Issues in SetAliases.php (master) - Issues in master - wikimedia/mediawiki-extensions-Wikibase - Measure and Improve Code Quality continuously with Scrutinizer

Issues (1401)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

repo/includes/Api/SetAliases.php (3 issues)

Labels

Severity

Minor 3

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

declare( strict_types = 1 );

namespace Wikibase\Repo\Api;

use ApiMain;
use ApiUsageException;
use IBufferingStatsdDataFactory;
use Wikibase\DataModel\Entity\EntityDocument;
use Wikibase\DataModel\Term\AliasesProvider;
use Wikibase\Lib\Summary;
use Wikibase\Repo\ChangeOp\ChangeOp;
use Wikibase\Repo\ChangeOp\ChangeOps;
use Wikibase\Repo\ChangeOp\FingerprintChangeOpFactory;
use Wikibase\Repo\WikibaseRepo;

/**
 * API module to set the aliases for a Wikibase entity.
 * Requires API write mode to be enabled.
 *
 * @license GPL-2.0-or-later
 */
class SetAliases extends ModifyEntity {

	/**
	 * @var FingerprintChangeOpFactory
	 */
	private $termChangeOpFactory;

	/** @var IBufferingStatsdDataFactory */
	private $stats;

	public function __construct(
		ApiMain $mainModule,
		string $moduleName,
		FingerprintChangeOpFactory $termChangeOpFactory,
		IBufferingStatsdDataFactory $stats,
		bool $federatedPropertiesEnabled
	) {
		parent::__construct( $mainModule, $moduleName, $federatedPropertiesEnabled );
		$this->termChangeOpFactory = $termChangeOpFactory;
		$this->stats = $stats;
	}

	public static function factory( ApiMain $mainModule, string $moduleName, IBufferingStatsdDataFactory $stats ): self {
		$wikibaseRepo = WikibaseRepo::getDefaultInstance();
		return new self(
			$mainModule,
			$moduleName,
			$wikibaseRepo->getChangeOpFactoryProvider()
				->getFingerprintChangeOpFactory(),
			$stats,
			$wikibaseRepo->inFederatedPropertyMode()
		);
	}

	/**
	 * @see ApiBase::needsToken
	 *
	 * @return string
	 */
	public function needsToken(): string {
		return 'csrf';
	}

	/**
	 * @see ApiBase::isWriteMode()
	 *
	 * @return bool Always true.
	 */
	public function isWriteMode(): bool {
		return true;
	}

	/**
	 * @see ModifyEntity::validateParameters
	 *
	 * @param array $params
	 *
	 * @throws ApiUsageException
	 */
	protected function validateParameters( array $params ): void {
		parent::validateParameters( $params );

		if ( !( ( !empty( $params['add'] ) || !empty( $params['remove'] ) )
			xor isset( $params['set'] )
		) ) {
			$this->errorReporter->dieError(

				"Parameters 'add' and 'remove' are not allowed to be set when parameter 'set' is provided",
				'invalid-list'
			);
		}
	}

	private function adjustSummary( Summary $summary, array $params, AliasesProvider $entity ): void {
		if ( !empty( $params['add'] ) && !empty( $params['remove'] ) ) {
			$language = $params['language'];

			$aliasGroups = $entity->getAliasGroups();

			$summary->setAction( 'update' );
			$summary->setLanguage( $language );

			// Get the full list of current aliases
			if ( $aliasGroups->hasGroupForLanguage( $language ) ) {
				$aliases = $aliasGroups->getByLanguage( $language )->getAliases();
				$summary->addAutoSummaryArgs( $aliases );
			}
		}
	}

	protected function modifyEntity( EntityDocument $entity, ChangeOp $changeOp, array $preparedParameters ): Summary {
		if ( !( $entity instanceof AliasesProvider ) ) {
			$this->errorReporter->dieError( 'The given entity cannot contain aliases', 'not-supported' );

		}

		$language = $preparedParameters['language'];

		// FIXME: if we have ADD and REMOVE operations in the same call,
		// we will also have two ChangeOps updating the same edit summary.
		// This will cause the edit summary to be overwritten by the last ChangeOp being applied.
		$this->stats->increment( 'wikibase.repo.api.wbsetaliases.total' );
		if ( !empty( $preparedParameters['add'] ) && !empty( $preparedParameters['remove'] ) ) {
			$this->stats->increment( 'wikibase.repo.api.wbsetaliases.addremove' );
		}

