\activerecord\Material
20		{
21		/** Store entity name */
22		const ENTITY = __CLASS__;
23
24		/** Entity field names constants for using in code */
25		const F_PRIMARY = 'MaterialID';
26		const F_IDENTIFIER = 'Url';
27		const F_DELETION = 'Active';
28		const F_PUBLISHED = 'Published';
29		const F_PARENT = 'parent_id';
30		const F_PRIORITY = 'priority';
31		const F_CREATED = 'Created';
32		const F_MODIFIED = 'Modyfied';
33
34		/**
35		* Get material entity by URL(s).
36		*
37		* @param QueryInterface $query Object for performing database queries
38		* @param array\|string $url Material URL or collection of material URLs
39		* @param self\|array\|null $return Variable where request result would be returned
40		* @return bool\|self True if material entities has been found
41		*/
42	View Code Duplication	public static function byUrl(QueryInterface $query, $url, & $return = array())
43		{
44		// Get entities by filtered identifiers
45		$return = $query->entity(get_called_class())
46		->where('Url', $url)
47		->where('Active', 1)
48		->first();
49
50		// If only one argument is passed - return null, otherwise bool
51		return func_num_args() > 2 ? $return !== null : $return;
52		}
53
54		/**
55		* Set additional material field value by field identifier
56		* @param string $fieldID Field identifier
57		* @param string $value Value to be stored
58		* @param string $locale Locale identifier
59		*/
60		public function setFieldByID($fieldID, $value, $locale = null)
61		{
62		/** @var Field $fieldRecord Try to find this additional field */
63		$fieldRecord = null;
64		if (Field::byID($this->query, $fieldID, $fieldRecord)) {
65		/** @var MaterialField $materialFieldRecord Try to find additional field value */
66		$materialFieldRecord = null;
67		if (!MaterialField::byFieldIDAndMaterialID($this->query, $this->id, $fieldRecord->id, $materialFieldRecord, $locale)) {
68		// Create new additional field value record if it does not exists
69		$materialFieldRecord = new MaterialField();
70		$materialFieldRecord->FieldID = $fieldRecord->id;
71		$materialFieldRecord->MaterialID = $this->id;
72		$materialFieldRecord->Active = 1;
73
74		// Add locale if field needs it
75		if ($fieldRecord->localized()) {
76		$materialFieldRecord->locale = $locale;
77		}
78		} else { // Get first record(actually it should be only one)
79		$materialFieldRecord = array_shift($materialFieldRecord);
80		}
81
82		// At this point we already have database record instance
83		$valueFieldName = $fieldRecord->valueFieldName();
84		$materialFieldRecord->$valueFieldName = $value;
85		$materialFieldRecord->save();
86		}
87		}
88
89		/**
90		* Add new row to table of entity
91		* @param $row
92		*/
93		public function addTableRow(Row $row)
94		{
95		// Get user
96		$user = m('socialemail')->user();
97
98		$tableMaterial = new Material();
99		$tableMaterial->parent_id = $this->id;
100		$tableMaterial->type = 3;
101		$tableMaterial->Name = $this->Url . '-' . md5(date('Y-m-d-h-i-s'));
102		$tableMaterial->Url = $this->Url . '-' . md5(date('Y-m-d-h-i-s'));
103		$tableMaterial->Published = 1;
104		$tableMaterial->Active = 1;
105		$tableMaterial->priority = 0;
106		$tableMaterial->UserID = $user->id;
107		$tableMaterial->Created = date('Y-m-d H:m:s');
108		$tableMaterial->Modyfied = date('Y-m-d H:m:s');
109		$tableMaterial->save();
110
111		// TODO: Ugly way to retrieve static var
112		$class = new \ReflectionClass(preg_replace('/Row$/', '', get_class($row)));
113		$structureId = $class->getConstant('IDENTIFIER');
114
115		$structureMaterial = new structurematerial();
116		$structureMaterial->Active = 1;
117		$structureMaterial->MaterialID = $tableMaterial->id;
118		$structureMaterial->StructureID = $structureId;
119		$structureMaterial->save();
120
121		// TODO: Ugly way to retrieve static var
122		$class = new \ReflectionClass(get_class($row));
123		$fieldIDs = $class->getStaticPropertyValue('fieldIDs');
124
125		// Iterate and set all fields of row
126		foreach ($row as $id => $value) {
127
128		/**
129		* Go next if it primary key because its public
130		* TODO Fix it
131		*/
132		if ($id === 'primary') {
133		continue;
134		}
135
136		// Get field id
137		$fieldId = $fieldIDs[$id];
138
139		// Add additional field to created material
140		$tableMaterial->setFieldByID($fieldId, $value);
141		}
142
143		// Save material
144		$tableMaterial->save();
145		}
146
147		/**
148		* Get select additional field text value.
