Issues in QueryBuilderGenerator.php (master) - Issues in master - saxulum/saxulum-elasticsearch-querybuilder-generator - Measure and Improve Code Quality continuously with Scrutinizer

Issues (22)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/QueryBuilderGenerator.php (7 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

declare(strict_types=1);

namespace Saxulum\ElasticSearchQueryBuilder\Generator;

use PhpParser\Node\Arg;
use PhpParser\Node\Expr;
use PhpParser\Node\Expr\Assign;
use PhpParser\Node\Expr\ConstFetch;
use PhpParser\Node\Expr\MethodCall;
use PhpParser\Node\Expr\New_;
use PhpParser\Node\Expr\Variable;
use PhpParser\Node\Name;
use PhpParser\Node\Scalar\DNumber;
use PhpParser\Node\Scalar\LNumber;
use PhpParser\Node\Scalar\String_;
use PhpParser\PrettyPrinter\Standard as PhpGenerator;

/**
 * @deprecated use Saxulum\ElasticSearchQueryBuilder\Generator\NodeGenerator
 */
final class QueryBuilderGenerator
{
    /**
     * @var PhpGenerator
     */
    private $phpGenerator;

    /**
     * @var bool
     */
    private $useMethodName;

    /**
     * @param bool         $useMethodName
     * @param PhpGenerator $phpGenerator
     */
    public function __construct(PhpGenerator $phpGenerator, bool $useMethodName = false)
    {
        @trigger_error(sprintf('Use "%s" instead of the "%s"', NodeGenerator::class, self::class), E_USER_DEPRECATED);
// For example instead of
@mkdir($dir);

// Better use
if (@mkdir($dir) === false) {
    throw new \RuntimeException('The directory '.$dir.' could not be created.');
}

        $this->phpGenerator = $phpGenerator;
        $this->useMethodName = $useMethodName;
    }

    /**
     * @param $query
     *
     * @return string
     */
    public function generateByJson($query): string
    {
        $data = json_decode($query, false);
        if (JSON_ERROR_NONE !== json_last_error()) {
            throw new \InvalidArgumentException(sprintf('Message: %s, query: %s', json_last_error_msg(), $query));
        }

        $queryBuilder = new Variable('qb');

        $stmts = [];

        $stmts[] = $this->createQueryBuilderNode();
        $stmts[] = $this->appendChildrenToObjectNode($queryBuilder, $queryBuilder, $data);

        return $this->structureCode($this->phpGenerator->prettyPrint($stmts));
    }

    /**
     * @return Expr
     */
    private function createQueryBuilderNode(): Expr
    {
        return new Assign(new Variable('qb'), new New_(new Name('QueryBuilder')));
    }

    /**
     * @param Expr $expr
     *
     * @return Expr
     */
    private function createObjectNode(Expr $expr): Expr
    {
        return new MethodCall($expr, 'objectNode');
    }

    /**
     * @param Expr $expr
     *
     * @return Expr
     */
    private function createArrayNode(Expr $expr): Expr
    {
        return new MethodCall($expr, 'arrayNode');
    }

    /**
     * @param Expr                       $expr
     * @param string|float|int|bool|null $value
     *
     * @return Expr
     */
    private function createScalarNode(Expr $expr, $value): Expr
    {
        if (is_int($value)) {
            return new MethodCall($expr, 'intNode', [new Arg(new LNumber($value))]);
        } elseif (is_float($value)) {
            return new MethodCall($expr, 'floatNode', [new Arg(new DNumber($value))]);
        } elseif (is_bool($value)) {
            return new MethodCall($expr, 'boolNode', [new Arg(new ConstFetch(new Name($value ? 'true' : 'false')))]);
        } elseif (null === $value) {
            return new MethodCall($expr, 'nullNode');
        }

        return new MethodCall($expr, 'stringNode', [new Arg(new String_($value))]);
    }

    /**
     * @param Expr  $queryBuilder
     * @param Expr  $expr
     * @param array $data
     *
     * @return Expr
     */
    private function appendChildrenToArrayNode(Expr $queryBuilder, Expr $expr, array $data)
    {
        foreach ($data as $value) {
            if ($value instanceof \stdClass) {

                $argument = $this->createObjectNode($queryBuilder);
            } elseif (is_array($value)) {
                $argument = $this->createArrayNode($queryBuilder);
            } else {
                $argument = $this->createScalarNode($queryBuilder, $value);
            }

            $methodName = $this->useMethodName ? 'addToArrayNode' : 'add';

