Issues in CompletionCommand.php (master) - Issues in master - stecman/symfony-console-completion - Measure and Improve Code Quality continuously with Scrutinizer

Issues (6)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/CompletionCommand.php (1 issue)

Labels

Severity

Minor 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace Stecman\Component\Symfony\Console\BashCompletion;

use Symfony\Component\Console\Command\Command as SymfonyCommand;
use Symfony\Component\Console\Input\InputDefinition;
use Symfony\Component\Console\Input\InputInterface;
use Symfony\Component\Console\Input\InputOption;
use Symfony\Component\Console\Output\OutputInterface;

class CompletionCommand extends SymfonyCommand
{
    /**
     * @var CompletionHandler
     */
    protected $handler;

    protected function configure()
    {
        $this
            ->setName('_completion')
            ->setDefinition($this->createDefinition())
            ->setDescription('BASH completion hook.')
            ->setHelp(<<<END
To enable BASH completion, run:

    <comment>eval `[program] _completion -g`</comment>.

Or for an alias:

    <comment>eval `[program] _completion -g -p [alias]`</comment>.

END
            );

        // Hide this command from listing if supported
        // Command::setHidden() was not available before Symfony 3.2.0
        if (method_exists($this, 'setHidden')) {
            $this->setHidden(true);
        }
    }

    /**
     * {@inheritdoc}
     */
    public function getNativeDefinition()
    {
        return $this->createDefinition();
    }

    /**
     * Ignore user-defined global options
     *
     * Any global options defined by user-code are meaningless to this command.
     * Options outside of the core defaults are ignored to avoid name and shortcut conflicts.
     */
    public function mergeApplicationDefinition($mergeArgs = true)
    {
        // Get current application options
        $appDefinition = $this->getApplication()->getDefinition();
        $originalOptions = $appDefinition->getOptions();

        // Temporarily replace application options with a filtered list
        $appDefinition->setOptions(
            $this->filterApplicationOptions($originalOptions)
        );

        parent::mergeApplicationDefinition($mergeArgs);

        // Restore original application options
        $appDefinition->setOptions($originalOptions);
    }

    /**
     * Reduce the passed list of options to the core defaults (if they exist)
     *
     * @param InputOption[] $appOptions
     * @return InputOption[]
     */
    protected function filterApplicationOptions(array $appOptions)
    {
        return array_filter($appOptions, function(InputOption $option) {
            static $coreOptions = array(
                'help' => true,
                'quiet' => true,
                'verbose' => true,
                'version' => true,
                'ansi' => true,
                'no-ansi' => true,
                'no-interaction' => true,
            );

            return isset($coreOptions[$option->getName()]);
        });
    }

    protected function execute(InputInterface $input, OutputInterface $output)
    {
        $this->handler = new CompletionHandler($this->getApplication());
        $handler = $this->handler;

        if ($input->getOption('generate-hook')) {
            global $argv;
            $program = $argv[0];

            $factory = new HookFactory();
            $alias = $input->getOption('program');
            $multiple = (bool)$input->getOption('multiple');

            if (!$alias) {
                $alias = basename($program);
            }

            $hook = $factory->generateHook(
                $input->getOption('shell-type') ?: $this->getShellType(),
                $program,
                $alias,
                $multiple
            );

            $output->write($hook, true);
        } else {
            $handler->setContext(new EnvironmentCompletionContext());

            // Get completion results
            $results = $this->runCompletion();

            // Escape results for the current shell
            $shellType = $input->getOption('shell-type') ?: $this->getShellType();

            foreach ($results as &$result) {
                $result = $this->escapeForShell($result, $shellType);
            }

            $output->write($results, true);
        }

        return 0;
    }

    /**
     * Escape each completion result for the specified shell
     *
     * @param string $result - Completion results that should appear in the shell
     * @param string $shellType - Valid shell type from HookFactory
     * @return string
     */
    protected function escapeForShell($result, $shellType)
    {
        switch ($shellType) {
            // BASH requires special escaping for multi-word and special character results
            // This emulates registering completion with`-o filenames`, without side-effects like dir name slashes
            case 'bash':
                $context = $this->handler->getContext();
                $wordStart = substr($context->getRawCurrentWord(), 0, 1);

                if ($wordStart == "'") {
                    // If the current word is single-quoted, escape any single quotes in the result
                    $result = str_replace("'", "\\'", $result);
                } else if ($wordStart == '"') {
                    // If the current word is double-quoted, escape any double quotes in the result
                    $result = str_replace('"', '\\"', $result);
                } else {
                    // Otherwise assume the string is unquoted and word breaks should be escaped
                    $result = preg_replace('/([\s\'"\\\\])/', '\\\\$1', $result);
                }

