Issues in AbstractSwiftTwigMailTemplate.php (5.0) - Issues in 5.0 - thecodingmachine/swift-twig-mail-template - Measure and Improve Code Quality continuously with Scrutinizer

Issues (2)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/AbstractSwiftTwigMailTemplate.php (1 issue)

Labels

Unused Code 1

Severity

Minor 1

David Négrier 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace TheCodingMachine\Mail\Template;

use TheCodingMachine\Mail\SwiftMailTemplate;

abstract class AbstractSwiftTwigMailTemplate implements SwiftMailTemplate
{
    /**
     * @var \Twig_Environment
     */
    protected $twigEnvironment;

    /**
     * @var string|array
     */
    protected $fromAddresses;

    /**
     * @var string
     */
    protected $fromName = null;

    /**
     * @var string|array
     */
    protected $toAddresses;

    /**
     * @var string
     */
    protected $toName = null;

    /**
     * @var string|array
     */
    protected $bccAddresses;

    /**
     * @var string
     */
    protected $bccName = null;

    /**
     * @var string|array
     */
    protected $ccAddresses;

    /**
     * @var string
     */
    protected $ccName = null;

    /**
     * @var string|array
     */
    protected $replyToAddresses;

    /**
     * @var string
     */
    protected $replyToName = null;

    /**
     * @var int
     */
    protected $maxLineLength = 1000;

    /**
     * @var int
     */
    protected $priority;

    /**
     * @var string
     */
    protected $readReceiptTo;

    /**
     * @var string
     */
    protected $returnPath;

    /**
     * SwiftTwigMailGenerator constructor.
     *
     * @param \Twig_Environment $twig_Environment
     */
    public function __construct(\Twig_Environment $twig_Environment)
    {
        $this->twigEnvironment = $twig_Environment;
    }

    /**
     * @return \Twig_Template|\Twig_TemplateInterface
     */
    abstract public function getTemplate();

    /**
     * @param array $data
     *
     * @return \Swift_Message
     */
    public function renderMail(array $data = []) :\Swift_Message
    {
        $mail = new \Swift_Message();

        if (!$this->twigEnvironment->hasExtension(TwigMailExtension::class)) {
            $this->twigEnvironment->addExtension(new TwigMailExtension());
        }

        $twigMailExtension = $this->twigEnvironment->getExtension(TwigMailExtension::class);
        /* @var $twigMailExtension TwigMailExtension */

        $twigMailExtension->pushMessage($mail);

        $template = $this->getTemplate();
        $context = $this->twigEnvironment->mergeGlobals($data);

        if (!$template->hasBlock('subject', $context) || (!$template->hasBlock('body_html', $context) && !$template->hasBlock('body_text', $context))) {
            throw MissingBlockException::missingBlock($template->getBlockNames($context, []));
        }

        $subject = $template->renderBlock('subject', $data);
        $mail->setSubject($subject);

        if ($template->hasBlock('body_html', $context)) {
            $bodyHtml = $template->renderBlock('body_html', $data);
            if (!$template->hasBlock('body_text', $context)) {
                $bodyText = $this->removeHtml($bodyHtml);
            } else {
                $bodyText = $template->renderBlock('body_text', $data);
            }

            $mail->setBody($bodyHtml, 'text/html');
            $mail->addPart($bodyText, 'text/plain');
        } else {
            $bodyText = $template->renderBlock('body_text', $data);

            $mail->setBody($bodyText, 'text/plain');
        }

        if( $this->fromAddresses) {
            $mail->setFrom($this->fromAddresses, $this->fromName);
            $mail->setSender($this->fromAddresses, $this->fromName);
        }
        if( $this->toAddresses) {
            $mail->setTo($this->toAddresses, $this->toName);
        }
        if( $this->bccAddresses) {
            $mail->setBcc($this->bccAddresses, $this->bccName);
        }
        if( $this->ccAddresses) {
            $mail->setCc($this->ccAddresses, $this->ccName);
        }
        if( $this->replyToAddresses) {
            $mail->setReplyTo($this->replyToAddresses, $this->replyToName);
        }
        if( $this->maxLineLength) {
            $mail->setMaxLineLength($this->maxLineLength);
        }
        if( $this->priority) {
            $mail->setPriority($this->priority);
        }
        if( $this->readReceiptTo) {
            $mail->setReadReceiptTo($this->readReceiptTo);
        }
        if( $this->returnPath) {
            $mail->setReturnPath($this->returnPath);
        }