            $expr = new MethodCall($expr, $methodName, [new Arg($argument)]);

            if ($value instanceof \stdClass) {

                $expr = new MethodCall($this->appendChildrenToObjectNode($queryBuilder, $expr, $value), 'end');
            } elseif (is_array($value)) {
                $expr = new MethodCall($this->appendChildrenToArrayNode($queryBuilder, $expr, $value), 'end');
            }
        }

        return $expr;
    }

    /**
     * @param Expr      $queryBuilder
     * @param Expr      $expr
     * @param \stdClass $data
     *
     * @return Expr
     */
    private function appendChildrenToObjectNode(Expr $queryBuilder, Expr $expr, \stdClass $data)
    {
        foreach ($data as $key => $value) {

            if ($value instanceof \stdClass) {

                $argument = $this->createObjectNode($queryBuilder);
            } elseif (is_array($value)) {
                $argument = $this->createArrayNode($queryBuilder);
            } else {
                $argument = $this->createScalarNode($queryBuilder, $value);
            }

            $methodName = $this->useMethodName ? 'addToObjectNode' : 'add';

            $expr = new MethodCall($expr, $methodName, [new Arg(new String_($key)), new Arg($argument)]);

            if ($value instanceof \stdClass) {

                $expr = new MethodCall($this->appendChildrenToObjectNode($queryBuilder, $expr, $value), 'end');
            } elseif (is_array($value)) {
                $expr = new MethodCall($this->appendChildrenToArrayNode($queryBuilder, $expr, $value), 'end');
            }
        }

        return $expr;
    }

    /**
     * @param string $code
     *
     * @return string
     */
    private function structureCode(string $code): string
    {
        $lines = $this->getLinesByCode($code);

        $position = 0;

        $structuredLines = [];

        foreach ($lines as $i => $line) {

            $lastLine = $lines[$i - 1] ?? '';
            $this->structuredLine($line, $lastLine, $position, $structuredLines);
        }

        return implode("\n", $structuredLines);
    }

    /**
     * @param string $code
     *
     * @return array
     */
    private function getLinesByCode(string $code): array
    {
        $codeWithLinebreaks = str_replace('->add', "\n->add", $code);
        $codeWithLinebreaks = str_replace('->end', "\n->end", $codeWithLinebreaks);

        return explode("\n", $codeWithLinebreaks);
    }

    /**
     * @param string $line
     * @param string $lastLine
     * @param int    $position
     * @param array  $structuredLines
     */
    private function structuredLine(string $line, string $lastLine, int &$position, array &$structuredLines)
    {
        if (0 === strpos($line, '->add')) {
            if (false === strpos($lastLine, '->end') &&
                false === strpos($lastLine, '->boolNode') &&
                false === strpos($lastLine, '->floatNode') &&
                false === strpos($lastLine, '->intNode') &&
                false === strpos($lastLine, '->nullNode') &&
                false === strpos($lastLine, '->stringNode')
            ) {
                ++$position;
            }

            $structuredLines[] = str_pad('', $position * 4).$line;

            return;
        }

        if (0 === strpos($line, '->end')) {
            if (strpos($lastLine, '->objectNode') || strpos($lastLine, '->arrayNode')) {
                $structuredLines[count($structuredLines) - 1] .= '->end()';

                return;
            }

            --$position;

            $structuredLines[] = str_pad('', $position * 4).$line;

