Issues in BaseParametersResolver.php (master) - Issues in master - theofidry/LaravelYaml - Measure and Improve Code Quality continuously with Scrutinizer

Issues (17)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

Resolver/BaseParametersResolver.php (3 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

/*
 * This file is part of the LaravelYaml package.
 *
 * (c) Théo FIDRY <[email protected]>
 *
 * For the full copyright and license information, please view the LICENSE
 * file that was distributed with this source code.
 */

namespace Fidry\LaravelYaml\DependencyInjection\Resolver;

use Fidry\LaravelYaml\Exception\DependencyInjection\Resolver\ParameterCircularReferenceException;
use Fidry\LaravelYaml\Exception\DependencyInjection\Resolver\RuntimeException;
use Fidry\LaravelYaml\Exception\Exception;
use Fidry\LaravelYaml\Exception\ParameterNotFoundException;
use Illuminate\Contracts\Config\Repository as ConfigRepository;
use Symfony\Component\ExpressionLanguage\Expression;
use Symfony\Component\ExpressionLanguage\ExpressionLanguage;

/**
 * @author Théo FIDRY <[email protected]>
 */
final class BaseParametersResolver implements ParametersResolverInterface
{
    /**
     * @var ConfigRepository
     */
    private $config;

    /**
     * @var string
     */
    private $defaultValue;

    /**
     * @var ExpressionLanguage|null
     */
    private $expressionLanguage;

    /**
     * @var array|null
     */
    private $parameters;

    /**
     * @var array
     */
    private $resolved = [];

    public function __construct(ConfigRepository $config)
    {
        $this->config = $config;
        $this->defaultValue = spl_object_hash(new \stdClass());
    }

    /**
     * {@inheritdoc}
     *
     * @param array $parameters
     *
     * @return array
     *
     * @throws ParameterCircularReferenceException
     * @throws ParameterNotFoundException
     * @throws Exception
     */
    public function resolve(array $parameters)
    {
        $this->parameters = $parameters;
        foreach ($this->parameters as $key => $value) {
            $resolving = $this->addToResolving([], $key);
            $value = $this->resolveValue($value, $resolving);
            $this->resolved[$key] = $value;
        }

        return $this->resolved;
    }

    /**
     * @param mixed $value
     * @param array $resolving
     *
     * @return mixed
     * @throws ParameterCircularReferenceException
     * @throws ParameterNotFoundException
     */
    private function resolveValue($value, $resolving = [])
    {
        if (is_bool($value) || is_numeric($value)) {
            return $value;
        }

        if (is_array($value)) {
            return $this->resolveArray($value, $resolving);
        }
        
        if ($value instanceof Expression) {
            return $this->getExpressionLanguage()->evaluate($value, array('container' => $this));
        }

        if (is_string($value)) {
            return $this->resolveString($value, $resolving);
        }

        return $value;
    }

    private function resolveArray(array $arrayValue, array $resolving)

    {
        $resolvedValue = [];
        foreach ($arrayValue as $key => $value) {
            $resolvedValue[$key] = $this->resolveValue($value, $resolving);
        }

        return $resolvedValue;
    }

    /**
     * @param $value
     * @param $resolving
     *
     * @return array|mixed
     * @throws ParameterCircularReferenceException
     * @throws ParameterNotFoundException
     */
    private function resolveString($value, array $resolving)
    {
        if (preg_match('/^%([^%\s]+)%$/', $value, $match)) {
            $key = $match[1];
            $resolving = $this->addToResolving($resolving, $key);
            return $this->resolveStringKey($key, $resolving);
        }
        $self = $this;
        return preg_replace_callback(
            '/%%|%([^%\s]+)%/',
            function ($match) use ($self, $resolving, $value) {
                // skip %%
                if (false === isset($match[1])) {
                    return '%';
                }
                $key = $match[1];
                $resolving = $this->addToResolving($resolving, $key);
$x = 1;
$callable = function() use ($x) {
    $x = 2; // Not visible in outer scope. If you would like this, how
            // about using a different variable name than $x?
};