		$summary = $this->createSummary( $preparedParameters );

		$this->applyChangeOp( $changeOp, $entity, $summary );

		$this->adjustSummary( $summary, $preparedParameters, $entity );

		$aliasGroups = $entity->getAliasGroups();
interface User
{
    /** @return string */
    public function getPassword();
}

class MyUser implements User
{
    public function getPassword()
    {
        // return something
    }

    public function getDisplayName()
    {
        // return some name.
    }
}

class AuthSystem
{
    public function authenticate(User $user)
    {
        $this->logger->info(sprintf('Authenticating %s.', $user->getDisplayName()));
        // do something.
    }
}

		if ( $aliasGroups->hasGroupForLanguage( $language ) ) {
			$aliasGroupList = $aliasGroups->getWithLanguages( [ $language ] );
			$this->getResultBuilder()->addAliasGroupList( $aliasGroupList, 'entity' );
		}

		return $summary;
	}

	/**
	 * @param string[] $aliases
	 *
	 * @return string[]
	 */
	private function normalizeAliases( array $aliases ): array {
		$stringNormalizer = $this->stringNormalizer;

		$aliases = array_map(
			function( $str ) use ( $stringNormalizer ) {
				return $stringNormalizer->trimToNFC( $str );
			},
			$aliases
		);

		$aliases = array_filter(
			$aliases,
			function( $str ) {
				return $str !== '';
			}
		);

		return $aliases;
	}

	protected function getChangeOp( array $preparedParameters, EntityDocument $entity ): ChangeOp {
		$changeOps = [];
		$language = $preparedParameters['language'];

		// Set the list of aliases to a user given one OR add/ remove certain entries
		if ( isset( $preparedParameters['set'] ) ) {
			$changeOps[] =
				$this->termChangeOpFactory->newSetAliasesOp(
					$language,
					$this->normalizeAliases( $preparedParameters['set'] )
				);
		} else {
			// FIXME: if we have ADD and REMOVE operations in the same call,
			// we will also have two ChangeOps updating the same edit summary.
			// This will cause the edit summary to be overwritten by the last ChangeOp beeing applied.
			if ( !empty( $preparedParameters['add'] ) ) {
				$changeOps[] =
					$this->termChangeOpFactory->newAddAliasesOp(
						$language,
						$this->normalizeAliases( $preparedParameters['add'] )
					);
			}

			if ( !empty( $preparedParameters['remove'] ) ) {
				$changeOps[] =
					$this->termChangeOpFactory->newRemoveAliasesOp(
						$language,
						$this->normalizeAliases( $preparedParameters['remove'] )
					);
			}
		}

		return $this->termChangeOpFactory->newFingerprintChangeOp( new ChangeOps( $changeOps ) );
	}

	/**
	 * @inheritDoc
	 */
	protected function getAllowedParams(): array {
		return array_merge(
			parent::getAllowedParams(),
			[
				'add' => [
					self::PARAM_TYPE => 'string',
					self::PARAM_ISMULTI => true,
				],
				'remove' => [
					self::PARAM_TYPE => 'string',
					self::PARAM_ISMULTI => true,
				],
				'set' => [
					self::PARAM_TYPE => 'string',
					self::PARAM_ISMULTI => true,
				],
				'language' => [
					self::PARAM_TYPE => WikibaseRepo::getDefaultInstance()->getTermsLanguages()->getLanguages(),
					self::PARAM_REQUIRED => true,
				],
				'new' => [
					self::PARAM_TYPE => $this->getEntityTypesWithAliases(),
				],
			]
		);
	}

	protected function getEntityTypesWithAliases(): array {
		// TODO inject me
		$entityFactory = WikibaseRepo::getDefaultInstance()->getEntityFactory();
		$supportedEntityTypes = [];
		foreach ( $this->enabledEntityTypes as $entityType ) {
			$testEntity = $entityFactory->newEmpty( $entityType );
			if ( $testEntity instanceof AliasesProvider ) {
				$supportedEntityTypes[] = $entityType;
			}
		}
		return $supportedEntityTypes;
	}

