Issues in Config.php (master) - Issues in master - vanilla/garden - Measure and Improve Code Quality continuously with Scrutinizer

Issues (48)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Config.php (1 issue)

Labels

Severity

Major 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace Garden;

/**
 * Application configuration management.
 *
 * This class provides access to the application configuration information through one or more config files.
 * You can load/save config files in several formats. The file extension of the file determines what format will the file will use.
 * The following file formats are supported.
 *
 * - javascript object notation (json): .json or .json.php
 * - php source code: .php
 * - php serialized arrays: .ser or .ser.php
 * - yaml: .yml or .yml.php
 *
 * When using config files we recommend always using the .*.php extension so that the file cannot be read through its url.
 *
 * @author Todd Burry <[email protected]>
 * @copyright 2009 Vanilla Forums Inc.
 * @license LGPL-2.1
 * @package Vanilla
 * @since 1.0
 */
class Config {
    /// Properties ///

    /**
     * @var array The config data.
     */
    protected static $data = [];

    /**
     * @var string The default path to load/save to.
     */
    protected static $defaultPath;

    /// Methods ///

    /**
     * Get or set the default path.
     *
     * @param string $value Pass a value to set a new default path.
     * @return string Returns the current default path.
     */
    public static function defaultPath($value = '') {
        if ($value) {
            self::$defaultPath = $value;
        } elseif (!self::$defaultPath) {
            self::$defaultPath = PATH_ROOT.'/conf/config.json.php';
        }
        return self::$defaultPath;
    }

    /**
     * Return all of the config data.
     *
     * @return array Returns an array of config data.
     */
    public static function data() {
        return self::$data;
    }

    /**
     * Get a setting from the config.
     *
     * @param string $key The config key.
     * @param mixed $default The default value if the config file doesn't exist.
     * @return mixed The value at {@link $key} or {@link $default} if the key isn't found.
     * @see \config()
     */
    public static function get($key, $default = null) {
        if (array_key_exists($key, self::$data)) {
            return self::$data[$key];
        } else {
            return $default;
        }
    }

    /**
     * Encode an array in ini format.
     * The resulting array will work with parse_ini_file() and parse_ini_string().
     *
     * @param array $data A flat, associative array of data.
     * @return string The data in ini format.
     */
//    public static function iniEncode($data) {
//        ksort($data, SORT_NATURAL | SORT_FLAG_CASE);
//
//        $result = '';
//
//        $lastSection = null;
//
//        foreach ($data as $key => $value) {
//            $section = trim(strstr($key, '.', true), '.');
//
//            if ($section !== $lastSection) {
//                if ($section) {
//                    $result .= "\n[$section]\n";
//                }
//                $lastSection = $section;
//            }
//
//            $result .= $key . ' = ';
//
//            if (is_bool($value)) {
//                $str = $value ? 'true' : 'false';
//            } elseif (is_numeric($value)) {
//                $str = $value;
//            } elseif (is_string($value)) {
//                $str = '"' . addcslashes($value, "\"") . '"';
//            }
//            $result .= $str . "\n";
//        }
//
//        return $result;
//    }

    /**
     * Load configuration data from a file.
     *
     * @param string $path An optional path to load the file from.
     * @param string $path If true the config will be put under the current config, not over it.
     * @param string $php_var The name of the php variable to load from if using the php file type.
     */
    public static function load($path = '', $underlay = false, $php_var = 'config') {
        if (!$path) {
            $path = self::$defaultPath;
        }

        $loaded = array_load($path, $php_var);

        if (empty($loaded)) {
            return;
        }

        if (!is_array(self::$data)) {
            self::$data = [];
        }

        if ($underlay) {
            self::$data = array_replace($loaded, self::$data);
        } else {
            self::$data = array_replace(self::$data, $loaded);
        }
    }

    /**
     * Save data to the config file.
     *
     * @param array $data The config data to save.
     * @param string $path An optional path to save the data to.
     * @param string $php_var The name of the php variable to load from if using the php file type.
     * @return bool Returns true if the save was successful or false otherwise.
     * @throws \InvalidArgumentException Throws an exception when the saved data isn't an array.
     */
    public static function save($data, $path = null, $php_var = 'config') {
        if (!is_array($data)) {
            throw new \InvalidArgumentException('Config::save(): Argument #1 is not an array.', 400);
        }

        if (!$path) {
''   == false // true
''   == null  // true
'ab' == false // false
'ab' == null  // false

// It is often better to use strict comparison
'' === false // false
'' === null  // false
            $path = static::defaultPath();
        }

        // Load the current config information so we know what to replace.
        $config = array_load($path, $php_var);
        // Merge the new config into the current config.
        $config = array_replace($config, $data);
        // Remove null config values.
        $config = array_filter($config, function ($value) {
            return $value !== null;
        });

        ksort($config, SORT_NATURAL | SORT_FLAG_CASE);

