diff --git a/htdocs/user/virtualcard.php b/htdocs/user/virtualcard.php
index d2d180ba5a2..b4ec5a45077 100644
--- a/htdocs/user/virtualcard.php
+++ b/htdocs/user/virtualcard.php
@@ -61,11 +61,14 @@ if (($object->id != $user->id) && !$user->hasRight('user', 'user', 'lire')) {
accessforbidden();
}
+$permissiontoedit = ((($object->id == $user->id) && $user->hasRight('user', 'self', 'creer')) || $user->hasRight('user', 'user', 'creer'));
+
+
/*
* Actions
*/
-if ($action == 'update') {
+if ($action == 'update' && $permissiontoedit) {
$tmparray = array();
$tmparray['USER_PUBLIC_HIDE_PHOTO'] = (GETPOST('USER_PUBLIC_HIDE_PHOTO') ? 1 : 0);
$tmparray['USER_PUBLIC_HIDE_JOBPOSITION'] = (GETPOST('USER_PUBLIC_HIDE_JOBPOSITION') ? 1 : 0);
@@ -82,7 +85,7 @@ if ($action == 'update') {
dol_set_user_param($db, $conf, $object, $tmparray);
}
-if ($action == 'setUSER_ENABLE_PUBLIC') {
+if ($action == 'setUSER_ENABLE_PUBLIC' && $permissiontoedit) {
if (GETPOST('value')) {
$tmparray = array('USER_ENABLE_PUBLIC' => 1);
} else {
diff --git a/test/phpunit/CodingPhpTest.php b/test/phpunit/CodingPhpTest.php
index cf4e5a0167c..9ffb36b5942 100644
--- a/test/phpunit/CodingPhpTest.php
+++ b/test/phpunit/CodingPhpTest.php
@@ -91,27 +91,25 @@ class CodingPhpTest extends CommonClassTest
// File functions are needed
include_once DOL_DOCUMENT_ROOT.'/core/lib/files.lib.php';
-
- $excludeRegexList
- = array(
- '\/includes\/',
- '\/install\/doctemplates\/websites\/',
- '\/custom\/',
- '\/dolimed',
- '\/nltechno',
- '\/teclib',
- );
+ $excludeRegexList = array(
+ '\/includes\/',
+ '\/install\/doctemplates\/websites\/',
+ '\/custom\/',
+ '\/dolimed',
+ '\/nltechno',
+ '\/teclib',
+ );
$fullRegex = '(?:'.implode('|', $excludeRegexList).')';
$filesarray = dol_dir_list(DOL_DOCUMENT_ROOT, 'files', 1, '\.php', [$fullRegex], 'fullname', SORT_ASC, 0, 1, '', 1);
/*
- $filteredArray = array_filter(
- $filesarray,
- static function($file) use (&$fullRegex) {
- return !preg_match($fullRegex, $file['relativename']);
- }
- ));
- */
+ $filteredArray = array_filter(
+ $filesarray,
+ static function($file) use (&$fullRegex) {
+ return !preg_match($fullRegex, $file['relativename']);
+ }
+ ));
+ */
return array_map(function ($value) {
return array($value);
}, $filesarray);
@@ -146,15 +144,15 @@ class CodingPhpTest extends CommonClassTest
|| in_array($file['name'], array('modules_boxes.php', 'TraceableDB.php'))) {
// Check Class files
if (! in_array($file['name'], array(
- 'api.class.php',
- 'commonobject.class.php',
- 'conf.class.php',
- 'html.form.class.php',
- 'translate.class.php',
- 'utils.class.php',
- 'TraceableDB.php',
- 'multicurrency.class.php'
- ))) {
+ 'api.class.php',
+ 'commonobject.class.php',
+ 'conf.class.php',
+ 'html.form.class.php',
+ 'translate.class.php',
+ 'utils.class.php',
+ 'TraceableDB.php',
+ 'multicurrency.class.php'
+ ))) {
// Must not find $db->
$ok = true;
$matches = array();
@@ -170,32 +168,32 @@ class CodingPhpTest extends CommonClassTest
}
if (preg_match('/\.class\.php$/', $file['relativename']) && ! in_array($file['relativename'], array(
- 'adherents/class/adherent.class.php',
- 'adherents/canvas/actions_adherentcard_common.class.php',
- 'contact/canvas/actions_contactcard_common.class.php',
- 'compta/facture/class/facture.class.php',
- 'core/class/commonobject.class.php',
- 'core/class/extrafields.class.php',
- 'core/class/html.form.class.php',
- 'core/class/html.formfile.class.php',
- 'core/class/html.formcategory.class.php',
- 'core/class/html.formmail.class.php',