	/**
	 * @inheritDoc
	 */
	protected function getExamplesMessages(): array {
		return [
			'action=wbsetaliases&language=en&id=Q1&set=Foo|Bar'
				=> 'apihelp-wbsetaliases-example-1',

			'action=wbsetaliases&language=en&id=Q1&add=Foo|Bar'
				=> 'apihelp-wbsetaliases-example-2',

			'action=wbsetaliases&language=en&id=Q1&remove=Foo|Bar'
				=> 'apihelp-wbsetaliases-example-3',

			'action=wbsetaliases&language=en&id=Q1&remove=Foo&add=Bar'
				=> 'apihelp-wbsetaliases-example-4',
		];
	}

}


Issues (1401)

Security Analysis no request data

repo/includes/Api/SetAliases.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Available Fixes

1			<?php
2
3			declare( strict_types = 1 );
4
5			namespace Wikibase\Repo\Api;
6
7			use ApiMain;
8			use ApiUsageException;
9			use IBufferingStatsdDataFactory;
10			use Wikibase\DataModel\Entity\EntityDocument;
11			use Wikibase\DataModel\Term\AliasesProvider;
12			use Wikibase\Lib\Summary;
13			use Wikibase\Repo\ChangeOp\ChangeOp;
14			use Wikibase\Repo\ChangeOp\ChangeOps;
15			use Wikibase\Repo\ChangeOp\FingerprintChangeOpFactory;
16			use Wikibase\Repo\WikibaseRepo;
17
18			/**
19			* API module to set the aliases for a Wikibase entity.
20			* Requires API write mode to be enabled.
21			*
22			* @license GPL-2.0-or-later
23			*/
24			class SetAliases extends ModifyEntity {
25
26			/**
27			* @var FingerprintChangeOpFactory
28			*/
29			private $termChangeOpFactory;
30
31			/** @var IBufferingStatsdDataFactory */
32			private $stats;
33
34			public function __construct(
35			ApiMain $mainModule,
36			string $moduleName,
37			FingerprintChangeOpFactory $termChangeOpFactory,
38			IBufferingStatsdDataFactory $stats,
39			bool $federatedPropertiesEnabled
40			) {
41			parent::__construct( $mainModule, $moduleName, $federatedPropertiesEnabled );
42			$this->termChangeOpFactory = $termChangeOpFactory;
43			$this->stats = $stats;
44			}
45
46			public static function factory( ApiMain $mainModule, string $moduleName, IBufferingStatsdDataFactory $stats ): self {
47			$wikibaseRepo = WikibaseRepo::getDefaultInstance();
48			return new self(
49			$mainModule,
50			$moduleName,
51			$wikibaseRepo->getChangeOpFactoryProvider()
52			->getFingerprintChangeOpFactory(),
53			$stats,
54			$wikibaseRepo->inFederatedPropertyMode()
55			);
56			}
57
58			/**
59			* @see ApiBase::needsToken
60			*
61			* @return string
62			*/
63			public function needsToken(): string {
64			return 'csrf';
65			}
66
67			/**
68			* @see ApiBase::isWriteMode()
69			*
70			* @return bool Always true.
71			*/
72			public function isWriteMode(): bool {
73			return true;
74			}
75
76			/**
77			* @see ModifyEntity::validateParameters
78			*
79			* @param array $params
80			*
81			* @throws ApiUsageException
82			*/
83			protected function validateParameters( array $params ): void {
84			parent::validateParameters( $params );
85
86			if ( !( ( !empty( $params['add'] ) \|\| !empty( $params['remove'] ) )
87			xor isset( $params['set'] )
88			) ) {
89			$this->errorReporter->dieError(
			0 ignored issues – show Deprecated Code introduced 2019-12-03 12:42 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `Wikibase\Repo\Api\ApiErrorReporter::dieError()` has been deprecated with message: Use dieWithError() instead. This method has been deprecated. The supplier of the class has supplied an explanatory message. The explanatory message should give you some clue as to whether and when the method will be removed from the class and what other method or class to use instead. Loading history...
90			"Parameters 'add' and 'remove' are not allowed to be set when parameter 'set' is provided",
91			'invalid-list'
92			);
93			}
94			}
95
96			private function adjustSummary( Summary $summary, array $params, AliasesProvider $entity ): void {
97			if ( !empty( $params['add'] ) && !empty( $params['remove'] ) ) {
98			$language = $params['language'];
99
100			$aliasGroups = $entity->getAliasGroups();
