Issues in syntax.php (master) - Issues in master - splitbrain/dokuwiki - Measure and Improve Code Quality continuously with Scrutinizer

Issues (847)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

lib/plugins/info/syntax.php (2 issues)

Labels

Bug 2

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * Info Plugin: Displays information about various DokuWiki internals
 *
 * @license    GPL 2 (http://www.gnu.org/licenses/gpl.html)
 * @author     Andreas Gohr <[email protected]>
 * @author     Esther Brunner <[email protected]>
 */
class syntax_plugin_info extends DokuWiki_Syntax_Plugin
{

    /**
     * What kind of syntax are we?
     */
    public function getType()
    {
        return 'substition';
    }

    /**
     * What about paragraphs?
     */
    public function getPType()
    {
        return 'block';
    }

    /**
     * Where to sort in?
     */
    public function getSort()
    {
        return 155;
    }


    /**
     * Connect pattern to lexer
     */
    public function connectTo($mode)
    {
        $this->Lexer->addSpecialPattern('~~INFO:\w+~~', $mode, 'plugin_info');
    }

    /**
     * Handle the match
     *
     * @param   string       $match   The text matched by the patterns
     * @param   int          $state   The lexer state for the match
     * @param   int          $pos     The character position of the matched text
     * @param   Doku_Handler $handler The Doku_Handler object
     * @return  array Return an array with all data you want to use in render
     */
    public function handle($match, $state, $pos, Doku_Handler $handler)
    {
        $match = substr($match, 7, -2); //strip ~~INFO: from start and ~~ from end
        return array(strtolower($match));
    }

    /**
     * Create output
     *
     * @param string $format   string     output format being rendered
     * @param Doku_Renderer    $renderer  the current renderer object
     * @param array            $data      data created by handler()
     * @return  boolean                 rendered correctly?
     */
    public function render($format, Doku_Renderer $renderer, $data)
    {
        if ($format == 'xhtml') {
            /** @var Doku_Renderer_xhtml $renderer */
            //handle various info stuff
            switch ($data[0]) {
                case 'syntaxmodes':
                    $renderer->doc .= $this->renderSyntaxModes();
                    break;
                case 'syntaxtypes':
                    $renderer->doc .= $this->renderSyntaxTypes();
                    break;
                case 'syntaxplugins':
                    $this->renderPlugins('syntax', $renderer);
                    break;
                case 'adminplugins':
                    $this->renderPlugins('admin', $renderer);
                    break;
                case 'actionplugins':
                    $this->renderPlugins('action', $renderer);
                    break;
                case 'rendererplugins':
                    $this->renderPlugins('renderer', $renderer);
                    break;
                case 'helperplugins':
                    $this->renderPlugins('helper', $renderer);
                    break;
                case 'authplugins':
                    $this->renderPlugins('auth', $renderer);
                    break;
                case 'remoteplugins':
                    $this->renderPlugins('remote', $renderer);
                    break;
                case 'helpermethods':
                    $this->renderHelperMethods($renderer);
                    break;
                case 'datetime':
                    $renderer->doc .= date('r');
                    break;
                default:
                    $renderer->doc .= "no info about ".htmlspecialchars($data[0]);
            }
            return true;
        }
        return false;
    }

    /**
     * list all installed plugins
     *
     * uses some of the original renderer methods
     *
     * @param string $type
     * @param Doku_Renderer_xhtml $renderer
     */
    protected function renderPlugins($type, Doku_Renderer_xhtml $renderer)
    {
        global $lang;
        $renderer->doc .= '<ul>';

        $plugins = plugin_list($type);
        $plginfo = array();

        // remove subparts
        foreach ($plugins as $p) {
            if (!$po = plugin_load($type, $p)) continue;
            list($name,/* $part */) = explode('_', $p, 2);
            $plginfo[$name] = $po->getInfo();
        }

