Issues in PageProps.php (master) - Issues in master - wikimedia/mediawiki - Measure and Improve Code Quality continuously with Scrutinizer

Issues (4122)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

includes/PageProps.php (3 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * Access to properties of a page.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License along
 * with this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 * http://www.gnu.org/copyleft/gpl.html
 *
 * @file
 */
use Wikimedia\ScopedCallback;
.
|-- OtherDir
|   |-- Bar.php
|   `-- Foo.php
`-- SomeDir
    `-- Foo.php

/**
 * Gives access to properties of a page.
 *
 * @since 1.27
 *
 */
class PageProps {


	/**
	 * @var PageProps
	 */
	private static $instance;

	/**
	 * Overrides the default instance of this class
	 * This is intended for use while testing and will fail if MW_PHPUNIT_TEST is not defined.
	 *
	 * If this method is used it MUST also be called with null after a test to ensure a new
	 * default instance is created next time getInstance is called.
	 *
	 * @since 1.27
	 *
	 * @param PageProps|null $store
	 *
	 * @return ScopedCallback to reset the overridden value
	 * @throws MWException
	 */
	public static function overrideInstance( PageProps $store = null ) {
		if ( !defined( 'MW_PHPUNIT_TEST' ) ) {
			throw new MWException(
				'Cannot override ' . __CLASS__ . 'default instance in operation.'
			);
		}
		$previousValue = self::$instance;
		self::$instance = $store;
		return new ScopedCallback( function() use ( $previousValue ) {
			self::$instance = $previousValue;
		} );
	}

	/**
	 * @return PageProps
	 */
	public static function getInstance() {
		if ( self::$instance === null ) {
			self::$instance = new self();
		}
		return self::$instance;
	}

	/** Cache parameters */
	const CACHE_TTL = 10; // integer; TTL in seconds
	const CACHE_SIZE = 100; // integer; max cached pages

	/** Property cache */
	private $cache = null;

	/**
	 * Create a PageProps object
	 */
	private function __construct() {
		$this->cache = new ProcessCacheLRU( self::CACHE_SIZE );
	}

	/**
	 * Ensure that cache has at least this size
	 * @param int $size
	 */
	public function ensureCacheSize( $size ) {
		if ( $this->cache->getSize() < $size ) {
			$this->cache->resize( $size );
		}
	}

	/**
	 * Given one or more Titles and one or more names of properties,
	 * returns an associative array mapping page ID to property value.
	 * Pages in the provided set of Titles that do not have a value for
	 * the given properties will not appear in the returned array. If a
	 * single Title is provided, it does not need to be passed in an array,
	 * but an array will always be returned. If a single property name is
	 * provided, it does not need to be passed in an array. In that case,
	 * an associative array mapping page ID to property value will be
	 * returned; otherwise, an associative array mapping page ID to
	 * an associative array mapping property name to property value will be
	 * returned. An empty array will be returned if no matching properties
	 * were found.
	 *
	 * @param Title[]|Title $titles
	 * @param string[]|string $propertyNames
	 * @return array associative array mapping page ID to property value
	 */
	public function getProperties( $titles, $propertyNames ) {
		if ( is_array( $propertyNames ) ) {
			$gotArray = true;
		} else {
			$propertyNames = [ $propertyNames ];
			$gotArray = false;
		}

		$values = [];
		$goodIDs = $this->getGoodIDs( $titles );
		$queryIDs = [];
		foreach ( $goodIDs as $pageID ) {
			foreach ( $propertyNames as $propertyName ) {
				$propertyValue = $this->getCachedProperty( $pageID, $propertyName );
				if ( $propertyValue === false ) {
					$queryIDs[] = $pageID;
					break;
				} else {
					if ( $gotArray ) {
						$values[$pageID][$propertyName] = $propertyValue;
					} else {
						$values[$pageID] = $propertyValue;
					}
				}
			}
		}

		if ( $queryIDs ) {
			$dbr = wfGetDB( DB_REPLICA );
			$result = $dbr->select(
				'page_props',
				[
					'pp_page',
					'pp_propname',
					'pp_value'
				],
				[
					'pp_page' => $queryIDs,
					'pp_propname' => $propertyNames
				],
				__METHOD__
			);