            return;
        }

        $structuredLines[] = $line;
    }
}


1			<?php
2
3			declare(strict_types=1);
4
5			namespace Saxulum\ElasticSearchQueryBuilder\Generator;
6
7			use PhpParser\Node\Arg;
8			use PhpParser\Node\Expr;
9			use PhpParser\Node\Expr\Assign;
10			use PhpParser\Node\Expr\ConstFetch;
11			use PhpParser\Node\Expr\MethodCall;
12			use PhpParser\Node\Expr\New_;
13			use PhpParser\Node\Expr\Variable;
14			use PhpParser\Node\Name;
15			use PhpParser\Node\Scalar\DNumber;
16			use PhpParser\Node\Scalar\LNumber;
17			use PhpParser\Node\Scalar\String_;
18			use PhpParser\PrettyPrinter\Standard as PhpGenerator;
19
20			/**
21			* @deprecated use Saxulum\ElasticSearchQueryBuilder\Generator\NodeGenerator
22			*/
23			final class QueryBuilderGenerator
24			{
25			/**
26			* @var PhpGenerator
27			*/
28			private $phpGenerator;
29
30			/**
31			* @var bool
32			*/
33			private $useMethodName;
34
35			/**
36			* @param bool $useMethodName
37			* @param PhpGenerator $phpGenerator
38			*/
39	14		public function __construct(PhpGenerator $phpGenerator, bool $useMethodName = false)
40			{
41	14		@trigger_error(sprintf('Use "%s" instead of the "%s"', NodeGenerator::class, self::class), E_USER_DEPRECATED);
			0 ignored issues – show Security Best Practice introduced 2018-04-18 17:39 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like you do not handle an error condition here. This can introduce security issues, and is generally not recommended. If you suppress an error, we recommend checking for the error condition explicitly: // For example instead of @mkdir($dir); // Better use if (@mkdir($dir) === false) { throw new \RuntimeException('The directory '.$dir.' could not be created.'); } Loading history...
42
43	14		$this->phpGenerator = $phpGenerator;
44	14		$this->useMethodName = $useMethodName;
45	14		}
46
47			/**
48			* @param $query
49			*
50			* @return string
51			*/
52	14		public function generateByJson($query): string
53			{
54	14		$data = json_decode($query, false);
55	14		if (JSON_ERROR_NONE !== json_last_error()) {
56	1		throw new \InvalidArgumentException(sprintf('Message: %s, query: %s', json_last_error_msg(), $query));
57			}
58
59	13		$queryBuilder = new Variable('qb');
60
61	13		$stmts = [];
62
63	13		$stmts[] = $this->createQueryBuilderNode();
64	13		$stmts[] = $this->appendChildrenToObjectNode($queryBuilder, $queryBuilder, $data);
65
66	13		return $this->structureCode($this->phpGenerator->prettyPrint($stmts));
67			}
68
69			/**
70			* @return Expr
71			*/
72	13		private function createQueryBuilderNode(): Expr
73			{
74	13		return new Assign(new Variable('qb'), new New_(new Name('QueryBuilder')));
75			}
76
77			/**
78			* @param Expr $expr
79			*
80			* @return Expr
81			*/
82	13		private function createObjectNode(Expr $expr): Expr
83			{
84	13		return new MethodCall($expr, 'objectNode');
85			}
86
87			/**
88			* @param Expr $expr
89			*
90			* @return Expr
91			*/
92	3		private function createArrayNode(Expr $expr): Expr
93			{
94	3		return new MethodCall($expr, 'arrayNode');
95			}
96
97			/**
98			* @param Expr $expr
99			* @param string\|float\|int\|bool\|null $value
100			*
101			* @return Expr
102			*/
103	12		private function createScalarNode(Expr $expr, $value): Expr
104			{
105	12		if (is_int($value)) {
106	5		return new MethodCall($expr, 'intNode', [new Arg(new LNumber($value))]);
107	11		} elseif (is_float($value)) {
108	2		return new MethodCall($expr, 'floatNode', [new Arg(new DNumber($value))]);
109	11		} elseif (is_bool($value)) {
110	2		return new MethodCall($expr, 'boolNode', [new Arg(new ConstFetch(new Name($value ? 'true' : 'false')))]);
111	11		} elseif (null === $value) {
112	2		return new MethodCall($expr, 'nullNode');
113			}
114
115	11		return new MethodCall($expr, 'stringNode', [new Arg(new String_($value))]);
116			}
117
118			/**
119			* @param Expr $queryBuilder
120			* @param Expr $expr
121			* @param array $data
122			*
123			* @return Expr
124			*/
125	3		private function appendChildrenToArrayNode(Expr $queryBuilder, Expr $expr, array $data)
126			{
127	3		foreach ($data as $value) {
128	3	View Code Duplication	if ($value instanceof \stdClass) {
			0 ignored issues – show Duplication introduced 2017-04-24 12:02 UTC by Report Bug Copy Issue Report Show Similar Issues like this This code seems to be duplicated across your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
129	2		$argument = $this->createObjectNode($queryBuilder);
130	3		} elseif (is_array($value)) {
131	2		$argument = $this->createArrayNode($queryBuilder);
132			} else {
133	1		$argument = $this->createScalarNode($queryBuilder, $value);
134			}
135
136	3		$methodName = $this->useMethodName ? 'addToArrayNode' : 'add';
137
138	3		$expr = new MethodCall($expr, $methodName, [new Arg($argument)]);
139
