Issues in ProxyQuery.php (master) - Issues in master - sonata-project/SonataDoctrinePhpcrAdminBundle - Measure and Improve Code Quality continuously with Scrutinizer

Issues (159)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Datagrid/ProxyQuery.php (1 issue)

Labels

Severity

Major 1

Lukas Kahwe Smith 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

declare(strict_types=1);

/*
 * This file is part of the Sonata Project package.
 *
 * (c) Thomas Rabaix <[email protected]>
 *
 * For the full copyright and license information, please view the LICENSE
 * file that was distributed with this source code.
 */

namespace Sonata\DoctrinePHPCRAdminBundle\Datagrid;

use Doctrine\ODM\PHPCR\DocumentManager;
use Doctrine\ODM\PHPCR\Query\Builder\AbstractNode;
use Doctrine\ODM\PHPCR\Query\Builder\QueryBuilder;
use Sonata\AdminBundle\Datagrid\ProxyQueryInterface;

/**
 * This class is used to abstract the Admin Bundle from the different QueryBuilder implementations.
 */
class ProxyQuery implements ProxyQueryInterface
{
    /**
     * Query Builder Fluent interface for the QOM.
     *
     * @var QueryBuilder
     */
    protected $qb;

    /**
     * The alias name used for the document FQN.
     *
     * @var string
     */
    protected $alias;

    /**
     * The root path.
     *
     * @var string|null
     */
    protected $root;

    /**
     * Property that determines the Ordering of the results.
     *
     * @var string
     */
    protected $sortBy;

    /**
     * Ordering of the results (ASC, DESC).
     *
     * @var string
     */
    protected $sortOrder;

    /**
     * PHPCR ODM Document Manager.
     *
     * @var DocumentManager
     */
    protected $documentManager;

    /**
     * Name of this document class.
     *
     * @var string
     */
    protected $documentName;

    /**
     * Creates a Query Builder from the QOMFactory.
     *
     * @param string $alias Short name to use instead of the FQN
     *                      of the document
     *
     * @throws \InvalidArgumentException if alias is not a string or an empty string
     */
    public function __construct(QueryBuilder $queryBuilder, $alias)
    {
        if (!\is_string($alias) || '' === $alias) {
            throw new \InvalidArgumentException('$alias must be a non empty string');
        }

        $this->qb = $queryBuilder;
        $this->alias = $alias;
    }

    /**
     * Allows for direct calls to the QueryBuilder.
     *
     * @param string $name name of the method
     * @param array  $args arguments of the call
     *
     * @codeCoverageIgnore
     */
    public function __call($name, $args)
    {
        return \call_user_func_array([$this->qb, $name], $args);
    }

    /**
     * @return string
     */
    public function getAlias()
    {
        return $this->alias;
    }

    /**
     * @param string $root root path to restrict what documents to find
     */
    public function setRootPath($root): void
    {
        $this->root = $root;
    }

    /**
     * Executes the query, applying the source, the constraint of documents being of the phpcr:class of
     * this kind of document and builds an array of retrieved documents.
     *
     * @param array $params        doesn't have any effect
     * @param mixed $hydrationMode doesn't have any effect
     *
     * @throws \Exception if $this->sortOrder is not ASC or DESC
     *
     * @return array of documents
     */
    public function execute(array $params = [], $hydrationMode = null)
    {
        // always clone the original queryBuilder
        $queryBuilder = clone $this->qb;

        if ($this->getSortBy()) {
            $orderByChildren = $queryBuilder->getChildrenOfType(AbstractNode::NT_ORDER_BY);
            $queryBuilder->removeChildrenOfType(AbstractNode::NT_ORDER_BY);

            switch ($this->sortOrder) {
                case 'DESC':
                    $queryBuilder->orderBy()->desc()->field($this->alias.'.'.$this->sortBy);

                    break;
                case 'ASC':
                    $queryBuilder->orderBy()->asc()->field($this->alias.'.'.$this->sortBy);

                    break;
                default:
                    throw new \Exception('Unsupported sort order direction: '.$this->sortOrder);
            }

            foreach ($orderByChildren as $orderByChild) {
                $queryBuilder->addChild($orderByChild);
            }
        }

        if ($this->root) {
''   == false // true
''   == null  // true
'ab' == false // false
'ab' == null  // false