			foreach ( $result as $row ) {
				$pageID = $row->pp_page;
				$propertyName = $row->pp_propname;
				$propertyValue = $row->pp_value;
				$this->cacheProperty( $pageID, $propertyName, $propertyValue );
				if ( $gotArray ) {
					$values[$pageID][$propertyName] = $propertyValue;
				} else {
					$values[$pageID] = $propertyValue;
				}
			}
		}

		return $values;
	}

	/**
	 * Get all page property values.
	 * Given one or more Titles, returns an associative array mapping page
	 * ID to an associative array mapping property names to property
	 * values. Pages in the provided set of Titles that do not have any
	 * properties will not appear in the returned array. If a single Title
	 * is provided, it does not need to be passed in an array, but an array
	 * will always be returned. An empty array will be returned if no
	 * matching properties were found.
	 *
	 * @param Title[]|Title $titles
	 * @return array associative array mapping page ID to property value array
	 */
	public function getAllProperties( $titles ) {
		$values = [];
		$goodIDs = $this->getGoodIDs( $titles );
		$queryIDs = [];
		foreach ( $goodIDs as $pageID ) {
			$pageProperties = $this->getCachedProperties( $pageID );
			if ( $pageProperties === false ) {
				$queryIDs[] = $pageID;
			} else {
				$values[$pageID] = $pageProperties;
			}
		}

		if ( $queryIDs != [] ) {
			$dbr = wfGetDB( DB_REPLICA );
			$result = $dbr->select(
				'page_props',
				[
					'pp_page',
					'pp_propname',
					'pp_value'
				],
				[
					'pp_page' => $queryIDs,
				],
				__METHOD__
			);

			$currentPageID = 0;
			$pageProperties = [];
			foreach ( $result as $row ) {
				$pageID = $row->pp_page;
				if ( $currentPageID != $pageID ) {
					if ( $pageProperties != [] ) {
						$this->cacheProperties( $currentPageID, $pageProperties );
						$values[$currentPageID] = $pageProperties;
					}
					$currentPageID = $pageID;
					$pageProperties = [];
				}
				$pageProperties[$row->pp_propname] = $row->pp_value;
			}
			if ( $pageProperties != [] ) {
				$this->cacheProperties( $pageID, $pageProperties );
function myFunction($a) {
    switch ($a) {
        case 'foo':
            $x = 1;
            break;

        case 'bar':
            $x = 2;
            break;
    }

    // $x is potentially undefined here.
    echo $x;
}
				$values[$pageID] = $pageProperties;
			}
		}

		return $values;
	}

	/**
	 * @param Title[]|Title $titles
	 * @return array array of good page IDs
	 */
	private function getGoodIDs( $titles ) {
		$result = [];
		if ( is_array( $titles ) ) {
			foreach ( $titles as $title ) {
				$pageID = $title->getArticleID();
				if ( $pageID > 0 ) {
					$result[] = $pageID;
				}
			}
		} else {
			$pageID = $titles->getArticleID();
			if ( $pageID > 0 ) {
				$result[] = $pageID;
			}
		}
		return $result;
	}

	/**
	 * Get a property from the cache.
	 *
	 * @param int $pageID page ID of page being queried
	 * @param string $propertyName name of property being queried
	 * @return string|bool property value array or false if not found
	 */
	private function getCachedProperty( $pageID, $propertyName ) {
		if ( $this->cache->has( $pageID, $propertyName, self::CACHE_TTL ) ) {
			return $this->cache->get( $pageID, $propertyName );
		}
		if ( $this->cache->has( 0, $pageID, self::CACHE_TTL ) ) {
			$pageProperties = $this->cache->get( 0, $pageID );
			if ( isset( $pageProperties[$propertyName] ) ) {
				return $pageProperties[$propertyName];
			}
		}
		return false;
	}

	/**
	 * Get properties from the cache.
	 *
	 * @param int $pageID page ID of page being queried
	 * @return string|bool property value array or false if not found
	 */
	private function getCachedProperties( $pageID ) {
		if ( $this->cache->has( 0, $pageID, self::CACHE_TTL ) ) {
			return $this->cache->get( 0, $pageID );
		}
		return false;
	}

	/**
	 * Save a property to the cache.
	 *
	 * @param int $pageID page ID of page being cached
	 * @param string $propertyName name of property being cached
	 * @param mixed $propertyValue value of property
	 */
	private function cacheProperty( $pageID, $propertyName, $propertyValue ) {
		$this->cache->set( $pageID, $propertyName, $propertyValue );
	}