$callable();
var_dump($x); // integer(1)
                return $this->resolveStringKey($key, $resolving);
            },
            $value
        );
    }
    
    /**
     * @param $value
     * @param $resolving
     *
     * @return array|mixed
     * @throws ParameterCircularReferenceException
     * @throws ParameterNotFoundException
     */
    private function resolveStringKey($value, array $resolving)
    {
        if (0 === preg_match('/^%([^%\s]+)%$/', $value, $match)) {
            if (false === array_key_exists($value, $resolving)) {
                return $value;
            }
            $key = $value;
        } else {
            $key = $match[1];
        }
        if (array_key_exists($key, $this->parameters)) {
            return $this->resolveParameter($key, $resolving);
        }
        if ($this->config->has($key)) {
            return $this->config->get($key);
        }

        return $this->resolveEnvironmentValue($key);
    }

    /**
     * @param string $key
     * @param array  $resolving
     *
     * @return array|mixed
     * @throws ParameterCircularReferenceException
     * @throws ParameterNotFoundException
     */
    private function resolveParameter($key, array $resolving)
    {
        if (array_key_exists($key, $this->resolved)) {
            return $this->resolved[$key];
        }

        if (array_key_exists($key, $resolving) && $resolving[$key] >= 10) {
            throw new ParameterCircularReferenceException(
                sprintf(
                    'Circular reference detected for the parameter "%s" while resolving [%s]',
                    $key,
                    implode(', ', array_keys($resolving))
                )
            );
        }
        $resolving = $this->addToResolving($resolving, $key);
        $this->resolved[$key] = $this->resolveValue($this->parameters[$key], $resolving);

        return $this->resolved[$key];
    }

    /**
     * @param string $key
     *
     * @return string|int|bool|null
     * @throws ParameterNotFoundException
     */
    private function resolveEnvironmentValue($key)

    {
        $environmentKey = strtoupper(str_replace('.', '_', $key));
        $value = env($environmentKey, $this->defaultValue);
        if ($this->defaultValue !== $value) {
            return $value;
        }

        throw new ParameterNotFoundException(sprintf('No parameter "%s" found', $key));
    }

    /**
     * @return ExpressionLanguage
     * @throws RuntimeException
     */
    private function getExpressionLanguage()
    {
        if (null === $this->expressionLanguage) {
            if (!class_exists('Symfony\Component\ExpressionLanguage\ExpressionLanguage')) {
                throw new RuntimeException('Unable to use expressions as the Symfony ExpressionLanguage component is not installed.');
            }
            $this->expressionLanguage = new ExpressionLanguage();
        }

        return $this->expressionLanguage;
    }

    /**
     * @param array  $resolving
     * @param string $key
     *
     * @return array
     */
    private function addToResolving(array $resolving, $key)
    {
        if (array_key_exists($key, $resolving)) {
            $resolving[$key]++;
        } else {
            $resolving[$key] = 1;
        }
        return $resolving;
    }
}


Issues (17)

Security Analysis not enabled

Resolver/BaseParametersResolver.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Change not visible in outer-scope