149		*
150		* @param string $fieldID Field identifier
151		* @return string Select field text
152		*/
153		public function selectText($fieldID)
154		{
155		// TODO: this is absurd as we do not have any additional values here
156		/** @var Field $field */
157		$field = null;
158
159		// If this entity has this field set
160		if (Field::byID($this->query, $fieldID, $field) && isset($this[$field->Name]{0})) {
161		return $field->options($this[$field->Name]);
162		}
163
164		// Value not set
165		return '';
166		}
167
168		/**
169		* Get collection of images for material by gallery additional field selector. If none is passed
170		* all images from gallery table would be returned for this material entity.
171		*
172		* @param string\|null $fieldSelector Additional field selector value
173		* @param string $selector Additional field field name to search for
174		* @return \samsonframework\orm\RecordInterface[] Collection of images in this gallery additional field for material
175		*/
176		public function &gallery($fieldSelector = null, $selector = 'FieldID')
177		{
178		/** @var \samsonframework\orm\RecordInterface[] $images Get material images for this gallery */
179		$images = array();
180
181		$this->query->entity(CMS::MATERIAL_FIELD_RELATION_ENTITY);
182
183		/* @var Field Get field object if we need to search it by other fields */
184		$field = null;
185		if ($selector != 'FieldID' && Field::oneByColumn($this->query, $selector, $fieldSelector)) {
186		$fieldSelector = $field->id;
187		}
188
189		// Add field filter if present
190		if (isset($fieldSelector)) {
191		$this->query->where("FieldID", $fieldSelector);
192		}
193
194		/** @var \samson\activerecord\materialfield $dbMaterialField Find material field gallery record */
195		$dbMaterialField = null;
196		if ($this->query->where('MaterialID', $this->id)->first($dbMaterialField)) {
197		// Get material images for this materialfield
198		$images = $this->query->entity(CMS::MATERIAL_IMAGES_RELATION_ENTITY)
199		->where('materialFieldId', $dbMaterialField->id)
200		->exec();
201		}
202
203		return $images;
204		}
205
206		/**
207		* Copy this material related entities.
208		*
209		* @param string $entity Entity identifier
210		* @param string $newIdentifier Copied material idetifier
211		* @param array $excludedIDs Collection of related entity identifier to exclude from copying
212		*/
213		protected function copyRelatedEntity($entity, $newIdentifier, $excludedIDs = array())
214		{
215		/** @var self $copiedEntity Copy additional fields */
216		foreach ($this->query->entity($entity)->where(self::F_PRIMARY, $this->MaterialID)->exec() as $copiedEntity) {
217		// Check if field is NOT excluded from copying
218		if (!in_array($copiedEntity->id, $excludedIDs)) {
219		/** @var MaterialField $copy Copy instance */
220		$copy = &$copiedEntity->copy();
221		$copy->MaterialID = $newIdentifier;
222		$copy->save();
223		}
224		}
225		}
226
227		/**
228		* Create copy of current object.
