Issues in Loader.php (master) - Issues in master - sergeymakinen/yii2-config - Measure and Improve Code Quality continuously with Scrutinizer

Issues (3)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Loader.php (2 issues)

Labels

Deprecated Code 2

Severity

Minor 2

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * Yii 2 config loader
 *
 * @see       https://github.com/sergeymakinen/yii2-config
 * @copyright Copyright (c) 2016-2017 Sergey Makinen (https://makinen.ru)
 * @license   https://github.com/sergeymakinen/yii2-config/blob/master/LICENSE The MIT License
 */

namespace sergeymakinen\yii\config;

use yii\base\BaseObject;

/**
 * Base config loader.
 */
abstract class Loader extends BaseObject
{
    /**
     * @var string|string[]|null a tier name or an array of tier names to match a tier name specified in [[Config]].
     *
     * If there're an array it will match *any of* specified values.
     * You can also use an exclamation mark (`!`) before a name to use a `not` match. Example:
     *
     * ```php
     * [
     *     'tier1',
     *     '!tier2',
     * ]
     * ```
     *
     * It matches if the tier name is `tier1` *or* **not** `tier2`.
     */
    public $tier;

    /**
     * @var string|string[]|null an environment name or an array of environment names to match an environment name specified in [[Config]].
     *
     * If there're an array it will match *any of* specified values.
     * You can also use an exclamation mark (`!`) before a name to use a `not` match. Example:
     *
     * ```php
     * [
     *     'env1',
     *     '!env2',
     * ]
     * ```
     *
     * It matches if the environment name is `env1` *or* **not** `env2`.
     */
    public $env;

    /**
     * @var string full path to a directory where [[Config]] will store its cached configs.
     */
    public $path;

    /**
     * @var bool whether the file is required.
     */
    public $required = true;

    /**
     * @var bool whether to look for a local config in addition to a main one.
     *
     * For example, if [[$enableLocal]] is `true` and a main config file name is `NAME.EXT`,
     * [[Config]] will also look for the `NAME-local.EXT` file.
     */
    public $enableLocal = true;

    /**
     * @var Config [[Config]] instance.
     */
    protected $config;

    /**
     * @var Storage internal config object instance.
     */
    protected $storage;

    /**
     * Creates a new Loader object.
     * @param Config $configObject current [[Config]] instance.
     * @param Storage $storage internal config object instance.
     * @param array $config name-value pairs that will be used to initialize the object properties.
     */
    public function __construct(Config $configObject, Storage $storage, $config = [])
    {
        $this->config = $configObject;
        $this->storage = $storage;
        parent::__construct($config);
    }

    /**
     * Compiles resolved files into the internal config object.
     */
    abstract public function compile();

    /**
     * Loads resolved files into the internal config object.
     */
    abstract public function load();

    /**
     * Resolves the current configuration into config file pathes.
     * @return string[] config file pathes.
     * @throws ConfigNotFoundException
     */
    public function resolveFiles()
    {
        if (!$this->isAllowed()) {
            return [];
        }

        $nonLocalFileCount = 0;
        $files = [];
        foreach ($this->config->dirs as $path) {
            $filePath = $this->config->configDir . '/' . strtr($path . '/' . $this->path, [
                '{tier}' => $this->config->tier,
                '{env}' => $this->config->env,
            ]);
            if (!is_file($filePath)) {
                continue;
            }

            $files[] = $filePath;
            \Yii::trace("Loaded config file: '{$filePath}'", __METHOD__);

            $nonLocalFileCount++;
            if (!$this->enableLocal) {
                continue;
            }

            $filePath = $this->makeLocalPath($filePath);
            if (is_file($filePath)) {
                $files[] = $filePath;
                \Yii::trace("Loaded config file: '{$filePath}'", __METHOD__);

            }
        }
        if ($this->required && $nonLocalFileCount === 0) {
            throw new ConfigNotFoundException("The '{$this->path}' config file is required but not available.");
        }

        return $files;
    }

    /**
     * Returns a file path with a "-local" suffix.
     * @param string $path the file path.
     * @return string file path with a "-local" suffix.
     */
    protected function makeLocalPath($path)
    {
        $extension = '.' . pathinfo($path, PATHINFO_EXTENSION);
        if ($extension !== '.') {
            $path = mb_substr($path, 0, -1 * mb_strlen($extension, 'UTF-8'), 'UTF-8');
        }
        $path .= '-local';
        if ($extension !== '.') {
            $path .= $extension;
        }
        return $path;
    }

