Issues in Resource.php (master) - Issues in master - tobscure/json-api - Measure and Improve Code Quality continuously with Scrutinizer

Issues (17)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Resource.php (3 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

/*
 * This file is part of JSON-API.
 *
 * (c) Toby Zerner <[email protected]>
 *
 * For the full copyright and license information, please view the LICENSE
 * file that was distributed with this source code.
 */

namespace Tobscure\JsonApi;

class Resource implements ElementInterface
{
    use LinksTrait;
    use MetaTrait;

    /**
     * @var mixed
     */
    protected $data;

    /**
     * @var \Tobscure\JsonApi\SerializerInterface
     */
    protected $serializer;

    /**
     * A list of relationships to include.
     *
     * @var array
     */
    protected $includes = [];

    /**
     * A list of fields to restrict to.
     *
     * @var array|null
     */
    protected $fields;

    /**
     * An array of Resources that should be merged into this one.
     *
     * @var \Tobscure\JsonApi\Resource[]
     */
    protected $merged = [];

    /**
     * @var \Tobscure\JsonApi\Relationship[]
     */
    private $relationships;

    /**
     * @param mixed $data
     * @param \Tobscure\JsonApi\SerializerInterface $serializer
     */
    public function __construct($data, SerializerInterface $serializer)
    {
        $this->data = $data;
        $this->serializer = $serializer;
    }

    /**
     * {@inheritdoc}
     */
    public function getResources()
    {
        return [$this];
    }

    /**
     * {@inheritdoc}
     */
    public function toArray()
    {
        $array = $this->toIdentifier();

        if (! $this->isIdentifier()) {
            $attributes = $this->getAttributes();
            if ($attributes) {

                $array['attributes'] = $attributes;
            }
        }

        $relationships = $this->getRelationshipsAsArray();

        if (count($relationships)) {
            $array['relationships'] = $relationships;
        }

        $links = [];
        if (! empty($this->links)) {
            $links = $this->links;
        }
        $serializerLinks = $this->serializer->getLinks($this->data);
        if (! empty($serializerLinks)) {
            $links = array_merge($serializerLinks, $links);
        }
        if (! empty($links)) {
            $array['links'] = $links;
        }

        $meta = [];
        if (! empty($this->meta)) {
            $meta = $this->meta;
        }
        $serializerMeta = $this->serializer->getMeta($this->data);
        if (! empty($serializerMeta)) {
            $meta = array_merge($serializerMeta, $meta);
        }
        if (! empty($meta)) {
            $array['meta'] = $meta;
        }

        return $array;
    }

    /**
     * Check whether or not this resource is an identifier (i.e. does it have
     * any data attached?).
     *
     * @return bool
     */
    public function isIdentifier()
    {
        return ! is_object($this->data) && ! is_array($this->data);
    }

    /**
     * {@inheritdoc}
     */
    public function toIdentifier()
    {
        if (! $this->data) {
            return;
        }

        $array = [
            'type' => $this->getType(),
            'id' => $this->getId()
        ];

        if (! empty($this->meta)) {
            $array['meta'] = $this->meta;
        }

        return $array;
    }

    /**
     * Get the resource type.
     *
     * @return string
     */
    public function getType()
    {
        return $this->serializer->getType($this->data);
    }

    /**
     * Get the resource ID.
     *
     * @return string
     */
    public function getId()
    {
        if (! is_object($this->data) && ! is_array($this->data)) {
            return (string) $this->data;
        }

        return (string) $this->serializer->getId($this->data);
    }

    /**
     * Get the resource attributes.
     *
     * @return array
     */
    public function getAttributes()
    {
        $attributes = (array) $this->serializer->getAttributes($this->data, $this->getOwnFields());

        $attributes = $this->filterFields($attributes);

        $attributes = $this->mergeAttributes($attributes);

        return $attributes;
    }

    /**
     * Get the requested fields for this resource type.
     *
     * @return array|null
     */
    protected function getOwnFields()
    {
        $type = $this->getType();

        if (isset($this->fields[$type])) {
            return $this->fields[$type];
        }
    }

