Issues in Scripting.php (master) - Issues in master - webdcg/redis - Measure and Improve Code Quality continuously with Scrutinizer

Issues (37)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Traits/Scripting.php (1 issue)

Labels

Bug 1

Severity

Major 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace Webdcg\Redis\Traits;

use Webdcg\Redis\Exceptions\ScriptCommandException;

trait Scripting
{
    /*
     * Available Script Commands
     */
    protected $SCRIPT_COMMANDS = ['LOAD', 'FLUSH', 'KILL', 'EXISTS'];

    /**
     * Evaluate a LUA script serverside.
     *
     * See: https://redis.io/commands/eval.
     *
     * @param  string      $script
     * @param  array       $arguments
     * @param  int|integer $numKeys
     *
     * @return mixed       What is returned depends on what the LUA script
     *                     itself returns, which could be a scalar value
     *                     (int/string), or an array. Arrays that are returned
     *                     can also contain other arrays, if that's how it was
     *                     set up in your LUA script. If there is an error
     *                     executing the LUA script, the getLastError()
     *                     function can tell you the message that came back
     *                     from Redis (e.g. compile error).
     */
    public function eval(string $script, ?array $arguments = null, ?int $numKeys = null)
    {
        if (!is_null($arguments) && !is_null($numKeys)) {
            return $this->redis->eval($script, $arguments, $numKeys);
class MyClass { }

$x = new MyClass();
$x->foo = true;
        }

        return $this->redis->eval($script);
    }


    /**
     * Evaluate a LUA script serverside, from the SHA1 hash of the script instead
     * of the script itself.
     *
     * In order to run this command Redis will have to have already loaded the
     * script, either by running it or via the SCRIPT LOAD command.
     *
     * See: https://redis.io/commands/evalsha.
     *
     * @param  string     $sha1         The sha1 encoded hash of the script you want to run.
     * @param  array|null $arguments    Arguments to pass to the LUA script.
     * @param  int|null   $numKeys      The number of arguments that should go into the
     *                                  KEYS array, vs. the ARGV array when Redis spins
     *                                  the script (optional).
     *
     * @return mixed
     */
    public function evalSha(string $sha1, ?array $arguments = null, ?int $numKeys = null)
    {
        if (!is_null($arguments) && !is_null($numKeys)) {
            return $this->redis->evalSha($sha1, $arguments, $numKeys);
        }

        return $this->redis->evalSha($sha1);
    }


    /**
     * Execute the Redis SCRIPT command to perform various operations on the
     * scripting subsystem.
     *
     * See: https://redis.io/commands/script-load.
     * See: https://redis.io/commands/script-flush.
     *
     * @param  string $command
     * @param  splat $scripts
     *
     * @return mixed            SCRIPT LOAD will return the SHA1 hash of the
     *                                 passed script on success, and FALSE on
     *                                 failure.
     *                          SCRIPT FLUSH should always return TRUE
     *                          SCRIPT KILL will return true if a script was
     *                                  able to be killed and false if not.
     *                          SCRIPT EXISTS will return an array with TRUE
     *                                  or FALSE for each passed script.
     */
    public function script(string $command, ...$scripts)
    {
        $command = strtoupper($command);

        if (!in_array($command, $this->SCRIPT_COMMANDS)) {
            throw new ScriptCommandException('Script Command not supported', 1);
        }

        if ($command == 'FLUSH' || $command == 'KILL') {
            return $this->redis->script($command);
        }

        if ($command == 'EXISTS') {
            return $this->redis->script($command, ...$scripts);
        }

        if (count($scripts) != 1) {
            throw new ScriptCommandException('Invalid Number of Scripts to Load', 1);
        }

        return $this->redis->script($command, $scripts[0]);
    }


    /**
     * The last error message (if any)
     *
     *
     * @return mixed|string|null    A string with the last returned script
     *                              based error message, or NULL if there
     *                              is no error.
     */
    public function getLastError(): ?string
    {
        return $this->redis->getLastError();
    }