229		*
230		* @param mixed $clone Material for cloning
231		* @param array $excludedFields Additional fields identifiers not copied
232		* @returns self New copied instance
233		*/
234		public function &copy(&$clone = null, $excludedFields = array())
235		{
236		/** @var Material $clone Create new instance by copying */
237		$clone = parent::copy($clone);
238
239		$this->copyRelatedEntity(CMS::MATERIAL_NAVIGATION_RELATION_ENTITY, $clone->id);
240		$this->copyRelatedEntity(CMS::MATERIAL_FIELD_RELATION_ENTITY, $clone->id, $excludedFields);
241		$this->copyRelatedEntity(CMS::MATERIAL_IMAGES_RELATION_ENTITY, $clone->id);
242
243		return $clone;
244		}
245
246		/**
247		* Remove current object.
248		*/
249		public function remove()
250		{
251		$this->Active = 0;
		0 ignored issues – show Documentation Bug introduced 2016-03-26 07:59 UTC by Report Bug Copy Issue Report Show Similar Issues like this The property `$Active` was declared of type `boolean`, but `0` is of type `integer`. Maybe add a type cast? This check looks for assignments to scalar types that may be of the wrong type. To ensure the code behaves as expected, it may be a good idea to add an explicit type cast. $answer = 42; $correct = false; $correct = (bool) $answer; Loading history...
252
253		$this->removeRelatedEntity(CMS::MATERIAL_NAVIGATION_RELATION_ENTITY);
254		$this->removeRelatedEntity(CMS::MATERIAL_FIELD_RELATION_ENTITY);
255		$this->removeRelatedEntity(CMS::MATERIAL_IMAGES_RELATION_ENTITY);
256		foreach ($this->query->entity(self::ENTITY)->where(self::F_PARENT, $this->MaterialID)->exec() as $removedChild) {
		0 ignored issues – show Bug introduced 2016-03-26 07:59 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `$this->query->entity(sel...is->MaterialID)->exec()` of type `boolean\|array<integer,ob...k\orm\RecordInterface>>` is not guaranteed to be traversable. How about adding an additional type check? There are different options of fixing this problem. If you want to be on the safe side, you can add an additional type-check: $collection = json_decode($data, true); if ( ! is_array($collection)) { throw new \RuntimeException('$collection must be an array.'); } foreach ($collection as $item) { /** ... / } If you are sure that the expression is traversable, you might want to add a doc comment cast* to improve IDE auto-completion and static analysis: /** @var array $collection / $collection = json_decode($data, true); foreach ($collection as $item) { /* .. / } Mark the issue as a false-positive*: Just hover the remove button, in the top-right corner of this issue for more options. Loading history...
257		/** @var MaterialField $copy Copy instance */
258		$removedChild->remove();
259		}
260		$this->save();
261		}
262
263		/**
264		* Remove this material related entities.
265		*
266		* @param string $entity Entity identifier
267		*/
268		protected function removeRelatedEntity($entity)
269		{
270		/** @var self $copiedEntity Remove additional fields */
271		foreach ($this->query->entity($entity)->where(self::F_PRIMARY, $this->MaterialID)->exec() as $removedEntity) {
		0 ignored issues – show Bug introduced 2016-03-26 07:59 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `$this->query->entity($en...is->MaterialID)->exec()` of type `boolean\|array<integer,ob...k\orm\RecordInterface>>` is not guaranteed to be traversable. How about adding an additional type check? There are different options of fixing this problem. If you want to be on the safe side, you can add an additional type-check: $collection = json_decode($data, true); if ( ! is_array($collection)) { throw new \RuntimeException('$collection must be an array.'); } foreach ($collection as $item) { /** ... / } If you are sure that the expression is traversable, you might want to add a doc comment cast* to improve IDE auto-completion and static analysis: /** @var array $collection / $collection = json_decode($data, true); foreach ($collection as $item) { /* .. / } Mark the issue as a false-positive*: Just hover the remove button, in the top-right corner of this issue for more options. Loading history...
272		/** @var MaterialField $copy Copy instance */
273		$removedEntity->Active = 0;
274		$removedEntity->save();
275		}
276		}
277		}
278

samsoncms / api

Issues (168)

Security Analysis no request data

src/Material.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like