- 'core/class/html.formother.class.php',
- 'core/class/html.formsms.class.php',
- 'core/class/html.formticket.class.php',
- 'core/class/utils.class.php',
- 'core/class/openid.class.php',
- 'fourn/class/fournisseur.facture.class.php',
- 'societe/canvas/actions_card_common.class.php',
- 'societe/canvas/individual/actions_card_individual.class.php',
- 'ticket/class/actions_ticket.class.php',
- 'ticket/class/ticket.class.php',
- 'webportal/class/context.class.php',
- 'webportal/class/html.formcardwebportal.class.php',
- 'webportal/class/html.formlistwebportal.class.php',
- 'webportal/controllers/document.controller.class.php',
- 'workstation/class/workstation.class.php',
- ))) {
+ 'adherents/class/adherent.class.php',
+ 'adherents/canvas/actions_adherentcard_common.class.php',
+ 'contact/canvas/actions_contactcard_common.class.php',
+ 'compta/facture/class/facture.class.php',
+ 'core/class/commonobject.class.php',
+ 'core/class/extrafields.class.php',
+ 'core/class/html.form.class.php',
+ 'core/class/html.formfile.class.php',
+ 'core/class/html.formcategory.class.php',
+ 'core/class/html.formmail.class.php',
+ 'core/class/html.formother.class.php',
+ 'core/class/html.formsms.class.php',
+ 'core/class/html.formticket.class.php',
+ 'core/class/utils.class.php',
+ 'core/class/openid.class.php',
+ 'fourn/class/fournisseur.facture.class.php',
+ 'societe/canvas/actions_card_common.class.php',
+ 'societe/canvas/individual/actions_card_individual.class.php',
+ 'ticket/class/actions_ticket.class.php',
+ 'ticket/class/ticket.class.php',
+ 'webportal/class/context.class.php',
+ 'webportal/class/html.formcardwebportal.class.php',
+ 'webportal/class/html.formlistwebportal.class.php',
+ 'webportal/controllers/document.controller.class.php',
+ 'workstation/class/workstation.class.php',
+ ))) {
// Must not find GETPOST
$ok = true;
$matches = array();
@@ -235,7 +233,7 @@ class CodingPhpTest extends CommonClassTest
}
}
- // Check we don't miss top_httphead() in any ajax pages
+ // Check we don't miss top_httphead() in any ajax pages
if (preg_match('/ajax\//', $file['relativename'])) {
//print "Analyze ajax page ".$file['relativename']."\n";
$ok = true;
@@ -249,27 +247,27 @@ class CodingPhpTest extends CommonClassTest
//exit;
}
- // Check for unauthorised vardumps
+ // Check for unauthorised vardumps
if (!preg_match('/test\/phpunit/', $file['fullname'])) {
$this->verifyNoActiveVardump($filecontent, $report_filepath);
}
- // Check get_class followed by __METHOD__
- $ok = true;
- $matches = array();
- preg_match_all('/'.preg_quote('get_class($this)."::".__METHOD__', '/').'/', $filecontent, $matches, PREG_SET_ORDER);
+ // Check get_class followed by __METHOD__
+ $ok = true;
+ $matches = array();
+ preg_match_all('/'.preg_quote('get_class($this)."::".__METHOD__', '/').'/', $filecontent, $matches, PREG_SET_ORDER);
foreach ($matches as $key => $val) {
$ok = false;
break;
}
- //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n";
- $this->assertTrue($ok, 'Found string get_class($this)."::".__METHOD__ that must be replaced with __METHOD__ only in '.$file['relativename']);
- //exit;
+ //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n";
+ $this->assertTrue($ok, 'Found string get_class($this)."::".__METHOD__ that must be replaced with __METHOD__ only in '.$file['relativename']);
+ //exit;
- // Check string $this->db->idate without quotes
- $ok = true;
- $matches = array();
- preg_match_all('/(..)\s*\.\s*\$this->db->idate\(/', $filecontent, $matches, PREG_SET_ORDER);
