Issues in ChangeHandler.php (master) - Issues in master - wikimedia/mediawiki-extensions-Wikibase - Measure and Improve Code Quality continuously with Scrutinizer

Issues (1401)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

client/includes/Changes/ChangeHandler.php (1 issue)

Labels

Severity

Major 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace Wikibase\Client\Changes;

use Hooks;
use InvalidArgumentException;
use Psr\Log\LoggerInterface;
use SiteLookup;
use Title;
use TitleFactory;
use Wikibase\Client\Usage\PageEntityUsages;
use Wikibase\Lib\Changes\Change;
use Wikibase\Lib\Changes\EntityChange;

/**
 * Interface for change handling. Whenever a change is detected,
 * it should be fed to this service which then takes care handling it.
 *
 * @see @ref md_docs_topics_change-propagation for an overview of the change propagation mechanism.
 *
 * @license GPL-2.0-or-later
 * @author Daniel Kinzler
 */
class ChangeHandler {

	/**
	 * @var AffectedPagesFinder
	 */
	private $affectedPagesFinder;

	/**
	 * @var TitleFactory
	 */
	private $titleFactory;

	/**
	 * @var PageUpdater
	 */
	private $updater;

	/**
	 * @var ChangeRunCoalescer
	 */
	private $changeRunCoalescer;

	/**
	 * @var SiteLookup
	 */
	private $siteLookup;

	/**
	 * @var LoggerInterface
	 */
	private $logger;

	/**
	 * @var bool
	 */
	private $injectRecentChanges;

	/**
	 * @param AffectedPagesFinder $affectedPagesFinder
	 * @param TitleFactory $titleFactory
	 * @param PageUpdater $updater
	 * @param ChangeRunCoalescer $changeRunCoalescer
	 * @param SiteLookup $siteLookup
	 * @param LoggerInterface $logger
	 * @param bool $injectRecentChanges
	 *
	 * @throws InvalidArgumentException
	 */
	public function __construct(
		AffectedPagesFinder $affectedPagesFinder,
		TitleFactory $titleFactory,
		PageUpdater $updater,
		ChangeRunCoalescer $changeRunCoalescer,
		SiteLookup $siteLookup,
		LoggerInterface $logger,
		$injectRecentChanges = true
	) {
		if ( !is_bool( $injectRecentChanges ) ) {
			throw new InvalidArgumentException( '$injectRecentChanges must be a bool' );
		}

		$this->affectedPagesFinder = $affectedPagesFinder;
		$this->titleFactory = $titleFactory;
		$this->updater = $updater;
		$this->changeRunCoalescer = $changeRunCoalescer;
		$this->siteLookup = $siteLookup;
		$this->logger = $logger;
		$this->injectRecentChanges = $injectRecentChanges;
	}

	/**
	 * @param EntityChange[] $changes
	 * @param array $rootJobParams any relevant root job parameters to be inherited by new jobs.
	 */
	public function handleChanges( array $changes, array $rootJobParams = [] ) {
		$changes = $this->changeRunCoalescer->transformChangeList( $changes );

		if ( !Hooks::run( 'WikibaseHandleChanges', [ $changes, $rootJobParams ] ) ) {
			return;
		}

		foreach ( $changes as $change ) {
			if ( !Hooks::run( 'WikibaseHandleChange', [ $change, $rootJobParams ] ) ) {
				continue;
			}

			$this->handleChange( $change, $rootJobParams );
		}
	}

	/**
	 * Main entry point for handling changes
	 *
	 * @todo process multiple changes at once!
	 *
	 * @param EntityChange $change
	 * @param array $rootJobParams any relevant root job parameters to be inherited by new jobs.
	 */
	public function handleChange( EntityChange $change, array $rootJobParams = [] ) {
		$changeId = $this->getChangeIdForLog( $change );

		$this->logger->debug(
			'{method}: handling change #{changeId} ({changeType})',
			[
				'method' => __METHOD__,
				'changeId' => $changeId,
				'changeType' => $change->getType(),
			]
		);

		$usagesPerPage = $this->affectedPagesFinder->getAffectedUsagesByPage( $change );

		$this->logger->debug(
			'{method}: updating {pageCount} page(s) for change #{changeId}.',
			[
				'method' => __METHOD__,
				'changeId' => $changeId,
				'pageCount' => count( $usagesPerPage ),
			]
		);