    /**
     * Filter the given fields array (attributes or relationships) according
     * to the requested fieldset.
     *
     * @param array $fields
     *
     * @return array
     */
    protected function filterFields(array $fields)
    {
        if ($requested = $this->getOwnFields()) {
            $fields = array_intersect_key($fields, array_flip($requested));
        }

        return $fields;
    }

    /**
     * Merge the attributes of merged resources into an array of attributes.
     *
     * @param array $attributes
     *
     * @return array
     */
    protected function mergeAttributes(array $attributes)
    {
        foreach ($this->merged as $resource) {
            $attributes = array_replace_recursive($attributes, $resource->getAttributes());
        }

        return $attributes;
    }

    /**
     * Get the resource relationships.
     *
     * @return \Tobscure\JsonApi\Relationship[]
     */
    public function getRelationships()
    {
        $relationships = $this->buildRelationships();

        return $this->filterFields($relationships);
    }

    /**
     * Get the resource relationships without considering requested ones.
     *
     * @return \Tobscure\JsonApi\Relationship[]
     */
    public function getUnfilteredRelationships()
    {
        return $this->buildRelationships();
    }

    /**
     * Get the resource relationships as an array.
     *
     * @return array
     */
    public function getRelationshipsAsArray()
    {
        $relationships = $this->getRelationships();

        $relationships = $this->convertRelationshipsToArray($relationships);

        return $this->mergeRelationships($relationships);
    }

    /**
     * Get an array of built relationships.
     *
     * @return \Tobscure\JsonApi\Relationship[]
     */
    protected function buildRelationships()
    {
        if (isset($this->relationships)) {
            return $this->relationships;
        }

        $paths = Util::parseRelationshipPaths($this->includes);

        $relationships = [];

        foreach ($paths as $name => $nested) {
            $relationship = $this->serializer->getRelationship($this->data, $name);
class A
{
    function getObject()
    {
        return null;
    }

}

$a = new A();
$object = $a->getObject();

            if ($relationship) {
                $relationshipData = $relationship->getData();
                if ($relationshipData instanceof ElementInterface) {
                    $relationshipData->with($nested)->fields($this->fields);
                }

                $relationships[$name] = $relationship;
            }
        }

        return $this->relationships = $relationships;
    }

    /**
     * Merge the relationships of merged resources into an array of
     * relationships.
     *
     * @param array $relationships
     *
     * @return array
     */
    protected function mergeRelationships(array $relationships)
    {
        foreach ($this->merged as $resource) {
            $relationships = array_replace_recursive($relationships, $resource->getRelationshipsAsArray());
        }

        return $relationships;
    }

    /**
     * Convert the given array of Relationship objects into an array.
     *
     * @param \Tobscure\JsonApi\Relationship[] $relationships
     *
     * @return array
     */
    protected function convertRelationshipsToArray(array $relationships)
    {
        return array_map(function (Relationship $relationship) {
            return $relationship->toArray();
        }, $relationships);
    }

    /**
     * Merge a resource into this one.
     *
     * @param \Tobscure\JsonApi\Resource $resource
     *
     * @return void
     */
    public function merge(Resource $resource)
    {
        $this->merged[] = $resource;
    }

    /**
     * {@inheritdoc}
     */
    public function with($relationships)
    {
        $this->includes = array_unique(array_merge($this->includes, (array) $relationships));

        $this->relationships = null;


        return $this;
    }

    /**
     * {@inheritdoc}
     */
    public function fields($fields)
    {
        $this->fields = $fields;

        return $this;
    }

    /**
     * @return mixed
     */
    public function getData()
    {
        return $this->data;
    }

    /**
     * @param mixed $data
     *
     * @return void
     */
    public function setData($data)
    {
        $this->data = $data;
    }