+ // Check string $this->db->idate without quotes
+ $ok = true;
+ $matches = array();
+ preg_match_all('/(..)\s*\.\s*\$this->db->idate\(/', $filecontent, $matches, PREG_SET_ORDER);
foreach ($matches as $key => $val) {
if ($val[1] != '\'"' && $val[1] != '\'\'') {
$ok = false;
@@ -277,17 +275,17 @@ class CodingPhpTest extends CommonClassTest
}
//if ($reg[0] != 'db') $ok=false;
}
- //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n";
- $this->assertTrue($ok, 'Found a $this->db->idate to forge a sql request without quotes around this date field '.$file['relativename']);
- //exit;
+ //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n";
+ $this->assertTrue($ok, 'Found a $this->db->idate to forge a sql request without quotes around this date field '.$file['relativename']);
+ //exit;
- // Check sql string DELETE|OR|AND|WHERE|INSERT ... yyy = ".$xxx
- // with xxx that is not 'thi' (for $this->db->sanitize) and 'db-' (for $db->sanitize). It means we forget a ' if string, or an (int) if int, when forging sql request.
- $ok = true;
- $matches = array();
- preg_match_all('/(DELETE|OR|AND|WHERE|INSERT)\s.*([^\s][^\s][^\s])\s*=\s*(\'|")\s*\.\s*\$(...)/', $filecontent, $matches, PREG_SET_ORDER);
+ // Check sql string DELETE|OR|AND|WHERE|INSERT ... yyy = ".$xxx
+ // with xxx that is not 'thi' (for $this->db->sanitize) and 'db-' (for $db->sanitize). It means we forget a ' if string, or an (int) if int, when forging sql request.
+ $ok = true;
+ $matches = array();
+ preg_match_all('/(DELETE|OR|AND|WHERE|INSERT)\s.*([^\s][^\s][^\s])\s*=\s*(\'|")\s*\.\s*\$(...)/', $filecontent, $matches, PREG_SET_ORDER);
foreach ($matches as $key => $val) {
if ($val[2] == 'ity' && $val[4] == 'con') { // exclude entity = ".$conf->entity
continue;
@@ -302,14 +300,14 @@ class CodingPhpTest extends CommonClassTest
$ok = false;
break;
}
- //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n";
- $this->assertTrue($ok, 'Found non quoted or not casted var in sql request '.$file['relativename'].' - Bad.');
- //exit;
+ //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n";
+ $this->assertTrue($ok, 'Found non quoted or not casted var in sql request '.$file['relativename'].' - Bad.');
+ //exit;
- // Check that forged sql string is using ' instead of " as string PHP quotes
- $ok = true;
- $matches = array();
- preg_match_all('/\$sql \.= \'\s*VALUES.*\$/', $filecontent, $matches, PREG_SET_ORDER);
+ // Check that forged sql string is using ' instead of " as string PHP quotes
+ $ok = true;
+ $matches = array();
+ preg_match_all('/\$sql \.= \'\s*VALUES.*\$/', $filecontent, $matches, PREG_SET_ORDER);
foreach ($matches as $key => $val) {
//if ($val[1] != '\'"' && $val[1] != '\'\'') {
var_dump($matches);
@@ -318,26 +316,26 @@ class CodingPhpTest extends CommonClassTest
//}
//if ($reg[0] != 'db') $ok=false;
}
- //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n";
- $this->assertTrue($ok, 'Found a forged SQL string that mix on same line the use of \' for PHP string and PHP variables in file '.$file['relativename'].' Use " to forge PHP string like this: $sql = "SELECT ".$myvar...');
- //exit;
+ //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n";
+ $this->assertTrue($ok, 'Found a forged SQL string that mix on same line the use of \' for PHP string and PHP variables in file '.$file['relativename'].' Use " to forge PHP string like this: $sql = "SELECT ".$myvar...');
+ //exit;
- // Check that forged sql string is using ' instead of " as string PHP quotes
- $ok = true;
- $matches = array();