		// if no usages we can abort early
		if ( $usagesPerPage === [] ) {
			return;
		}

		// Run all updates on all affected pages
		$titlesToUpdate = $this->getTitlesForUsages( $usagesPerPage );

		// if no titles we can abort early
		if ( $titlesToUpdate === [] ) {
			return;
		}

		// NOTE: deduplicate
		$titleBatchSignature = $this->getTitleBatchSignature( $titlesToUpdate );
		$rootJobParams['rootJobSignature'] = $titleBatchSignature;

		if ( !isset( $rootJobParams['rootJobTimestamp'] ) ) {
			$rootJobParams['rootJobTimestamp'] = wfTimestampNow();
		}

		$this->updater->purgeWebCache(
			$titlesToUpdate,
			$rootJobParams,
			$change->getAction(),
			$change->hasField( 'user_id' ) ? 'uid:' . $change->getUserId() : 'uid:?'
		);

		// Removing root job timestamp to make it work: T233520
		$refreshLinksRootParams = $rootJobParams;
		unset( $refreshLinksRootParams['rootJobTimestamp'] );

		$this->updater->scheduleRefreshLinks(
			$titlesToUpdate,
			$refreshLinksRootParams,
			$change->getAction(),
			'uid:' . ( $change->getUserId() ?: '?' )
		);

		// NOTE: signature depends on change ID, effectively disabling deduplication
		$changeSignature = $this->getChangeSignature( $change );
		$rootJobParams['rootJobSignature'] = $titleBatchSignature . '&' . $changeSignature;
		if ( $this->injectRecentChanges ) {
			$this->updater->injectRCRecords( $titlesToUpdate, $change, $rootJobParams );
		}
	}

	/**
	 * @param Title[] $titles
	 *
	 * @return string a signature based on the hash of the given titles
	 */
	private function getTitleBatchSignature( array $titles ) {
		$pages = [];

		/** @see WikiPageUpdater::getPageParamForRefreshLinksJob */
		foreach ( $titles as $title ) {
			$id = $title->getArticleID();
			$pages[$id] = [ $title->getNamespace(), $title->getDBkey() ];
		}

		ksort( $pages );
		return 'title-batch:' . sha1( json_encode( $pages ) );
	}

	/**
	 * @param EntityChange $change
	 *
	 * @return string a signature representing the change's identity.
	 */
	private function getChangeSignature( EntityChange $change ) {
		if ( $change->getId() ) {
0   == false // true
0   == null  // true
123 == false // false
123 == null  // false

// It is often better to use strict comparison
0 === false // false
0 === null  // false
			return 'change-id:' . $change->getId();
		} else {
			// synthetic change!
			$changeData = $change->getFields();

			if ( isset( $changeData['info']['change-ids'] ) ) {
				$ids = $changeData['info']['change-ids'];
				sort( $ids );
				return 'change-batch:' . implode( ',', $ids );
			} else {
				ksort( $changeData );
				return 'change-hash:' . sha1( json_encode( $changeData ) );
			}
		}
	}

	/**
	 * @param PageEntityUsages[] $usagesPerPage
	 *
	 * @return Title[]
	 */
	private function getTitlesForUsages( $usagesPerPage ) {
		$pageIds = [];

		foreach ( $usagesPerPage as $usages ) {
			$pageIds[] = $usages->getPageId();
		}

		return $this->titleFactory->newFromIDs( $pageIds );
	}

	/**
	 * Returns a human readable change ID, containing multiple IDs in case of a
	 * coalesced change.
	 *
	 * @param Change $change
	 *
	 * @return string
	 */
	private function getChangeIdForLog( Change $change ) {
		if ( $change instanceof EntityChange ) {
			$info = $change->getInfo();

			if ( isset( $info['change-ids'] ) ) {
				return implode( '|', $info['change-ids'] );
			}
		}