        $twigMailExtension->popMessage($mail);


        return $mail;
    }

    /**
     * @param array|string $fromAddresses
     */
    public function setFromAddresses($fromAddresses)
    {
        $this->fromAddresses = $fromAddresses;
    }

    /**
     * @param string $fromName
     */
    public function setFromName($fromName)
    {
        $this->fromName = $fromName;
    }

    /**
     * @param array|string $toAddresses
     */
    public function setToAddresses($toAddresses)
    {
        $this->toAddresses = $toAddresses;
    }

    /**
     * @param string $toName
     */
    public function setToName($toName)
    {
        $this->toName = $toName;
    }

    /**
     * @param array|string $bccAddresses
     */
    public function setBccAddresses($bccAddresses)
    {
        $this->bccAddresses = $bccAddresses;
    }

    /**
     * @param string $bccName
     */
    public function setBccName($bccName)
    {
        $this->bccName = $bccName;
    }

    /**
     * @param array|string $ccAddresses
     */
    public function setCcAddresses($ccAddresses)
    {
        $this->ccAddresses = $ccAddresses;
    }

    /**
     * @param string $ccName
     */
    public function setCcName($ccName)
    {
        $this->ccName = $ccName;
    }

    /**
     * @param array|string $replyToAddresses
     */
    public function setReplyToAddresses($replyToAddresses)
    {
        $this->replyToAddresses = $replyToAddresses;
    }

    /**
     * @param string $replyToName
     */
    public function setReplyToName($replyToName)
    {
        $this->replyToName = $replyToName;
    }

    /**
     * @param int $maxLineLength
     */
    public function setMaxLineLength($maxLineLength)
    {
        $this->maxLineLength = $maxLineLength;
    }

    /**
     * @param int $priority
     */
    public function setPriority($priority)
    {
        $this->priority = $priority;
    }

    /**
     * @param string $readReceiptTo
     */
    public function setReadReceiptTo($readReceiptTo)
    {
        $this->readReceiptTo = $readReceiptTo;
    }

    /**
     * @param string $returnPath
     */
    public function setReturnPath($returnPath)
    {
        $this->returnPath = $returnPath;
    }

    /**
     * Removes the HTML tags from the text.
     *
     * @param string $s
     * @param string $keep   The list of tags to keep
     * @param string $expand The list of tags to remove completely, along their content
     */
    private function removeHtml(string $s, string $keep = '', string $expand = 'script|style|noframes|select|option') :string
    {
        /**///prep the string
        $s = ' '.$s;

        /**///initialize keep tag logic
        if (strlen($keep) > 0) {
            $k = explode('|', $keep);
            $s = $this->keepTag($s, $k, '<', '[{(');
        }
        //begin removal
        /**///remove comment blocks
        $s = $this->removeElement($s, '<!--', '-->');

        /**///remove tags with content between them
        if (strlen($expand) > 0) {
            $e = explode('|', $expand);
            $count = count($e);
            $pos = [];
            $len = [];
            for ($i = 0;$i < $count;++$i) {
                while (stripos($s, '<'.$e[$i]) > 0) {
                    $len[1] = strlen('<'.$e[$i]);
                    $pos[1] = stripos($s, '<'.$e[$i]);
                    $pos[2] = stripos($s, $e[$i].'>', $pos[1] + $len[1]);
                    $len[2] = $pos[2] - $pos[1] + $len[1];
                    $x = substr($s, $pos[1], $len[2]);
                    $s = str_replace($x, '', $s);
                }
            }
        }

        /**///remove remaining tags
        $s = $this->removeElement($s, '<', '>');

