Issues in StatementModificationHelper.php (master) - Issues in master - wikimedia/mediawiki-extensions-Wikibase - Measure and Improve Code Quality continuously with Scrutinizer

Issues (1401)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

repo/includes/Api/StatementModificationHelper.php (3 issues)

Labels

Deprecated Code 3

Severity

Minor 3

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace Wikibase\Repo\Api;

use ApiBase;
use ApiUsageException;
use InvalidArgumentException;
use LogicException;
use OutOfBoundsException;
use Wikibase\DataModel\Entity\EntityDocument;
use Wikibase\DataModel\Entity\EntityId;
use Wikibase\DataModel\Entity\EntityIdParser;
use Wikibase\DataModel\Entity\EntityIdParsingException;
use Wikibase\DataModel\Entity\PropertyId;
use Wikibase\DataModel\Services\Lookup\PropertyDataTypeLookupException;
use Wikibase\DataModel\Services\Statement\StatementGuidValidator;
use Wikibase\DataModel\Snak\Snak;
use Wikibase\DataModel\Statement\Statement;
use Wikibase\DataModel\Statement\StatementListProvider;
use Wikibase\Lib\Summary;
use Wikibase\Repo\ChangeOp\ChangeOp;
use Wikibase\Repo\ChangeOp\ChangeOpException;
use Wikibase\Repo\ChangeOp\ChangeOpValidationException;
use Wikibase\Repo\SnakFactory;

/**
 * Helper class for modifying an entities statements.
 *
 * @license GPL-2.0-or-later
 */
class StatementModificationHelper {

	/**
	 * @var SnakFactory
	 */
	private $snakFactory;

	/**
	 * @var EntityIdParser
	 */
	private $entityIdParser;

	/**
	 * @var StatementGuidValidator
	 */
	private $guidValidator;

	/**
	 * @var ApiErrorReporter
	 */
	private $errorReporter;

	public function __construct(
		SnakFactory $snakFactory,
		EntityIdParser $entityIdParser,
		StatementGuidValidator $guidValidator,
		ApiErrorReporter $errorReporter
	) {
		$this->snakFactory = $snakFactory;
		$this->entityIdParser = $entityIdParser;
		$this->guidValidator = $guidValidator;
		$this->errorReporter = $errorReporter;
	}

	/**
	 * @param string $guid
	 *
	 * @return bool
	 */
	public function validateStatementGuid( $guid ) {
		return $this->guidValidator->validate( $guid );
	}

	/**
	 * @param string $guid
	 * @param EntityDocument $entity
	 *
	 * @throws ApiUsageException
	 * @return Statement
	 */
	public function getStatementFromEntity( $guid, EntityDocument $entity ) {
		if ( !( $entity instanceof StatementListProvider ) ) {
			$this->errorReporter->dieError( 'Entity type does not support statements', 'no-such-claim' );

		}

		$statement = $entity->getStatements()->getFirstStatementWithGuid( $guid );

		if ( $statement === null ) {
			$this->errorReporter->dieError( 'Could not find the statement', 'no-such-claim' );

		}

		return $statement;
	}

	/**
	 * @param string[] $params Array with a 'snaktype' and an optional 'value' element.
	 * @param PropertyId $propertyId
	 *
	 * @throws ApiUsageException
	 * @throws LogicException
	 * @return Snak
	 */
	public function getSnakInstance( array $params, PropertyId $propertyId ) {
		$valueData = null;

		if ( isset( $params['value'] ) ) {
			$valueData = json_decode( $params['value'], true );

			if ( $valueData === null ) {
				$this->errorReporter->dieError( 'Could not decode snak value', 'invalid-snak' );

			}
		}

		try {
			$snak = $this->snakFactory->newSnak( $propertyId, $params['snaktype'], $valueData );
			return $snak;
		} catch ( InvalidArgumentException $ex ) {
			$this->errorReporter->dieException( $ex, 'invalid-snak' );
		} catch ( OutOfBoundsException $ex ) {
			$this->errorReporter->dieException( $ex, 'invalid-snak' );
		} catch ( PropertyDataTypeLookupException $ex ) {
			$this->errorReporter->dieException( $ex, 'invalid-snak' );
		}

		throw new LogicException( 'ApiErrorReporter::dieException did not throw an exception' );
	}

	/**
	 * Parses an entity id string coming from the user
	 *
	 * @param string $entityIdParam
	 *
	 * @throws ApiUsageException
	 * @return EntityId
	 * @todo this could go into an EntityModificationHelper or even in a ApiWikibaseHelper
	 */
	public function getEntityIdFromString( $entityIdParam ) {
		try {
			$entityId = $this->entityIdParser->parse( $entityIdParam );
		} catch ( EntityIdParsingException $ex ) {
			$this->errorReporter->dieException( $ex, 'invalid-entity-id' );
		}