                // Escape output to prevent special characters being lost when passing results to compgen
                return escapeshellarg($result);

            // No transformation by default
            default:
                return $result;
        }
    }

    /**
     * Run the completion handler and return a filtered list of results
     *
     * @deprecated - This will be removed in 1.0.0 in favour of CompletionCommand::configureCompletion
     *
     * @return string[]
     */
    protected function runCompletion()
    {
        $this->configureCompletion($this->handler);
        return $this->handler->runCompletion();
    }

    /**
     * Configure the CompletionHandler instance before it is run
     *
     * @param CompletionHandler $handler
     */
    protected function configureCompletion(CompletionHandler $handler)

    {
        // Override this method to configure custom value completions
    }

    /**
     * Determine the shell type for use with HookFactory
     *
     * @return string
     */
    protected function getShellType()
    {
        if (!getenv('SHELL')) {
            throw new \RuntimeException('Could not read SHELL environment variable. Please specify your shell type using the --shell-type option.');
        }

        return basename(getenv('SHELL'));
    }

    protected function createDefinition()
    {
        return new InputDefinition(array(
            new InputOption(
                'generate-hook',
                'g',
                InputOption::VALUE_NONE,
                'Generate BASH code that sets up completion for this application.'
            ),
            new InputOption(
                'program',
                'p',
                InputOption::VALUE_REQUIRED,
                "Program name that should trigger completion\n<comment>(defaults to the absolute application path)</comment>."
            ),
            new InputOption(
                'multiple',
                'm',
                InputOption::VALUE_NONE,
                "Generated hook can be used for multiple applications."
            ),
            new InputOption(
                'shell-type',
                null,
                InputOption::VALUE_OPTIONAL,
                'Set the shell type (zsh or bash). Otherwise this is determined automatically.'
            ),
        ));
    }
}