- preg_match_all('/\$sql \.?= \'SELECT.*\$/', $filecontent, $matches, PREG_SET_ORDER);
+ // Check that forged sql string is using ' instead of " as string PHP quotes
+ $ok = true;
+ $matches = array();
+ preg_match_all('/\$sql \.?= \'SELECT.*\$/', $filecontent, $matches, PREG_SET_ORDER);
foreach ($matches as $key => $val) {
var_dump($matches);
$ok = false;
break;
}
- $this->assertTrue($ok, 'Found a forged SQL string that mix on same line the use of \' for PHP string and PHP variables in file '.$file['relativename'].' Use " to forge PHP string like this: $sql = "SELECT ".$myvar...');
+ $this->assertTrue($ok, 'Found a forged SQL string that mix on same line the use of \' for PHP string and PHP variables in file '.$file['relativename'].' Use " to forge PHP string like this: $sql = "SELECT ".$myvar...');
- // Check sql string VALUES ... , ".$xxx
- // with xxx that is not 'db-' (for $db->escape). It means we forget a ' if string, or an (int) if int, when forging sql request.
- $ok = true;
- $matches = array();
- preg_match_all('/(VALUES).*,\s*"\s*\.\s*\$(...)/', $filecontent, $matches, PREG_SET_ORDER);
+ // Check sql string VALUES ... , ".$xxx
+ // with xxx that is not 'db-' (for $db->escape). It means we forget a ' if string, or an (int) if int, when forging sql request.
+ $ok = true;
+ $matches = array();
+ preg_match_all('/(VALUES).*,\s*"\s*\.\s*\$(...)/', $filecontent, $matches, PREG_SET_ORDER);
foreach ($matches as $key => $val) {
if ($val[1] == 'VALUES' && $val[2] == 'db-') { // exclude $db->escape(
continue;
@@ -349,30 +347,30 @@ class CodingPhpTest extends CommonClassTest
$ok = false;
break;
}
- //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n";
- $this->assertTrue($ok, 'Found non quoted or not casted var in sql request '.$file['relativename'].' - Bad.');
- //exit;
+ //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n";
+ $this->assertTrue($ok, 'Found non quoted or not casted var in sql request '.$file['relativename'].' - Bad.');
+ //exit;
- // Check '".$xxx non escaped
+ // Check '".$xxx non escaped
- // Check string ='".$this->xxx with xxx that is not 'escape'. It means we forget a db->escape when forging sql request.
- $ok = true;
- $matches = array();
- preg_match_all('/=\s*\'"\s*\.\s*\$this->(....)/', $filecontent, $matches, PREG_SET_ORDER);
+ // Check string ='".$this->xxx with xxx that is not 'escape'. It means we forget a db->escape when forging sql request.
+ $ok = true;
+ $matches = array();
+ preg_match_all('/=\s*\'"\s*\.\s*\$this->(....)/', $filecontent, $matches, PREG_SET_ORDER);
foreach ($matches as $key => $val) {
if ($val[1] != 'db->' && $val[1] != 'esca') {
$ok = false;
break;
}
}
- //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n";
- $this->assertTrue($ok, 'Found non escaped string in building of a sql request (case 1) in '.$file['relativename'].' - Bad.');
+ //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n";
+ $this->assertTrue($ok, 'Found non escaped string in building of a sql request (case 1) in '.$file['relativename'].' - Bad.');
- // Check string sql|set|WHERE|...'".$yyy->xxx with xxx that is not 'escape', 'idate', .... It means we forget a db->escape when forging sql request.
- $ok = true;
- $matches = array();
- $found = "";
- preg_match_all('/(sql|SET|WHERE|where|INSERT|insert|VALUES|LIKE).+\s*\'"\s*\.\s*\$(.......)/', $filecontent, $matches, PREG_SET_ORDER);
+ // Check string sql|set|WHERE|...'".$yyy->xxx with xxx that is not 'escape', 'idate', .... It means we forget a db->escape when forging sql request.