		/** @var EntityId $entityId */
		return $entityId;
	}

	/**
	 * Creates a new Summary instance suitable for representing the action performed by this module.
	 *
	 * @param array $params
	 * @param ApiBase $module
	 *
	 * @return Summary
	 */
	public function createSummary( array $params, ApiBase $module ) {
		$summary = new Summary( $module->getModuleName() );
		if ( isset( $params['summary'] ) ) {
			$summary->setUserSummary( $params['summary'] );
		}
		return $summary;
	}

	/**
	 * Applies the given ChangeOp to the given Entity.
	 * Any ChangeOpException is converted into an ApiUsageException with the code 'modification-failed'.
	 *
	 * @param ChangeOp $changeOp
	 * @param EntityDocument $entity
	 * @param Summary|null $summary The summary object to update with information about the change.
	 */
	public function applyChangeOp( ChangeOp $changeOp, EntityDocument $entity, Summary $summary = null ) {
		try {
			$result = $changeOp->validate( $entity );

			if ( !$result->isValid() ) {
				throw new ChangeOpValidationException( $result );
			}

			$changeOp->apply( $entity, $summary );
		} catch ( ChangeOpException $ex ) {
			$this->errorReporter->dieException( $ex, 'modification-failed' );
		}
	}

}


1			<?php
2
3			namespace Wikibase\Repo\Api;
4
5			use ApiBase;
6			use ApiUsageException;
7			use InvalidArgumentException;
8			use LogicException;
9			use OutOfBoundsException;
10			use Wikibase\DataModel\Entity\EntityDocument;
11			use Wikibase\DataModel\Entity\EntityId;
12			use Wikibase\DataModel\Entity\EntityIdParser;
13			use Wikibase\DataModel\Entity\EntityIdParsingException;
14			use Wikibase\DataModel\Entity\PropertyId;
15			use Wikibase\DataModel\Services\Lookup\PropertyDataTypeLookupException;
16			use Wikibase\DataModel\Services\Statement\StatementGuidValidator;
17			use Wikibase\DataModel\Snak\Snak;
18			use Wikibase\DataModel\Statement\Statement;
19			use Wikibase\DataModel\Statement\StatementListProvider;
20			use Wikibase\Lib\Summary;
21			use Wikibase\Repo\ChangeOp\ChangeOp;
22			use Wikibase\Repo\ChangeOp\ChangeOpException;
23			use Wikibase\Repo\ChangeOp\ChangeOpValidationException;
24			use Wikibase\Repo\SnakFactory;
25
26			/**
27			* Helper class for modifying an entities statements.
28			*
29			* @license GPL-2.0-or-later
30			*/
31			class StatementModificationHelper {
32
33			/**
34			* @var SnakFactory
35			*/
36			private $snakFactory;
37
38			/**
39			* @var EntityIdParser
40			*/
41			private $entityIdParser;
42
43			/**
44			* @var StatementGuidValidator
45			*/
46			private $guidValidator;
47
48			/**
49			* @var ApiErrorReporter
50			*/
51			private $errorReporter;
52
53			public function __construct(
54			SnakFactory $snakFactory,
55			EntityIdParser $entityIdParser,
56			StatementGuidValidator $guidValidator,
57			ApiErrorReporter $errorReporter
58			) {
59			$this->snakFactory = $snakFactory;
60			$this->entityIdParser = $entityIdParser;
61			$this->guidValidator = $guidValidator;
62			$this->errorReporter = $errorReporter;
63			}
64
65			/**
66			* @param string $guid
67			*
68			* @return bool
69			*/
70			public function validateStatementGuid( $guid ) {
71			return $this->guidValidator->validate( $guid );
72			}
73
74			/**
75			* @param string $guid
76			* @param EntityDocument $entity
77			*
78			* @throws ApiUsageException
79			* @return Statement
80			*/
81			public function getStatementFromEntity( $guid, EntityDocument $entity ) {
82			if ( !( $entity instanceof StatementListProvider ) ) {
83			$this->errorReporter->dieError( 'Entity type does not support statements', 'no-such-claim' );
			0 ignored issues – show Deprecated Code introduced 2019-12-03 12:42 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `Wikibase\Repo\Api\ApiErrorReporter::dieError()` has been deprecated with message: Use dieWithError() instead. This method has been deprecated. The supplier of the class has supplied an explanatory message. The explanatory message should give you some clue as to whether and when the method will be removed from the class and what other method or class to use instead. Loading history...
84			}
85
86			$statement = $entity->getStatements()->getFirstStatementWithGuid( $guid );
87
88			if ( $statement === null ) {
89			$this->errorReporter->dieError( 'Could not find the statement', 'no-such-claim' );
