Issues in CacheDependency.php (master) - Issues in master - wikimedia/mediawiki - Measure and Improve Code Quality continuously with Scrutinizer

Issues (4122)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

includes/cache/CacheDependency.php (2 issues)

Labels

Coding Style 2

Severity

Minor 2

Tim Starling 2

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * Data caching with dependencies.
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License along
 * with this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 * http://www.gnu.org/copyleft/gpl.html
 *
 * @file
 * @ingroup Cache
 */
use MediaWiki\MediaWikiServices;

/**
 * This class stores an arbitrary value along with its dependencies.
 * Users should typically only use DependencyWrapper::getValueFromCache(),
 * rather than instantiating one of these objects directly.
 * @ingroup Cache
 */
class DependencyWrapper {
	private $value;
	/** @var CacheDependency[] */
	private $deps;

	/**
	 * Create an instance.
	 * @param mixed $value The user-supplied value
	 * @param CacheDependency|CacheDependency[] $deps A dependency or dependency
	 *   array. All dependencies must be objects implementing CacheDependency.
	 */
	function __construct( $value = false, $deps = [] ) {
		$this->value = $value;

		if ( !is_array( $deps ) ) {
			$deps = [ $deps ];
		}

		$this->deps = $deps;
	}

	/**
	 * Returns true if any of the dependencies have expired
	 *
	 * @return bool
	 */
	function isExpired() {
		foreach ( $this->deps as $dep ) {
			if ( $dep->isExpired() ) {
				return true;
			}
		}

		return false;
	}

	/**
	 * Initialise dependency values in preparation for storing. This must be
	 * called before serialization.
	 */
	function initialiseDeps() {
		foreach ( $this->deps as $dep ) {
			$dep->loadDependencyValues();
		}
	}

	/**
	 * Get the user-defined value
	 * @return bool|mixed
	 */
	function getValue() {
		return $this->value;
	}

	/**
	 * Store the wrapper to a cache
	 *
	 * @param BagOStuff $cache
	 * @param string $key
	 * @param int $expiry
	 */
	function storeToCache( $cache, $key, $expiry = 0 ) {
		$this->initialiseDeps();
		$cache->set( $key, $this, $expiry );
	}

	/**
	 * Attempt to get a value from the cache. If the value is expired or missing,
	 * it will be generated with the callback function (if present), and the newly
	 * calculated value will be stored to the cache in a wrapper.
	 *
	 * @param BagOStuff $cache A cache object
	 * @param string $key The cache key
	 * @param int $expiry The expiry timestamp or interval in seconds
	 * @param bool|callable $callback The callback for generating the value, or false
	 * @param array $callbackParams The function parameters for the callback
	 * @param array $deps The dependencies to store on a cache miss. Note: these
	 *    are not the dependencies used on a cache hit! Cache hits use the stored
	 *    dependency array.
	 *
	 * @return mixed The value, or null if it was not present in the cache and no
	 *    callback was defined.
	 */
	static function getValueFromCache( $cache, $key, $expiry = 0, $callback = false,
		$callbackParams = [], $deps = []
	) {
		$obj = $cache->get( $key );

		if ( is_object( $obj ) && $obj instanceof DependencyWrapper && !$obj->isExpired() ) {
			$value = $obj->value;
		} elseif ( $callback ) {
			$value = call_user_func_array( $callback, $callbackParams );
			# Cache the newly-generated value
			$wrapper = new DependencyWrapper( $value, $deps );
			$wrapper->storeToCache( $cache, $key, $expiry );
		} else {
			$value = null;
		}

		return $value;
	}
}

/**
 * @ingroup Cache
 */
abstract class CacheDependency {
	/**
	 * Returns true if the dependency is expired, false otherwise
	 */
	abstract function isExpired();

	/**
	 * Hook to perform any expensive pre-serialize loading of dependency values.
	 */
	function loadDependencyValues() {
	}
}

/**
 * @ingroup Cache
 */
class FileDependency extends CacheDependency {
	private $filename;
	private $timestamp;

	/**
	 * Create a file dependency
	 *
	 * @param string $filename The name of the file, preferably fully qualified
	 * @param null|bool|int $timestamp The unix last modified timestamp, or false if the
	 *        file does not exist. If omitted, the timestamp will be loaded from
	 *        the file.
	 *
	 * A dependency on a nonexistent file will be triggered when the file is
	 * created. A dependency on an existing file will be triggered when the
	 * file is changed.
	 */
	function __construct( $filename, $timestamp = null ) {
		$this->filename = $filename;
		$this->timestamp = $timestamp;
	}