        /**///finalize keep tag
        if (isset($k)) {
            $s = $this->keepTag($s, $k, '[{(', '<');
        }

        return trim($s);
    }

    /**
     * @param string $s
     * @param string $openTag
     * @param string $closeTag
     *
     * @return mixed|string
     */
    private function removeElement(string $s, string $openTag, string $closeTag)
    {
        $pos = [];
        $len = [];
        while (stripos($s, $openTag) > 0) {
            $pos[1] = stripos($s, $openTag);
            $pos[2] = stripos($s, $closeTag, $pos[1]);
            $len[1] = $pos[2] - $pos[1] + 1;
            $x = substr($s, $pos[1], $len[1]);
            $s = str_replace($x, '', $s);
        }

        return $s;
    }

    /**
     * @param string $s
     * @param array  $tagToKeep
     * @param string $initial
     * @param string $finalize
     *
     * @return string
     */
    private function keepTag(string $s, array $tagToKeep, string $initial, string $finalize):string
    {
        $count = count($tagToKeep);
        for ($i = 0;$i < $count;++$i) {
            $s = str_replace($initial.$tagToKeep[$i], $finalize.$tagToKeep[$i], $s);
            $s = str_replace($initial.'/'.$tagToKeep[$i], $finalize.'/'.$tagToKeep[$i], $s);
        }