	/**
	 * Save properties to the cache.
	 *
	 * @param int $pageID page ID of page being cached
	 * @param string[] $pageProperties associative array of page properties to be cached
	 */
	private function cacheProperties( $pageID, $pageProperties ) {
		$this->cache->clear( $pageID );
		$this->cache->set( 0, $pageID, $pageProperties );
	}
}


Issues (4122)

Security Analysis not enabled

includes/PageProps.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Available Fixes

1			<?php
2			/**
3			* Access to properties of a page.
4			*
5			* This program is free software; you can redistribute it and/or modify
6			* it under the terms of the GNU General Public License as published by
7			* the Free Software Foundation; either version 2 of the License, or
8			* (at your option) any later version.
9			*
10			* This program is distributed in the hope that it will be useful,
11			* but WITHOUT ANY WARRANTY; without even the implied warranty of
12			* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13			* GNU General Public License for more details.
14			*
15			* You should have received a copy of the GNU General Public License along
16			* with this program; if not, write to the Free Software Foundation, Inc.,
17			* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
18			* http://www.gnu.org/copyleft/gpl.html
19			*
20			* @file
21			*/
22			use Wikimedia\ScopedCallback;
			0 ignored issues – show Bug introduced 2016-09-29 17:29 UTC by Report Bug Copy Issue Report Show Similar Issues like this This use statement conflicts with another class in this namespace, `ScopedCallback`. Let’s assume that you have a directory layout like this: . \|-- OtherDir \| \|-- Bar.php \| `-- Foo.php `-- SomeDir `-- Foo.php and let’s assume the following content of `Bar.php`: // Bar.php namespace OtherDir; use SomeDir\Foo; // This now conflicts the class OtherDir\Foo If both files `OtherDir/Foo.php` and `SomeDir/Foo.php` are loaded in the same runtime, you will see a PHP error such as the following: PHP Fatal error: Cannot use SomeDir\Foo as Foo because the name is already in use in OtherDir/Foo.php However, as `OtherDir/Foo.php` does not necessarily have to be loaded and the error is only triggered if it is loaded before `OtherDir/Bar.php`, this problem might go unnoticed for a while. In order to prevent this error from surfacing, you must import the namespace with a different alias: // Bar.php namespace OtherDir; use SomeDir\Foo as SomeDirFoo; // There is no conflict anymore. Loading history...
23
24			/**
25			* Gives access to properties of a page.
26			*
27			* @since 1.27
28			*
29			*/
30			class PageProps {
			0 ignored issues – show Coding Style introduced 2016-01-25 18:14 UTC by Report Bug Copy Issue Report Show Similar Issues like this Since you have declared the constructor as private, maybe you should also declare the class as final. Loading history...
31
32			/**
33			* @var PageProps
34			*/
35			private static $instance;
36
37			/**
38			* Overrides the default instance of this class
39			* This is intended for use while testing and will fail if MW_PHPUNIT_TEST is not defined.
40			*
41			* If this method is used it MUST also be called with null after a test to ensure a new
42			* default instance is created next time getInstance is called.
43			*
44			* @since 1.27
45			*
46			* @param PageProps\|null $store
47			*
48			* @return ScopedCallback to reset the overridden value
49			* @throws MWException
50			*/
51			public static function overrideInstance( PageProps $store = null ) {
52			if ( !defined( 'MW_PHPUNIT_TEST' ) ) {
53			throw new MWException(
54			'Cannot override ' . __CLASS__ . 'default instance in operation.'
55			);
56			}
57			$previousValue = self::$instance;
58			self::$instance = $store;
59			return new ScopedCallback( function() use ( $previousValue ) {
60			self::$instance = $previousValue;
61			} );
62			}
63
64			/**
65			* @return PageProps
66			*/
67			public static function getInstance() {
68			if ( self::$instance === null ) {
69			self::$instance = new self();
70			}
71			return self::$instance;
72			}
73
74			/** Cache parameters */
75			const CACHE_TTL = 10; // integer; TTL in seconds
76			const CACHE_SIZE = 100; // integer; max cached pages
77
78			/** Property cache */
79			private $cache = null;
80
81			/**
82			* Create a PageProps object
83			*/
84			private function __construct() {