    /**
     * Clear the last error message
     *
     * @return bool     true
     */
    public function clearLastError(): bool
    {
        return $this->redis->clearLastError();
    }


    /**
     * A utility method to prefix the value with the prefix setting for phpredis.
     *
     * @param  string $key  The value you wish to prefix
     *
     * @return string       If a prefix is set up, the value now prefixed.
     *                      If there is no prefix, the value will be returned
     *                      unchanged.
     */
    public function _prefix(string $key): string
    {
        return $this->redis->_prefix($key);
    }

    /**
     * A utility method to serialize values manually.
     *
     * This method allows you to serialize a value with whatever serializer is
     * configured, manually. This can be useful for serialization/unserialization
     * of data going in and out of EVAL commands as phpredis can't automatically
     * do this itself. Note that if no serializer is set, phpredis will change
     * Array values to 'Array', and Objects to 'Object'.
     *
     * @param  mixed|string|array|obhect    $value  The value to be serialized.
     *
     * @return mixed                        The serialized value.
     */
    public function _serialize($value)
    {
        return $this->redis->_serialize($value);
    }


    /**
     * A utility method to unserialize data with whatever serializer is set up.
     *
     * If there is no serializer set, the value will be returned unchanged.
     * If there is a serializer set up, and the data passed in is malformed,
     * an exception will be thrown. This can be useful if phpredis is
     * serializing values, and you return something from redis in a LUA script
     * that is serialized.
     *
     * @param  string $value    The value to be unserialized
     *
     * @return mixed            Unserialized value
     */
    public function _unserialize(string $value)
    {
        return $this->redis->_unserialize($value);
    }
}