	/**
	 * @return array
	 */
	function __sleep() {
		$this->loadDependencyValues();

		return [ 'filename', 'timestamp' ];
	}

	function loadDependencyValues() {
		if ( is_null( $this->timestamp ) ) {
			MediaWiki\suppressWarnings();
			# Dependency on a non-existent file stores "false"
			# This is a valid concept!
			$this->timestamp = filemtime( $this->filename );
			MediaWiki\restoreWarnings();
		}
	}

	/**
	 * @return bool
	 */
	function isExpired() {
		MediaWiki\suppressWarnings();
		$lastmod = filemtime( $this->filename );
		MediaWiki\restoreWarnings();
		if ( $lastmod === false ) {
			if ( $this->timestamp === false ) {
				# Still nonexistent
				return false;
			} else {
				# Deleted
				wfDebug( "Dependency triggered: {$this->filename} deleted.\n" );

				return true;
			}
		} else {
			if ( $lastmod > $this->timestamp ) {
				# Modified or created
				wfDebug( "Dependency triggered: {$this->filename} changed.\n" );

				return true;
			} else {
				# Not modified
				return false;
			}
		}
	}
}

/**
 * @ingroup Cache
 */
class GlobalDependency extends CacheDependency {
	private $name;
	private $value;

	function __construct( $name ) {
// Bad
class Router
{
    public function generate($path)
    {
        return $_SERVER['HOST'].$path;
    }
}

// Better
class Router
{
    private $host;

    public function __construct($host)
    {
        $this->host = $host;
    }

    public function generate($path)
    {
        return $this->host.$path;
    }
}

class Controller
{
    public function myAction(Request $request)
    {
        // Instead of
        $page = isset($_GET['page']) ? intval($_GET['page']) : 1;

        // Better (assuming you use the Symfony2 request)
        $page = $request->query->get('page', 1);
    }
}
		$this->name = $name;
		$this->value = $GLOBALS[$name];
	}

	/**
	 * @return bool
	 */
	function isExpired() {
// Bad
class Router
{
    public function generate($path)
    {
        return $_SERVER['HOST'].$path;
    }
}

// Better
class Router
{
    private $host;

    public function __construct($host)
    {
        $this->host = $host;
    }

    public function generate($path)
    {
        return $this->host.$path;
    }
}

class Controller
{
    public function myAction(Request $request)
    {
        // Instead of
        $page = isset($_GET['page']) ? intval($_GET['page']) : 1;

        // Better (assuming you use the Symfony2 request)
        $page = $request->query->get('page', 1);
    }
}
		if ( !isset( $GLOBALS[$this->name] ) ) {
			return true;
		}

		return $GLOBALS[$this->name] != $this->value;
	}
}

/**
 * @ingroup Cache
 */
class MainConfigDependency extends CacheDependency {
	private $name;
	private $value;

	function __construct( $name ) {
		$this->name = $name;
		$this->value = $this->getConfig()->get( $this->name );
	}

	private function getConfig() {
		return MediaWikiServices::getInstance()->getMainConfig();
	}

	/**
	 * @return bool
	 */
	function isExpired() {
		if ( !$this->getConfig()->has( $this->name ) ) {
			return true;
		}

		return $this->getConfig()->get( $this->name ) != $this->value;
	}
}

/**
 * @ingroup Cache
 */
class ConstantDependency extends CacheDependency {
	private $name;
	private $value;

	function __construct( $name ) {
		$this->name = $name;
		$this->value = constant( $name );
	}

	/**
	 * @return bool
	 */
	function isExpired() {
		return constant( $this->name ) != $this->value;
	}
}