+ $ok = true;
+ $matches = array();
+ $found = "";
+ preg_match_all('/(sql|SET|WHERE|where|INSERT|insert|VALUES|LIKE).+\s*\'"\s*\.\s*\$(.......)/', $filecontent, $matches, PREG_SET_ORDER);
foreach ($matches as $key => $val) {
if (! in_array($val[2], array('this->d', 'this->e', 'db->esc', 'dbs->es', 'dbs->id', 'mydb->e', 'dbsessi', 'db->ida', 'escaped', 'exclude', 'include'))) {
$found = $val[0];
@@ -381,15 +379,15 @@ class CodingPhpTest extends CommonClassTest
}
//if ($reg[0] != 'db') $ok=false;
}
- //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n";
- $this->assertTrue($ok, 'Found non escaped string in building of a sql request (case 2) in '.$file['relativename'].': '.$found.' - Bad.');
- //exit;
+ //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n";
+ $this->assertTrue($ok, 'Found non escaped string in building of a sql request (case 2) in '.$file['relativename'].': '.$found.' - Bad.');
+ //exit;
- // Check string sql|set...'.$yyy->xxx with xxx that is not 'escape', 'idate', .... It means we forget a db->escape when forging sql request.
- $ok = true;
- $matches = array();
- $found = "";
- preg_match_all('/(\$sql|SET\s|WHERE\s|INSERT\s|VALUES\s|VALUES\().+\s*\'\s*\.\s*\$(.........)/', $filecontent, $matches, PREG_SET_ORDER);
+ // Check string sql|set...'.$yyy->xxx with xxx that is not 'escape', 'idate', .... It means we forget a db->escape when forging sql request.
+ $ok = true;
+ $matches = array();
+ $found = "";
+ preg_match_all('/(\$sql|SET\s|WHERE\s|INSERT\s|VALUES\s|VALUES\().+\s*\'\s*\.\s*\$(.........)/', $filecontent, $matches, PREG_SET_ORDER);
foreach ($matches as $key => $val) {
if (! in_array($val[2], array('this->db-', 'db->prefi', 'db->sanit', 'dbs->pref', 'dbs->sani', 'conf->ent', 'key : \'\')', 'key])."\')', 'excludefi', 'regexstri', ''))) {
$found = $val[0];
@@ -399,62 +397,62 @@ class CodingPhpTest extends CommonClassTest
}
//if ($reg[0] != 'db') $ok=false;
}
- //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n";
- $this->assertTrue($ok, 'Found non escaped string in building of a sql request (case 3) in '.$file['relativename'].': '.$found.' - Bad.');
- //exit;
+ //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n";
+ $this->assertTrue($ok, 'Found non escaped string in building of a sql request (case 3) in '.$file['relativename'].': '.$found.' - Bad.');
+ //exit;
- // Check string sql|set...=".... without (int). It means we forget a cast (int) when forging sql request.
