Issues in MemoryConfigCollection.php (master) - Issues in master - silverstripe/silverstripe-config - Measure and Improve Code Quality continuously with Scrutinizer

Issues (16)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Collections/MemoryConfigCollection.php (6 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace SilverStripe\Config\Collections;

use SilverStripe\Config\MergeStrategy\Priority;
use SilverStripe\Config\Middleware\MiddlewareAware;
use SilverStripe\Config\Transformer\TransformerInterface;
use Serializable;

/**
 * Basic mutable config collection stored in memory
 */
class MemoryConfigCollection implements MutableConfigCollectionInterface, Serializable
{
    use MiddlewareAware;

    /**
     * Stores a list of key/value config prior to middleware being applied
     *
     * @var array
     */
    protected $config = [];

    /**
     * Call cache for non-trivial config calls including middleware
     *
     * @var array
     */
    protected $callCache = [];

    /**
     * @var array
     */
    protected $metadata = [];

    /**
     * @var array
     */
    protected $history = [];

    /**
     * @var boolean
     */
    protected $trackMetadata = false;

    /**
     * ConfigCollection constructor.
     *
     * @param bool $trackMetadata
     */
    public function __construct($trackMetadata = false)
    {
        $this->trackMetadata = $trackMetadata;
    }

    /**
     * @return static
     */
    public static function create()
    {
        return new static();
    }

    /**
     * Trigger transformers to load into this store
     *
     * @param  TransformerInterface[] $transformers
     * @return $this
     */
    public function transform($transformers)
    {
        foreach ($transformers as $transformer) {
            $transformer->transform($this);
        }
        return $this;
    }

    public function set($class, $name, $data, $metadata = [])
    {
        $this->saveMetadata($class, $metadata);

        $classKey = strtolower($class);
        if ($name) {
            if (!isset($this->config[$classKey])) {
                $this->config[$classKey] = [];
            }
            $this->config[$classKey][$name] = $data;
        } else {
            $this->config[$classKey] = $data;
        }

        // Flush call cache
        $this->callCache = [];
        return $this;
    }

    public function get($class, $name = null, $excludeMiddleware = 0)
    {
        if (!is_int($excludeMiddleware) && $excludeMiddleware !== true) {
            throw new \InvalidArgumentException("Invalid middleware flags");
        }

        // Get config for complete class
        $config = $this->getClassConfig($class, $excludeMiddleware);

        // Return either name, or whole-class config
        if ($name) {
''   == false // true
''   == null  // true
'ab' == false // false
'ab' == null  // false

// It is often better to use strict comparison
'' === false // false
'' === null  // false
            return isset($config[$name]) ? $config[$name] : null;
        }
        return $config;
    }

    /**
     * Retrieve config for an entire class
     *
     * @param string $class Name of class
     * @param int|true $excludeMiddleware Optional flag of middleware to disable.
     * Passing in `true` disables all middleware.
     * Can also pass in int flags to specify specific middlewares.
     * @return array
     */
    protected function getClassConfig($class, $excludeMiddleware = 0)
    {
        // `true` excludes all middleware, so bypass call cache
        $classKey = strtolower($class);
        if ($excludeMiddleware === true) {
            return isset($this->config[$classKey]) ? $this->config[$classKey] : [];
        }

        // Check cache
        if (isset($this->callCache[$classKey][$excludeMiddleware])) {
            return $this->callCache[$classKey][$excludeMiddleware];
        }

        // Build middleware
        $result = $this->callMiddleware(
            $class,
            $excludeMiddleware,
            function ($class, $excludeMiddleware) {

                return $this->getClassConfig($class, true);
function acceptsInteger($int) { }

$x = '123'; // string "123"

// Instead of
acceptsInteger($x);

// we recommend to use
acceptsInteger((integer) $x);
            }
        );

        // Save cache
        if (!isset($this->callCache[$classKey])) {
            $this->callCache[$classKey] = [];
        }
        $this->callCache[$classKey][$excludeMiddleware] = $result;
        return $result;
    }

    public function exists($class, $name = null, $excludeMiddleware = 0)
    {
        $config = $this->get($class, null, $excludeMiddleware);
        if (empty($config)) {
            return false;
        }
        if ($name) {
''   == false // true
''   == null  // true
'ab' == false // false
'ab' == null  // false

// It is often better to use strict comparison
'' === false // false
'' === null  // false
            return array_key_exists($name, $config);
        }
        return true;
    }

    public function remove($class, $name = null)
    {
        $classKey = strtolower($class);
        if ($name) {
''   == false // true
''   == null  // true
'ab' == false // false
'ab' == null  // false