        // list them
        foreach ($plginfo as $info) {
            $renderer->doc .= '<li><div class="li">';
            $renderer->externallink($info['url'], $info['name']);
            $renderer->doc .= ' ';
            $renderer->doc .= '<em>'.$info['date'].'</em>';
            $renderer->doc .= ' ';
            $renderer->doc .= $lang['by'];
            $renderer->doc .= ' ';
            $renderer->emaillink($info['email'], $info['author']);
            $renderer->doc .= '<br />';
            $renderer->doc .= strtr(hsc($info['desc']), array("\n"=>"<br />"));
            $renderer->doc .= '</div></li>';
            unset($po);
        }

        $renderer->doc .= '</ul>';
    }

    /**
     * list all installed plugins
     *
     * uses some of the original renderer methods
     *
     * @param Doku_Renderer_xhtml $renderer
     */
    protected function renderHelperMethods(Doku_Renderer_xhtml $renderer)
    {
        $plugins = plugin_list('helper');
        foreach ($plugins as $p) {
            if (!$po = plugin_load('helper', $p)) continue;

            if (!method_exists($po, 'getMethods')) continue;
            $methods = $po->getMethods();

            $info = $po->getInfo();

            $hid = $this->addToToc($info['name'], 2, $renderer);
            $doc = '<h2><a name="'.$hid.'" id="'.$hid.'">'.hsc($info['name']).'</a></h2>';
            $doc .= '<div class="level2">';
            $doc .= '<p>'.strtr(hsc($info['desc']), array("\n"=>"<br />")).'</p>';
            $doc .= '<pre class="code">$'.$p." = plugin_load('helper', '".$p."');</pre>";
            $doc .= '</div>';
            foreach ($methods as $method) {
                $title = '$'.$p.'->'.$method['name'].'()';
                $hid = $this->addToToc($title, 3, $renderer);
                $doc .= '<h3><a name="'.$hid.'" id="'.$hid.'">'.hsc($title).'</a></h3>';
                $doc .= '<div class="level3">';
                $doc .= '<div class="table"><table class="inline"><tbody>';
                $doc .= '<tr><th>Description</th><td colspan="2">'.$method['desc'].
                    '</td></tr>';
                if ($method['params']) {
                    $c = count($method['params']);
                    $doc .= '<tr><th rowspan="'.$c.'">Parameters</th><td>';
                    $params = array();
                    foreach ($method['params'] as $desc => $type) {
                        $params[] = hsc($desc).'</td><td>'.hsc($type);
                    }
                    $doc .= join('</td></tr><tr><td>', $params).'</td></tr>';
                }
                if ($method['return']) {
                    $doc .= '<tr><th>Return value</th><td>'.hsc(key($method['return'])).
                        '</td><td>'.hsc(current($method['return'])).'</td></tr>';
                }
                $doc .= '</tbody></table></div>';
                $doc .= '</div>';
            }
            unset($po);

            $renderer->doc .= $doc;
        }
    }

    /**
     * lists all known syntax types and their registered modes
     *
     * @return string
     */
    protected function renderSyntaxTypes()
    {
        global $PARSER_MODES;
        $doc  = '';

        $doc .= '<div class="table"><table class="inline"><tbody>';
        foreach ($PARSER_MODES as $mode => $modes) {
            $doc .= '<tr>';
            $doc .= '<td class="leftalign">';
            $doc .= $mode;
            $doc .= '</td>';
            $doc .= '<td class="leftalign">';
            $doc .= join(', ', $modes);
            $doc .= '</td>';
            $doc .= '</tr>';
        }
        $doc .= '</tbody></table></div>';
        return $doc;
    }

    /**
     * lists all known syntax modes and their sorting value
     *
     * @return string
     */
    protected function renderSyntaxModes()
    {
        $modes = p_get_parsermodes();

        $compactmodes = array();
        foreach ($modes as $mode) {
$collection = json_decode($data, true);
if ( ! is_array($collection)) {
    throw new \RuntimeException('$collection must be an array.');
}

foreach ($collection as $item) { /** ... */ }
            $compactmodes[$mode['sort']][] = $mode['mode'];
        }
        $doc  = '';
        $doc .= '<div class="table"><table class="inline"><tbody>';

        foreach ($compactmodes as $sort => $modes) {
            $rowspan = '';
            if (count($modes) > 1) {
                $rowspan = ' rowspan="'.count($modes).'"';
            }

            foreach ($modes as $index => $mode) {
                $doc .= '<tr>';
                $doc .= '<td class="leftalign">';
                $doc .= $mode;
                $doc .= '</td>';

                if ($index === 0) {
                    $doc .= '<td class="rightalign" '.$rowspan.'>';
                    $doc .= $sort;
                    $doc .= '</td>';
                }
                $doc .= '</tr>';
            }
        }

