Hi
Thank you for your great work with this bundle and your contribution to the open source community.
I have put the bundle through SensioLabs Insight code scanning and just wanted to share the findings with you.
The scanning found 3 Critical, 4 Major, 3 Minor and 42 Info issues/recommendations.
They are:
1. eval() should never be used (3 occurrences)
   Severity: Critical, category: Security
   in Security/Authorization/Expression/ExpressionVoter.php, line 119
       return eval($this->getCompiler()->compileExpression($expr));
   eval() is very dangerous because it allows execution of arbitrary PHP code. Avoid using it, especially when including user input.
   in Security/Authorization/Expression/ExpressionVoter.php, line 171
   in Security/Authorization/Expression/ReverseInterpreter.php, line 79
   See https://insight.sensiolabs.com/what-we-analyse/php.use_php_eval_function

2. Missing use statement should be avoided
   Severity: Major, category: Bug risk
   in Security/Authorization/Voter/IddqdVoter.php, line 34
       class IddqdVoter implements VoterInterface
   The @Runas annotation looks like a class annotation which resolves to the JMS\SecurityExtraBundle\Security\Authorization\Voter\RunAs class, which PHP does not seem to be able to autoload.
   See https://insight.sensiolabs.com/what-we-analyse/php.missing_use_statement

3. PHP 7 reserved words should not be used as class, interface or trait names
   Severity: Major, category: Bug risk
   in Security/Util/String.php, line 12
       final class String
   This name is a reserved word since PHP 7 and should not be used as a class, interface or trait name.
   See https://insight.sensiolabs.com/what-we-analyse/php.php7_reserved_words

4. Source code should not contain FIXME comments
   Severity: Major, category: Bug risk
   in DependencyInjection/JMSSecurityExtraExtension.php, line 85
       // FIXME: Also add an iddqd after invocation provider
   FIXME comments are left in the code when a bug has been noticed but not fixed. You should fix the bug and remove the comment.
   See https://insight.sensiolabs.com/what-we-analyse/task_fixme_comment

5. Files should not be executable
   Severity: Major, category: Security
   Your project contains files with permissive permissions. In order to avoid opening a security breach, you should restrict execution rights on the following file:
       Security/Acl/Expression/HasClassPermissionFunctionCompiler.php
   See https://insight.sensiolabs.com/what-we-analyse/php.too_permissive_file_permissions

6. The Symfony Dependency Injection Container should not be passed as an argument (2 occurrences)
   Severity: Minor, category: Architecture
   in Security/Authorization/Expression/ContainerAwareExpressionHandler.php, line 34
       public function __construct(ContainerInterface $container)
   A Symfony dependency injection container has been found as an argument.
   in Security/Authorization/Expression/LazyLoadingExpressionVoter.php, line 29

7. Source code should not contain TODO comments
   Severity: Minor, category: Architecture
   in Metadata/Driver/ConfigDriver.php, line 78
       // TODO: Is it feasible to reverse-engineer the notation for service controllers?
   TODO comments are left in the code when a feature (or a bug) isn't completely developed (or fixed). You should complete the implementation and remove the comment.
A full report can be seen here:
JMSSecurityExtraBundle SensioLabsInsight.pdf
If it is possible for you to fix these issues/comments/recommendations with a future commit, it will be appreciated.
Kind Regards
Renier Lewis
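The following is an added example, not code from JMSSecurityExtraBundle or from the reporter, illustrating the eval() finding above. It places the flagged pattern (a hypothetical naive compiler that turns an access expression into PHP source and eval()s it) next to a small interpreter for the same grammar that never generates code, so an expression string carrying extra PHP is rejected at tokenization instead of executed. The grammar (hasRole('NAME'), and, or, not, parentheses), the function and class names, and the sample expressions are all assumptions made for this example; the real bundle's expression language and compiler are not shown here.

```php
<?php
declare(strict_types=1);

// Added example, not code from JMSSecurityExtraBundle. Contrasts the pattern
// Insight flags (compile an expression to PHP source, then eval() it) with a
// small interpreter for the same grammar that never generates code.
// Assumed grammar: expr := term ('or' term)* ; term := factor ('and' factor)* ;
//                  factor := 'not' factor | '(' expr ')' | hasRole('NAME')

/** Hypothetical naive compiler + eval(): the shape of the finding. */
function unsafeEvaluate(string $expr, array $roles): bool
{
    $hasRole = fn(string $r): bool => in_array($r, $roles, true);
    $php = str_replace('hasRole', '$hasRole', $expr); // everything else passes through untouched
    return (bool) eval("return $php;");              // any PHP smuggled into $expr runs here
}

final class AccessExpression
{
    private int $pos = 0;

    /** @param list<string> $tokens  @param list<string> $roles */
    private function __construct(private array $tokens, private array $roles) {}

    /** Tokenize, parse and evaluate $expr against $roles; anything outside the grammar throws. */
    public static function evaluate(string $expr, array $roles): bool
    {
        $tokens = [];
        $offset = 0;
        $expr = trim($expr);
        while ($offset < strlen($expr)) {
            // The 'A' modifier anchors the match at $offset, so no input byte can be skipped over.
            if (!preg_match("/(hasRole\\('([A-Z_]+)'\\)|and|or|not|\\(|\\))\\s*/A", $expr, $m, 0, $offset)) {
                throw new InvalidArgumentException(
                    "Unexpected input at offset $offset: " . substr($expr, $offset));
            }
            $tokens[] = isset($m[2]) && $m[2] !== '' ? 'ROLE:' . $m[2] : $m[1];
            $offset += strlen($m[0]);
        }
        $parser = new self($tokens, $roles);
        $result = $parser->expr();
        if ($parser->pos !== count($tokens)) {
            throw new InvalidArgumentException('Trailing tokens after expression');
        }
        return $result;
    }

    private function peek(): ?string { return $this->tokens[$this->pos] ?? null; }

    private function take(): string
    {
        $t = $this->peek();
        if ($t === null) { throw new InvalidArgumentException('Unexpected end of expression'); }
        $this->pos++;
        return $t;
    }

    private function expr(): bool
    {
        $v = $this->term();
        // Operand is evaluated first so tokens are always consumed, regardless of $v.
        while ($this->peek() === 'or') { $this->pos++; $v = $this->term() || $v; }
        return $v;
    }

    private function term(): bool
    {
        $v = $this->factor();
        while ($this->peek() === 'and') { $this->pos++; $v = $this->factor() && $v; }
        return $v;
    }

    private function factor(): bool
    {
        $t = $this->take();
        if ($t === 'not') { return !$this->factor(); }
        if ($t === '(') {
            $v = $this->expr();
            if ($this->take() !== ')') { throw new InvalidArgumentException('Expected )'); }
            return $v;
        }
        if (str_starts_with($t, 'ROLE:')) { return in_array(substr($t, 5), $this->roles, true); }
        throw new InvalidArgumentException("Unexpected token '$t'");
    }
}

// Constructed inputs: a legitimate expression and one carrying injected PHP.
$roles   = ['ROLE_USER'];
$legit   = "hasRole('ROLE_ADMIN') or (hasRole('ROLE_USER') and not hasRole('ROLE_BANNED'))";
$hostile = "hasRole('ROLE_ADMIN') or print('arbitrary PHP executed') || true";

var_dump(AccessExpression::evaluate($legit, $roles)); // bool(true)
var_dump(unsafeEvaluate($hostile, $roles));           // the print() runs, then bool(true)
try {
    AccessExpression::evaluate($hostile, $roles);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;     // stops at the "print(" fragment
}
```

The interpreter needs PHP 8 (constructor property promotion, str_starts_with). Its grammar is deliberately closed: the tokenizer accepts only the lexemes it knows and the parser only the shapes it knows, so there is no string in which a caller can embed code. That is the property eval() cannot give, whatever validation is wrapped around it; if code generation is kept for performance, the generated source must be written from developer-authored configuration only and never from anything derived from a request.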