// It is often better to use strict comparison
'' === false // false
'' === null  // false
            unset($this->config[$classKey][$name]);
        } else {
            unset($this->config[$classKey]);
        }
        // Discard call cache
        unset($this->callCache[$classKey]);
        return $this;
    }

    public function removeAll()
    {
        $this->config = [];
        $this->metadata = [];
        $this->history = [];
        $this->callCache = [];
    }

    /**
     * Get complete config (excludes middleware-applied config)
     *
     * @return array
     */
    public function getAll()
    {
        return $this->config;
    }

    /**
     * @deprecated 4.0...5.0
     *
     * Synonym for merge()
     *
     * @param string $class
     * @param string $name
     * @param mixed  $value
     * @return $this
     */
    public function update($class, $name, $value)
    {
        $this->merge($class, $name, $value);
        return $this;
    }

    public function merge($class, $name, $value)
    {
        // Detect mergeable config
        $existing = $this->get($class, $name, true);
function acceptsInteger($int) { }

$x = '123'; // string "123"

// Instead of
acceptsInteger($x);

// we recommend to use
acceptsInteger((integer) $x);
        if (is_array($value) && is_array($existing)) {
            $value = Priority::mergeArray($value, $existing);
        }

        // Apply
        $this->set($class, $name, $value);
        return $this;
    }

    public function getMetadata()
    {
        if (!$this->trackMetadata || !is_array($this->metadata)) {
            return [];
        }

        return $this->metadata;
    }

    public function getHistory()
    {
        if (!$this->trackMetadata || !is_array($this->history)) {
            return [];
        }

        return $this->history;
    }

    /**
     * Get list of serialized properties
     *
     * @return array
     */
    protected function getSerializedMembers()
    {
        return array_filter(array_keys(get_object_vars($this)), function ($key) {
            // Skip $_underscoreProp
            return strpos($key, '_') !== 0;
        });
    }

    public function serialize()
    {
        // Auto-serialize
        $data = [];
        foreach ($this->getSerializedMembers() as $key) {
            $data[$key] = $this->$key;
        }
        return serialize($data);
    }

    public function unserialize($serialized)
    {
        $data = unserialize($serialized);
        foreach ($this->getSerializedMembers() as $key) {
            $this->$key = isset($data[$key]) ? $data[$key] : null;
        }
    }

    public function nest()
    {
        return clone $this;
    }

    /**
     * Save metadata for the given class
     *
     * @param string $class
     * @param array  $metadata
     */
    protected function saveMetadata($class, $metadata)
    {
        if (!$this->trackMetadata) {
            return;
        }

        $classKey = strtolower($class);
        if (isset($this->metadata[$classKey]) && isset($this->config[$classKey])) {
            if (!isset($this->history[$classKey])) {
                $this->history[$classKey] = [];
            }

            array_unshift(
                $this->history[$classKey],
                [
                'value' => $this->config[$classKey],
                'metadata' => $this->metadata[$classKey]
                ]
            );
        }