        $doc .= '</tbody></table></div>';
        return $doc;
    }

    /**
     * Adds a TOC item
     *
     * @param string $text
     * @param int $level
     * @param Doku_Renderer_xhtml $renderer
     * @return string
     */
    protected function addToToc($text, $level, Doku_Renderer_xhtml $renderer)
    {
        global $conf;

        $hid = '';
        if (($level >= $conf['toptoclevel']) && ($level <= $conf['maxtoclevel'])) {
            $hid  = $renderer->_headerToLink($text, true);
            $renderer->toc[] = array(
                'hid'   => $hid,
                'title' => $text,
                'type'  => 'ul',
                'level' => $level - $conf['toptoclevel'] + 1
            );
        }
        return $hid;
    }
}

//Setup VIM: ex: et ts=4 :


1			<?php
2			/**
3			* Info Plugin: Displays information about various DokuWiki internals
4			*
5			* @license GPL 2 (http://www.gnu.org/licenses/gpl.html)
6			* @author Andreas Gohr <[email protected]>
7			* @author Esther Brunner <[email protected]>
8			*/
9			class syntax_plugin_info extends DokuWiki_Syntax_Plugin
10			{
11
12			/**
13			* What kind of syntax are we?
14			*/
15			public function getType()
16			{
17			return 'substition';
18			}
19
20			/**
21			* What about paragraphs?
22			*/
23			public function getPType()
24			{
25			return 'block';
26			}
27
28			/**
29			* Where to sort in?
30			*/
31			public function getSort()
32			{
33			return 155;
34			}
35
36
37			/**
38			* Connect pattern to lexer
39			*/
40			public function connectTo($mode)
41			{
42			$this->Lexer->addSpecialPattern('~~INFO:\w+~~', $mode, 'plugin_info');
43			}
44
45			/**
46			* Handle the match
47			*
48			* @param string $match The text matched by the patterns
49			* @param int $state The lexer state for the match
50			* @param int $pos The character position of the matched text
51			* @param Doku_Handler $handler The Doku_Handler object
52			* @return array Return an array with all data you want to use in render
53			*/
54			public function handle($match, $state, $pos, Doku_Handler $handler)
55			{
56			$match = substr($match, 7, -2); //strip ~~INFO: from start and ~~ from end
57			return array(strtolower($match));
58			}
59
60			/**
61			* Create output
62			*
63			* @param string $format string output format being rendered
64			* @param Doku_Renderer $renderer the current renderer object
65			* @param array $data data created by handler()
66			* @return boolean rendered correctly?
67			*/
68			public function render($format, Doku_Renderer $renderer, $data)
69			{
70			if ($format == 'xhtml') {
71			/** @var Doku_Renderer_xhtml $renderer */
72			//handle various info stuff
73			switch ($data[0]) {
74			case 'syntaxmodes':
75			$renderer->doc .= $this->renderSyntaxModes();
76			break;
77			case 'syntaxtypes':
78			$renderer->doc .= $this->renderSyntaxTypes();
79			break;
80			case 'syntaxplugins':
81			$this->renderPlugins('syntax', $renderer);
82			break;
83			case 'adminplugins':
84			$this->renderPlugins('admin', $renderer);
85			break;
86			case 'actionplugins':
87			$this->renderPlugins('action', $renderer);
88			break;
89			case 'rendererplugins':
90			$this->renderPlugins('renderer', $renderer);
91			break;
92			case 'helperplugins':
93			$this->renderPlugins('helper', $renderer);
94			break;
95			case 'authplugins':
96			$this->renderPlugins('auth', $renderer);
97			break;
98			case 'remoteplugins':
99			$this->renderPlugins('remote', $renderer);
100			break;
101			case 'helpermethods':
102			$this->renderHelperMethods($renderer);
103			break;
104			case 'datetime':