    /**
     * Returns whether the configuration allows to load this config.
     * @return bool whether the configuration allows to load this config.
     */
    protected function isAllowed()
    {
        if (!$this->isValueAllowed($this->config->tier, $this->tier)) {
            return false;
        }

        if (!$this->isValueAllowed($this->config->env, $this->env)) {
            return false;
        }

        return true;
    }

    /**
     * Returns whether the value is in the list of allowed values.
     * @param mixed $value the value to be tested.
     * @param mixed $allowedValues the list of allowed values.
     * @return bool whether the value is in the list of allowed values.
     */
    protected function isValueAllowed($value, $allowedValues)
    {
        if ($allowedValues === null) {
            return true;
        }

        foreach ((array) $allowedValues as $allowedValue) {
            if (strpos($allowedValue, '!') === 0) {
                if (substr($allowedValue, 1) !== $value) {
                    return true;
                }
            } else {
                if ($allowedValue === $value) {
                    return true;
                }
            }
        }
        return false;
    }
}


1		<?php
2		/**
3		* Yii 2 config loader
4		*
5		* @see https://github.com/sergeymakinen/yii2-config
6		* @copyright Copyright (c) 2016-2017 Sergey Makinen (https://makinen.ru)
7		* @license https://github.com/sergeymakinen/yii2-config/blob/master/LICENSE The MIT License
8		*/
9
10		namespace sergeymakinen\yii\config;
11
12		use yii\base\BaseObject;
13
14		/**
15		* Base config loader.
16		*/
17		abstract class Loader extends BaseObject
18		{
19		/**
20		* @var string\|string[]\|null a tier name or an array of tier names to match a tier name specified in [[Config]].
21		*
22		* If there're an array it will match any of specified values.
23		* You can also use an exclamation mark (`!`) before a name to use a `not` match. Example:
24		*
25		* ```php
26		* [
27		* 'tier1',
28		* '!tier2',
29		* ]
30		* ```
31		*
32		* It matches if the tier name is `tier1` or not `tier2`.
33		*/
34		public $tier;
35
36		/**
37		* @var string\|string[]\|null an environment name or an array of environment names to match an environment name specified in [[Config]].
38		*
39		* If there're an array it will match any of specified values.
40		* You can also use an exclamation mark (`!`) before a name to use a `not` match. Example:
41		*
42		* ```php
43		* [
44		* 'env1',
45		* '!env2',
46		* ]
47		* ```
48		*
49		* It matches if the environment name is `env1` or not `env2`.
50		*/
51		public $env;
52
53		/**
54		* @var string full path to a directory where [[Config]] will store its cached configs.
55		*/
56		public $path;
57
58		/**
59		* @var bool whether the file is required.
60		*/
61		public $required = true;
62
63		/**
64		* @var bool whether to look for a local config in addition to a main one.
65		*
66		* For example, if [[$enableLocal]] is `true` and a main config file name is `NAME.EXT`,
67		* [[Config]] will also look for the `NAME-local.EXT` file.
68		*/
69		public $enableLocal = true;
70
71		/**
72		* @var Config [[Config]] instance.
73		*/
74		protected $config;
75
76		/**
77		* @var Storage internal config object instance.
78		*/
79		protected $storage;
80
81		/**
82		* Creates a new Loader object.
83		* @param Config $configObject current [[Config]] instance.
84		* @param Storage $storage internal config object instance.
85		* @param array $config name-value pairs that will be used to initialize the object properties.
86		*/
87	62	public function __construct(Config $configObject, Storage $storage, $config = [])
88		{
89	62	$this->config = $configObject;
90	62	$this->storage = $storage;
91	62	parent::__construct($config);
92	62	}
93
94		/**
95		* Compiles resolved files into the internal config object.
96		*/
97		abstract public function compile();
98
99		/**
100		* Loads resolved files into the internal config object.
101		*/
102		abstract public function load();
103