        $this->metadata[$classKey] = $metadata;
    }
}


1		<?php
2
3		namespace SilverStripe\Config\Collections;
4
5		use SilverStripe\Config\MergeStrategy\Priority;
6		use SilverStripe\Config\Middleware\MiddlewareAware;
7		use SilverStripe\Config\Transformer\TransformerInterface;
8		use Serializable;
9
10		/**
11		* Basic mutable config collection stored in memory
12		*/
13		class MemoryConfigCollection implements MutableConfigCollectionInterface, Serializable
14		{
15		use MiddlewareAware;
16
17		/**
18		* Stores a list of key/value config prior to middleware being applied
19		*
20		* @var array
21		*/
22		protected $config = [];
23
24		/**
25		* Call cache for non-trivial config calls including middleware
26		*
27		* @var array
28		*/
29		protected $callCache = [];
30
31		/**
32		* @var array
33		*/
34		protected $metadata = [];
35
36		/**
37		* @var array
38		*/
39		protected $history = [];
40
41		/**
42		* @var boolean
43		*/
44		protected $trackMetadata = false;
45
46		/**
47		* ConfigCollection constructor.
48		*
49		* @param bool $trackMetadata
50		*/
51	31	public function __construct($trackMetadata = false)
52		{
53	31	$this->trackMetadata = $trackMetadata;
54	31	}
55
56		/**
57		* @return static
58		*/
59		public static function create()
60		{
61		return new static();
62		}
63
64		/**
65		* Trigger transformers to load into this store
66		*
67		* @param TransformerInterface[] $transformers
68		* @return $this
69		*/
70	18	public function transform($transformers)
71		{
72	18	foreach ($transformers as $transformer) {
73	18	$transformer->transform($this);
74	16	}
75	16	return $this;
76		}
77
78	28	public function set($class, $name, $data, $metadata = [])
79		{
80	28	$this->saveMetadata($class, $metadata);
81
82	28	$classKey = strtolower($class);
83	28	if ($name) {
84	6	if (!isset($this->config[$classKey])) {
85	6	$this->config[$classKey] = [];
86	6	}
87	6	$this->config[$classKey][$name] = $data;
88	6	} else {
89	28	$this->config[$classKey] = $data;
90		}
91
92		// Flush call cache
93	28	$this->callCache = [];
94	28	return $this;
95		}
96
97	28	public function get($class, $name = null, $excludeMiddleware = 0)
98		{
99	28	if (!is_int($excludeMiddleware) && $excludeMiddleware !== true) {
100		throw new \InvalidArgumentException("Invalid middleware flags");
101		}
102
103		// Get config for complete class
104	28	$config = $this->getClassConfig($class, $excludeMiddleware);
105
106		// Return either name, or whole-class config
107	28	if ($name) {
		0 ignored issues – show Bug Best Practice introduced 2017-04-10 22:07 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `$name` of type `string\|null` is loosely compared to `true`; this is ambiguous if the string can be empty. You might want to explicitly use `!== null` instead. In PHP, under loose comparison (like `==`, or `!=`, or `switch` conditions), values of different types might be equal. For `string` values, the empty string `''` is a special case, in particular the following results might be unexpected: '' == false // true '' == null // true 'ab' == false // false 'ab' == null // false // It is often better to use strict comparison '' === false // false '' === null // false Loading history...
108	7	return isset($config[$name]) ? $config[$name] : null;
109		}
110	28	return $config;
111		}
112
113		/**
114		* Retrieve config for an entire class
115		*
116		* @param string $class Name of class
117		* @param int\|true $excludeMiddleware Optional flag of middleware to disable.
118		* Passing in `true` disables all middleware.
119		* Can also pass in int flags to specify specific middlewares.
120		* @return array
121		*/
122	28	protected function getClassConfig($class, $excludeMiddleware = 0)
123		{
124		// `true` excludes all middleware, so bypass call cache
125	28	$classKey = strtolower($class);
126	28	if ($excludeMiddleware === true) {
127	27	return isset($this->config[$classKey]) ? $this->config[$classKey] : [];
128		}
129
130		// Check cache
131	28	if (isset($this->callCache[$classKey][$excludeMiddleware])) {
132	3	return $this->callCache[$classKey][$excludeMiddleware];
133		}
134
135		// Build middleware
136	28	$result = $this->callMiddleware(
137	28	$class,
138	28	$excludeMiddleware,
139		function ($class, $excludeMiddleware) {
		0 ignored issues – show Unused Code introduced 2017-10-12 01:21 UTC by Report Bug Copy Issue Report Show Similar Issues like this The parameter `$excludeMiddleware` is not used and could be removed. This check looks from parameters that have been defined for a function or method, but which are not used in the method body. Loading history...
140	27	return $this->getClassConfig($class, true);
		0 ignored issues – show Documentation introduced 2017-10-12 01:21 UTC by Report Bug Copy Issue Report Show Similar Issues like this `true` is of type `boolean`, but the function expects a `integer`. It seems like the type of the argument is not accepted by the function/method which you are calling. In some cases, in particular if PHP’s automatic type-juggling kicks in this might be fine. In other cases, however this might be a bug. We suggest to add an explicit type cast like in the following example: function acceptsInteger($int) { } $x = '123'; // string "123" // Instead of acceptsInteger($x); // we recommend to use acceptsInteger((integer) $x); Loading history...
141		}
142	28	);
143
144		// Save cache
145	28	if (!isset($this->callCache[$classKey])) {
146	28	$this->callCache[$classKey] = [];
147	28	}
148	28	$this->callCache[$classKey][$excludeMiddleware] = $result;
149	28	return $result;
150		}
151
152	2	public function exists($class, $name = null, $excludeMiddleware = 0)
153		{
154	2	$config = $this->get($class, null, $excludeMiddleware);