// It is often better to use strict comparison
'' === false // false
'' === null  // false
            $queryBuilder->andWhere()->descendant($this->root, $this->alias);
        }

        return $queryBuilder->getQuery()->execute();
    }

    /**
     * Set the property to be sorted by.
     *
     * {@inheritdoc}
     */
    public function setSortBy($parentAssociationMappings, $fieldMapping)
    {
        $this->sortBy = $fieldMapping['fieldName'];

        return $this;
    }

    /**
     * Gets the property that defines the ordering.
     *
     * @return string the property to be sorted by
     */
    public function getSortBy()
    {
        return $this->sortBy;
    }

    /**
     * Set the sort ordering.
     *
     * {@inheritdoc}
     *
     * @param string $sortOrder (ASC|DESC)
     *
     * @throws \InvalidArgumentException if $sortOrder is not one of ASC or DESC
     */
    public function setSortOrder($sortOrder)
    {
        if (!\in_array($sortOrder, ['ASC', 'DESC'], true)) {
            throw new \InvalidArgumentException(sprintf('The parameter $sortOrder must be one of "ASC" or "DESC", got "%s"', $sortOrder));
        }
        $this->sortOrder = $sortOrder;

        return $this;
    }

    /**
     * Get the ordering.
     *
     * @return string ASC or DESC
     */
    public function getSortOrder()
    {
        return $this->sortOrder;
    }

    /**
     * @codeCoverageIgnore
     *
     * @throws \Exception
     */
    public function getSingleScalarResult(): void
    {
        /* TODO: Figure out who calls this method and what to do here in context of PHPCR */
        throw new \Exception('Used by what??');
    }

    /**
     * Gets the QueryBuilder.
     *
     * @return QueryBuilder
     */
    public function getQueryBuilder()
    {
        return $this->qb;
    }

    /**
     * Sets the first result (offset).
     *
     * {@inheritdoc}
     */
    public function setFirstResult($firstResult)
    {
        $this->qb->setFirstResult($firstResult);

        return $this;
    }

    /**
     * Gets the first result (offset).
     *
     * @return int the offset
     */
    public function getFirstResult()
    {
        return $this->qb->getFirstResult();
    }

    /**
     * Set maximum number of results to retrieve.
     *
     * {@inheritdoc}
     */
    public function setMaxResults($maxResults)
    {
        $this->qb->setMaxResults($maxResults);

        return $this;
    }

    /**
     * Gets the maximum number of results to retrieve.
     *
     * @return int
     */
    public function getMaxResults()
    {
        return $this->qb->getMaxResults();
    }

    /**
     * Sets the document manager.
     */
    public function setDocumentManager(DocumentManager $documentManager)
    {
        $this->documentManager = $documentManager;

        return $this;
    }

    /**
     * Gets the document manager.
     *
     * @return DocumentManager $documentManager
     */
    public function getDocumentManager()
    {
        return $this->documentManager;
    }