1		<?php
2		/**
3		* Data caching with dependencies.
4		*
5		* This program is free software; you can redistribute it and/or modify
6		* it under the terms of the GNU General Public License as published by
7		* the Free Software Foundation; either version 2 of the License, or
8		* (at your option) any later version.
9		*
10		* This program is distributed in the hope that it will be useful,
11		* but WITHOUT ANY WARRANTY; without even the implied warranty of
12		* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13		* GNU General Public License for more details.
14		*
15		* You should have received a copy of the GNU General Public License along
16		* with this program; if not, write to the Free Software Foundation, Inc.,
17		* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
18		* http://www.gnu.org/copyleft/gpl.html
19		*
20		* @file
21		* @ingroup Cache
22		*/
23		use MediaWiki\MediaWikiServices;
24
25		/**
26		* This class stores an arbitrary value along with its dependencies.
27		* Users should typically only use DependencyWrapper::getValueFromCache(),
28		* rather than instantiating one of these objects directly.
29		* @ingroup Cache
30		*/
31		class DependencyWrapper {
32		private $value;
33		/** @var CacheDependency[] */
34		private $deps;
35
36		/**
37		* Create an instance.
38		* @param mixed $value The user-supplied value
39		* @param CacheDependency\|CacheDependency[] $deps A dependency or dependency
40		* array. All dependencies must be objects implementing CacheDependency.
41		*/
42		function __construct( $value = false, $deps = [] ) {
43		$this->value = $value;
44
45		if ( !is_array( $deps ) ) {
46		$deps = [ $deps ];
47		}
48
49		$this->deps = $deps;
50		}
51
52		/**
53		* Returns true if any of the dependencies have expired
54		*
55		* @return bool
56		*/
57		function isExpired() {
58		foreach ( $this->deps as $dep ) {
59		if ( $dep->isExpired() ) {
60		return true;
61		}
62		}
63
64		return false;
65		}
66
67		/**
68		* Initialise dependency values in preparation for storing. This must be
69		* called before serialization.
70		*/
71		function initialiseDeps() {
72		foreach ( $this->deps as $dep ) {
73		$dep->loadDependencyValues();
74		}
75		}
76
77		/**
78		* Get the user-defined value
79		* @return bool\|mixed
80		*/
81		function getValue() {
82		return $this->value;
83		}
84
85		/**
86		* Store the wrapper to a cache
87		*
88		* @param BagOStuff $cache
89		* @param string $key
90		* @param int $expiry
91		*/
92		function storeToCache( $cache, $key, $expiry = 0 ) {
93		$this->initialiseDeps();
94		$cache->set( $key, $this, $expiry );
95		}
96
97		/**
98		* Attempt to get a value from the cache. If the value is expired or missing,
99		* it will be generated with the callback function (if present), and the newly
100		* calculated value will be stored to the cache in a wrapper.
101		*
102		* @param BagOStuff $cache A cache object
103		* @param string $key The cache key
104		* @param int $expiry The expiry timestamp or interval in seconds
105		* @param bool\|callable $callback The callback for generating the value, or false
106		* @param array $callbackParams The function parameters for the callback
107		* @param array $deps The dependencies to store on a cache miss. Note: these
108		* are not the dependencies used on a cache hit! Cache hits use the stored
109		* dependency array.
110		*
111		* @return mixed The value, or null if it was not present in the cache and no
112		* callback was defined.
113		*/
114		static function getValueFromCache( $cache, $key, $expiry = 0, $callback = false,
115		$callbackParams = [], $deps = []
116		) {
117		$obj = $cache->get( $key );
118
119		if ( is_object( $obj ) && $obj instanceof DependencyWrapper && !$obj->isExpired() ) {
120		$value = $obj->value;
121		} elseif ( $callback ) {
122		$value = call_user_func_array( $callback, $callbackParams );
123		# Cache the newly-generated value
124		$wrapper = new DependencyWrapper( $value, $deps );
125		$wrapper->storeToCache( $cache, $key, $expiry );
126		} else {
127		$value = null;
128		}
129
130		return $value;
131		}
132		}
133
134		/**
135		* @ingroup Cache
136		*/
137		abstract class CacheDependency {
138		/**
139		* Returns true if the dependency is expired, false otherwise
140		*/
141		abstract function isExpired();
142
143		/**
144		* Hook to perform any expensive pre-serialize loading of dependency values.
145		*/
146		function loadDependencyValues() {
147		}
148		}
149
150		/**
151		* @ingroup Cache
152		*/
153		class FileDependency extends CacheDependency {
154		private $filename;
155		private $timestamp;
156
157		/**
158		* Create a file dependency
159		*
160		* @param string $filename The name of the file, preferably fully qualified
161		* @param null\|bool\|int $timestamp The unix last modified timestamp, or false if the
162		* file does not exist. If omitted, the timestamp will be loaded from
163		* the file.
164		*