    /**
     * @return \Tobscure\JsonApi\SerializerInterface
     */
    public function getSerializer()
    {
        return $this->serializer;
    }

    /**
     * @param \Tobscure\JsonApi\SerializerInterface $serializer
     *
     * @return void
     */
    public function setSerializer(SerializerInterface $serializer)
    {
        $this->serializer = $serializer;
    }
}


1		<?php
2
3		/*
4		* This file is part of JSON-API.
5		*
6		* (c) Toby Zerner <[email protected]>
7		*
8		* For the full copyright and license information, please view the LICENSE
9		* file that was distributed with this source code.
10		*/
11
12		namespace Tobscure\JsonApi;
13
14		class Resource implements ElementInterface
15		{
16		use LinksTrait;
17		use MetaTrait;
18
19		/**
20		* @var mixed
21		*/
22		protected $data;
23
24		/**
25		* @var \Tobscure\JsonApi\SerializerInterface
26		*/
27		protected $serializer;
28
29		/**
30		* A list of relationships to include.
31		*
32		* @var array
33		*/
34		protected $includes = [];
35
36		/**
37		* A list of fields to restrict to.
38		*
39		* @var array\|null
40		*/
41		protected $fields;
42
43		/**
44		* An array of Resources that should be merged into this one.
45		*
46		* @var \Tobscure\JsonApi\Resource[]
47		*/
48		protected $merged = [];
49
50		/**
51		* @var \Tobscure\JsonApi\Relationship[]
52		*/
53		private $relationships;
54
55		/**
56		* @param mixed $data
57		* @param \Tobscure\JsonApi\SerializerInterface $serializer
58		*/
59	51	public function __construct($data, SerializerInterface $serializer)
60		{
61	51	$this->data = $data;
62	51	$this->serializer = $serializer;
63	51	}
64
65		/**
66		* {@inheritdoc}
67		*/
68	9	public function getResources()
69		{
70	9	return [$this];
71		}
72
73		/**
74		* {@inheritdoc}
75		*/
76	33	public function toArray()
77		{
78	33	$array = $this->toIdentifier();
79
80	33	if (! $this->isIdentifier()) {
81	33	$attributes = $this->getAttributes();
82	33	if ($attributes) {
		0 ignored issues – show Bug Best Practice introduced 2017-03-04 08:20 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `$attributes` of type `array` is implicitly converted to a boolean; are you sure this is intended? If so, consider using `! empty($expr)` instead to make it clear that you intend to check for an array without elements. This check marks implicit conversions of arrays to boolean values in a comparison. While in PHP an empty array is considered to be equal (but not identical) to false, this is not always apparent. Consider making the comparison explicit by using `empty(..)` or `! empty(...)` instead. Loading history...
83	30	$array['attributes'] = $attributes;
84	30	}
85	33	}
86
87	33	$relationships = $this->getRelationshipsAsArray();
88
89	33	if (count($relationships)) {
90	12	$array['relationships'] = $relationships;
91	12	}
92
93	33	$links = [];
94	33	if (! empty($this->links)) {
95	3	$links = $this->links;
96	3	}
97	33	$serializerLinks = $this->serializer->getLinks($this->data);
98	33	if (! empty($serializerLinks)) {
99	9	$links = array_merge($serializerLinks, $links);
100	9	}
101	33	if (! empty($links)) {
102	9	$array['links'] = $links;
103	9	}
104
105	33	$meta = [];
106	33	if (! empty($this->meta)) {
107	3	$meta = $this->meta;
108	3	}
109	33	$serializerMeta = $this->serializer->getMeta($this->data);
110	33	if (! empty($serializerMeta)) {
111	9	$meta = array_merge($serializerMeta, $meta);
112	9	}
113	33	if (! empty($meta)) {
114	9	$array['meta'] = $meta;
115	9	}
116
117	33	return $array;
118		}
119
120		/**
121		* Check whether or not this resource is an identifier (i.e. does it have
122		* any data attached?).
123		*
124		* @return bool
125		*/
126	33	public function isIdentifier()
127		{
128	33	return ! is_object($this->data) && ! is_array($this->data);
129		}
130
131		/**
132		* {@inheritdoc}
133		*/
