Issues (5)

Security Analysis: no request data

This project does not seem to handle request data directly as such no vulnerable execution paths were found.

  Cross-Site Scripting
Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.
  File Exposure
File Exposure allows an attacker to gain access to local files that they should not be able to access. These files can for example include database credentials, or other configuration files.
  File Manipulation
File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.
  Object Injection
Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.
  Code Injection
Code Injection enables an attacker to execute arbitrary code on the server.
  Response Splitting
Response Splitting can be used to send arbitrary responses.
  File Inclusion
File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.
  Command Injection
Command Injection enables an attacker to inject a shell command that is executed with the privileges of the web server. This can be used to expose sensitive data, or to gain access to your server.
  SQL Injection
SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.
  XPath Injection
XPath Injection enables an attacker to modify which parts of an XML document are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.
  LDAP Injection
LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.
  Header Injection
  Other Vulnerability
This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.
  Regex Injection
Regex Injection enables an attacker to execute arbitrary code in your PHP process.
  XML Injection
XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.
  Variable Injection
Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

src/Widget.php (3 issues)

<?php
/**
 * This file is part of yii2-imperavi-widget.
 *
 * For the full copyright and license information, please view the LICENSE
 * file that was distributed with this source code.
 *
 * @see https://github.com/vova07/yii2-imperavi-widget
 */

namespace vova07\imperavi;

use Yii;
use yii\base\InvalidConfigException;
use yii\base\Model;
use yii\base\Widget as BaseWidget;
use yii\helpers\ArrayHelper;
use yii\helpers\Html;
use yii\helpers\Json;
use yii\web\JsExpression;

/**
 * Imperavi Redactor widget.
 *
 * @property array $settings JS Redactor settings
 * @property string|null $selector Textarea selector
 * @property array $plugins JS Redactor plugins
 *
 * @author Vasile Crudu <[email protected]>
 *
 * @link https://github.com/vova07/yii2-imperavi-widget
 * @link https://imperavi.com/assets/pdf/redactor-documentation-10.pdf
 *
 * @license https://github.com/vova07/yii2-imperavi-widget/blob/master/LICENSE.md
 */
class Widget extends BaseWidget
{
    /** Name of inline JavaScript package that is registered by the widget */
    const INLINE_JS_KEY = 'vova07/imperavi/';

    /**
     * @var Model|null The data model that this widget is associated with.
     */
    public $model;

    /**
     * @var string|null The model attribute that this widget is associated with.
     */
    public $attribute;

    /**
     * @var string|null The input name. This must be set if `model` and `attribute` are not set.
     */
    public $name;

    /**
     * @var string|null The input value.
     */
    public $value;

    /**
     * @var string|null Selector pointing to textarea to initialize redactor for.
     * Defaults to `null` meaning that textarea does not exist yet and will be rendered by this widget.
     */
    public $selector;

    /**
     * @var array The HTML attribute options for the input tag.
     *
     * @see \yii\helpers\Html::renderTagAttributes() for details on how attributes are being rendered.
     */
    public $options = [];

    /**
     * @var array {@link https://imperavi.com/assets/pdf/redactor-documentation-10.pdf redactor options} to manage the redactor itself.
     */
    public $settings = [];

    /**
     * @var array Default settings that will be merged with {@link $settings}. Useful with DI container.
     */
    public $defaultSettings = [];

    /**
     * This property must be used only for registering widget's custom plugins.
     * The `key` is the name of the plugin, and the `value` must be the class name of the plugin bundle.
     *
     * @var array Widget custom plugins ['key' => 'value'] array.
     *
     * @example `['my-custom-plugin' => MyCustomPlugin::className(), ...]`
     */
    public $plugins = [];

    /**
     * @var boolean Whether to render the `textarea` or not.
     */
    private $_renderTextarea = true;

    /**
     * @inheritdoc
     */
    public function init()
    {
        if ($this->name === null && $this->selector === null && !$this->hasModel()) {
            throw new InvalidConfigException("Either 'name', or 'model' and 'attribute' properties must be specified.");
        }
        if (!isset($this->options['id'])) {
            $this->options['id'] = $this->hasModel() ? Html::getInputId($this->model, $this->attribute) : $this->getId();

It seems like $this->model can be null; however, getInputId() does not accept null, maybe add an additional type check?