101
102			$summary->setAction( 'update' );
103			$summary->setLanguage( $language );
104
105			// Get the full list of current aliases
106			if ( $aliasGroups->hasGroupForLanguage( $language ) ) {
107			$aliases = $aliasGroups->getByLanguage( $language )->getAliases();
108			$summary->addAutoSummaryArgs( $aliases );
109			}
110			}
111			}
112
113			protected function modifyEntity( EntityDocument $entity, ChangeOp $changeOp, array $preparedParameters ): Summary {
114			if ( !( $entity instanceof AliasesProvider ) ) {
115			$this->errorReporter->dieError( 'The given entity cannot contain aliases', 'not-supported' );
			0 ignored issues – show Deprecated Code introduced 2019-12-03 12:42 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `Wikibase\Repo\Api\ApiErrorReporter::dieError()` has been deprecated with message: Use dieWithError() instead. This method has been deprecated. The supplier of the class has supplied an explanatory message. The explanatory message should give you some clue as to whether and when the method will be removed from the class and what other method or class to use instead. Loading history...
116			}
117
118			$language = $preparedParameters['language'];
119
120			// FIXME: if we have ADD and REMOVE operations in the same call,
121			// we will also have two ChangeOps updating the same edit summary.
122			// This will cause the edit summary to be overwritten by the last ChangeOp being applied.
123			$this->stats->increment( 'wikibase.repo.api.wbsetaliases.total' );
124			if ( !empty( $preparedParameters['add'] ) && !empty( $preparedParameters['remove'] ) ) {
125			$this->stats->increment( 'wikibase.repo.api.wbsetaliases.addremove' );
126			}
127
128			$summary = $this->createSummary( $preparedParameters );
129
130			$this->applyChangeOp( $changeOp, $entity, $summary );
131
132			$this->adjustSummary( $summary, $preparedParameters, $entity );
133
134			$aliasGroups = $entity->getAliasGroups();
			0 ignored issues – show Bug introduced 2016-03-15 13:13 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like you code against a concrete implementation and not the interface `Wikibase\DataModel\Entity\EntityDocument` as the method `getAliasGroups()` does only exist in the following implementations of said interface: `Wikibase\DataModel\Entity\Item`, `Wikibase\DataModel\Entity\Property`. Let’s take a look at an example: interface User { /** @return string / public function getPassword(); } class MyUser implements User { public function getPassword() { // return something } public function getDisplayName() { // return some name. } } class AuthSystem { public function authenticate(User $user) { $this->logger->info(sprintf('Authenticating %s.', $user->getDisplayName())); // do something. } } In the above example, the authenticate() method works fine as long as you just pass instances of MyUser. However, if you now also want to pass a different implementation of User which does not have a getDisplayName() method, the code will break. Available Fixes Change the type-hint for the parameter: class AuthSystem { public function authenticate(MyUser $user) { / ... / } } Add an additional type-check: class AuthSystem { public function authenticate(User $user) { if ($user instanceof MyUser) { $this->logger->info(/* ... /); } // or alternatively if ( ! $user instanceof MyUser) { throw new \LogicException( '$user must be an instance of MyUser, ' .'other instances are not supported.' ); } } } Note:* PHP Analyzer uses reverse abstract interpretation to narrow down the types inside the if block in such a case. Add the method to the interface: interface User { /** @return string / public function getPassword(); /* @return string */ public function getDisplayName(); } Loading history...
135
136			if ( $aliasGroups->hasGroupForLanguage( $language ) ) {
137			$aliasGroupList = $aliasGroups->getWithLanguages( [ $language ] );
138			$this->getResultBuilder()->addAliasGroupList( $aliasGroupList, 'entity' );