		return $change->getId();
	}

}


1			<?php
2
3			namespace Wikibase\Client\Changes;
4
5			use Hooks;
6			use InvalidArgumentException;
7			use Psr\Log\LoggerInterface;
8			use SiteLookup;
9			use Title;
10			use TitleFactory;
11			use Wikibase\Client\Usage\PageEntityUsages;
12			use Wikibase\Lib\Changes\Change;
13			use Wikibase\Lib\Changes\EntityChange;
14
15			/**
16			* Interface for change handling. Whenever a change is detected,
17			* it should be fed to this service which then takes care handling it.
18			*
19			* @see @ref md_docs_topics_change-propagation for an overview of the change propagation mechanism.
20			*
21			* @license GPL-2.0-or-later
22			* @author Daniel Kinzler
23			*/
24			class ChangeHandler {
25
26			/**
27			* @var AffectedPagesFinder
28			*/
29			private $affectedPagesFinder;
30
31			/**
32			* @var TitleFactory
33			*/
34			private $titleFactory;
35
36			/**
37			* @var PageUpdater
38			*/
39			private $updater;
40
41			/**
42			* @var ChangeRunCoalescer
43			*/
44			private $changeRunCoalescer;
45
46			/**
47			* @var SiteLookup
48			*/
49			private $siteLookup;
50
51			/**
52			* @var LoggerInterface
53			*/
54			private $logger;
55
56			/**
57			* @var bool
58			*/
59			private $injectRecentChanges;
60
61			/**
62			* @param AffectedPagesFinder $affectedPagesFinder
63			* @param TitleFactory $titleFactory
64			* @param PageUpdater $updater
65			* @param ChangeRunCoalescer $changeRunCoalescer
66			* @param SiteLookup $siteLookup
67			* @param LoggerInterface $logger
68			* @param bool $injectRecentChanges
69			*
70			* @throws InvalidArgumentException
71			*/
72			public function __construct(
73			AffectedPagesFinder $affectedPagesFinder,
74			TitleFactory $titleFactory,
75			PageUpdater $updater,
76			ChangeRunCoalescer $changeRunCoalescer,
77			SiteLookup $siteLookup,
78			LoggerInterface $logger,
79			$injectRecentChanges = true
80			) {
81			if ( !is_bool( $injectRecentChanges ) ) {
82			throw new InvalidArgumentException( '$injectRecentChanges must be a bool' );
83			}
84
85			$this->affectedPagesFinder = $affectedPagesFinder;
86			$this->titleFactory = $titleFactory;
87			$this->updater = $updater;
88			$this->changeRunCoalescer = $changeRunCoalescer;
89			$this->siteLookup = $siteLookup;
90			$this->logger = $logger;
91			$this->injectRecentChanges = $injectRecentChanges;
92			}
93
94			/**
95			* @param EntityChange[] $changes
96			* @param array $rootJobParams any relevant root job parameters to be inherited by new jobs.
97			*/
98			public function handleChanges( array $changes, array $rootJobParams = [] ) {
99			$changes = $this->changeRunCoalescer->transformChangeList( $changes );
100
101			if ( !Hooks::run( 'WikibaseHandleChanges', [ $changes, $rootJobParams ] ) ) {
102			return;
103			}
104
105			foreach ( $changes as $change ) {
106			if ( !Hooks::run( 'WikibaseHandleChange', [ $change, $rootJobParams ] ) ) {
107			continue;
108			}
109
110			$this->handleChange( $change, $rootJobParams );
111			}
112			}
113
114			/**
115			* Main entry point for handling changes
116			*
117			* @todo process multiple changes at once!
118			*
119			* @param EntityChange $change
120			* @param array $rootJobParams any relevant root job parameters to be inherited by new jobs.
121			*/
122			public function handleChange( EntityChange $change, array $rootJobParams = [] ) {
123			$changeId = $this->getChangeIdForLog( $change );
124
125			$this->logger->debug(
126			'{method}: handling change #{changeId} ({changeType})',
127			[
128			'method' => __METHOD__,
129			'changeId' => $changeId,
130			'changeType' => $change->getType(),
131			]
132			);
133
134			$usagesPerPage = $this->affectedPagesFinder->getAffectedUsagesByPage( $change );
135
136			$this->logger->debug(
137			'{method}: updating {pageCount} page(s) for change #{changeId}.',
138			[
139			'method' => __METHOD__,
140			'changeId' => $changeId,
141			'pageCount' => count( $usagesPerPage ),
142			]
143			);
144
145			// if no usages we can abort early
146			if ( $usagesPerPage === [] ) {
147			return;
148			}
149
150			// Run all updates on all affected pages
151			$titlesToUpdate = $this->getTitlesForUsages( $usagesPerPage );
152
153			// if no titles we can abort early
154			if ( $titlesToUpdate === [] ) {