155	2	if (empty($config)) {
156	2	return false;
157		}
158	1	if ($name) {
		0 ignored issues – show Bug Best Practice introduced 2017-04-10 22:07 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `$name` of type `string\|null` is loosely compared to `true`; this is ambiguous if the string can be empty. You might want to explicitly use `!== null` instead. In PHP, under loose comparison (like `==`, or `!=`, or `switch` conditions), values of different types might be equal. For `string` values, the empty string `''` is a special case, in particular the following results might be unexpected: '' == false // true '' == null // true 'ab' == false // false 'ab' == null // false // It is often better to use strict comparison '' === false // false '' === null // false Loading history...
159		return array_key_exists($name, $config);
160		}
161	1	return true;
162		}
163
164	1	public function remove($class, $name = null)
165		{
166	1	$classKey = strtolower($class);
167	1	if ($name) {
		0 ignored issues – show Bug Best Practice introduced 2017-04-10 22:07 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `$name` of type `string\|null` is loosely compared to `true`; this is ambiguous if the string can be empty. You might want to explicitly use `!== null` instead. In PHP, under loose comparison (like `==`, or `!=`, or `switch` conditions), values of different types might be equal. For `string` values, the empty string `''` is a special case, in particular the following results might be unexpected: '' == false // true '' == null // true 'ab' == false // false 'ab' == null // false // It is often better to use strict comparison '' === false // false '' === null // false Loading history...
168		unset($this->config[$classKey][$name]);
169		} else {
170	1	unset($this->config[$classKey]);
171		}
172		// Discard call cache
173	1	unset($this->callCache[$classKey]);
174	1	return $this;
175		}
176
177	1	public function removeAll()
178		{
179	1	$this->config = [];
180	1	$this->metadata = [];
181	1	$this->history = [];
182	1	$this->callCache = [];
183	1	}
184
185		/**
186		* Get complete config (excludes middleware-applied config)
187		*
188		* @return array
189		*/
190		public function getAll()
191		{
192		return $this->config;
193		}
194
195		/**
196		* @deprecated 4.0...5.0
197		*
198		* Synonym for merge()
199		*
200		* @param string $class
201		* @param string $name
202		* @param mixed $value
203		* @return $this
204		*/
205		public function update($class, $name, $value)
206		{
207		$this->merge($class, $name, $value);
208		return $this;
209		}
210
211		public function merge($class, $name, $value)
212		{
213		// Detect mergeable config
214		$existing = $this->get($class, $name, true);
		0 ignored issues – show Documentation introduced 2017-04-10 22:07 UTC by Report Bug Copy Issue Report Show Similar Issues like this `true` is of type `boolean`, but the function expects a `integer`. It seems like the type of the argument is not accepted by the function/method which you are calling. In some cases, in particular if PHP’s automatic type-juggling kicks in this might be fine. In other cases, however this might be a bug. We suggest to add an explicit type cast like in the following example: function acceptsInteger($int) { } $x = '123'; // string "123" // Instead of acceptsInteger($x); // we recommend to use acceptsInteger((integer) $x); Loading history...
215		if (is_array($value) && is_array($existing)) {
216		$value = Priority::mergeArray($value, $existing);
217		}
218
219		// Apply
220		$this->set($class, $name, $value);
221		return $this;
222		}
223
224	8	public function getMetadata()
225		{
226	8	if (!$this->trackMetadata \|\| !is_array($this->metadata)) {
227	7	return [];
228		}
229
230	1	return $this->metadata;
231		}
232
233	2	public function getHistory()
234		{
235	2	if (!$this->trackMetadata \|\| !is_array($this->history)) {
236	1	return [];
237		}
238
239	1	return $this->history;
240		}
241
242		/**
243		* Get list of serialized properties
244		*
245		* @return array
246		*/
247		protected function getSerializedMembers()
248		{
249		return array_filter(array_keys(get_object_vars($this)), function ($key) {
250		// Skip $_underscoreProp
251		return strpos($key, '_') !== 0;
252		});
253		}
254
255		public function serialize()
256		{
257		// Auto-serialize
258		$data = [];
259		foreach ($this->getSerializedMembers() as $key) {
260		$data[$key] = $this->$key;
261		}
262		return serialize($data);
263		}
264
265		public function unserialize($serialized)
266		{
267		$data = unserialize($serialized);
268		foreach ($this->getSerializedMembers() as $key) {
269		$this->$key = isset($data[$key]) ? $data[$key] : null;
270		}
271		}
272
273		public function nest()
274		{
275		return clone $this;
276		}
277
278		/**
279		* Save metadata for the given class
280		*
281		* @param string $class
282		* @param array $metadata
283		*/
284	28	protected function saveMetadata($class, $metadata)
285		{
286	28	if (!$this->trackMetadata) {
287	27	return;
288		}
289
290	1	$classKey = strtolower($class);
291	1	if (isset($this->metadata[$classKey]) && isset($this->config[$classKey])) {
292	1	if (!isset($this->history[$classKey])) {
293	1	$this->history[$classKey] = [];
294	1	}
295
296	1	array_unshift(
297	1	$this->history[$classKey],
298		[
299	1	'value' => $this->config[$classKey],
300	1	'metadata' => $this->metadata[$classKey]
301	1	]
302	1	);
303	1	}
304
305	1	$this->metadata[$classKey] = $metadata;
306	1	}
307		}
308

silverstripe / silverstripe-config

Issues (16)

Security Analysis no request data

src/Collections/MemoryConfigCollection.php (6 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like