Change visible in outer-scope

1			<?php
2
3			/*
4			* This file is part of the LaravelYaml package.
5			*
6			* (c) Théo FIDRY <[email protected]>
7			*
8			* For the full copyright and license information, please view the LICENSE
9			* file that was distributed with this source code.
10			*/
11
12			namespace Fidry\LaravelYaml\DependencyInjection\Resolver;
13
14			use Fidry\LaravelYaml\Exception\DependencyInjection\Resolver\ParameterCircularReferenceException;
15			use Fidry\LaravelYaml\Exception\DependencyInjection\Resolver\RuntimeException;
16			use Fidry\LaravelYaml\Exception\Exception;
17			use Fidry\LaravelYaml\Exception\ParameterNotFoundException;
18			use Illuminate\Contracts\Config\Repository as ConfigRepository;
19			use Symfony\Component\ExpressionLanguage\Expression;
20			use Symfony\Component\ExpressionLanguage\ExpressionLanguage;
21
22			/**
23			* @author Théo FIDRY <[email protected]>
24			*/
25			final class BaseParametersResolver implements ParametersResolverInterface
26			{
27			/**
28			* @var ConfigRepository
29			*/
30			private $config;
31
32			/**
33			* @var string
34			*/
35			private $defaultValue;
36
37			/**
38			* @var ExpressionLanguage\|null
39			*/
40			private $expressionLanguage;
41
42			/**
43			* @var array\|null
44			*/
45			private $parameters;
46
47			/**
48			* @var array
49			*/
50			private $resolved = [];
51
52	6		public function __construct(ConfigRepository $config)
53			{
54	6		$this->config = $config;
55	6		$this->defaultValue = spl_object_hash(new \stdClass());
56	6		}
57
58			/**
59			* {@inheritdoc}
60			*
61			* @param array $parameters
62			*
63			* @return array
64			*
65			* @throws ParameterCircularReferenceException
66			* @throws ParameterNotFoundException
67			* @throws Exception
68			*/
69	6		public function resolve(array $parameters)
70			{
71	6		$this->parameters = $parameters;
72	6		foreach ($this->parameters as $key => $value) {
73	6		$resolving = $this->addToResolving([], $key);
74	6		$value = $this->resolveValue($value, $resolving);
75	2		$this->resolved[$key] = $value;
76	1		}
77
78	2		return $this->resolved;
79			}
80
81			/**
82			* @param mixed $value
83			* @param array $resolving
84			*
85			* @return mixed
86			* @throws ParameterCircularReferenceException
87			* @throws ParameterNotFoundException
88			*/
89	6		private function resolveValue($value, $resolving = [])
90			{
91	6		if (is_bool($value) \|\| is_numeric($value)) {
92	2		return $value;
93			}
94
95	6		if (is_array($value)) {
96	2		return $this->resolveArray($value, $resolving);
97			}
98
99	6		if ($value instanceof Expression) {
100			return $this->getExpressionLanguage()->evaluate($value, array('container' => $this));
101			}
102
103	6		if (is_string($value)) {
104	6		return $this->resolveString($value, $resolving);
105			}
106
107	2		return $value;
108			}
109
110	2	View Code Duplication	private function resolveArray(array $arrayValue, array $resolving)
			0 ignored issues – show Duplication introduced 2016-03-06 03:05 UTC by Report Bug Copy Issue Report Show Similar Issues like this This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
111			{
112	2		$resolvedValue = [];
113	2		foreach ($arrayValue as $key => $value) {
114	2		$resolvedValue[$key] = $this->resolveValue($value, $resolving);
115	1		}
116
117	2		return $resolvedValue;
118			}
119
120			/**
121			* @param $value
122			* @param $resolving
123			*
124			* @return array\|mixed
125			* @throws ParameterCircularReferenceException
126			* @throws ParameterNotFoundException
127			*/
128	6		private function resolveString($value, array $resolving)
129			{
130	6		if (preg_match('/^%([^%\s]+)%$/', $value, $match)) {
131	6		$key = $match[1];
132	6		$resolving = $this->addToResolving($resolving, $key);
133	6		return $this->resolveStringKey($key, $resolving);
134			}
135	2		$self = $this;
136	2		return preg_replace_callback(
137	2		'/%%\|%([^%\s]+)%/',
138	2		function ($match) use ($self, $resolving, $value) {
139			// skip %%
140	2		if (false === isset($match[1])) {
141	2		return '%';
142			}
143	2		$key = $match[1];
144	2		$resolving = $this->addToResolving($resolving, $key);
