Issues in GetClaims.php (master) - Issues in master - wikimedia/mediawiki-extensions-Wikibase - Measure and Improve Code Quality continuously with Scrutinizer

Issues (1401)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

repo/includes/Api/GetClaims.php (3 issues)

Labels

Deprecated Code 3

Severity

Minor 3

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

declare( strict_types = 1 );

namespace Wikibase\Repo\Api;

use ApiBase;
use ApiMain;
use Wikibase\DataModel\Entity\EntityDocument;
use Wikibase\DataModel\Entity\EntityId;
use Wikibase\DataModel\Entity\EntityIdParser;
use Wikibase\DataModel\Entity\EntityIdParsingException;
use Wikibase\DataModel\Services\Statement\StatementGuidParser;
use Wikibase\DataModel\Services\Statement\StatementGuidValidator;
use Wikibase\DataModel\Statement\StatementList;
use Wikibase\DataModel\Statement\StatementListProvider;
use Wikibase\Repo\StatementRankSerializer;
use Wikibase\Repo\WikibaseRepo;

/**
 * API module for getting claims.
 *
 * @license GPL-2.0-or-later
 * @author Jeroen De Dauw < [email protected] >
 * @author Addshore
 */
class GetClaims extends ApiBase {

	/**
	 * @var StatementGuidValidator
	 */
	private $guidValidator;

	/**
	 * @var StatementGuidParser
	 */
	private $guidParser;

	/**
	 * @var ApiErrorReporter
	 */
	private $errorReporter;

	/**
	 * @var EntityIdParser
	 */
	private $idParser;

	/**
	 * @var EntityLoadingHelper
	 */
	private $entityLoadingHelper;

	/**
	 * @var ResultBuilder
	 */
	private $resultBuilder;

	/**
	 * @see ApiBase::__construct
	 *
	 * @param ApiMain $mainModule
	 * @param string $moduleName
	 * @param StatementGuidValidator $guidValidator
	 * @param StatementGuidParser $guidParser
	 * @param EntityIdParser $idParser
	 * @param ApiErrorReporter $errorReporter
	 * @param callable $resultBuilderInstantiator
	 * @param callable $entityLoadingHelperInstantiator
	 */
	public function __construct(
		ApiMain $mainModule,
		string $moduleName,
		StatementGuidValidator $guidValidator,
		StatementGuidParser $guidParser,
		EntityIdParser $idParser,
		ApiErrorReporter $errorReporter,
		callable $resultBuilderInstantiator,
		callable $entityLoadingHelperInstantiator
	) {
		parent::__construct( $mainModule, $moduleName );

		$this->guidValidator = $guidValidator;
		$this->guidParser = $guidParser;
		$this->idParser = $idParser;
		$this->errorReporter = $errorReporter;
		$this->resultBuilder = $resultBuilderInstantiator( $this );
		$this->entityLoadingHelper = $entityLoadingHelperInstantiator( $this );
	}

	public static function factory( ApiMain $mainModule, string $moduleName ): self {
		$wikibaseRepo = WikibaseRepo::getDefaultInstance();
		$apiHelperFactory = $wikibaseRepo->getApiHelperFactory( $mainModule->getContext() );

		return new self(
			$mainModule,
			$moduleName,
			$wikibaseRepo->getStatementGuidValidator(),
			$wikibaseRepo->getStatementGuidParser(),
			$wikibaseRepo->getEntityIdParser(),
			$apiHelperFactory->getErrorReporter( $mainModule ),
			function ( $module ) use ( $apiHelperFactory ) {
				return $apiHelperFactory->getResultBuilder( $module );
			},
			function ( $module ) use ( $apiHelperFactory ) {
				return $apiHelperFactory->getEntityLoadingHelper( $module );
			}
		);
	}

	/**
	 * @inheritDoc
	 */
	public function execute(): void {
		$this->getMain()->setCacheMode( 'public' );

		$params = $this->extractRequestParams();
		$this->validateParameters( $params );

		list( $idString, $guid ) = $this->getIdentifiers( $params );

		try {
			$entityId = $this->idParser->parse( $idString );
		} catch ( EntityIdParsingException $e ) {
			$this->errorReporter->dieException( $e, 'param-invalid' );
		}

		/** @var EntityId $entityId */
		$entity = $this->entityLoadingHelper->loadEntity( $entityId );