105			$renderer->doc .= date('r');
106			break;
107			default:
108			$renderer->doc .= "no info about ".htmlspecialchars($data[0]);
109			}
110			return true;
111			}
112			return false;
113			}
114
115			/**
116			* list all installed plugins
117			*
118			* uses some of the original renderer methods
119			*
120			* @param string $type
121			* @param Doku_Renderer_xhtml $renderer
122			*/
123			protected function renderPlugins($type, Doku_Renderer_xhtml $renderer)
124			{
125			global $lang;
126			$renderer->doc .= '<ul>';
127
128			$plugins = plugin_list($type);
129			$plginfo = array();
130
131			// remove subparts
132			foreach ($plugins as $p) {
133			if (!$po = plugin_load($type, $p)) continue;
134			list($name,/* $part */) = explode('_', $p, 2);
135			$plginfo[$name] = $po->getInfo();
136			}
137
138			// list them
139			foreach ($plginfo as $info) {
140			$renderer->doc .= '<li><div class="li">';
141			$renderer->externallink($info['url'], $info['name']);
142			$renderer->doc .= ' ';
143			$renderer->doc .= '<em>'.$info['date'].'</em>';
144			$renderer->doc .= ' ';
145			$renderer->doc .= $lang['by'];
146			$renderer->doc .= ' ';
147			$renderer->emaillink($info['email'], $info['author']);
148			$renderer->doc .= '<br />';
149			$renderer->doc .= strtr(hsc($info['desc']), array("\n"=>"<br />"));
150			$renderer->doc .= '</div></li>';
151			unset($po);
152			}
153
154			$renderer->doc .= '</ul>';
155			}
156
157			/**
158			* list all installed plugins
159			*
160			* uses some of the original renderer methods
161			*
162			* @param Doku_Renderer_xhtml $renderer
163			*/
164			protected function renderHelperMethods(Doku_Renderer_xhtml $renderer)
165			{
166			$plugins = plugin_list('helper');
167			foreach ($plugins as $p) {
168			if (!$po = plugin_load('helper', $p)) continue;
169
170			if (!method_exists($po, 'getMethods')) continue;
171			$methods = $po->getMethods();
			0 ignored issues – show Bug introduced 2018-06-15 15:40 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `getMethods()` does not seem to exist on `object<dokuwiki\Extension\PluginInterface>`. This check looks for calls to methods that do not seem to exist on a given type. It looks for the method on the type itself as well as in inherited classes or implemented interfaces. This is most likely a typographical error or the method has been renamed. Loading history...
172			$info = $po->getInfo();
173
174			$hid = $this->addToToc($info['name'], 2, $renderer);
175			$doc = '<h2><a name="'.$hid.'" id="'.$hid.'">'.hsc($info['name']).'</a></h2>';
176			$doc .= '<div class="level2">';
177			$doc .= '<p>'.strtr(hsc($info['desc']), array("\n"=>"<br />")).'</p>';
178			$doc .= '<pre class="code">$'.$p." = plugin_load('helper', '".$p."');</pre>";
179			$doc .= '</div>';
180			foreach ($methods as $method) {
181			$title = '$'.$p.'->'.$method['name'].'()';
182			$hid = $this->addToToc($title, 3, $renderer);
183			$doc .= '<h3><a name="'.$hid.'" id="'.$hid.'">'.hsc($title).'</a></h3>';
184			$doc .= '<div class="level3">';
185			$doc .= '<div class="table"><table class="inline"><tbody>';
186			$doc .= '<tr><th>Description</th><td colspan="2">'.$method['desc'].
187			'</td></tr>';
188			if ($method['params']) {
189			$c = count($method['params']);
190			$doc .= '<tr><th rowspan="'.$c.'">Parameters</th><td>';
191			$params = array();
192			foreach ($method['params'] as $desc => $type) {
193			$params[] = hsc($desc).'</td><td>'.hsc($type);
194			}
195			$doc .= join('</td></tr><tr><td>', $params).'</td></tr>';
196			}
197			if ($method['return']) {
198			$doc .= '<tr><th>Return value</th><td>'.hsc(key($method['return'])).