155			return;
156			}
157
158			// NOTE: deduplicate
159			$titleBatchSignature = $this->getTitleBatchSignature( $titlesToUpdate );
160			$rootJobParams['rootJobSignature'] = $titleBatchSignature;
161
162			if ( !isset( $rootJobParams['rootJobTimestamp'] ) ) {
163			$rootJobParams['rootJobTimestamp'] = wfTimestampNow();
164			}
165
166			$this->updater->purgeWebCache(
167			$titlesToUpdate,
168			$rootJobParams,
169			$change->getAction(),
170			$change->hasField( 'user_id' ) ? 'uid:' . $change->getUserId() : 'uid:?'
171			);
172
173			// Removing root job timestamp to make it work: T233520
174			$refreshLinksRootParams = $rootJobParams;
175			unset( $refreshLinksRootParams['rootJobTimestamp'] );
176
177			$this->updater->scheduleRefreshLinks(
178			$titlesToUpdate,
179			$refreshLinksRootParams,
180			$change->getAction(),
181			'uid:' . ( $change->getUserId() ?: '?' )
182			);
183
184			// NOTE: signature depends on change ID, effectively disabling deduplication
185			$changeSignature = $this->getChangeSignature( $change );
186			$rootJobParams['rootJobSignature'] = $titleBatchSignature . '&' . $changeSignature;
187			if ( $this->injectRecentChanges ) {
188			$this->updater->injectRCRecords( $titlesToUpdate, $change, $rootJobParams );
189			}
190			}
191
192			/**
193			* @param Title[] $titles
194			*
195			* @return string a signature based on the hash of the given titles
196			*/
197			private function getTitleBatchSignature( array $titles ) {
198			$pages = [];
199
200			/** @see WikiPageUpdater::getPageParamForRefreshLinksJob */
201			foreach ( $titles as $title ) {
202			$id = $title->getArticleID();
203			$pages[$id] = [ $title->getNamespace(), $title->getDBkey() ];
204			}
205
206			ksort( $pages );
207			return 'title-batch:' . sha1( json_encode( $pages ) );
208			}
209
210			/**
211			* @param EntityChange $change
212			*
213			* @return string a signature representing the change's identity.
214			*/
215			private function getChangeSignature( EntityChange $change ) {
216			if ( $change->getId() ) {
			0 ignored issues – show Bug Best Practice introduced 2017-09-18 16:31 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `$change->getId()` of type `integer\|null` is loosely compared to `true`; this is ambiguous if the integer can be zero. You might want to explicitly use `!== null` instead. In PHP, under loose comparison (like `==`, or `!=`, or `switch` conditions), values of different types might be equal. For `integer` values, zero is a special case, in particular the following results might be unexpected: 0 == false // true 0 == null // true 123 == false // false 123 == null // false // It is often better to use strict comparison 0 === false // false 0 === null // false Loading history...
217			return 'change-id:' . $change->getId();
218			} else {
219			// synthetic change!
220			$changeData = $change->getFields();
221
222			if ( isset( $changeData['info']['change-ids'] ) ) {
223			$ids = $changeData['info']['change-ids'];
224			sort( $ids );
225			return 'change-batch:' . implode( ',', $ids );
226			} else {
227			ksort( $changeData );
228			return 'change-hash:' . sha1( json_encode( $changeData ) );
229			}
230			}
231			}
232
233			/**
234			* @param PageEntityUsages[] $usagesPerPage
235			*
236			* @return Title[]
237			*/
238			private function getTitlesForUsages( $usagesPerPage ) {
239			$pageIds = [];
240
241			foreach ( $usagesPerPage as $usages ) {
242			$pageIds[] = $usages->getPageId();
243			}
244
245			return $this->titleFactory->newFromIDs( $pageIds );
246			}
247
248			/**
249			* Returns a human readable change ID, containing multiple IDs in case of a
250			* coalesced change.
251			*
252			* @param Change $change
253			*
254			* @return string
255			*/
256			private function getChangeIdForLog( Change $change ) {
257			if ( $change instanceof EntityChange ) {
258			$info = $change->getInfo();
259
260			if ( isset( $info['change-ids'] ) ) {
261			return implode( '\|', $info['change-ids'] );
262			}
263			}
264
265			return $change->getId();
266			}
267
268			}
269

wikimedia / mediawiki-extensions-Wikibase

Issues (1401)

Security Analysis no request data

client/includes/Changes/ChangeHandler.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like