139			}
140
141			return $summary;
142			}
143
144			/**
145			* @param string[] $aliases
146			*
147			* @return string[]
148			*/
149			private function normalizeAliases( array $aliases ): array {
150			$stringNormalizer = $this->stringNormalizer;
151
152			$aliases = array_map(
153			function( $str ) use ( $stringNormalizer ) {
154			return $stringNormalizer->trimToNFC( $str );
155			},
156			$aliases
157			);
158
159			$aliases = array_filter(
160			$aliases,
161			function( $str ) {
162			return $str !== '';
163			}
164			);
165
166			return $aliases;
167			}
168
169			protected function getChangeOp( array $preparedParameters, EntityDocument $entity ): ChangeOp {
170			$changeOps = [];
171			$language = $preparedParameters['language'];
172
173			// Set the list of aliases to a user given one OR add/ remove certain entries
174			if ( isset( $preparedParameters['set'] ) ) {
175			$changeOps[] =
176			$this->termChangeOpFactory->newSetAliasesOp(
177			$language,
178			$this->normalizeAliases( $preparedParameters['set'] )
179			);
180			} else {
181			// FIXME: if we have ADD and REMOVE operations in the same call,
182			// we will also have two ChangeOps updating the same edit summary.
183			// This will cause the edit summary to be overwritten by the last ChangeOp beeing applied.
184			if ( !empty( $preparedParameters['add'] ) ) {
185			$changeOps[] =
186			$this->termChangeOpFactory->newAddAliasesOp(
187			$language,
188			$this->normalizeAliases( $preparedParameters['add'] )
189			);
190			}
191
192			if ( !empty( $preparedParameters['remove'] ) ) {
193			$changeOps[] =
194			$this->termChangeOpFactory->newRemoveAliasesOp(
195			$language,
196			$this->normalizeAliases( $preparedParameters['remove'] )
197			);
198			}
199			}
200
201			return $this->termChangeOpFactory->newFingerprintChangeOp( new ChangeOps( $changeOps ) );
202			}
203
204			/**
205			* @inheritDoc
206			*/
207			protected function getAllowedParams(): array {
208			return array_merge(
209			parent::getAllowedParams(),
210			[
211			'add' => [
212			self::PARAM_TYPE => 'string',
213			self::PARAM_ISMULTI => true,
214			],
215			'remove' => [
216			self::PARAM_TYPE => 'string',
217			self::PARAM_ISMULTI => true,
218			],
219			'set' => [
220			self::PARAM_TYPE => 'string',
221			self::PARAM_ISMULTI => true,
222			],
223			'language' => [
224			self::PARAM_TYPE => WikibaseRepo::getDefaultInstance()->getTermsLanguages()->getLanguages(),
225			self::PARAM_REQUIRED => true,
226			],
227			'new' => [
228			self::PARAM_TYPE => $this->getEntityTypesWithAliases(),
229			],
230			]
231			);
232			}
233
234			protected function getEntityTypesWithAliases(): array {
235			// TODO inject me
236			$entityFactory = WikibaseRepo::getDefaultInstance()->getEntityFactory();
237			$supportedEntityTypes = [];
238			foreach ( $this->enabledEntityTypes as $entityType ) {
239			$testEntity = $entityFactory->newEmpty( $entityType );
240			if ( $testEntity instanceof AliasesProvider ) {
241			$supportedEntityTypes[] = $entityType;
242			}
243			}
244			return $supportedEntityTypes;
245			}
246
247			/**
248			* @inheritDoc
249			*/
250			protected function getExamplesMessages(): array {
251			return [
252			'action=wbsetaliases&language=en&id=Q1&set=Foo\|Bar'
253			=> 'apihelp-wbsetaliases-example-1',
254
255			'action=wbsetaliases&language=en&id=Q1&add=Foo\|Bar'
256			=> 'apihelp-wbsetaliases-example-2',
257
258			'action=wbsetaliases&language=en&id=Q1&remove=Foo\|Bar'
259			=> 'apihelp-wbsetaliases-example-3',
260
261			'action=wbsetaliases&language=en&id=Q1&remove=Foo&add=Bar'
262			=> 'apihelp-wbsetaliases-example-4',
263			];
264			}
265
266			}
267

wikimedia / mediawiki-extensions-Wikibase

Issues (1401)

Security Analysis no request data

repo/includes/Api/SetAliases.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Available Fixes

Duplication Side-by-Side

Filter issues like