			0 ignored issues – show Deprecated Code introduced 2019-12-03 12:42 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `Wikibase\Repo\Api\ApiErrorReporter::dieError()` has been deprecated with message: Use dieWithError() instead. This method has been deprecated. The supplier of the class has supplied an explanatory message. The explanatory message should give you some clue as to whether and when the method will be removed from the class and what other method or class to use instead. Loading history...
90			}
91
92			return $statement;
93			}
94
95			/**
96			* @param string[] $params Array with a 'snaktype' and an optional 'value' element.
97			* @param PropertyId $propertyId
98			*
99			* @throws ApiUsageException
100			* @throws LogicException
101			* @return Snak
102			*/
103			public function getSnakInstance( array $params, PropertyId $propertyId ) {
104			$valueData = null;
105
106			if ( isset( $params['value'] ) ) {
107			$valueData = json_decode( $params['value'], true );
108
109			if ( $valueData === null ) {
110			$this->errorReporter->dieError( 'Could not decode snak value', 'invalid-snak' );
			0 ignored issues – show Deprecated Code introduced 2019-12-03 12:42 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `Wikibase\Repo\Api\ApiErrorReporter::dieError()` has been deprecated with message: Use dieWithError() instead. This method has been deprecated. The supplier of the class has supplied an explanatory message. The explanatory message should give you some clue as to whether and when the method will be removed from the class and what other method or class to use instead. Loading history...
111			}
112			}
113
114			try {
115			$snak = $this->snakFactory->newSnak( $propertyId, $params['snaktype'], $valueData );
116			return $snak;
117			} catch ( InvalidArgumentException $ex ) {
118			$this->errorReporter->dieException( $ex, 'invalid-snak' );
119			} catch ( OutOfBoundsException $ex ) {
120			$this->errorReporter->dieException( $ex, 'invalid-snak' );
121			} catch ( PropertyDataTypeLookupException $ex ) {
122			$this->errorReporter->dieException( $ex, 'invalid-snak' );
123			}
124
125			throw new LogicException( 'ApiErrorReporter::dieException did not throw an exception' );
126			}
127
128			/**
129			* Parses an entity id string coming from the user
130			*
131			* @param string $entityIdParam
132			*
133			* @throws ApiUsageException
134			* @return EntityId
135			* @todo this could go into an EntityModificationHelper or even in a ApiWikibaseHelper
136			*/
137			public function getEntityIdFromString( $entityIdParam ) {
138			try {
139			$entityId = $this->entityIdParser->parse( $entityIdParam );
140			} catch ( EntityIdParsingException $ex ) {
141			$this->errorReporter->dieException( $ex, 'invalid-entity-id' );
142			}
143
144			/** @var EntityId $entityId */
145			return $entityId;
146			}
147
148			/**
149			* Creates a new Summary instance suitable for representing the action performed by this module.
150			*
151			* @param array $params
152			* @param ApiBase $module
153			*
154			* @return Summary
155			*/
156			public function createSummary( array $params, ApiBase $module ) {
157			$summary = new Summary( $module->getModuleName() );
158			if ( isset( $params['summary'] ) ) {
159			$summary->setUserSummary( $params['summary'] );
160			}
161			return $summary;
162			}
163
164			/**
165			* Applies the given ChangeOp to the given Entity.
166			* Any ChangeOpException is converted into an ApiUsageException with the code 'modification-failed'.
167			*
168			* @param ChangeOp $changeOp
169			* @param EntityDocument $entity
170			* @param Summary\|null $summary The summary object to update with information about the change.
171			*/
172			public function applyChangeOp( ChangeOp $changeOp, EntityDocument $entity, Summary $summary = null ) {
173			try {
174			$result = $changeOp->validate( $entity );
175
176			if ( !$result->isValid() ) {
177			throw new ChangeOpValidationException( $result );
178			}
179
180			$changeOp->apply( $entity, $summary );
181			} catch ( ChangeOpException $ex ) {
182			$this->errorReporter->dieException( $ex, 'modification-failed' );
183			}
184			}
185
186			}
187

wikimedia / mediawiki-extensions-Wikibase

Issues (1401)

Security Analysis no request data

repo/includes/Api/StatementModificationHelper.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like