Issues (2010)

Security Analysis: not enabled

This project does not seem to handle request data directly; as such, no vulnerable execution paths were found.

  Cross-Site Scripting
Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.
  File Exposure
File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.
  File Manipulation
File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.
  Object Injection
Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.
  Code Injection
Code Injection enables an attacker to execute arbitrary code on the server.
  Response Splitting
Response Splitting can be used to send arbitrary responses.
  File Inclusion
File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.
  Command Injection
Command Injection enables an attacker to inject a shell command that is executed with the privileges of the web server. This can be used to expose sensitive data, or to gain access to your server.
  SQL Injection
SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.
  XPath Injection
XPath Injection enables an attacker to modify which parts of an XML document are read. If that XML document is, for example, used for authentication, this can lead to further vulnerabilities similar to SQL Injection.
  LDAP Injection
LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.
  Header Injection
  Other Vulnerability
This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.
  Regex Injection
Regex Injection enables an attacker to execute arbitrary code in your PHP process.
  XML Injection
XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.
  Variable Injection
Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.
Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

wp-includes/class-wp-post.php (2 issues)


Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis; consider migrating to our new PHP analysis engine instead.

  1 <?php
  2 /**
  3  * Post API: WP_Post class
  4  *
  5  * @package WordPress
  6  * @subpackage Post
  7  * @since 4.4.0
  8  */
  9
 10 /**
 11  * Core class used to implement the WP_Post object.
 12  *
 13  * @since 3.5.0
 14  *
 15  * @property string $page_template
 16  *
 17  * @property-read array  $ancestors
 18  * @property-read int    $post_category
 19  * @property-read string $tag_input
 20  *
 21  */
 22 final class WP_Post {
 23
 24 	/**
 25 	 * Post ID.
 26 	 *
 27 	 * @var int
 28 	 */
 29 	public $ID;
 30
 31 	/**
 32 	 * ID of post author.
 33 	 *
 34 	 * A numeric string, for compatibility reasons.
 35 	 *
 36 	 * @var string
 37 	 */
 38 	public $post_author = 0;
 39
 40 	/**
 41 	 * The post's local publication time.
 42 	 *
 43 	 * @var string
 44 	 */
 45 	public $post_date = '0000-00-00 00:00:00';
 46
 47 	/**
 48 	 * The post's GMT publication time.
 49 	 *
 50 	 * @var string
 51 	 */
 52 	public $post_date_gmt = '0000-00-00 00:00:00';
 53
 54 	/**
 55 	 * The post's content.
 56 	 *
 57 	 * @var string
 58 	 */
 59 	public $post_content = '';
 60
 61 	/**
 62 	 * The post's title.
 63 	 *
 64 	 * @var string
 65 	 */
 66 	public $post_title = '';
 67
 68 	/**
 69 	 * The post's excerpt.
 70 	 *
 71 	 * @var string
 72 	 */
 73 	public $post_excerpt = '';
 74
 75 	/**
 76 	 * The post's status.
 77 	 *
 78 	 * @var string
 79 	 */
 80 	public $post_status = 'publish';
 81
 82 	/**
 83 	 * Whether comments are allowed.
 84 	 *
 85 	 * @var string
 86 	 */
 87 	public $comment_status = 'open';
 88
 89 	/**
 90 	 * Whether pings are allowed.
 91 	 *
 92 	 * @var string
 93 	 */
 94 	public $ping_status = 'open';
 95
 96 	/**
 97 	 * The post's password in plain text.
 98 	 *
 99 	 * @var string
100 	 */
101 	public $post_password = '';
102
103 	/**
104 	 * The post's slug.
105 	 *
106 	 * @var string
107 	 */
108 	public $post_name = '';
109
110 	/**
111 	 * URLs queued to be pinged.
112 	 *
113 	 * @var string
114 	 */
115 	public $to_ping = '';
116
117 	/**
118 	 * URLs that have been pinged.
119 	 *
120 	 * @var string
121 	 */
122 	public $pinged = '';
123
124 	/**
125 	 * The post's local modified time.
126 	 *
127 	 * @var string
128 	 */
129 	public $post_modified = '0000-00-00 00:00:00';
130
131 	/**
132 	 * The post's GMT modified time.
133 	 *
134 	 * @var string
135 	 */
136 	public $post_modified_gmt = '0000-00-00 00:00:00';
137
138 	/**
139 	 * A utility DB field for post content.
140 	 *
141 	 *
142 	 * @var string
143 	 */
144 	public $post_content_filtered = '';
145
146 	/**
147 	 * ID of a post's parent post.
148 	 *
149 	 * @var int
150 	 */
151 	public $post_parent = 0;
152
153 	/**
154 	 * The unique identifier for a post, not necessarily a URL, used as the feed GUID.
155 	 *
156 	 * @var string
157 	 */
158 	public $guid = '';
159
160 	/**
161 	 * A field used for ordering posts.
162 	 *
163 	 * @var int
164 	 */
165 	public $menu_order = 0;
166
167 	/**
168 	 * The post's type, like post or page.
169 	 *
170 	 * @var string
171 	 */
172 	public $post_type = 'post';
173
174 	/**
175 	 * An attachment's mime type.
176 	 *
177 	 * @var string
178 	 */
179 	public $post_mime_type = '';
180
181 	/**
182 	 * Cached comment count.
183 	 *
184 	 * A numeric string, for compatibility reasons.
185 	 *
186 	 * @var string
187 	 */
188 	public $comment_count = 0;
189
190 	/**
191 	 * Stores the post object's sanitization level.
192 	 *
193 	 * Does not correspond to a DB field.
194 	 *
195 	 * @var string
196 	 */
197 	public $filter;
198
199 	/**
200 	 * Retrieve WP_Post instance.
201 	 *
202 	 * @static
203 	 * @access public
204 	 *
205 	 * @global wpdb $wpdb WordPress database abstraction object.
206 	 *
207 	 * @param int $post_id Post ID.
208 	 * @return WP_Post|false Post object, false otherwise.
209 	 */
210 	public static function get_instance( $post_id ) {
211 		global $wpdb;
212
213 		$post_id = (int) $post_id;
214 		if ( ! $post_id )
215 			return false;
216
217 		$_post = wp_cache_get( $post_id, 'posts' );
218
219 		if ( ! $_post ) {
220 			$_post = $wpdb->get_row( $wpdb->prepare( "SELECT * FROM $wpdb->posts WHERE ID = %d LIMIT 1", $post_id ) );
221
222 			if ( ! $_post )
223 				return false;
224
225 			$_post = sanitize_post( $_post, 'raw' );
226 			wp_cache_add( $_post->ID, $_post, 'posts' );
227 		} elseif ( empty( $_post->filter ) ) {
228 			$_post = sanitize_post( $_post, 'raw' );
229 		}
230
231 		return new WP_Post( $_post );
232 	}
233
234 	/**
235 	 * Constructor.
236 	 *
237 	 * @param WP_Post|object $post Post object.
238 	 */
239 	public function __construct( $post ) {
240 		foreach ( get_object_vars( $post ) as $key => $value )
241 			$this->$key = $value;
242 	}
243
244 	/**
245 	 * Isset-er.
246 	 *
247 	 * @param string $key Property to check if set.
248 	 * @return bool
249 	 */
250 	public function __isset( $key ) {
251 		if ( 'ancestors' == $key )
252 			return true;
253
254 		if ( 'page_template' == $key )
255 			return ( 'page' == $this->post_type );
256
257 		if ( 'post_category' == $key )
258 		   return true;
259
260 		if ( 'tags_input' == $key )
261 		   return true;
262
263 		return metadata_exists( 'post', $this->ID, $key );
264 	}
265
266 	/**
267 	 * Getter.
268 	 *
269 	 * @param string $key Key to get.
270 	 * @return mixed
271 	 */
272 	public function __get( $key ) {
273 		if ( 'page_template' == $key && $this->__isset( $key ) ) {
274 			return get_post_meta( $this->ID, '_wp_page_template', true );
275 		}
276
277 		if ( 'post_category' == $key ) {
278 			if ( is_object_in_taxonomy( $this->post_type, 'category' ) )
279 				$terms = get_the_terms( $this, 'category' );
280
281 			if ( empty( $terms ) )
282 				return array();
283
284 			return wp_list_pluck( $terms, 'term_id' );
It seems like $terms, defined by get_the_terms($this, 'category') on line 279, can also be of type object<WP_Error>; however, wp_list_pluck() only seems to accept an array. Consider adding an additional type check.

