Issues in Hive.php (master) - Issues in master - themainframe/veto - Measure and Improve Code Quality continuously with Scrutinizer

Issues (23)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Configuration/Hive.php (1 issue)

Labels

Bug 1

Severity

Minor 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * Veto.
 * PHP Microframework.
 *
 * @author Damien Walsh <[email protected]>
 * @copyright Damien Walsh 2013-2014
 * @version 0.1
 * @package veto
 */
namespace Veto\Configuration;

use Symfony\Component\Yaml\Parser;
use Veto\Configuration\Exception\ConfigurationException;

/**
 * Hive
 * Implements a configuration hive that can handle loading from YAML config files.
 *
 * @since 0.1
 */
class Hive implements \ArrayAccess
{
    private $values = array();

    /**
     * Load configuration data from a YAML file.
     *
     * @todo Decouple this from the filesystem - make it accept a YAML string or stream instead
     * @throws ConfigurationException
     * @param string $path The path to the YAML configuration file.
     */
    public function load($path)
    {
        $parser = new Parser();
        $configYAML = file_get_contents($path);
        $config = $parser->parse($configYAML);

        // Process any config import directives
        $config = $this->processImports($path, $config);
/**
 * @return array|string
 */
function returnsDifferentValues($x) {
    if ($x) {
        return 'foo';
    }

    return array();
}

$x = returnsDifferentValues($y);
if (is_array($x)) {
    // $x is an array.
}

        // Merge the configuration hive with this file
        $this->merge($config);
    }


    /**
     * Merge an array of data into this tree object.
     * The behaviour is identical to that of array_merge_recursive.
     *
     * @param array $data The data to merge into the tree.
     * @return bool
     */
    public function merge($data)
    {
        $this->values = array_replace_recursive(
            $this->values,
            $data
        );

        return true;
    }

    /**
     * Retrieve the full configuration hive as an array.
     *
     * @return array
     */
    public function all()
    {
        return $this->values;
    }

    /**
     * Whether a offset exists
     *
     * @link http://php.net/manual/en/arrayaccess.offsetexists.php
     * @param mixed $offset
     * @return boolean true on success or false on failure.
     */
    public function offsetExists($offset)
    {
        return array_key_exists($offset, $this->values);
    }

    /**
     * Offset to retrieve
     *
     * @link http://php.net/manual/en/arrayaccess.offsetget.php
     * @param mixed $offset
     * @return mixed Can return all value types.
     */
    public function offsetGet($offset)
    {
        return $this->values[$offset];
    }

    /**
     * Offset to set
     *
     * @link http://php.net/manual/en/arrayaccess.offsetset.php
     * @param mixed $offset
     * @param mixed $value
     * @return void
     */
    public function offsetSet($offset, $value)
    {
        $this->values[$offset] = $value;
    }

    /**
     * Offset to unset
     *
     * @link http://php.net/manual/en/arrayaccess.offsetunset.php
     * @param mixed $offset
     * @return void
     */
    public function offsetUnset($offset)
    {
        unset($this->values[$offset]);
    }

    /**
     * Process any @import directives that occur at the top-level of the configuration array.
     *
     * @param string $basePath The base path used for relative @import directives
     * @param array $config The configuration array being processed
     * @return array
     * @throws ConfigurationException
     */
    private function processImports($basePath, array $config)
    {
        // Process any @import directives
        if (array_key_exists('@import', $config)) {

            if (!is_array($config['@import'])) {
                throw new ConfigurationException(
                    '@import directives must contain an array of configuration file paths.'
                );
            }

            foreach($config['@import'] as $importPath) {
                $importPath = dirname($basePath) . '/' . $importPath;

                if (!file_exists($importPath)) {
                    throw ConfigurationException::missingImportedFile(
                        $importPath,
                        $basePath
                    );
                }