199			'</td><td>'.hsc(current($method['return'])).'</td></tr>';
200			}
201			$doc .= '</tbody></table></div>';
202			$doc .= '</div>';
203			}
204			unset($po);
205
206			$renderer->doc .= $doc;
207			}
208			}
209
210			/**
211			* lists all known syntax types and their registered modes
212			*
213			* @return string
214			*/
215			protected function renderSyntaxTypes()
216			{
217			global $PARSER_MODES;
218			$doc = '';
219
220			$doc .= '<div class="table"><table class="inline"><tbody>';
221			foreach ($PARSER_MODES as $mode => $modes) {
222			$doc .= '<tr>';
223			$doc .= '<td class="leftalign">';
224			$doc .= $mode;
225			$doc .= '</td>';
226			$doc .= '<td class="leftalign">';
227			$doc .= join(', ', $modes);
228			$doc .= '</td>';
229			$doc .= '</tr>';
230			}
231			$doc .= '</tbody></table></div>';
232			return $doc;
233			}
234
235			/**
236			* lists all known syntax modes and their sorting value
237			*
238			* @return string
239			*/
240			protected function renderSyntaxModes()
241			{
242			$modes = p_get_parsermodes();
243
244			$compactmodes = array();
245			foreach ($modes as $mode) {
			0 ignored issues – show Bug introduced 2015-11-25 07:06 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `$modes` of type `null\|array` is not guaranteed to be traversable. How about adding an additional type check? There are different options of fixing this problem. If you want to be on the safe side, you can add an additional type-check: $collection = json_decode($data, true); if ( ! is_array($collection)) { throw new \RuntimeException('$collection must be an array.'); } foreach ($collection as $item) { /** ... / } If you are sure that the expression is traversable, you might want to add a doc comment cast* to improve IDE auto-completion and static analysis: /** @var array $collection / $collection = json_decode($data, true); foreach ($collection as $item) { /* .. / } Mark the issue as a false-positive*: Just hover the remove button, in the top-right corner of this issue for more options. Loading history...
246			$compactmodes[$mode['sort']][] = $mode['mode'];
247			}
248			$doc = '';
249			$doc .= '<div class="table"><table class="inline"><tbody>';
250
251			foreach ($compactmodes as $sort => $modes) {
252			$rowspan = '';
253			if (count($modes) > 1) {
254			$rowspan = ' rowspan="'.count($modes).'"';
255			}
256
257			foreach ($modes as $index => $mode) {
258			$doc .= '<tr>';
259			$doc .= '<td class="leftalign">';
260			$doc .= $mode;
261			$doc .= '</td>';
262
263			if ($index === 0) {
264			$doc .= '<td class="rightalign" '.$rowspan.'>';
265			$doc .= $sort;
266			$doc .= '</td>';
267			}
268			$doc .= '</tr>';
269			}
270			}
271
272			$doc .= '</tbody></table></div>';
273			return $doc;
274			}
275
276			/**
277			* Adds a TOC item
278			*
279			* @param string $text
280			* @param int $level
281			* @param Doku_Renderer_xhtml $renderer
282			* @return string
283			*/
284			protected function addToToc($text, $level, Doku_Renderer_xhtml $renderer)
285			{
286			global $conf;
287
288			$hid = '';
289			if (($level >= $conf['toptoclevel']) && ($level <= $conf['maxtoclevel'])) {
290			$hid = $renderer->_headerToLink($text, true);
291			$renderer->toc[] = array(
292			'hid' => $hid,
293			'title' => $text,
294			'type' => 'ul',
295			'level' => $level - $conf['toptoclevel'] + 1
296			);
297			}
298			return $hid;
299			}
300			}
301
302			//Setup VIM: ex: et ts=4 :
303

splitbrain / dokuwiki

Issues (847)

Security Analysis not enabled

lib/plugins/info/syntax.php (2 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like