If a method or function can return multiple different values, and unless you are sure that you can only receive a single value in this context, we recommend adding an additional type check:

/**
 * @return array|string
 */
function returnsDifferentValues($x) {
    if ($x) {
        return 'foo';
    }

    return array();
}

$x = returnsDifferentValues($y);
if (is_array($x)) {
    // $x is an array.
}

If this is a common case that PHP Analyzer should handle natively, please let us know by opening an issue.
285 		}
286
287 		if ( 'tags_input' == $key ) {
288 			if ( is_object_in_taxonomy( $this->post_type, 'post_tag' ) )
289 				$terms = get_the_terms( $this, 'post_tag' );
290
291 			if ( empty( $terms ) )
292 				return array();
293
294 			return wp_list_pluck( $terms, 'name' );
It seems like $terms, defined by get_the_terms($this, 'post_tag') on line 289, can also be of type object<WP_Error>; however, wp_list_pluck() only seems to accept an array. Consider adding an additional type check, as recommended for the identical pattern on line 284 above.
295 		}
296
297 		// Rest of the values need filtering.
298 		if ( 'ancestors' == $key )
299 			$value = get_post_ancestors( $this );
300 		else
301 			$value = get_post_meta( $this->ID, $key, true );
302
303 		if ( $this->filter )
304 			$value = sanitize_post_field( $key, $value, $this->ID, $this->filter );
305
306 		return $value;
307 	}
308
309 	/**
310 	 * {@Missing Summary}
311 	 *
312 	 * @param string $filter Filter.
313 	 * @return self|array|bool|object|WP_Post
314 	 */
315 	public function filter( $filter ) {
316 		if ( $this->filter == $filter )
317 			return $this;
318
319 		if ( $filter == 'raw' )
320 			return self::get_instance( $this->ID );
321
322 		return sanitize_post( $this, $filter );
323 	}
324
325 	/**
326 	 * Convert object to array.
327 	 *
328 	 * @return array Object as array.
329 	 */
330 	public function to_array() {
331 		$post = get_object_vars( $this );
332
333 		foreach ( array( 'ancestors', 'page_template', 'post_category', 'tags_input' ) as $key ) {
334 			if ( $this->__isset( $key ) )
335 				$post[ $key ] = $this->__get( $key );
336 		}
337
338 		return $post;
339 	}
340 }
341