                $this->load($importPath);
            }

            // Do not keep these in the configuration hive
            unset($config['@import']);
        }

        return $config;
    }
}

1			<?php
2			/**
3			* Veto.
4			* PHP Microframework.
5			*
6			* @author Damien Walsh <[email protected]>
7			* @copyright Damien Walsh 2013-2014
8			* @version 0.1
9			* @package veto
10			*/
11			namespace Veto\Configuration;
12
13			use Symfony\Component\Yaml\Parser;
14			use Veto\Configuration\Exception\ConfigurationException;
15
16			/**
17			* Hive
18			* Implements a configuration hive that can handle loading from YAML config files.
19			*
20			* @since 0.1
21			*/
22			class Hive implements \ArrayAccess
23			{
24			private $values = array();
25
26			/**
27			* Load configuration data from a YAML file.
28			*
29			* @todo Decouple this from the filesystem - make it accept a YAML string or stream instead
30			* @throws ConfigurationException
31			* @param string $path The path to the YAML configuration file.
32			*/
33			public function load($path)
34			{
35			$parser = new Parser();
36			$configYAML = file_get_contents($path);
37			$config = $parser->parse($configYAML);
38
39			// Process any config import directives
40			$config = $this->processImports($path, $config);
			0 ignored issues – show Bug introduced 2016-02-15 00:35 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `$config` can also be of type `string`; however, `Veto\Configuration\Hive::processImports()` does only seem to accept `array`, maybe add an additional type check? If a method or function can return multiple different values and unless you are sure that you only can receive a single value in this context, we recommend to add an additional type check: /** * @return array\|string */ function returnsDifferentValues($x) { if ($x) { return 'foo'; } return array(); } $x = returnsDifferentValues($y); if (is_array($x)) { // $x is an array. } If this a common case that PHP Analyzer should handle natively, please let us know by opening an issue. Loading history...
41
42			// Merge the configuration hive with this file
43			$this->merge($config);
44			}
45
46
47			/**
48			* Merge an array of data into this tree object.
49			* The behaviour is identical to that of array_merge_recursive.
50			*
51			* @param array $data The data to merge into the tree.
52			* @return bool
53			*/
54			public function merge($data)
55			{
56			$this->values = array_replace_recursive(
57			$this->values,
58			$data
59			);
60
61			return true;
62			}
63
64			/**
65			* Retrieve the full configuration hive as an array.
66			*
67			* @return array
68			*/
69			public function all()
70			{
71			return $this->values;
72			}
73
74			/**
75			* Whether a offset exists
76			*
77			* @link http://php.net/manual/en/arrayaccess.offsetexists.php
78			* @param mixed $offset
79			* @return boolean true on success or false on failure.
80			*/
81			public function offsetExists($offset)
82			{
83			return array_key_exists($offset, $this->values);
84			}
85
86			/**
87			* Offset to retrieve
88			*
89			* @link http://php.net/manual/en/arrayaccess.offsetget.php
90			* @param mixed $offset
91			* @return mixed Can return all value types.
92			*/
93			public function offsetGet($offset)
94			{
95			return $this->values[$offset];
96			}
97
98			/**
99			* Offset to set
100			*
101			* @link http://php.net/manual/en/arrayaccess.offsetset.php
102			* @param mixed $offset
103			* @param mixed $value
104			* @return void
105			*/
106			public function offsetSet($offset, $value)
107			{
108			$this->values[$offset] = $value;
109			}
110
111			/**
112			* Offset to unset
113			*
114			* @link http://php.net/manual/en/arrayaccess.offsetunset.php
115			* @param mixed $offset
116			* @return void
117			*/
118			public function offsetUnset($offset)
119			{
120			unset($this->values[$offset]);
121			}
122
123			/**
124			* Process any @import directives that occur at the top-level of the configuration array.
125			*
126			* @param string $basePath The base path used for relative @import directives
127			* @param array $config The configuration array being processed
128			* @return array
129			* @throws ConfigurationException
130			*/
131			private function processImports($basePath, array $config)
132			{
133			// Process any @import directives
134			if (array_key_exists('@import', $config)) {
135
136			if (!is_array($config['@import'])) {
137			throw new ConfigurationException(
138			'@import directives must contain an array of configuration file paths.'
139			);
140			}
141
142			foreach($config['@import'] as $importPath) {
143			$importPath = dirname($basePath) . '/' . $importPath;
144
145			if (!file_exists($importPath)) {
146			throw ConfigurationException::missingImportedFile(
147			$importPath,
148			$basePath
149			);
150			}
151
152			$this->load($importPath);
153			}
154
155			// Do not keep these in the configuration hive
156			unset($config['@import']);
157			}
158
159			return $config;
160			}
161			}

themainframe / veto

Issues (23)

Security Analysis no request data

src/Configuration/Hive.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like