- $ok = true;
- $matches = array();
- $found = "";
- // $sql .= " field = ".(isset($this->field) ? $this->escape($this->field) : "null")... is KO
- // $sql .= " field = ".(isset($this->field) ? "'".$this->escape($this->field)."'" : "null")... is OK
- /*
- preg_match_all('/(\$sql|VALUES\()[^\'\n]*[^\'\n]"\s*\.\s*([^\n]+)\n/m', $filecontent, $matches, PREG_SET_ORDER);
- foreach ($matches as $key => $val) {
- if (! preg_match('/^(implode\(\' OR \', \$search|implode\(\' AND \', \$search|MAIN_DB_PREFIX|accountancy_code|\w+::|\$key|\$db->prefix|\$this->db->prefix|\$predefinedgroupwhere|\$db->sanitize|\$this->db->sanitize|\$db->ifsql|\$db->decrypt|\(int\)|\(float\)|\(\(int\)|\(\(float\)|\$conf->entity|getEntity|\$this->from)/', $val[2])) {
- //print "Found a suspicious string: ".$val[2]."\n";
- if (preg_match('/.+\?.+:.+/', $val[2])) {
- // We found a string that follow the " in $sql .= " "..... and does not contains simple quote for escapement nor casting
- // May be it is later, into the b or c in case of a ? b : c
- // Example:
- // $val[2] is (isset($this->field) ? $this->escape($this->field) : "null")... is KO
- // $val[2] is (isset($this->field) ? "'".$this->escape($this->field)."'" : "null")... is OK
- $tmps = $val[2];
- $tmps = preg_replace('/^[^\?]+\?/', '', $tmps);
- $tmps2 = explode(':', $tmps, 2);
- $tmps2a = trim($tmps2[0]);
- if (!empty($tmps2[1])) {
- $tmps2b = trim($tmps2[1]);
- } else {
- $tmps2b = '';
- }
- } else {
- $tmps2a = $val[2];
- $tmps2b = '';
- }
- if (preg_match('/^(\(*["\']|\(+int\)|\(+float\)|\(*\d|GETPOSTINT|getDolGlobalInt|dolSqlDateFilter|\$user->id|\$conf->entity|\$this->entity|\$this->where|\(?\$this->societe|str_pad\(\(int)/', $tmps2a)
- && (empty($tmps2b) || preg_match('/^(\(*["\']|\(+int\)|\(+float\)|\(*\d|GETPOSTINT|getDolGlobalInt|dolSqlDateFilter|\$user->id|\$conf->entity|\$this->entity|\$this->where|\(?\$this->societe|str_pad\(\(int)/', $tmps2b))) {
- continue; // No problem
- }
+ // Check string sql|set...=".... without (int). It means we forget a cast (int) when forging sql request.
+ $ok = true;
+ $matches = array();
+ $found = "";
+ // $sql .= " field = ".(isset($this->field) ? $this->escape($this->field) : "null")... is KO
+ // $sql .= " field = ".(isset($this->field) ? "'".$this->escape($this->field)."'" : "null")... is OK
+ /*
+ preg_match_all('/(\$sql|VALUES\()[^\'\n]*[^\'\n]"\s*\.\s*([^\n]+)\n/m', $filecontent, $matches, PREG_SET_ORDER);
+ foreach ($matches as $key => $val) {
+ if (! preg_match('/^(implode\(\' OR \', \$search|implode\(\' AND \', \$search|MAIN_DB_PREFIX|accountancy_code|\w+::|\$key|\$db->prefix|\$this->db->prefix|\$predefinedgroupwhere|\$db->sanitize|\$this->db->sanitize|\$db->ifsql|\$db->decrypt|\(int\)|\(float\)|\(\(int\)|\(\(float\)|\$conf->entity|getEntity|\$this->from)/', $val[2])) {
+ //print "Found a suspicious string: ".$val[2]."\n";
+ if (preg_match('/.+\?.+:.+/', $val[2])) {
+ // We found a string that follow the " in $sql .= " "..... and does not contains simple quote for escapement nor casting
+ // May be it is later, into the b or c in case of a ? b : c
+ // Example:
+ // $val[2] is (isset($this->field) ? $this->escape($this->field) : "null")... is KO
+ // $val[2] is (isset($this->field) ? "'".$this->escape($this->field)."'" : "null")... is OK
+ $tmps = $val[2];
+ $tmps = preg_replace('/^[^\?]+\?/', '', $tmps);
+ $tmps2 = explode(':', $tmps, 2);
+ $tmps2a = trim($tmps2[0]);
+ if (!empty($tmps2[1])) {
+ $tmps2b = trim($tmps2[1]);
+ } else {
+ $tmps2b = '';
+ }
+ } else {
+ $tmps2a = $val[2];
+ $tmps2b = '';
+ }
+ if (preg_match('/^(\(*["\']|\(+int\)|\(+float\)|\(*\d|GETPOSTINT|getDolGlobalInt|dolSqlDateFilter|\$user->id|\$conf->entity|\$this->entity|\$this->where|\(?\$this->societe|str_pad\(\(int)/', $tmps2a)
+ && (empty($tmps2b) || preg_match('/^(\(*["\']|\(+int\)|\(+float\)|\(*\d|GETPOSTINT|getDolGlobalInt|dolSqlDateFilter|\$user->id|\$conf->entity|\$this->entity|\$this->where|\(?\$this->societe|str_pad\(\(int)/', $tmps2b))) {
+ continue; // No problem
+ }
- var_dump($val);
+ var_dump($val);
- $found = $val[0];
- $ok = false;
- break;
- }
- }
- //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n";
- $this->assertTrue($ok, 'Found non escaped or non casted string in building of a sql request (case 4) in '.$file['relativename'].': '.$found.' - Bad.');
- */
+ $found = $val[0];
+ $ok = false;
+ break;
+ }
+ }
+ //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n";
+ $this->assertTrue($ok, 'Found non escaped or non casted string in building of a sql request (case 4) in '.$file['relativename'].': '.$found.' - Bad.');
+ */
- // Checks with IN
+ // Checks with IN
- // Check string ' IN (".xxx' or ' IN (\'.xxx' with xxx that is not '$this->db->sanitize' and not '$db->sanitize'. It means we forget a db->sanitize when forging sql request.