		$statements = $this->getStatements( $entity, $guid );
		$this->resultBuilder->addStatements( $statements, null, $params['props'] );
	}

	private function validateParameters( array $params ): void {
		if ( !isset( $params['entity'] ) && !isset( $params['claim'] ) ) {
			$this->errorReporter->dieError(

				'Either the entity parameter or the claim parameter need to be set',
				'param-missing'
			);
		}
	}

	private function getStatements( EntityDocument $entity, ?string $guid ): StatementList {
		if ( !( $entity instanceof StatementListProvider ) ) {
			return new StatementList();
		}

		$statements = $entity->getStatements();

		if ( $guid === null ) {
			return $statements->filter( $this->newRequestParamsBasedFilter() );
		}

		$statement = $statements->getFirstStatementWithGuid( $guid );
		return new StatementList( $statement === null ? [] : $statement );
	}

	private function newRequestParamsBasedFilter(): GetClaimsStatementFilter {
		return new GetClaimsStatementFilter(
			$this->idParser,
			$this->errorReporter,
			$this->extractRequestParams()
		);
	}

	/**
	 * Obtains the id of the entity for which to obtain claims and the claim GUID
	 * in case it was also provided.
	 *
	 * @param array $params
	 *
	 * @return array
	 * First element is a prefixed entity id string.
	 * Second element is either null or a statements GUID.
	 */
	private function getIdentifiers( array $params ): array {
		$guid = null;

		if ( isset( $params['claim'] ) ) {
			$guid = $params['claim'];
			$idString = $this->getEntityIdFromStatementGuid( $params['claim'] );

			if ( isset( $params['entity'] ) && $idString !== $params['entity'] ) {
				$this->errorReporter->dieError(

					'If both entity id and claim key are provided they need to point to the same entity',
					'param-illegal'
				);
			}
		} else {
			$idString = $params['entity'];
		}

		return [ $idString, $guid ];
	}

	private function getEntityIdFromStatementGuid( string $guid ): string {
		if ( $this->guidValidator->validateFormat( $guid ) === false ) {
			$this->errorReporter->dieError( 'Invalid claim guid', 'invalid-guid' );

		}

		return $this->guidParser->parse( $guid )->getEntityId()->getSerialization();
	}

	/**
	 * @inheritDoc
	 */
	protected function getAllowedParams(): array {
		return [
			'entity' => [
				self::PARAM_TYPE => 'string',
			],
			'property' => [
				self::PARAM_TYPE => 'string',
			],
			'claim' => [
				self::PARAM_TYPE => 'string',
			],
			'rank' => [
				self::PARAM_TYPE => StatementRankSerializer::getRanks(),
			],
			'props' => [
				self::PARAM_TYPE => [
					'references',
				],
				self::PARAM_DFLT => 'references',
				self::PARAM_ISMULTI => true,
			],
		];
	}

	/**
	 * @inheritDoc
	 */
	protected function getExamplesMessages(): array {
		return [
			"action=wbgetclaims&entity=Q42" =>
				"apihelp-wbgetclaims-example-1",
			"action=wbgetclaims&entity=Q42&property=P31" =>
				"apihelp-wbgetclaims-example-2",
			"action=wbgetclaims&entity=Q42&rank=normal" =>
				"apihelp-wbgetclaims-example-3",
			'action=wbgetclaims&claim=Q42$D8404CDA-25E4-4334-AF13-A3290BCD9C0F' =>
				'apihelp-wbgetclaims-example-4',
		];
	}

