Issues in AbstractCommand.php (develop) - Issues in develop - siad007/versioncontrol_hg - Measure and Improve Code Quality continuously with Scrutinizer

Issues (1)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Command/AbstractCommand.php (1 issue)

Labels

Bug 1

Severity

Major 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * VersionControl_HG
 * Simple OO implementation for Mercurial.
 *
 * PHP Version 5.4
 *
 * @copyright 2014 Siad Ardroumli
 * @license http://www.opensource.org/licenses/mit-license.php MIT
 * @link http://siad007.github.io/versioncontrol_hg
 */

namespace Siad007\VersionControl\HG\Command;

/**
 * Abstract class for VersionControl_HG.
 *
 * This class maintains all global options and take care about getters and
 * setters.
 *
 * @method boolean getVerbose()
 * @method void setVerbose(boolean $flag)
 * @method boolean getQuiet()
 * @method void setQuiet(boolean $flag)
 * @method boolean getNoninteractive()
 * @method void setNoninteractive(boolean $flag)
 * @method boolean getCwd()
 * @method void setCwd(string $directory)
 * @method boolean getDebug()
 * @method void setDebug(boolean $flag)
 * @method boolean getDebugger()
 * @method void setDebugger(boolean $flag)
 * @method string getEncoding()
 * @method void setEncoding(string $encoding)
 * @method string getEncodingmode()
 * @method void setEncodingmode(string $mode)
 * @method boolean getTraceback()
 * @method void setTraceback(boolean $flag)
 * @method boolean getTime()
 * @method void setTime(boolean $flag)
 * @method boolean getProfile()
 * @method void setProfile(boolean $flag)
 * @method boolean getVersion()
 * @method void setVersion(boolean $flag)
 * @method boolean getHelp()
 * @method void setHelp(boolean $flag)
 * @method boolean getHidden()
 * @method void setHidden(boolean $flag)
 * @method array getConfig()
 * @method void addConfig(string $config)
 */
abstract class AbstractCommand
{
    /** @var string $name */
    protected $name = '';

    /** @var string $hgPath */
    protected $hgPath = 'hg';

    /** @var string $command */
    protected $command = '%s %s';

    /**
     * Command specific options.
     *
     * @var array $options
     */
    protected $options = [];

    /** @var array $globalOptions */
    protected $globalOptions = [
        '--repository'     => '',
        '--cwd'            => '',
        '--noninteractive' => false,
        '--quiet'          => false,
        '--verbose'        => false,
        '--config'         => [],
        '--debug'          => false,
        '--debugger'       => false,
        '--encoding'       => '',
        '--encodingmode'   => '',
        '--traceback'      => false,
        '--time'           => false,
        '--profile'        => false,
        '--version'        => false,
        '--help'           => false,
        '--hidden'         => false,
    ];

    /**
     * Get hg path.
     *
     * @return string
     */
    public function getHgPath()
    {
        return $this->hgPath;
    }

    /**
     * Set path to hg executable.
     *
     * @param string $path
     *
     * @return $this
     */
    public function setHgPath($path)
    {
        $this->hgPath = $path;

        return $this;
    }

    /**
     * Returns a string representation for the mercurial shell command.
     *
     * @return string
     */
    public function __toString()
    {
        return sprintf($this->command, $this->hgPath, $this);
    }

    /**
     * Standard constructor.
     *
     * - sets the concrete commands name
     * - merges the global options with the concrete commands options
     *
     * @param mixed $options
     */
    public function __construct($options = [])
    {
        $this->name = $this->getCommandName();

        $this->options = array_merge($this->options, $options);
    }

    /**
     * Execute mercurial command.
     *
     * @return string
     *
     * @throws \RuntimeException
     */
    public function execute()
    {
        $output = [];
        $code = 0;

        exec(sprintf($this->command, $this->hgPath, $this) . " 2>&1", $output, $code);

        if ($code != 0) {

            throw new \RuntimeException(
                'An error occurred while using VersionControl_HG; hg returned: '
                . implode(PHP_EOL, $output),
                $code
            );
        }

        return implode(PHP_EOL, $output);
    }

    /**
     * Returns the string representation of the command.
     *
     * @return string
     */
    public function asString()
    {
        return self::__toString();
    }

    /**
     * Magic method to get option entries with a getter/setter method.
     *
     * @param string $name
     * @param array  $arguments
     *
     * @return boolean|array|string|self
     *
     * @throws \InvalidArgumentException
     */
    public function __call($name, $arguments)
    {
        if (preg_match('~^(set|get|add)([A-Z])([a-z]*)([A-Z]?)(.*)$~', $name, $matches)) {
            $match = !empty($matches[4]) ? sprintf('-%s%s', strtolower($matches[4]), $matches[5]) : '';
            $property = strtolower($matches[2]) . $matches[3] . $match;