        return $s;
    }
}

1			<?php
2
3			namespace TheCodingMachine\Mail\Template;
4
5			use TheCodingMachine\Mail\SwiftMailTemplate;
6
7			abstract class AbstractSwiftTwigMailTemplate implements SwiftMailTemplate
8			{
9			/**
10			* @var \Twig_Environment
11			*/
12			protected $twigEnvironment;
13
14			/**
15			* @var string\|array
16			*/
17			protected $fromAddresses;
18
19			/**
20			* @var string
21			*/
22			protected $fromName = null;
23
24			/**
25			* @var string\|array
26			*/
27			protected $toAddresses;
28
29			/**
30			* @var string
31			*/
32			protected $toName = null;
33
34			/**
35			* @var string\|array
36			*/
37			protected $bccAddresses;
38
39			/**
40			* @var string
41			*/
42			protected $bccName = null;
43
44			/**
45			* @var string\|array
46			*/
47			protected $ccAddresses;
48
49			/**
50			* @var string
51			*/
52			protected $ccName = null;
53
54			/**
55			* @var string\|array
56			*/
57			protected $replyToAddresses;
58
59			/**
60			* @var string
61			*/
62			protected $replyToName = null;
63
64			/**
65			* @var int
66			*/
67			protected $maxLineLength = 1000;
68
69			/**
70			* @var int
71			*/
72			protected $priority;
73
74			/**
75			* @var string
76			*/
77			protected $readReceiptTo;
78
79			/**
80			* @var string
81			*/
82			protected $returnPath;
83
84			/**
85			* SwiftTwigMailGenerator constructor.
86			*
87			* @param \Twig_Environment $twig_Environment
88			*/
89			public function __construct(\Twig_Environment $twig_Environment)
90			{
91			$this->twigEnvironment = $twig_Environment;
92			}
93
94			/**
95			* @return \Twig_Template\|\Twig_TemplateInterface
96			*/
97			abstract public function getTemplate();
98
99			/**
100			* @param array $data
101			*
102			* @return \Swift_Message
103			*/
104			public function renderMail(array $data = []) :\Swift_Message
105			{
106			$mail = new \Swift_Message();
107
108			if (!$this->twigEnvironment->hasExtension(TwigMailExtension::class)) {
109			$this->twigEnvironment->addExtension(new TwigMailExtension());
110			}
111
112			$twigMailExtension = $this->twigEnvironment->getExtension(TwigMailExtension::class);
113			/* @var $twigMailExtension TwigMailExtension */
114
115			$twigMailExtension->pushMessage($mail);
116
117			$template = $this->getTemplate();
118			$context = $this->twigEnvironment->mergeGlobals($data);
119
120			if (!$template->hasBlock('subject', $context) \|\| (!$template->hasBlock('body_html', $context) && !$template->hasBlock('body_text', $context))) {
121			throw MissingBlockException::missingBlock($template->getBlockNames($context, []));
122			}
123
124			$subject = $template->renderBlock('subject', $data);
125			$mail->setSubject($subject);
126
127			if ($template->hasBlock('body_html', $context)) {
128			$bodyHtml = $template->renderBlock('body_html', $data);
129			if (!$template->hasBlock('body_text', $context)) {
130			$bodyText = $this->removeHtml($bodyHtml);
131			} else {
132			$bodyText = $template->renderBlock('body_text', $data);
133			}
134
135			$mail->setBody($bodyHtml, 'text/html');
136			$mail->addPart($bodyText, 'text/plain');
137			} else {
138			$bodyText = $template->renderBlock('body_text', $data);
139
140			$mail->setBody($bodyText, 'text/plain');
141			}
142
143			if( $this->fromAddresses) {
144			$mail->setFrom($this->fromAddresses, $this->fromName);
145			$mail->setSender($this->fromAddresses, $this->fromName);
146			}
147			if( $this->toAddresses) {
148			$mail->setTo($this->toAddresses, $this->toName);
149			}
150			if( $this->bccAddresses) {
151			$mail->setBcc($this->bccAddresses, $this->bccName);
152			}
153			if( $this->ccAddresses) {
154			$mail->setCc($this->ccAddresses, $this->ccName);
155			}
156			if( $this->replyToAddresses) {
157			$mail->setReplyTo($this->replyToAddresses, $this->replyToName);
158			}
159			if( $this->maxLineLength) {
160			$mail->setMaxLineLength($this->maxLineLength);
161			}
162			if( $this->priority) {
163			$mail->setPriority($this->priority);
164			}
165			if( $this->readReceiptTo) {
166			$mail->setReadReceiptTo($this->readReceiptTo);
167			}
168			if( $this->returnPath) {
169			$mail->setReturnPath($this->returnPath);
170			}
171
172			$twigMailExtension->popMessage($mail);
			0 ignored issues – show Unused Code introduced 2017-10-06 15:16 UTC by Report Bug Copy Issue Report Show Similar Issues like this The call to `TwigMailExtension::popMessage()` has too many arguments starting with `$mail`. This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue. If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress. In this case you can add the `@ignore` PhpDoc annotation to the duplicate definition and it will be ignored. Loading history...
173
174			return $mail;
175			}
176
177			/**
178			* @param array\|string $fromAddresses
179			*/
180			public function setFromAddresses($fromAddresses)
181			{
182			$this->fromAddresses = $fromAddresses;
183			}