        $result = array_save($config, $path, $php_var);
        return $result;
    }
}


1			<?php
2
3			namespace Garden;
4
5			/**
6			* Application configuration management.
7			*
8			* This class provides access to the application configuration information through one or more config files.
9			* You can load/save config files in several formats. The file extension of the file determines what format will the file will use.
10			* The following file formats are supported.
11			*
12			* - javascript object notation (json): .json or .json.php
13			* - php source code: .php
14			* - php serialized arrays: .ser or .ser.php
15			* - yaml: .yml or .yml.php
16			*
17			* When using config files we recommend always using the .*.php extension so that the file cannot be read through its url.
18			*
19			* @author Todd Burry <[email protected]>
20			* @copyright 2009 Vanilla Forums Inc.
21			* @license LGPL-2.1
22			* @package Vanilla
23			* @since 1.0
24			*/
25			class Config {
26			/// Properties ///
27
28			/**
29			* @var array The config data.
30			*/
31			protected static $data = [];
32
33			/**
34			* @var string The default path to load/save to.
35			*/
36			protected static $defaultPath;
37
38			/// Methods ///
39
40			/**
41			* Get or set the default path.
42			*
43			* @param string $value Pass a value to set a new default path.
44			* @return string Returns the current default path.
45			*/
46			public static function defaultPath($value = '') {
47			if ($value) {
48			self::$defaultPath = $value;
49			} elseif (!self::$defaultPath) {
50			self::$defaultPath = PATH_ROOT.'/conf/config.json.php';
51			}
52			return self::$defaultPath;
53			}
54
55			/**
56			* Return all of the config data.
57			*
58			* @return array Returns an array of config data.
59			*/
60			public static function data() {
61			return self::$data;
62			}
63
64			/**
65			* Get a setting from the config.
66			*
67			* @param string $key The config key.
68			* @param mixed $default The default value if the config file doesn't exist.
69			* @return mixed The value at {@link $key} or {@link $default} if the key isn't found.
70			* @see \config()
71			*/
72			public static function get($key, $default = null) {
73			if (array_key_exists($key, self::$data)) {
74			return self::$data[$key];
75			} else {
76			return $default;
77			}
78			}
79
80			/**
81			* Encode an array in ini format.
82			* The resulting array will work with parse_ini_file() and parse_ini_string().
83			*
84			* @param array $data A flat, associative array of data.
85			* @return string The data in ini format.
86			*/
87			// public static function iniEncode($data) {
88			// ksort($data, SORT_NATURAL \| SORT_FLAG_CASE);
89			//
90			// $result = '';
91			//
92			// $lastSection = null;
93			//
94			// foreach ($data as $key => $value) {
95			// $section = trim(strstr($key, '.', true), '.');
96			//
97			// if ($section !== $lastSection) {
98			// if ($section) {
99			// $result .= "\n[$section]\n";
100			// }
101			// $lastSection = $section;
102			// }
103			//
104			// $result .= $key . ' = ';
105			//
106			// if (is_bool($value)) {
107			// $str = $value ? 'true' : 'false';
108			// } elseif (is_numeric($value)) {
109			// $str = $value;
110			// } elseif (is_string($value)) {
111			// $str = '"' . addcslashes($value, "\"") . '"';
112			// }
113			// $result .= $str . "\n";
114			// }
115			//
116			// return $result;
117			// }
118
119			/**
120			* Load configuration data from a file.
121			*
122			* @param string $path An optional path to load the file from.
123			* @param string $path If true the config will be put under the current config, not over it.
124			* @param string $php_var The name of the php variable to load from if using the php file type.
125			*/
126			public static function load($path = '', $underlay = false, $php_var = 'config') {
127			if (!$path) {
128			$path = self::$defaultPath;
129			}
130
131			$loaded = array_load($path, $php_var);
132
133			if (empty($loaded)) {
134			return;
135			}
136
137			if (!is_array(self::$data)) {
138			self::$data = [];
139			}
140
141			if ($underlay) {
142			self::$data = array_replace($loaded, self::$data);
143			} else {
144			self::$data = array_replace(self::$data, $loaded);
145			}
146			}
147
148			/**
149			* Save data to the config file.
150			*
151			* @param array $data The config data to save.
152			* @param string $path An optional path to save the data to.
153			* @param string $php_var The name of the php variable to load from if using the php file type.
154			* @return bool Returns true if the save was successful or false otherwise.
155			* @throws \InvalidArgumentException Throws an exception when the saved data isn't an array.
156			*/
157			public static function save($data, $path = null, $php_var = 'config') {
158			if (!is_array($data)) {
159			throw new \InvalidArgumentException('Config::save(): Argument #1 is not an array.', 400);
160			}
161
162			if (!$path) {
			0 ignored issues – show Bug Best Practice introduced 2015-11-24 19:27 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `$path` of type `string\|null` is loosely compared to `false`; this is ambiguous if the string can be empty. You might want to explicitly use `=== null` instead. In PHP, under loose comparison (like `==`, or `!=`, or `switch` conditions), values of different types might be equal. For `string` values, the empty string `''` is a special case, in particular the following results might be unexpected: '' == false // true '' == null // true 'ab' == false // false 'ab' == null // false // It is often better to use strict comparison '' === false // false '' === null // false Loading history...
163			$path = static::defaultPath();
164			}
165
166			// Load the current config information so we know what to replace.
167			$config = array_load($path, $php_var);
168			// Merge the new config into the current config.
169			$config = array_replace($config, $data);
170			// Remove null config values.
171			$config = array_filter($config, function ($value) {
172			return $value !== null;
173			});
174
175			ksort($config, SORT_NATURAL \| SORT_FLAG_CASE);
176
177			$result = array_save($config, $path, $php_var);
178			return $result;
179			}
180			}
181

vanilla / garden

Issues (48)

Security Analysis not enabled

src/Config.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like