85			$this->cache = new ProcessCacheLRU( self::CACHE_SIZE );
86			}
87
88			/**
89			* Ensure that cache has at least this size
90			* @param int $size
91			*/
92			public function ensureCacheSize( $size ) {
93			if ( $this->cache->getSize() < $size ) {
94			$this->cache->resize( $size );
95			}
96			}
97
98			/**
99			* Given one or more Titles and one or more names of properties,
100			* returns an associative array mapping page ID to property value.
101			* Pages in the provided set of Titles that do not have a value for
102			* the given properties will not appear in the returned array. If a
103			* single Title is provided, it does not need to be passed in an array,
104			* but an array will always be returned. If a single property name is
105			* provided, it does not need to be passed in an array. In that case,
106			* an associative array mapping page ID to property value will be
107			* returned; otherwise, an associative array mapping page ID to
108			* an associative array mapping property name to property value will be
109			* returned. An empty array will be returned if no matching properties
110			* were found.
111			*
112			* @param Title[]\|Title $titles
113			* @param string[]\|string $propertyNames
114			* @return array associative array mapping page ID to property value
115			*/
116			public function getProperties( $titles, $propertyNames ) {
117			if ( is_array( $propertyNames ) ) {
118			$gotArray = true;
119			} else {
120			$propertyNames = [ $propertyNames ];
121			$gotArray = false;
122			}
123
124			$values = [];
125			$goodIDs = $this->getGoodIDs( $titles );
126			$queryIDs = [];
127			foreach ( $goodIDs as $pageID ) {
128			foreach ( $propertyNames as $propertyName ) {
129			$propertyValue = $this->getCachedProperty( $pageID, $propertyName );
130			if ( $propertyValue === false ) {
131			$queryIDs[] = $pageID;
132			break;
133			} else {
134			if ( $gotArray ) {
135			$values[$pageID][$propertyName] = $propertyValue;
136			} else {
137			$values[$pageID] = $propertyValue;
138			}
139			}
140			}
141			}
142
143			if ( $queryIDs ) {
144			$dbr = wfGetDB( DB_REPLICA );
145			$result = $dbr->select(
146			'page_props',
147			[
148			'pp_page',
149			'pp_propname',
150			'pp_value'
151			],
152			[
153			'pp_page' => $queryIDs,
154			'pp_propname' => $propertyNames
155			],
156			__METHOD__
157			);
158
159			foreach ( $result as $row ) {
160			$pageID = $row->pp_page;
161			$propertyName = $row->pp_propname;
162			$propertyValue = $row->pp_value;
163			$this->cacheProperty( $pageID, $propertyName, $propertyValue );
164			if ( $gotArray ) {
165			$values[$pageID][$propertyName] = $propertyValue;
166			} else {
167			$values[$pageID] = $propertyValue;
168			}
169			}
170			}
171
172			return $values;
173			}
174
175			/**
176			* Get all page property values.
177			* Given one or more Titles, returns an associative array mapping page
178			* ID to an associative array mapping property names to property
179			* values. Pages in the provided set of Titles that do not have any
180			* properties will not appear in the returned array. If a single Title
181			* is provided, it does not need to be passed in an array, but an array
182			* will always be returned. An empty array will be returned if no
183			* matching properties were found.
184			*
185			* @param Title[]\|Title $titles
186			* @return array associative array mapping page ID to property value array
187			*/
188			public function getAllProperties( $titles ) {
189			$values = [];
190			$goodIDs = $this->getGoodIDs( $titles );
191			$queryIDs = [];
192			foreach ( $goodIDs as $pageID ) {
193			$pageProperties = $this->getCachedProperties( $pageID );
194			if ( $pageProperties === false ) {
195			$queryIDs[] = $pageID;
196			} else {
197			$values[$pageID] = $pageProperties;
198			}
199			}
200
201			if ( $queryIDs != [] ) {
202			$dbr = wfGetDB( DB_REPLICA );
203			$result = $dbr->select(
204			'page_props',
205			[
206			'pp_page',
207			'pp_propname',
208			'pp_value'
209			],
210			[
211			'pp_page' => $queryIDs,
212			],
213			__METHOD__
214			);
215
216			$currentPageID = 0;
217			$pageProperties = [];
218			foreach ( $result as $row ) {
219			$pageID = $row->pp_page;
220			if ( $currentPageID != $pageID ) {
221			if ( $pageProperties != [] ) {
222			$this->cacheProperties( $currentPageID, $pageProperties );
223			$values[$currentPageID] = $pageProperties;