1			<?php
2
3			namespace Stecman\Component\Symfony\Console\BashCompletion;
4
5			use Symfony\Component\Console\Command\Command as SymfonyCommand;
6			use Symfony\Component\Console\Input\InputDefinition;
7			use Symfony\Component\Console\Input\InputInterface;
8			use Symfony\Component\Console\Input\InputOption;
9			use Symfony\Component\Console\Output\OutputInterface;
10
11			class CompletionCommand extends SymfonyCommand
12			{
13			/**
14			* @var CompletionHandler
15			*/
16			protected $handler;
17
18			protected function configure()
19			{
20			$this
21			->setName('_completion')
22			->setDefinition($this->createDefinition())
23			->setDescription('BASH completion hook.')
24			->setHelp(<<<END
25			To enable BASH completion, run:
26
27			<comment>eval `[program] _completion -g`</comment>.
28
29			Or for an alias:
30
31			<comment>eval `[program] _completion -g -p [alias]`</comment>.
32
33			END
34			);
35
36			// Hide this command from listing if supported
37			// Command::setHidden() was not available before Symfony 3.2.0
38			if (method_exists($this, 'setHidden')) {
39			$this->setHidden(true);
40			}
41			}
42
43			/**
44			* {@inheritdoc}
45			*/
46			public function getNativeDefinition()
47			{
48			return $this->createDefinition();
49			}
50
51			/**
52			* Ignore user-defined global options
53			*
54			* Any global options defined by user-code are meaningless to this command.
55			* Options outside of the core defaults are ignored to avoid name and shortcut conflicts.
56			*/
57			public function mergeApplicationDefinition($mergeArgs = true)
58			{
59			// Get current application options
60			$appDefinition = $this->getApplication()->getDefinition();
61			$originalOptions = $appDefinition->getOptions();
62
63			// Temporarily replace application options with a filtered list
64			$appDefinition->setOptions(
65			$this->filterApplicationOptions($originalOptions)
66			);
67
68			parent::mergeApplicationDefinition($mergeArgs);
69
70			// Restore original application options
71			$appDefinition->setOptions($originalOptions);
72			}
73
74			/**
75			* Reduce the passed list of options to the core defaults (if they exist)
76			*
77			* @param InputOption[] $appOptions
78			* @return InputOption[]
79			*/
80			protected function filterApplicationOptions(array $appOptions)
81			{
82			return array_filter($appOptions, function(InputOption $option) {
83			static $coreOptions = array(
84			'help' => true,
85			'quiet' => true,
86			'verbose' => true,
87			'version' => true,
88			'ansi' => true,
89			'no-ansi' => true,
90			'no-interaction' => true,
91			);
92
93			return isset($coreOptions[$option->getName()]);
94			});
95			}
96
97			protected function execute(InputInterface $input, OutputInterface $output)
98			{
99			$this->handler = new CompletionHandler($this->getApplication());
100			$handler = $this->handler;
101
102			if ($input->getOption('generate-hook')) {
103			global $argv;
104			$program = $argv[0];
105
106			$factory = new HookFactory();
107			$alias = $input->getOption('program');
108			$multiple = (bool)$input->getOption('multiple');
109
110			if (!$alias) {
111			$alias = basename($program);
112			}
113
114			$hook = $factory->generateHook(
115			$input->getOption('shell-type') ?: $this->getShellType(),
116			$program,
117			$alias,
118			$multiple
119			);
120
121			$output->write($hook, true);
122			} else {
123			$handler->setContext(new EnvironmentCompletionContext());
124
125			// Get completion results
126			$results = $this->runCompletion();
127
128			// Escape results for the current shell
129			$shellType = $input->getOption('shell-type') ?: $this->getShellType();
130
131			foreach ($results as &$result) {
132			$result = $this->escapeForShell($result, $shellType);
133			}
134
135			$output->write($results, true);
136			}
137
138			return 0;
139			}
140
141			/**
142			* Escape each completion result for the specified shell
143			*
144			* @param string $result - Completion results that should appear in the shell
145			* @param string $shellType - Valid shell type from HookFactory
146			* @return string
147			*/
148			protected function escapeForShell($result, $shellType)
149			{
150			switch ($shellType) {
151			// BASH requires special escaping for multi-word and special character results
152			// This emulates registering completion with`-o filenames`, without side-effects like dir name slashes
153			case 'bash':
154			$context = $this->handler->getContext();
155			$wordStart = substr($context->getRawCurrentWord(), 0, 1);
156
157			if ($wordStart == "'") {
158			// If the current word is single-quoted, escape any single quotes in the result
159			$result = str_replace("'", "\\'", $result);
160			} else if ($wordStart == '"') {
161			// If the current word is double-quoted, escape any double quotes in the result
162			$result = str_replace('"', '\\"', $result);
163			} else {
164			// Otherwise assume the string is unquoted and word breaks should be escaped
165			$result = preg_replace('/([\s\'"\\\\])/', '\\\\$1', $result);
166			}
167
168			// Escape output to prevent special characters being lost when passing results to compgen
169			return escapeshellarg($result);
170
171			// No transformation by default
172			default:
173			return $result;
174			}
175			}
176
177			/**
178			* Run the completion handler and return a filtered list of results
179			*
180			* @deprecated - This will be removed in 1.0.0 in favour of CompletionCommand::configureCompletion
181			*
182			* @return string[]
183			*/
184			protected function runCompletion()
185			{
186			$this->configureCompletion($this->handler);
187			return $this->handler->runCompletion();
188			}
189
190			/**
191			* Configure the CompletionHandler instance before it is run
192			*
193			* @param CompletionHandler $handler
194			*/
195			protected function configureCompletion(CompletionHandler $handler)
			0 ignored issues – show Unused Code introduced 2017-10-21 20:17 UTC by Report Bug Copy Issue Report Show Similar Issues like this The parameter `$handler` is not used and could be removed. This check looks from parameters that have been defined for a function or method, but which are not used in the method body. Loading history...
196			{
197			// Override this method to configure custom value completions
198			}
199
200			/**
201			* Determine the shell type for use with HookFactory
202			*
203			* @return string
204			*/
205			protected function getShellType()
206			{
207			if (!getenv('SHELL')) {
208			throw new \RuntimeException('Could not read SHELL environment variable. Please specify your shell type using the --shell-type option.');
209			}
210
211			return basename(getenv('SHELL'));
212			}
213
214			protected function createDefinition()
215			{
216			return new InputDefinition(array(
217			new InputOption(
218			'generate-hook',
219			'g',
220			InputOption::VALUE_NONE,
221			'Generate BASH code that sets up completion for this application.'
222			),
223			new InputOption(
224			'program',
225			'p',
226			InputOption::VALUE_REQUIRED,
227			"Program name that should trigger completion\n<comment>(defaults to the absolute application path)</comment>."
228			),
229			new InputOption(
230			'multiple',
231			'm',
232			InputOption::VALUE_NONE,
233			"Generated hook can be used for multiple applications."
234			),
235			new InputOption(
236			'shell-type',
237			null,
238			InputOption::VALUE_OPTIONAL,
239			'Set the shell type (zsh or bash). Otherwise this is determined automatically.'
240			),
241			));
242			}
243			}
244

stecman / symfony-console-completion

Issues (6)

Security Analysis no request data

src/CompletionCommand.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like