140	3	View Code Duplication	if ($value instanceof \stdClass) {
			0 ignored issues – show Duplication introduced 2017-04-24 12:02 UTC by Report Bug Copy Issue Report Show Similar Issues like this This code seems to be duplicated across your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
141	2		$expr = new MethodCall($this->appendChildrenToObjectNode($queryBuilder, $expr, $value), 'end');
142	3		} elseif (is_array($value)) {
143	3		$expr = new MethodCall($this->appendChildrenToArrayNode($queryBuilder, $expr, $value), 'end');
144			}
145			}
146
147	3		return $expr;
148			}
149
150			/**
151			* @param Expr $queryBuilder
152			* @param Expr $expr
153			* @param \stdClass $data
154			*
155			* @return Expr
156			*/
157	13		private function appendChildrenToObjectNode(Expr $queryBuilder, Expr $expr, \stdClass $data)
158			{
159	13		foreach ($data as $key => $value) {
			0 ignored issues – show Bug introduced 2017-04-24 12:02 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `$data` of type `object<stdClass>` is not traversable. Loading history...
160	13	View Code Duplication	if ($value instanceof \stdClass) {
			0 ignored issues – show Duplication introduced 2017-04-24 12:02 UTC by Report Bug Copy Issue Report Show Similar Issues like this This code seems to be duplicated across your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
161	13		$argument = $this->createObjectNode($queryBuilder);
162	12		} elseif (is_array($value)) {
163	3		$argument = $this->createArrayNode($queryBuilder);
164			} else {
165	12		$argument = $this->createScalarNode($queryBuilder, $value);
166			}
167
168	13		$methodName = $this->useMethodName ? 'addToObjectNode' : 'add';
169
170	13		$expr = new MethodCall($expr, $methodName, [new Arg(new String_($key)), new Arg($argument)]);
171
172	13	View Code Duplication	if ($value instanceof \stdClass) {
			0 ignored issues – show Duplication introduced 2017-04-24 12:02 UTC by Report Bug Copy Issue Report Show Similar Issues like this This code seems to be duplicated across your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
173	13		$expr = new MethodCall($this->appendChildrenToObjectNode($queryBuilder, $expr, $value), 'end');
174	12		} elseif (is_array($value)) {
175	13		$expr = new MethodCall($this->appendChildrenToArrayNode($queryBuilder, $expr, $value), 'end');
176			}
177			}
178
179	13		return $expr;
180			}
181
182			/**
183			* @param string $code
184			*
185			* @return string
186			*/
187	13		private function structureCode(string $code): string
188			{
189	13		$lines = $this->getLinesByCode($code);
190
191	13		$position = 0;
192
193	13		$structuredLines = [];
194
195	13	View Code Duplication	foreach ($lines as $i => $line) {
			0 ignored issues – show Duplication introduced 2017-04-24 12:02 UTC by Report Bug Copy Issue Report Show Similar Issues like this This code seems to be duplicated across your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
196	13		$lastLine = $lines[$i - 1] ?? '';
197	13		$this->structuredLine($line, $lastLine, $position, $structuredLines);
198			}
199
200	13		return implode("\n", $structuredLines);
201			}
202
203			/**
204			* @param string $code
205			*
206			* @return array
207			*/
208	13		private function getLinesByCode(string $code): array
209			{
210	13		$codeWithLinebreaks = str_replace('->add', "\n->add", $code);
211	13		$codeWithLinebreaks = str_replace('->end', "\n->end", $codeWithLinebreaks);
212
213	13		return explode("\n", $codeWithLinebreaks);
214			}
215
216			/**
217			* @param string $line
218			* @param string $lastLine
219			* @param int $position
220			* @param array $structuredLines
221			*/
222	13		private function structuredLine(string $line, string $lastLine, int &$position, array &$structuredLines)
223			{
224	13		if (0 === strpos($line, '->add')) {
225	13		if (false === strpos($lastLine, '->end') &&
226	13		false === strpos($lastLine, '->boolNode') &&
227	13		false === strpos($lastLine, '->floatNode') &&
228	13		false === strpos($lastLine, '->intNode') &&
229	13		false === strpos($lastLine, '->nullNode') &&
230	13		false === strpos($lastLine, '->stringNode')
231			) {
232	13		++$position;
233			}
234
235	13		$structuredLines[] = str_pad('', $position * 4).$line;
236
237	13		return;
238			}
239
240	13		if (0 === strpos($line, '->end')) {
241	13		if (strpos($lastLine, '->objectNode') \|\| strpos($lastLine, '->arrayNode')) {
242	1		$structuredLines[count($structuredLines) - 1] .= '->end()';
243
244	1		return;
245			}
246
247	13		--$position;
248
249	13		$structuredLines[] = str_pad('', $position * 4).$line;
250
251	13		return;
252			}
253
254	13		$structuredLines[] = $line;
255	13		}
256			}
257

saxulum / saxulum-elasticsearch-querybuilder-generator

Issues (22)

Security Analysis no request data

src/QueryBuilderGenerator.php (7 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like