184
185			/**
186			* @param string $fromName
187			*/
188			public function setFromName($fromName)
189			{
190			$this->fromName = $fromName;
191			}
192
193			/**
194			* @param array\|string $toAddresses
195			*/
196			public function setToAddresses($toAddresses)
197			{
198			$this->toAddresses = $toAddresses;
199			}
200
201			/**
202			* @param string $toName
203			*/
204			public function setToName($toName)
205			{
206			$this->toName = $toName;
207			}
208
209			/**
210			* @param array\|string $bccAddresses
211			*/
212			public function setBccAddresses($bccAddresses)
213			{
214			$this->bccAddresses = $bccAddresses;
215			}
216
217			/**
218			* @param string $bccName
219			*/
220			public function setBccName($bccName)
221			{
222			$this->bccName = $bccName;
223			}
224
225			/**
226			* @param array\|string $ccAddresses
227			*/
228			public function setCcAddresses($ccAddresses)
229			{
230			$this->ccAddresses = $ccAddresses;
231			}
232
233			/**
234			* @param string $ccName
235			*/
236			public function setCcName($ccName)
237			{
238			$this->ccName = $ccName;
239			}
240
241			/**
242			* @param array\|string $replyToAddresses
243			*/
244			public function setReplyToAddresses($replyToAddresses)
245			{
246			$this->replyToAddresses = $replyToAddresses;
247			}
248
249			/**
250			* @param string $replyToName
251			*/
252			public function setReplyToName($replyToName)
253			{
254			$this->replyToName = $replyToName;
255			}
256
257			/**
258			* @param int $maxLineLength
259			*/
260			public function setMaxLineLength($maxLineLength)
261			{
262			$this->maxLineLength = $maxLineLength;
263			}
264
265			/**
266			* @param int $priority
267			*/
268			public function setPriority($priority)
269			{
270			$this->priority = $priority;
271			}
272
273			/**
274			* @param string $readReceiptTo
275			*/
276			public function setReadReceiptTo($readReceiptTo)
277			{
278			$this->readReceiptTo = $readReceiptTo;
279			}
280
281			/**
282			* @param string $returnPath
283			*/
284			public function setReturnPath($returnPath)
285			{
286			$this->returnPath = $returnPath;
287			}
288
289			/**
290			* Removes the HTML tags from the text.
291			*
292			* @param string $s
293			* @param string $keep The list of tags to keep
294			* @param string $expand The list of tags to remove completely, along their content
295			*/
296			private function removeHtml(string $s, string $keep = '', string $expand = 'script\|style\|noframes\|select\|option') :string
297			{
298			/**///prep the string
299			$s = ' '.$s;
300
301			/**///initialize keep tag logic
302			if (strlen($keep) > 0) {
303			$k = explode('\|', $keep);
304			$s = $this->keepTag($s, $k, '<', '[{(');
305			}
306			//begin removal
307			/**///remove comment blocks
308			$s = $this->removeElement($s, '<!--', '-->');
309
310			/**///remove tags with content between them
311			if (strlen($expand) > 0) {
312			$e = explode('\|', $expand);
313			$count = count($e);
314			$pos = [];
315			$len = [];
316			for ($i = 0;$i < $count;++$i) {
317			while (stripos($s, '<'.$e[$i]) > 0) {
318			$len[1] = strlen('<'.$e[$i]);
319			$pos[1] = stripos($s, '<'.$e[$i]);
320			$pos[2] = stripos($s, $e[$i].'>', $pos[1] + $len[1]);
321			$len[2] = $pos[2] - $pos[1] + $len[1];
322			$x = substr($s, $pos[1], $len[2]);
323			$s = str_replace($x, '', $s);
324			}
325			}
326			}
327
328			/**///remove remaining tags
329			$s = $this->removeElement($s, '<', '>');
330
331			/**///finalize keep tag
332			if (isset($k)) {
333			$s = $this->keepTag($s, $k, '[{(', '<');
334			}
335
336			return trim($s);
337			}
338
339			/**
340			* @param string $s
341			* @param string $openTag
342			* @param string $closeTag
343			*
344			* @return mixed\|string
345			*/
346			private function removeElement(string $s, string $openTag, string $closeTag)
347			{
348			$pos = [];
349			$len = [];
350			while (stripos($s, $openTag) > 0) {
351			$pos[1] = stripos($s, $openTag);
352			$pos[2] = stripos($s, $closeTag, $pos[1]);
353			$len[1] = $pos[2] - $pos[1] + 1;
354			$x = substr($s, $pos[1], $len[1]);
355			$s = str_replace($x, '', $s);
356			}
357
358			return $s;
359			}
360
361			/**
362			* @param string $s
363			* @param array $tagToKeep
364			* @param string $initial
365			* @param string $finalize
366			*
367			* @return string
368			*/
369			private function keepTag(string $s, array $tagToKeep, string $initial, string $finalize):string
370			{
371			$count = count($tagToKeep);
372			for ($i = 0;$i < $count;++$i) {
373			$s = str_replace($initial.$tagToKeep[$i], $finalize.$tagToKeep[$i], $s);
374			$s = str_replace($initial.'/'.$tagToKeep[$i], $finalize.'/'.$tagToKeep[$i], $s);
375			}
376
377			return $s;
378			}
379			}

thecodingmachine / swift-twig-mail-template

Issues (2)

Security Analysis no request data

src/AbstractSwiftTwigMailTemplate.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like