    public function getUniqueParameterId(): void
    {
    }

    public function entityJoin(array $associationMappings): void
    {
    }
}


1			<?php
2
3			declare(strict_types=1);
4
5			/*
6			* This file is part of the Sonata Project package.
7			*
8			* (c) Thomas Rabaix <[email protected]>
9			*
10			* For the full copyright and license information, please view the LICENSE
11			* file that was distributed with this source code.
12			*/
13
14			namespace Sonata\DoctrinePHPCRAdminBundle\Datagrid;
15
16			use Doctrine\ODM\PHPCR\DocumentManager;
17			use Doctrine\ODM\PHPCR\Query\Builder\AbstractNode;
18			use Doctrine\ODM\PHPCR\Query\Builder\QueryBuilder;
19			use Sonata\AdminBundle\Datagrid\ProxyQueryInterface;
20
21			/**
22			* This class is used to abstract the Admin Bundle from the different QueryBuilder implementations.
23			*/
24			class ProxyQuery implements ProxyQueryInterface
25			{
26			/**
27			* Query Builder Fluent interface for the QOM.
28			*
29			* @var QueryBuilder
30			*/
31			protected $qb;
32
33			/**
34			* The alias name used for the document FQN.
35			*
36			* @var string
37			*/
38			protected $alias;
39
40			/**
41			* The root path.
42			*
43			* @var string\|null
44			*/
45			protected $root;
46
47			/**
48			* Property that determines the Ordering of the results.
49			*
50			* @var string
51			*/
52			protected $sortBy;
53
54			/**
55			* Ordering of the results (ASC, DESC).
56			*
57			* @var string
58			*/
59			protected $sortOrder;
60
61			/**
62			* PHPCR ODM Document Manager.
63			*
64			* @var DocumentManager
65			*/
66			protected $documentManager;
67
68			/**
69			* Name of this document class.
70			*
71			* @var string
72			*/
73			protected $documentName;
74
75			/**
76			* Creates a Query Builder from the QOMFactory.
77			*
78			* @param string $alias Short name to use instead of the FQN
79			* of the document
80			*
81			* @throws \InvalidArgumentException if alias is not a string or an empty string
82			*/
83			public function __construct(QueryBuilder $queryBuilder, $alias)
84			{
85			if (!\is_string($alias) \|\| '' === $alias) {
86			throw new \InvalidArgumentException('$alias must be a non empty string');
87			}
88
89			$this->qb = $queryBuilder;
90			$this->alias = $alias;
91			}
92
93			/**
94			* Allows for direct calls to the QueryBuilder.
95			*
96			* @param string $name name of the method
97			* @param array $args arguments of the call
98			*
99			* @codeCoverageIgnore
100			*/
101			public function __call($name, $args)
102			{
103			return \call_user_func_array([$this->qb, $name], $args);
104			}
105
106			/**
107			* @return string
108			*/
109			public function getAlias()
110			{
111			return $this->alias;
112			}
113
114			/**
115			* @param string $root root path to restrict what documents to find
116			*/
117			public function setRootPath($root): void
118			{
119			$this->root = $root;
120			}
121
122			/**
123			* Executes the query, applying the source, the constraint of documents being of the phpcr:class of
124			* this kind of document and builds an array of retrieved documents.
125			*
126			* @param array $params doesn't have any effect
127			* @param mixed $hydrationMode doesn't have any effect
128			*
129			* @throws \Exception if $this->sortOrder is not ASC or DESC
130			*
131			* @return array of documents
132			*/
133			public function execute(array $params = [], $hydrationMode = null)
134			{
135			// always clone the original queryBuilder
136			$queryBuilder = clone $this->qb;
137
138			if ($this->getSortBy()) {
139			$orderByChildren = $queryBuilder->getChildrenOfType(AbstractNode::NT_ORDER_BY);
140			$queryBuilder->removeChildrenOfType(AbstractNode::NT_ORDER_BY);
141
142			switch ($this->sortOrder) {
143			case 'DESC':
144			$queryBuilder->orderBy()->desc()->field($this->alias.'.'.$this->sortBy);
145
146			break;
147			case 'ASC':
148			$queryBuilder->orderBy()->asc()->field($this->alias.'.'.$this->sortBy);
149
150			break;
151			default:
152			throw new \Exception('Unsupported sort order direction: '.$this->sortOrder);
153			}
154
155			foreach ($orderByChildren as $orderByChild) {
156			$queryBuilder->addChild($orderByChild);
157			}
158			}
159