			0 ignored issues – show Bug introduced 2016-04-18 00:00 UTC by Report Bug Copy Issue Report Show Similar Issues like this Consider using a different name than the imported variable `$resolving`, or did you forget to import by reference? It seems like you are assigning to a variable which was imported through a `use` statement which was not imported by reference. For clarity, we suggest to use a different name or import by reference depending on whether you would like to have the change visibile in outer-scope. Change not visible in outer-scope $x = 1; $callable = function() use ($x) { $x = 2; // Not visible in outer scope. If you would like this, how // about using a different variable name than $x? }; $callable(); var_dump($x); // integer(1) Change visible in outer-scope $x = 1; $callable = function() use (&$x) { $x = 2; }; $callable(); var_dump($x); // integer(2) Loading history...
145	2		return $this->resolveStringKey($key, $resolving);
146	2		},
147			$value
148	1		);
149			}
150
151			/**
152			* @param $value
153			* @param $resolving
154			*
155			* @return array\|mixed
156			* @throws ParameterCircularReferenceException
157			* @throws ParameterNotFoundException
158			*/
159	6		private function resolveStringKey($value, array $resolving)
160			{
161	6		if (0 === preg_match('/^%([^%\s]+)%$/', $value, $match)) {
162	6		if (false === array_key_exists($value, $resolving)) {
163			return $value;
164			}
165	6		$key = $value;
166	3		} else {
167			$key = $match[1];
168			}
169	6		if (array_key_exists($key, $this->parameters)) {
170	4		return $this->resolveParameter($key, $resolving);
171			}
172	4		if ($this->config->has($key)) {
173	2		return $this->config->get($key);
174			}
175
176	4		return $this->resolveEnvironmentValue($key);
177			}
178
179			/**
180			* @param string $key
181			* @param array $resolving
182			*
183			* @return array\|mixed
184			* @throws ParameterCircularReferenceException
185			* @throws ParameterNotFoundException
186			*/
187	4		private function resolveParameter($key, array $resolving)
188			{
189	4		if (array_key_exists($key, $this->resolved)) {
190	2		return $this->resolved[$key];
191			}
192
193	4		if (array_key_exists($key, $resolving) && $resolving[$key] >= 10) {
194	2		throw new ParameterCircularReferenceException(
195	1		sprintf(
196	2		'Circular reference detected for the parameter "%s" while resolving [%s]',
197	1		$key,
198	2		implode(', ', array_keys($resolving))
199	1		)
200	1		);
201			}
202	4		$resolving = $this->addToResolving($resolving, $key);
203	4		$this->resolved[$key] = $this->resolveValue($this->parameters[$key], $resolving);
204
205	2		return $this->resolved[$key];
206			}
207
208			/**
209			* @param string $key
210			*
211			* @return string\|int\|bool\|null
212			* @throws ParameterNotFoundException
213			*/
214	4	View Code Duplication	private function resolveEnvironmentValue($key)
			0 ignored issues – show Duplication introduced 2016-03-06 03:05 UTC by Report Bug Copy Issue Report Show Similar Issues like this This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
215			{
216	4		$environmentKey = strtoupper(str_replace('.', '_', $key));
217	4		$value = env($environmentKey, $this->defaultValue);
218	4		if ($this->defaultValue !== $value) {
219	2		return $value;
220			}
221
222	2		throw new ParameterNotFoundException(sprintf('No parameter "%s" found', $key));
223			}
224
225			/**
226			* @return ExpressionLanguage
227			* @throws RuntimeException
228			*/
229			private function getExpressionLanguage()
230			{
231			if (null === $this->expressionLanguage) {
232			if (!class_exists('Symfony\Component\ExpressionLanguage\ExpressionLanguage')) {
233			throw new RuntimeException('Unable to use expressions as the Symfony ExpressionLanguage component is not installed.');
234			}
235			$this->expressionLanguage = new ExpressionLanguage();
236			}
237
238			return $this->expressionLanguage;
239			}
240
241			/**
242			* @param array $resolving
243			* @param string $key
244			*
245			* @return array
246			*/
247	6		private function addToResolving(array $resolving, $key)
248			{
249	6		if (array_key_exists($key, $resolving)) {
250	4		$resolving[$key]++;
251	2		} else {
252	6		$resolving[$key] = 1;
253			}
254	6		return $resolving;
255			}
256			}
257

theofidry / LaravelYaml

Issues (17)

Security Analysis not enabled

Resolver/BaseParametersResolver.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Change not visible in outer-scope

Change visible in outer-scope

Duplication Side-by-Side

Filter issues like