134	39	public function toIdentifier()
135		{
136	39	if (! $this->data) {
137	3	return;
138		}
139
140		$array = [
141	39	'type' => $this->getType(),
142	39	'id' => $this->getId()
143	39	];
144
145	39	if (! empty($this->meta)) {
146	6	$array['meta'] = $this->meta;
147	6	}
148
149	39	return $array;
150		}
151
152		/**
153		* Get the resource type.
154		*
155		* @return string
156		*/
157	39	public function getType()
158		{
159	39	return $this->serializer->getType($this->data);
160		}
161
162		/**
163		* Get the resource ID.
164		*
165		* @return string
166		*/
167	45	public function getId()
168		{
169	45	if (! is_object($this->data) && ! is_array($this->data)) {
170	6	return (string) $this->data;
171		}
172
173	42	return (string) $this->serializer->getId($this->data);
174		}
175
176		/**
177		* Get the resource attributes.
178		*
179		* @return array
180		*/
181	33	public function getAttributes()
182		{
183	33	$attributes = (array) $this->serializer->getAttributes($this->data, $this->getOwnFields());
184
185	33	$attributes = $this->filterFields($attributes);
186
187	33	$attributes = $this->mergeAttributes($attributes);
188
189	33	return $attributes;
190		}
191
192		/**
193		* Get the requested fields for this resource type.
194		*
195		* @return array\|null
196		*/
197	33	protected function getOwnFields()
198		{
199	33	$type = $this->getType();
200
201	33	if (isset($this->fields[$type])) {
202	3	return $this->fields[$type];
203		}
204	30	}
205
206		/**
207		* Filter the given fields array (attributes or relationships) according
208		* to the requested fieldset.
209		*
210		* @param array $fields
211		*
212		* @return array
213		*/
214	33	protected function filterFields(array $fields)
215		{
216	33	if ($requested = $this->getOwnFields()) {
217	3	$fields = array_intersect_key($fields, array_flip($requested));
218	3	}
219
220	33	return $fields;
221		}
222
223		/**
224		* Merge the attributes of merged resources into an array of attributes.
225		*
226		* @param array $attributes
227		*
228		* @return array
229		*/
230	33	protected function mergeAttributes(array $attributes)
231		{
232	33	foreach ($this->merged as $resource) {
233	3	$attributes = array_replace_recursive($attributes, $resource->getAttributes());
234	33	}
235
236	33	return $attributes;
237		}
238
239		/**
240		* Get the resource relationships.
241		*
242		* @return \Tobscure\JsonApi\Relationship[]
243		*/
244	33	public function getRelationships()
245		{
246	33	$relationships = $this->buildRelationships();
247
248	33	return $this->filterFields($relationships);
249		}
250
251		/**
252		* Get the resource relationships without considering requested ones.
253		*
254		* @return \Tobscure\JsonApi\Relationship[]
255		*/
256	9	public function getUnfilteredRelationships()
257		{
258	9	return $this->buildRelationships();
259		}
260
261		/**
262		* Get the resource relationships as an array.
263		*
264		* @return array
265		*/
266	33	public function getRelationshipsAsArray()
267		{
268	33	$relationships = $this->getRelationships();
269
270	33	$relationships = $this->convertRelationshipsToArray($relationships);
271
272	33	return $this->mergeRelationships($relationships);
273		}
274
275		/**
276		* Get an array of built relationships.
277		*
278		* @return \Tobscure\JsonApi\Relationship[]
279		*/
280	33	protected function buildRelationships()
281		{
282	33	if (isset($this->relationships)) {
283	12	return $this->relationships;
284		}
285
286	33	$paths = Util::parseRelationshipPaths($this->includes);
287
288	33	$relationships = [];
289
290	33	foreach ($paths as $name => $nested) {
291	12	$relationship = $this->serializer->getRelationship($this->data, $name);