165		* A dependency on a nonexistent file will be triggered when the file is
166		* created. A dependency on an existing file will be triggered when the
167		* file is changed.
168		*/
169		function __construct( $filename, $timestamp = null ) {
170		$this->filename = $filename;
171		$this->timestamp = $timestamp;
172		}
173
174		/**
175		* @return array
176		*/
177		function __sleep() {
178		$this->loadDependencyValues();
179
180		return [ 'filename', 'timestamp' ];
181		}
182
183		function loadDependencyValues() {
184		if ( is_null( $this->timestamp ) ) {
185		MediaWiki\suppressWarnings();
186		# Dependency on a non-existent file stores "false"
187		# This is a valid concept!
188		$this->timestamp = filemtime( $this->filename );
189		MediaWiki\restoreWarnings();
190		}
191		}
192
193		/**
194		* @return bool
195		*/
196		function isExpired() {
197		MediaWiki\suppressWarnings();
198		$lastmod = filemtime( $this->filename );
199		MediaWiki\restoreWarnings();
200		if ( $lastmod === false ) {
201	View Code Duplication	if ( $this->timestamp === false ) {
202		# Still nonexistent
203		return false;
204		} else {
205		# Deleted
206		wfDebug( "Dependency triggered: {$this->filename} deleted.\n" );
207
208		return true;
209		}
210	View Code Duplication	} else {
211		if ( $lastmod > $this->timestamp ) {
212		# Modified or created
213		wfDebug( "Dependency triggered: {$this->filename} changed.\n" );
214
215		return true;
216		} else {
217		# Not modified
218		return false;
219		}
220		}
221		}
222		}
223
224		/**
225		* @ingroup Cache
226		*/
227		class GlobalDependency extends CacheDependency {
228		private $name;
229		private $value;
230
231		function __construct( $name ) {
		0 ignored issues – show Coding Style introduced 2016-01-16 18:00 UTC by Report Bug Copy Issue Report Show Similar Issues like this `__construct` uses the super-global variable `$GLOBALS` which is generally not recommended. Instead of super-globals, we recommend to explicitly inject the dependencies of your class. This makes your code less dependent on global state and it becomes generally more testable: // Bad class Router { public function generate($path) { return $_SERVER['HOST'].$path; } } // Better class Router { private $host; public function __construct($host) { $this->host = $host; } public function generate($path) { return $this->host.$path; } } class Controller { public function myAction(Request $request) { // Instead of $page = isset($_GET['page']) ? intval($_GET['page']) : 1; // Better (assuming you use the Symfony2 request) $page = $request->query->get('page', 1); } } Loading history...
232		$this->name = $name;
233		$this->value = $GLOBALS[$name];
234		}
235
236		/**
237		* @return bool
238		*/
239		function isExpired() {
		0 ignored issues – show Coding Style introduced 2016-01-16 18:00 UTC by Report Bug Copy Issue Report Show Similar Issues like this `isExpired` uses the super-global variable `$GLOBALS` which is generally not recommended. Instead of super-globals, we recommend to explicitly inject the dependencies of your class. This makes your code less dependent on global state and it becomes generally more testable: // Bad class Router { public function generate($path) { return $_SERVER['HOST'].$path; } } // Better class Router { private $host; public function __construct($host) { $this->host = $host; } public function generate($path) { return $this->host.$path; } } class Controller { public function myAction(Request $request) { // Instead of $page = isset($_GET['page']) ? intval($_GET['page']) : 1; // Better (assuming you use the Symfony2 request) $page = $request->query->get('page', 1); } } Loading history...
240		if ( !isset( $GLOBALS[$this->name] ) ) {
241		return true;
242		}
243
244		return $GLOBALS[$this->name] != $this->value;
245		}
246		}
247
248		/**
249		* @ingroup Cache
250		*/
251		class MainConfigDependency extends CacheDependency {
252		private $name;
253		private $value;
254
255		function __construct( $name ) {
256		$this->name = $name;
257		$this->value = $this->getConfig()->get( $this->name );
258		}
259
260		private function getConfig() {
261		return MediaWikiServices::getInstance()->getMainConfig();
262		}
263
264		/**
265		* @return bool
266		*/
267		function isExpired() {
268		if ( !$this->getConfig()->has( $this->name ) ) {
269		return true;
270		}
271
272		return $this->getConfig()->get( $this->name ) != $this->value;
273		}
274		}
275
276		/**
277		* @ingroup Cache
278		*/
279		class ConstantDependency extends CacheDependency {
280		private $name;
281		private $value;
282
283		function __construct( $name ) {
284		$this->name = $name;
285		$this->value = constant( $name );
286		}
287
288		/**
289		* @return bool
290		*/
291		function isExpired() {
292		return constant( $this->name ) != $this->value;
293		}
294		}
295

wikimedia / mediawiki

Issues (4122)

Security Analysis not enabled

includes/cache/CacheDependency.php (2 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like