160			if ($this->root) {
			0 ignored issues – show Bug Best Practice introduced 2020-03-23 23:31 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `$this->root` of type `string\|null` is loosely compared to `true`; this is ambiguous if the string can be empty. You might want to explicitly use `!== null` instead. In PHP, under loose comparison (like `==`, or `!=`, or `switch` conditions), values of different types might be equal. For `string` values, the empty string `''` is a special case, in particular the following results might be unexpected: '' == false // true '' == null // true 'ab' == false // false 'ab' == null // false // It is often better to use strict comparison '' === false // false '' === null // false Loading history...
161			$queryBuilder->andWhere()->descendant($this->root, $this->alias);
162			}
163
164			return $queryBuilder->getQuery()->execute();
165			}
166
167			/**
168			* Set the property to be sorted by.
169			*
170			* {@inheritdoc}
171			*/
172			public function setSortBy($parentAssociationMappings, $fieldMapping)
173			{
174			$this->sortBy = $fieldMapping['fieldName'];
175
176			return $this;
177			}
178
179			/**
180			* Gets the property that defines the ordering.
181			*
182			* @return string the property to be sorted by
183			*/
184			public function getSortBy()
185			{
186			return $this->sortBy;
187			}
188
189			/**
190			* Set the sort ordering.
191			*
192			* {@inheritdoc}
193			*
194			* @param string $sortOrder (ASC\|DESC)
195			*
196			* @throws \InvalidArgumentException if $sortOrder is not one of ASC or DESC
197			*/
198			public function setSortOrder($sortOrder)
199			{
200			if (!\in_array($sortOrder, ['ASC', 'DESC'], true)) {
201			throw new \InvalidArgumentException(sprintf('The parameter $sortOrder must be one of "ASC" or "DESC", got "%s"', $sortOrder));
202			}
203			$this->sortOrder = $sortOrder;
204
205			return $this;
206			}
207
208			/**
209			* Get the ordering.
210			*
211			* @return string ASC or DESC
212			*/
213			public function getSortOrder()
214			{
215			return $this->sortOrder;
216			}
217
218			/**
219			* @codeCoverageIgnore
220			*
221			* @throws \Exception
222			*/
223			public function getSingleScalarResult(): void
224			{
225			/* TODO: Figure out who calls this method and what to do here in context of PHPCR */
226			throw new \Exception('Used by what??');
227			}
228
229			/**
230			* Gets the QueryBuilder.
231			*
232			* @return QueryBuilder
233			*/
234			public function getQueryBuilder()
235			{
236			return $this->qb;
237			}
238
239			/**
240			* Sets the first result (offset).
241			*
242			* {@inheritdoc}
243			*/
244			public function setFirstResult($firstResult)
245			{
246			$this->qb->setFirstResult($firstResult);
247
248			return $this;
249			}
250
251			/**
252			* Gets the first result (offset).
253			*
254			* @return int the offset
255			*/
256			public function getFirstResult()
257			{
258			return $this->qb->getFirstResult();
259			}
260
261			/**
262			* Set maximum number of results to retrieve.
263			*
264			* {@inheritdoc}
265			*/
266			public function setMaxResults($maxResults)
267			{
268			$this->qb->setMaxResults($maxResults);
269
270			return $this;
271			}
272
273			/**
274			* Gets the maximum number of results to retrieve.
275			*
276			* @return int
277			*/
278			public function getMaxResults()
279			{
280			return $this->qb->getMaxResults();
281			}
282
283			/**
284			* Sets the document manager.
285			*/
286			public function setDocumentManager(DocumentManager $documentManager)
287			{
288			$this->documentManager = $documentManager;
289
290			return $this;
291			}
292
293			/**
294			* Gets the document manager.
295			*
296			* @return DocumentManager $documentManager
297			*/
298			public function getDocumentManager()
299			{
300			return $this->documentManager;
301			}
302
303			public function getUniqueParameterId(): void
304			{
305			}
306
307			public function entityJoin(array $associationMappings): void
308			{
309			}
310			}
311

sonata-project / SonataDoctrinePhpcrAdminBundle

Issues (159)

Security Analysis not enabled

src/Datagrid/ProxyQuery.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like