104		/**
105		* Resolves the current configuration into config file pathes.
106		* @return string[] config file pathes.
107		* @throws ConfigNotFoundException
108		*/
109	49	public function resolveFiles()
110		{
111	49	if (!$this->isAllowed()) {
112	44	return [];
113		}
114
115	49	$nonLocalFileCount = 0;
116	49	$files = [];
117	49	foreach ($this->config->dirs as $path) {
118	49	$filePath = $this->config->configDir . '/' . strtr($path . '/' . $this->path, [
119	49	'{tier}' => $this->config->tier,
120	49	'{env}' => $this->config->env,
121	49	]);
122	49	if (!is_file($filePath)) {
123	46	continue;
124		}
125
126	47	$files[] = $filePath;
127	47	\Yii::trace("Loaded config file: '{$filePath}'", __METHOD__);
		0 ignored issues – show Deprecated Code introduced 2020-09-15 20:28 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `yii\BaseYii::trace()` has been deprecated with message: since 2.0.14. Use [[debug()]] instead. This method has been deprecated. The supplier of the class has supplied an explanatory message. The explanatory message should give you some clue as to whether and when the method will be removed from the class and what other method or class to use instead. Loading history...
128	47	$nonLocalFileCount++;
129	47	if (!$this->enableLocal) {
130	4	continue;
131		}
132
133	44	$filePath = $this->makeLocalPath($filePath);
134	44	if (is_file($filePath)) {
135	38	$files[] = $filePath;
136	38	\Yii::trace("Loaded config file: '{$filePath}'", __METHOD__);
		0 ignored issues – show Deprecated Code introduced 2020-09-15 20:28 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `yii\BaseYii::trace()` has been deprecated with message: since 2.0.14. Use [[debug()]] instead. This method has been deprecated. The supplier of the class has supplied an explanatory message. The explanatory message should give you some clue as to whether and when the method will be removed from the class and what other method or class to use instead. Loading history...
137	38	}
138	49	}
139	49	if ($this->required && $nonLocalFileCount === 0) {
140	2	throw new ConfigNotFoundException("The '{$this->path}' config file is required but not available.");
141		}
142
143	47	return $files;
144		}
145
146		/**
147		* Returns a file path with a "-local" suffix.
148		* @param string $path the file path.
149		* @return string file path with a "-local" suffix.
150		*/
151	44	protected function makeLocalPath($path)
152		{
153	44	$extension = '.' . pathinfo($path, PATHINFO_EXTENSION);
154	44	if ($extension !== '.') {
155	44	$path = mb_substr($path, 0, -1 * mb_strlen($extension, 'UTF-8'), 'UTF-8');
156	44	}
157	44	$path .= '-local';
158	44	if ($extension !== '.') {
159	44	$path .= $extension;
160	44	}
161	44	return $path;
162		}
163
164		/**
165		* Returns whether the configuration allows to load this config.
166		* @return bool whether the configuration allows to load this config.
167		*/
168	49	protected function isAllowed()
169		{
170	49	if (!$this->isValueAllowed($this->config->tier, $this->tier)) {
171	1	return false;
172		}
173
174	49	if (!$this->isValueAllowed($this->config->env, $this->env)) {
175	44	return false;
176		}
177
178	49	return true;
179		}
180
181		/**
182		* Returns whether the value is in the list of allowed values.
183		* @param mixed $value the value to be tested.
184		* @param mixed $allowedValues the list of allowed values.
185		* @return bool whether the value is in the list of allowed values.
186		*/
187	49	protected function isValueAllowed($value, $allowedValues)
188		{
189	49	if ($allowedValues === null) {
190	47	return true;
191		}
192
193	46	foreach ((array) $allowedValues as $allowedValue) {
194	46	if (strpos($allowedValue, '!') === 0) {
195	44	if (substr($allowedValue, 1) !== $value) {
196	1	return true;
197		}
198	43	} else {
199	46	if ($allowedValue === $value) {
200	45	return true;
201		}
202		}
203	44	}
204	44	return false;
205		}
206		}
207

sergeymakinen / yii2-config

Issues (3)

Security Analysis no request data

src/Loader.php (2 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like