}


1			<?php
2
3			declare( strict_types = 1 );
4
5			namespace Wikibase\Repo\Api;
6
7			use ApiBase;
8			use ApiMain;
9			use Wikibase\DataModel\Entity\EntityDocument;
10			use Wikibase\DataModel\Entity\EntityId;
11			use Wikibase\DataModel\Entity\EntityIdParser;
12			use Wikibase\DataModel\Entity\EntityIdParsingException;
13			use Wikibase\DataModel\Services\Statement\StatementGuidParser;
14			use Wikibase\DataModel\Services\Statement\StatementGuidValidator;
15			use Wikibase\DataModel\Statement\StatementList;
16			use Wikibase\DataModel\Statement\StatementListProvider;
17			use Wikibase\Repo\StatementRankSerializer;
18			use Wikibase\Repo\WikibaseRepo;
19
20			/**
21			* API module for getting claims.
22			*
23			* @license GPL-2.0-or-later
24			* @author Jeroen De Dauw < [email protected] >
25			* @author Addshore
26			*/
27			class GetClaims extends ApiBase {
28
29			/**
30			* @var StatementGuidValidator
31			*/
32			private $guidValidator;
33
34			/**
35			* @var StatementGuidParser
36			*/
37			private $guidParser;
38
39			/**
40			* @var ApiErrorReporter
41			*/
42			private $errorReporter;
43
44			/**
45			* @var EntityIdParser
46			*/
47			private $idParser;
48
49			/**
50			* @var EntityLoadingHelper
51			*/
52			private $entityLoadingHelper;
53
54			/**
55			* @var ResultBuilder
56			*/
57			private $resultBuilder;
58
59			/**
60			* @see ApiBase::__construct
61			*
62			* @param ApiMain $mainModule
63			* @param string $moduleName
64			* @param StatementGuidValidator $guidValidator
65			* @param StatementGuidParser $guidParser
66			* @param EntityIdParser $idParser
67			* @param ApiErrorReporter $errorReporter
68			* @param callable $resultBuilderInstantiator
69			* @param callable $entityLoadingHelperInstantiator
70			*/
71			public function __construct(
72			ApiMain $mainModule,
73			string $moduleName,
74			StatementGuidValidator $guidValidator,
75			StatementGuidParser $guidParser,
76			EntityIdParser $idParser,
77			ApiErrorReporter $errorReporter,
78			callable $resultBuilderInstantiator,
79			callable $entityLoadingHelperInstantiator
80			) {
81			parent::__construct( $mainModule, $moduleName );
82
83			$this->guidValidator = $guidValidator;
84			$this->guidParser = $guidParser;
85			$this->idParser = $idParser;
86			$this->errorReporter = $errorReporter;
87			$this->resultBuilder = $resultBuilderInstantiator( $this );
88			$this->entityLoadingHelper = $entityLoadingHelperInstantiator( $this );
89			}
90
91			public static function factory( ApiMain $mainModule, string $moduleName ): self {
92			$wikibaseRepo = WikibaseRepo::getDefaultInstance();
93			$apiHelperFactory = $wikibaseRepo->getApiHelperFactory( $mainModule->getContext() );
94
95			return new self(
96			$mainModule,
97			$moduleName,
98			$wikibaseRepo->getStatementGuidValidator(),
99			$wikibaseRepo->getStatementGuidParser(),
100			$wikibaseRepo->getEntityIdParser(),
101			$apiHelperFactory->getErrorReporter( $mainModule ),
102			function ( $module ) use ( $apiHelperFactory ) {
103			return $apiHelperFactory->getResultBuilder( $module );
104			},
105			function ( $module ) use ( $apiHelperFactory ) {
106			return $apiHelperFactory->getEntityLoadingHelper( $module );
107			}
108			);
109			}
110
111			/**
112			* @inheritDoc
113			*/
114			public function execute(): void {
115			$this->getMain()->setCacheMode( 'public' );
116
117			$params = $this->extractRequestParams();
118			$this->validateParameters( $params );
119
120			list( $idString, $guid ) = $this->getIdentifiers( $params );
121
122			try {
123			$entityId = $this->idParser->parse( $idString );
124			} catch ( EntityIdParsingException $e ) {
125			$this->errorReporter->dieException( $e, 'param-invalid' );
126			}
127
128			/** @var EntityId $entityId */
129			$entity = $this->entityLoadingHelper->loadEntity( $entityId );
130
131			$statements = $this->getStatements( $entity, $guid );
132			$this->resultBuilder->addStatements( $statements, null, $params['props'] );
133			}
134
135			private function validateParameters( array $params ): void {
136			if ( !isset( $params['entity'] ) && !isset( $params['claim'] ) ) {
137			$this->errorReporter->dieError(
			0 ignored issues – show Deprecated Code introduced 2019-12-03 12:42 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `Wikibase\Repo\Api\ApiErrorReporter::dieError()` has been deprecated with message: Use dieWithError() instead. This method has been deprecated. The supplier of the class has supplied an explanatory message. The explanatory message should give you some clue as to whether and when the method will be removed from the class and what other method or class to use instead. Loading history...