            $this->options = array_merge($this->globalOptions, $this->options);

            $this->doesPropertyExist($property);

            $result = false;

            switch ($matches[1]) {
                case 'set':
                    $this->options["--{$property}"] = $arguments[0];
                    $result = $this;
                    break;
                case 'add':
                    $this->options["--{$property}"][] = $arguments[0];
                    $result = $this;
                    break;
                case 'get':
                    $result = $this->options["--{$property}"];
                    break;
            }

            return $result;
        }

        throw new \InvalidArgumentException('Method ' . $name . ' not exists');
    }

    /**
     * Does property exist check.
     *
     * @param string $property
     *
     * @throws \InvalidArgumentException
     */
    private function doesPropertyExist($property)
    {
        if (! isset($this->options["--{$property}"])) {
            throw new \InvalidArgumentException('Property ' . $property . ' not exists');
        }
    }

    /**
     * Concatinates string options.
     *
     * @return string
     */
    protected function assembleOptionString()
    {
        $optionString = '';

        foreach ($this->options as $name => $option) {
            if ($option === true) {
                $optionString .= " {$name}";
            } elseif (is_string($option) && $option !== '') {
                $optionString .= " {$name} " . escapeshellarg($option);
            } elseif (is_array($option) && !empty($option)) {
                $optionString .= " {$name} " . implode(' ', $option);
            }
        }

        return $optionString !== '' ? $optionString . '' : ' ';
    }

    /**
     * Returns the concrete commands name.
     *
     * @return string
     */
    private function getCommandName()
    {
        $className   = implode('', array_slice(explode('\\', get_class($this)), -1));
        $commandName = str_replace('command', '', strtolower($className));