1			<?php
2
3			namespace Webdcg\Redis\Traits;
4
5			use Webdcg\Redis\Exceptions\ScriptCommandException;
6
7			trait Scripting
8			{
9			/*
10			* Available Script Commands
11			*/
12			protected $SCRIPT_COMMANDS = ['LOAD', 'FLUSH', 'KILL', 'EXISTS'];
13
14			/**
15			* Evaluate a LUA script serverside.
16			*
17			* See: https://redis.io/commands/eval.
18			*
19			* @param string $script
20			* @param array $arguments
21			* @param int\|integer $numKeys
22			*
23			* @return mixed What is returned depends on what the LUA script
24			* itself returns, which could be a scalar value
25			* (int/string), or an array. Arrays that are returned
26			* can also contain other arrays, if that's how it was
27			* set up in your LUA script. If there is an error
28			* executing the LUA script, the getLastError()
29			* function can tell you the message that came back
30			* from Redis (e.g. compile error).
31			*/
32			public function eval(string $script, ?array $arguments = null, ?int $numKeys = null)
33			{
34			if (!is_null($arguments) && !is_null($numKeys)) {
35			return $this->redis->eval($script, $arguments, $numKeys);
			0 ignored issues – show Bug introduced 2020-02-13 04:48 UTC by Report Bug Copy Issue Report Show Similar Issues like this The property `redis` does not exist. Did you maybe forget to declare it? In PHP it is possible to write to properties without declaring them. For example, the following is perfectly valid PHP code: class MyClass { } $x = new MyClass(); $x->foo = true; Generally, it is a good practice to explictly declare properties to avoid accidental typos and provide IDE auto-completion: class MyClass { public $foo; } $x = new MyClass(); $x->foo = true; Loading history...
36			}
37
38			return $this->redis->eval($script);
39			}
40
41
42			/**
43			* Evaluate a LUA script serverside, from the SHA1 hash of the script instead
44			* of the script itself.
45			*
46			* In order to run this command Redis will have to have already loaded the
47			* script, either by running it or via the SCRIPT LOAD command.
48			*
49			* See: https://redis.io/commands/evalsha.
50			*
51			* @param string $sha1 The sha1 encoded hash of the script you want to run.
52			* @param array\|null $arguments Arguments to pass to the LUA script.
53			* @param int\|null $numKeys The number of arguments that should go into the
54			* KEYS array, vs. the ARGV array when Redis spins
55			* the script (optional).
56			*
57			* @return mixed
58			*/
59			public function evalSha(string $sha1, ?array $arguments = null, ?int $numKeys = null)
60			{
61			if (!is_null($arguments) && !is_null($numKeys)) {
62			return $this->redis->evalSha($sha1, $arguments, $numKeys);
63			}
64
65			return $this->redis->evalSha($sha1);
66			}
67
68
69			/**
70			* Execute the Redis SCRIPT command to perform various operations on the
71			* scripting subsystem.
72			*
73			* See: https://redis.io/commands/script-load.
74			* See: https://redis.io/commands/script-flush.
75			*
76			* @param string $command
77			* @param splat $scripts
78			*
79			* @return mixed SCRIPT LOAD will return the SHA1 hash of the
80			* passed script on success, and FALSE on
81			* failure.
82			* SCRIPT FLUSH should always return TRUE
83			* SCRIPT KILL will return true if a script was
84			* able to be killed and false if not.
85			* SCRIPT EXISTS will return an array with TRUE
86			* or FALSE for each passed script.
87			*/
88			public function script(string $command, ...$scripts)
89			{
90			$command = strtoupper($command);
91
92			if (!in_array($command, $this->SCRIPT_COMMANDS)) {
93			throw new ScriptCommandException('Script Command not supported', 1);
94			}
95
96			if ($command == 'FLUSH' \|\| $command == 'KILL') {
97			return $this->redis->script($command);
98			}
99
100			if ($command == 'EXISTS') {
101			return $this->redis->script($command, ...$scripts);
102			}
103
104			if (count($scripts) != 1) {
105			throw new ScriptCommandException('Invalid Number of Scripts to Load', 1);
106			}
107
108			return $this->redis->script($command, $scripts[0]);
109			}
110
111
112			/**
113			* The last error message (if any)
114			*
115			*
116			* @return mixed\|string\|null A string with the last returned script
117			* based error message, or NULL if there
118			* is no error.
119			*/
120			public function getLastError(): ?string
121			{
122			return $this->redis->getLastError();
123			}
124
125
126			/**
127			* Clear the last error message
128			*
129			* @return bool true
130			*/
131			public function clearLastError(): bool
132			{
133			return $this->redis->clearLastError();
134			}
135
136
137			/**
138			* A utility method to prefix the value with the prefix setting for phpredis.
139			*
140			* @param string $key The value you wish to prefix
141			*
142			* @return string If a prefix is set up, the value now prefixed.
143			* If there is no prefix, the value will be returned
144			* unchanged.
145			*/
146			public function _prefix(string $key): string
147			{
148			return $this->redis->_prefix($key);
149			}
150
151			/**
152			* A utility method to serialize values manually.
153			*
154			* This method allows you to serialize a value with whatever serializer is
155			* configured, manually. This can be useful for serialization/unserialization
156			* of data going in and out of EVAL commands as phpredis can't automatically
157			* do this itself. Note that if no serializer is set, phpredis will change
158			* Array values to 'Array', and Objects to 'Object'.
159			*
160			* @param mixed\|string\|array\|obhect $value The value to be serialized.
161			*
162			* @return mixed The serialized value.
163			*/
164			public function _serialize($value)
165			{
166			return $this->redis->_serialize($value);
167			}
168
169
170			/**
171			* A utility method to unserialize data with whatever serializer is set up.
172			*
173			* If there is no serializer set, the value will be returned unchanged.
174			* If there is a serializer set up, and the data passed in is malformed,
175			* an exception will be thrown. This can be useful if phpredis is
176			* serializing values, and you return something from redis in a LUA script
177			* that is serialized.
178			*
179			* @param string $value The value to be unserialized
180			*
181			* @return mixed Unserialized value
182			*/
183			public function _unserialize(string $value)
184			{
185			return $this->redis->_unserialize($value);
186			}
187			}
188

webdcg / redis

Issues (37)

Security Analysis no request data

src/Traits/Scripting.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like