138			'Either the entity parameter or the claim parameter need to be set',
139			'param-missing'
140			);
141			}
142			}
143
144			private function getStatements( EntityDocument $entity, ?string $guid ): StatementList {
145			if ( !( $entity instanceof StatementListProvider ) ) {
146			return new StatementList();
147			}
148
149			$statements = $entity->getStatements();
150
151			if ( $guid === null ) {
152			return $statements->filter( $this->newRequestParamsBasedFilter() );
153			}
154
155			$statement = $statements->getFirstStatementWithGuid( $guid );
156			return new StatementList( $statement === null ? [] : $statement );
157			}
158
159			private function newRequestParamsBasedFilter(): GetClaimsStatementFilter {
160			return new GetClaimsStatementFilter(
161			$this->idParser,
162			$this->errorReporter,
163			$this->extractRequestParams()
164			);
165			}
166
167			/**
168			* Obtains the id of the entity for which to obtain claims and the claim GUID
169			* in case it was also provided.
170			*
171			* @param array $params
172			*
173			* @return array
174			* First element is a prefixed entity id string.
175			* Second element is either null or a statements GUID.
176			*/
177			private function getIdentifiers( array $params ): array {
178			$guid = null;
179
180			if ( isset( $params['claim'] ) ) {
181			$guid = $params['claim'];
182			$idString = $this->getEntityIdFromStatementGuid( $params['claim'] );
183
184			if ( isset( $params['entity'] ) && $idString !== $params['entity'] ) {
185			$this->errorReporter->dieError(
			0 ignored issues – show Deprecated Code introduced 2019-12-03 12:42 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `Wikibase\Repo\Api\ApiErrorReporter::dieError()` has been deprecated with message: Use dieWithError() instead. This method has been deprecated. The supplier of the class has supplied an explanatory message. The explanatory message should give you some clue as to whether and when the method will be removed from the class and what other method or class to use instead. Loading history...
186			'If both entity id and claim key are provided they need to point to the same entity',
187			'param-illegal'
188			);
189			}
190			} else {
191			$idString = $params['entity'];
192			}
193
194			return [ $idString, $guid ];
195			}
196
197			private function getEntityIdFromStatementGuid( string $guid ): string {
198			if ( $this->guidValidator->validateFormat( $guid ) === false ) {
199			$this->errorReporter->dieError( 'Invalid claim guid', 'invalid-guid' );
			0 ignored issues – show Deprecated Code introduced 2019-12-03 12:42 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `Wikibase\Repo\Api\ApiErrorReporter::dieError()` has been deprecated with message: Use dieWithError() instead. This method has been deprecated. The supplier of the class has supplied an explanatory message. The explanatory message should give you some clue as to whether and when the method will be removed from the class and what other method or class to use instead. Loading history...
200			}
201
202			return $this->guidParser->parse( $guid )->getEntityId()->getSerialization();
203			}
204
205			/**
206			* @inheritDoc
207			*/
208			protected function getAllowedParams(): array {
209			return [
210			'entity' => [
211			self::PARAM_TYPE => 'string',
212			],
213			'property' => [
214			self::PARAM_TYPE => 'string',
215			],
216			'claim' => [
217			self::PARAM_TYPE => 'string',
218			],
219			'rank' => [
220			self::PARAM_TYPE => StatementRankSerializer::getRanks(),
221			],
222			'props' => [
223			self::PARAM_TYPE => [
224			'references',
225			],
226			self::PARAM_DFLT => 'references',
227			self::PARAM_ISMULTI => true,
228			],
229			];
230			}
231
232			/**
233			* @inheritDoc
234			*/
235			protected function getExamplesMessages(): array {
236			return [
237			"action=wbgetclaims&entity=Q42" =>
238			"apihelp-wbgetclaims-example-1",
239			"action=wbgetclaims&entity=Q42&property=P31" =>
240			"apihelp-wbgetclaims-example-2",
241			"action=wbgetclaims&entity=Q42&rank=normal" =>
242			"apihelp-wbgetclaims-example-3",
243			'action=wbgetclaims&claim=Q42$D8404CDA-25E4-4334-AF13-A3290BCD9C0F' =>
244			'apihelp-wbgetclaims-example-4',
245			];
246			}
247
248			}
249

wikimedia / mediawiki-extensions-Wikibase

Issues (1401)

Security Analysis no request data

repo/includes/Api/GetClaims.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like