Unless you are absolutely sure that the expression can never be null because of other conditions, we strongly recommend adding an additional type check to your code:

/** @return stdClass|null */
function mayReturnNull() { }

function doesNotAcceptNull(stdClass $x) { }

// With potential error.
function withoutCheck() {
    $x = mayReturnNull();
    doesNotAcceptNull($x); // Potential error here.
}

// Safe - Alternative 1
function withCheck1() {
    $x = mayReturnNull();
    if ( ! $x instanceof stdClass) {
        throw new \LogicException('$x must be defined.');
    }
    doesNotAcceptNull($x);
}

// Safe - Alternative 2
function withCheck2() {
    $x = mayReturnNull();
    if ($x instanceof stdClass) {
        doesNotAcceptNull($x);
    }
}

        }
        if (!empty($this->defaultSettings)) {
            $this->settings = ArrayHelper::merge($this->defaultSettings, $this->settings);
        }
        if (isset($this->settings['plugins']) && !is_array($this->settings['plugins']) || !is_array($this->plugins)) {
            throw new InvalidConfigException('The "plugins" property must be an array.');
        }
        if (!isset($this->settings['lang']) && Yii::$app->language !== 'en-US') {
            $this->settings['lang'] = substr(Yii::$app->language, 0, 2);
        }
        if ($this->selector === null) {
            $this->selector = '#' . $this->options['id'];
        } else {
            $this->_renderTextarea = false;
        }

        // @codeCoverageIgnoreStart
        $request = Yii::$app->getRequest();

        if ($request->enableCsrfValidation) {
            $this->settings['uploadImageFields'][$request->csrfParam] = $request->getCsrfToken();
            $this->settings['uploadFileFields'][$request->csrfParam] = $request->getCsrfToken();
        }
        // @codeCoverageIgnoreEnd

        parent::init();
    }

    /**
     * @inheritdoc
     */
    public function run()
    {
        $this->register();

        if ($this->_renderTextarea === true) {
            if ($this->hasModel()) {
                return Html::activeTextarea($this->model, $this->attribute, $this->options);

It seems like $this->model can be null; however, activeTextarea() does not accept null, maybe add an additional type check? The same type-check alternatives shown for getInputId() above apply here.

            } else {
                return Html::textarea($this->name, $this->value, $this->options);
            }
        }

        return '';
    }

    /**
     * Register widget translations.
     */
    public static function registerTranslations()
    {
        if (!isset(Yii::$app->i18n->translations['vova07/imperavi']) && !isset(Yii::$app->i18n->translations['vova07/imperavi*'])) {
            Yii::$app->i18n->translations['vova07/imperavi'] = [
                'class' => 'yii\i18n\PhpMessageSource',
                'basePath' => '@vova07/imperavi/messages',
                'forceTranslation' => true,
                'fileMap' => [
                    'vova07/imperavi' => 'imperavi.php',
                ],
            ];
        }
    }

    /**
     * @return boolean whether this widget is associated with a data model.
     */
    protected function hasModel()
    {
        return $this->model instanceof Model && $this->attribute !== null;
    }

    /**
     * Register all widget logic.
     */
    protected function register()
    {
        self::registerTranslations();
        $this->registerDefaultCallbacks();
        $this->registerClientScripts();
    }

    /**
     * Register default callbacks.
     */
    protected function registerDefaultCallbacks()
    {
        if (isset($this->settings['imageUpload']) && !isset($this->settings['imageUploadErrorCallback'])) {
            $message = Yii::t('vova07/imperavi', 'ERROR_DURING_UPLOAD_PROCESS');

            $this->settings['imageUploadErrorCallback'] = new JsExpression('function (response) { alert("' . $message . '"); }');
        }
        if (isset($this->settings['fileUpload']) && !isset($this->settings['fileUploadErrorCallback'])) {
            $message = Yii::t('vova07/imperavi', 'ERROR_DURING_UPLOAD_PROCESS');

            $this->settings['fileUploadErrorCallback'] = new JsExpression('function (response) { alert("' . $message . '"); }');
        }
    }

    /**
     * Register widget asset.
     */
    protected function registerClientScripts()
    {
        $view = $this->getView();
        /** @var Asset $asset */
        $asset = Yii::$container->get(Asset::className());

Deprecated code: the method yii\base\BaseObject::className() has been deprecated with message: since 2.0.14. On PHP >=5.5, use `::class` instead.

This method has been deprecated. The supplier of the class has supplied an explanatory message, which should give you some clue as to whether and when the method will be removed from the class and what other method or class to use instead.

        $asset = $asset::register($view);

        if (isset($this->settings['lang'])) {
            $asset->addLanguage($this->settings['lang']);
        }
        if (isset($this->settings['plugins'])) {
            $asset->addPlugins($this->settings['plugins']);
        }
        if (!empty($this->plugins)) {
            /** @var \yii\web\AssetBundle $bundle Asset bundle */
            foreach ($this->plugins as $plugin => $bundle) {
                $this->settings['plugins'][] = $plugin;
                $bundle::register($view);
            }
        }

        $selector = Json::encode($this->selector);
        $settings = !empty($this->settings) ? Json::encode($this->settings) : '';

        $view->registerJs("jQuery($selector).redactor($settings);", $view::POS_READY, self::INLINE_JS_KEY . $this->options['id']);
    }
}