- $ok = true;
- $matches = array();
- preg_match_all('/\s+IN\s*\([\'"]\s*\.\s*(.........)/i', $filecontent, $matches, PREG_SET_ORDER);
+ // Check string ' IN (".xxx' or ' IN (\'.xxx' with xxx that is not '$this->db->sanitize' and not '$db->sanitize'. It means we forget a db->sanitize when forging sql request.
+ $ok = true;
+ $matches = array();
+ preg_match_all('/\s+IN\s*\([\'"]\s*\.\s*(.........)/i', $filecontent, $matches, PREG_SET_ORDER);
foreach ($matches as $key => $val) {
//var_dump($val);
if (!in_array($val[1], array('$db->sani', '$this->db', 'getEntity', 'WON\',\'L', 'self::STA', 'Commande:', 'CommandeF', 'Entrepot:', 'Facture::', 'FactureFo', 'ExpenseRe', 'Societe::', 'Ticket::S'))) {
@@ -463,14 +461,14 @@ class CodingPhpTest extends CommonClassTest
}
//if ($reg[0] != 'db') $ok=false;
}
- //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n";
- $this->assertTrue($ok, 'Found non sanitized string in building of a IN or NOT IN sql request '.$file['relativename'].' - Bad.');
- //exit;
+ //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n";
+ $this->assertTrue($ok, 'Found non sanitized string in building of a IN or NOT IN sql request '.$file['relativename'].' - Bad.');
+ //exit;
- // Check string ' IN (\'".xxx' with xxx that is not '$this->db->sanitize' and not '$db->sanitize'. It means we forget a db->sanitize when forging sql request.
- $ok = true;
- $matches = array();
- preg_match_all('/\s+IN\s*\(\'"\s*\.\s*(.........)/i', $filecontent, $matches, PREG_SET_ORDER);
+ // Check string ' IN (\'".xxx' with xxx that is not '$this->db->sanitize' and not '$db->sanitize'. It means we forget a db->sanitize when forging sql request.
+ $ok = true;
+ $matches = array();
+ preg_match_all('/\s+IN\s*\(\'"\s*\.\s*(.........)/i', $filecontent, $matches, PREG_SET_ORDER);
foreach ($matches as $key => $val) {
//var_dump($val);
if (!in_array($val[1], array('$db->sani', '$this->db', 'getEntity', 'WON\',\'L', 'self::STA', 'Commande:', 'CommandeF', 'Entrepot:', 'Facture::', 'FactureFo', 'ExpenseRe', 'Societe::', 'Ticket::S'))) {
@@ -479,143 +477,143 @@ class CodingPhpTest extends CommonClassTest
}
//if ($reg[0] != 'db') $ok=false;
}
- //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n";
- $this->assertTrue($ok, 'Found non sanitized string in building of a IN or NOT IN sql request '.$file['relativename'].' - Bad.');
- //exit;
+ //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n";
+ $this->assertTrue($ok, 'Found non sanitized string in building of a IN or NOT IN sql request '.$file['relativename'].' - Bad.');
+ //exit;
- // Test that output of $_SERVER\[\'QUERY_STRING\'\] is escaped.