		0 ignored issues – show Bug introduced 2015-12-03 01:15 UTC by Report Bug Copy Issue Report Show Similar Issues like this Are you sure the assignment to `$relationship` is correct as `$this->serializer->getRe...hip($this->data, $name)` (which targets `Tobscure\JsonApi\Seriali...face::getRelationship()`) seems to always return null. This check looks for function or method calls that always return null and whose return value is assigned to a variable. class A { function getObject() { return null; } } $a = new A(); $object = $a->getObject(); The method `getObject()` can return nothing but null, so it makes no sense to assign that value to a variable. The reason is most likely that a function or method is imcomplete or has been reduced for debug purposes. Loading history...
292
293	12	if ($relationship) {
294	12	$relationshipData = $relationship->getData();
295	12	if ($relationshipData instanceof ElementInterface) {
296	12	$relationshipData->with($nested)->fields($this->fields);
297	12	}
298
299	12	$relationships[$name] = $relationship;
300	12	}
301	33	}
302
303	33	return $this->relationships = $relationships;
304		}
305
306		/**
307		* Merge the relationships of merged resources into an array of
308		* relationships.
309		*
310		* @param array $relationships
311		*
312		* @return array
313		*/
314	33	protected function mergeRelationships(array $relationships)
315		{
316	33	foreach ($this->merged as $resource) {
317	3	$relationships = array_replace_recursive($relationships, $resource->getRelationshipsAsArray());
318	33	}
319
320	33	return $relationships;
321		}
322
323		/**
324		* Convert the given array of Relationship objects into an array.
325		*
326		* @param \Tobscure\JsonApi\Relationship[] $relationships
327		*
328		* @return array
329		*/
330		protected function convertRelationshipsToArray(array $relationships)
331		{
332	33	return array_map(function (Relationship $relationship) {
333	12	return $relationship->toArray();
334	33	}, $relationships);
335		}
336
337		/**
338		* Merge a resource into this one.
339		*
340		* @param \Tobscure\JsonApi\Resource $resource
341		*
342		* @return void
343		*/
344	3	public function merge(Resource $resource)
345		{
346	3	$this->merged[] = $resource;
347	3	}
348
349		/**
350		* {@inheritdoc}
351		*/
352	12	public function with($relationships)
353		{
354	12	$this->includes = array_unique(array_merge($this->includes, (array) $relationships));
355
356	12	$this->relationships = null;
		0 ignored issues – show Documentation Bug introduced 2016-11-10 00:18 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `null` of type `null` is incompatible with the declared type `array<integer,object<Tob...\JsonApi\Relationship>>` of property `$relationships`. Our type inference engine has found an assignment to a property that is incompatible with the declared type of that property. Either this assignment is in error or the assigned type should be added to the documentation/type hint for that property.. Loading history...
357
358	12	return $this;
359		}
360
361		/**
362		* {@inheritdoc}
363		*/
364	12	public function fields($fields)
365		{
366	12	$this->fields = $fields;
367
368	12	return $this;
369		}
370
371		/**
372		* @return mixed
373		*/
374		public function getData()
375		{
376		return $this->data;
377		}
378
379		/**
380		* @param mixed $data
381		*
382		* @return void
383		*/
384		public function setData($data)
385		{
386		$this->data = $data;
387		}
388
389		/**
390		* @return \Tobscure\JsonApi\SerializerInterface
391		*/
392		public function getSerializer()
393		{
394		return $this->serializer;
395		}
396
397		/**
398		* @param \Tobscure\JsonApi\SerializerInterface $serializer
399		*
400		* @return void
401		*/
402		public function setSerializer(SerializerInterface $serializer)
403		{
404		$this->serializer = $serializer;
405		}
406		}
407

tobscure / json-api

Issues (17)

Security Analysis no request data

src/Resource.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like