        return $commandName;
    }
}


1		<?php
2		/**
3		* VersionControl_HG
4		* Simple OO implementation for Mercurial.
5		*
6		* PHP Version 5.4
7		*
8		* @copyright 2014 Siad Ardroumli
9		* @license http://www.opensource.org/licenses/mit-license.php MIT
10		* @link http://siad007.github.io/versioncontrol_hg
11		*/
12
13		namespace Siad007\VersionControl\HG\Command;
14
15		/**
16		* Abstract class for VersionControl_HG.
17		*
18		* This class maintains all global options and take care about getters and
19		* setters.
20		*
21		* @method boolean getVerbose()
22		* @method void setVerbose(boolean $flag)
23		* @method boolean getQuiet()
24		* @method void setQuiet(boolean $flag)
25		* @method boolean getNoninteractive()
26		* @method void setNoninteractive(boolean $flag)
27		* @method boolean getCwd()
28		* @method void setCwd(string $directory)
29		* @method boolean getDebug()
30		* @method void setDebug(boolean $flag)
31		* @method boolean getDebugger()
32		* @method void setDebugger(boolean $flag)
33		* @method string getEncoding()
34		* @method void setEncoding(string $encoding)
35		* @method string getEncodingmode()
36		* @method void setEncodingmode(string $mode)
37		* @method boolean getTraceback()
38		* @method void setTraceback(boolean $flag)
39		* @method boolean getTime()
40		* @method void setTime(boolean $flag)
41		* @method boolean getProfile()
42		* @method void setProfile(boolean $flag)
43		* @method boolean getVersion()
44		* @method void setVersion(boolean $flag)
45		* @method boolean getHelp()
46		* @method void setHelp(boolean $flag)
47		* @method boolean getHidden()
48		* @method void setHidden(boolean $flag)
49		* @method array getConfig()
50		* @method void addConfig(string $config)
51		*/
52		abstract class AbstractCommand
53		{
54		/** @var string $name */
55		protected $name = '';
56
57		/** @var string $hgPath */
58		protected $hgPath = 'hg';
59
60		/** @var string $command */
61		protected $command = '%s %s';
62
63		/**
64		* Command specific options.
65		*
66		* @var array $options
67		*/
68		protected $options = [];
69
70		/** @var array $globalOptions */
71		protected $globalOptions = [
72		'--repository' => '',
73		'--cwd' => '',
74		'--noninteractive' => false,
75		'--quiet' => false,
76		'--verbose' => false,
77		'--config' => [],
78		'--debug' => false,
79		'--debugger' => false,
80		'--encoding' => '',
81		'--encodingmode' => '',
82		'--traceback' => false,
83		'--time' => false,
84		'--profile' => false,
85		'--version' => false,
86		'--help' => false,
87		'--hidden' => false,
88		];
89
90		/**
91		* Get hg path.
92		*
93		* @return string
94		*/
95	1	public function getHgPath()
96		{
97	1	return $this->hgPath;
98		}
99
100		/**
101		* Set path to hg executable.
102		*
103		* @param string $path
104		*
105		* @return $this
106		*/
107	1	public function setHgPath($path)
108		{
109	1	$this->hgPath = $path;
110
111	1	return $this;
112		}
113
114		/**
115		* Returns a string representation for the mercurial shell command.
116		*
117		* @return string
118		*/
119	44	public function __toString()
120		{
121	44	return sprintf($this->command, $this->hgPath, $this);
122		}
123
124		/**
125		* Standard constructor.
126		*
127		* - sets the concrete commands name
128		* - merges the global options with the concrete commands options
129		*
130		* @param mixed $options
131		*/
132	51	public function __construct($options = [])
133		{
134	51	$this->name = $this->getCommandName();
135
136	51	$this->options = array_merge($this->options, $options);
137	51	}
138
139		/**
140		* Execute mercurial command.
141		*
142		* @return string
143		*
144		* @throws \RuntimeException
145		*/
146	2	public function execute()
147		{
148	2	$output = [];
149	2	$code = 0;
150
151	2	exec(sprintf($this->command, $this->hgPath, $this) . " 2>&1", $output, $code);
152
153	2	if ($code != 0) {
		0 ignored issues – show Bug introduced 2016-05-10 21:20 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like you are loosely comparing `$code` of type `integer\|null` to `0`; this is ambiguous as not only `0 == 0` is true, but `null == 0` is true, too. Consider using a strict comparison `===`. Loading history...
154	1	throw new \RuntimeException(
155		'An error occurred while using VersionControl_HG; hg returned: '
156	1	. implode(PHP_EOL, $output),
157		$code
158		);
159		}
160
161	1	return implode(PHP_EOL, $output);
162		}
163
164		/**
165		* Returns the string representation of the command.
166		*
167		* @return string
168		*/
169	44	public function asString()
170		{
171	44	return self::__toString();
172		}
173
174		/**
175		* Magic method to get option entries with a getter/setter method.
176		*
177		* @param string $name
178		* @param array $arguments
179		*
180		* @return boolean\|array\|string\|self
181		*
182		* @throws \InvalidArgumentException
183		*/
184	43	public function __call($name, $arguments)
185		{
186	43	if (preg_match('~^(set\|get\|add)([A-Z])([a-z])([A-Z]?)(.)$~', $name, $matches)) {
187	42	$match = !empty($matches[4]) ? sprintf('-%s%s', strtolower($matches[4]), $matches[5]) : '';
188	42	$property = strtolower($matches[2]) . $matches[3] . $match;
189
190	42	$this->options = array_merge($this->globalOptions, $this->options);
191
192	42	$this->doesPropertyExist($property);
193
194	41	$result = false;
195
196	41	switch ($matches[1]) {
197	41	case 'set':
198	39	$this->options["--{$property}"] = $arguments[0];
199	39	$result = $this;
200	39	break;
201	17	case 'add':
202	16	$this->options["--{$property}"][] = $arguments[0];
203	16	$result = $this;
204	16	break;
205	1	case 'get':
206	1	$result = $this->options["--{$property}"];
207	1	break;
208		}
209
210	41	return $result;
211		}
212
213	1	throw new \InvalidArgumentException('Method ' . $name . ' not exists');
214		}
215
216		/**
217		* Does property exist check.
218		*
219		* @param string $property
220		*
221		* @throws \InvalidArgumentException
222		*/
223	42	private function doesPropertyExist($property)
224		{
225	42	if (! isset($this->options["--{$property}"])) {
226	1	throw new \InvalidArgumentException('Property ' . $property . ' not exists');
227		}
228	41	}
229
230		/**
231		* Concatinates string options.
232		*
233		* @return string
234		*/
235	41	protected function assembleOptionString()
236		{
237	41	$optionString = '';
238
239	41	foreach ($this->options as $name => $option) {
240	40	if ($option === true) {
241	37	$optionString .= " {$name}";
242	40	} elseif (is_string($option) && $option !== '') {
243	20	$optionString .= " {$name} " . escapeshellarg($option);
244	40	} elseif (is_array($option) && !empty($option)) {
245	40	$optionString .= " {$name} " . implode(' ', $option);
246		}
247		}
248
249	41	return $optionString !== '' ? $optionString . '' : ' ';
250		}
251
252		/**
253		* Returns the concrete commands name.
254		*
255		* @return string
256		*/
257	51	private function getCommandName()
258		{
259	51	$className = implode('', array_slice(explode('\\', get_class($this)), -1));
260	51	$commandName = str_replace('command', '', strtolower($className));
261
262	51	return $commandName;
263		}
264		}
265

siad007 / versioncontrol_hg

Issues (1)

Security Analysis no request data

src/Command/AbstractCommand.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like