224			}
225			$currentPageID = $pageID;
226			$pageProperties = [];
227			}
228			$pageProperties[$row->pp_propname] = $row->pp_value;
229			}
230			if ( $pageProperties != [] ) {
231			$this->cacheProperties( $pageID, $pageProperties );
			0 ignored issues – show Bug introduced 2016-01-25 18:14 UTC by Report Bug Copy Issue Report Show Similar Issues like this The variable `$pageID` does not seem to be defined for all execution paths leading up to this point. If you define a variable conditionally, it can happen that it is not defined for all execution paths. Let’s take a look at an example: function myFunction($a) { switch ($a) { case 'foo': $x = 1; break; case 'bar': $x = 2; break; } // $x is potentially undefined here. echo $x; } In the above example, the variable `$x` is defined if you pass “foo” or “bar” as argument for `$a`. However, since the `switch` statement has no default case statement, if you pass any other value, the variable `$x` would be undefined. Available Fixes Check for existence of the variable explicitly: function myFunction($a) { switch ($a) { case 'foo': $x = 1; break; case 'bar': $x = 2; break; } if (isset($x)) { // Make sure it's always set. echo $x; } } Define a default value for the variable: function myFunction($a) { $x = ''; // Set a default which gets overridden for certain paths. switch ($a) { case 'foo': $x = 1; break; case 'bar': $x = 2; break; } echo $x; } Add a value for the missing path: function myFunction($a) { switch ($a) { case 'foo': $x = 1; break; case 'bar': $x = 2; break; // We add support for the missing case. default: $x = ''; break; } echo $x; } Loading history...
232			$values[$pageID] = $pageProperties;
233			}
234			}
235
236			return $values;
237			}
238
239			/**
240			* @param Title[]\|Title $titles
241			* @return array array of good page IDs
242			*/
243			private function getGoodIDs( $titles ) {
244			$result = [];
245			if ( is_array( $titles ) ) {
246			foreach ( $titles as $title ) {
247			$pageID = $title->getArticleID();
248			if ( $pageID > 0 ) {
249			$result[] = $pageID;
250			}
251			}
252			} else {
253			$pageID = $titles->getArticleID();
254			if ( $pageID > 0 ) {
255			$result[] = $pageID;
256			}
257			}
258			return $result;
259			}
260
261			/**
262			* Get a property from the cache.
263			*
264			* @param int $pageID page ID of page being queried
265			* @param string $propertyName name of property being queried
266			* @return string\|bool property value array or false if not found
267			*/
268			private function getCachedProperty( $pageID, $propertyName ) {
269			if ( $this->cache->has( $pageID, $propertyName, self::CACHE_TTL ) ) {
270			return $this->cache->get( $pageID, $propertyName );
271			}
272			if ( $this->cache->has( 0, $pageID, self::CACHE_TTL ) ) {
273			$pageProperties = $this->cache->get( 0, $pageID );
274			if ( isset( $pageProperties[$propertyName] ) ) {
275			return $pageProperties[$propertyName];
276			}
277			}
278			return false;
279			}
280
281			/**
282			* Get properties from the cache.
283			*
284			* @param int $pageID page ID of page being queried
285			* @return string\|bool property value array or false if not found
286			*/
287			private function getCachedProperties( $pageID ) {
288			if ( $this->cache->has( 0, $pageID, self::CACHE_TTL ) ) {
289			return $this->cache->get( 0, $pageID );
290			}
291			return false;
292			}
293
294			/**
295			* Save a property to the cache.
296			*
297			* @param int $pageID page ID of page being cached
298			* @param string $propertyName name of property being cached
299			* @param mixed $propertyValue value of property
300			*/
301			private function cacheProperty( $pageID, $propertyName, $propertyValue ) {
302			$this->cache->set( $pageID, $propertyName, $propertyValue );
303			}
304
305			/**
306			* Save properties to the cache.
307			*
308			* @param int $pageID page ID of page being cached
309			* @param string[] $pageProperties associative array of page properties to be cached
310			*/
311			private function cacheProperties( $pageID, $pageProperties ) {
312			$this->cache->clear( $pageID );
313			$this->cache->set( 0, $pageID, $pageProperties );
314			}
315			}
316

wikimedia / mediawiki

Issues (4122)

Security Analysis not enabled

includes/PageProps.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Available Fixes

Duplication Side-by-Side

Filter issues like