- $ok = true;
- $matches = array();
- preg_match_all('/(..............)\$_SERVER\[\'QUERY_STRING\'\]/', $filecontent, $matches, PREG_SET_ORDER);
+ // Test that output of $_SERVER\[\'QUERY_STRING\'\] is escaped.
+ $ok = true;
+ $matches = array();
+ preg_match_all('/(..............)\$_SERVER\[\'QUERY_STRING\'\]/', $filecontent, $matches, PREG_SET_ORDER);
foreach ($matches as $key => $val) {
if ($val[1] != 'scape_htmltag(' && $val[1] != 'ing_nohtmltag(' && $val[1] != 'dol_escape_js(') {
$ok = false;
break;
}
}
- $this->assertTrue($ok, 'Found a $_SERVER[\'QUERY_STRING\'] without dol_escape_htmltag neither dol_string_nohtmltag around it, in file '.$file['relativename'].'. Bad.');
+ $this->assertTrue($ok, 'Found a $_SERVER[\'QUERY_STRING\'] without dol_escape_htmltag neither dol_string_nohtmltag around it, in file '.$file['relativename'].'. Bad.');
- // Check GETPOST(... 'none');
- $ok = true;
- $matches = array();
- preg_match_all('/GETPOST\s*\(([^\)]+),\s*["\']none["\']/i', $filecontent, $matches, PREG_SET_ORDER);
+ // Check GETPOST(... 'none');
+ $ok = true;
+ $matches = array();
+ preg_match_all('/GETPOST\s*\(([^\)]+),\s*["\']none["\']/i', $filecontent, $matches, PREG_SET_ORDER);
foreach ($matches as $key => $val) {
//var_dump($val);
if (!in_array($val[1], array(
"'content'", "'replacestring'", "'htmlheader'", "'WEBSITE_HTML_HEADER'", "'WEBSITE_CSS_INLINE'", "'WEBSITE_JS_INLINE'", "'WEBSITE_MANIFEST_JSON'", "'PAGE_CONTENT'", "'WEBSITE_README'", "'WEBSITE_LICENSE'",
- '"mysqldump"', '"postgresqldump"',
- "'db_pass_root'", "'db_pass'", '"pass"', '"pass1"', '"pass2"', '"password"', "'password'"))) {
+ '"mysqldump"', '"postgresqldump"',
+ "'db_pass_root'", "'db_pass'", '"pass"', '"pass1"', '"pass2"', '"password"', "'password'"))) {
$ok = false;
break;
}
//if ($reg[0] != 'db') $ok=false;
}
- //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n";
- $this->assertTrue($ok, 'Found a GETPOST that use \'none\' as a parameter in file '.$file['relativename'].' and param is not an allowed parameter for using none - Bad.');
- //exit;
+ //print __METHOD__." Result for checking we don't have non escaped string in sql requests for file ".$file."\n";
+ $this->assertTrue($ok, 'Found a GETPOST that use \'none\' as a parameter in file '.$file['relativename'].' and param is not an allowed parameter for using none - Bad.');
+ //exit;
- // Test that first param of print_liste_field_titre is a translation key and not the translated value
- $ok = true;
- $matches = array();
- // Check string ='print_liste_field_titre\(\$langs'.
- preg_match_all('/print_liste_field_titre\(\$langs/', $filecontent, $matches, PREG_SET_ORDER);
+ // Test that first param of print_liste_field_titre is a translation key and not the translated value
+ $ok = true;
+ $matches = array();
+ // Check string ='print_liste_field_titre\(\$langs'.
+ preg_match_all('/print_liste_field_titre\(\$langs/', $filecontent, $matches, PREG_SET_ORDER);
foreach ($matches as $key => $val) {
$ok = false;
break;
}
- $this->assertTrue($ok, 'Found a use of print_liste_field_titre with first parameter that is a translated value instead of just the translation key in file '.$file['relativename'].'. Bad.');
+ $this->assertTrue($ok, 'Found a use of print_liste_field_titre with first parameter that is a translated value instead of just the translation key in file '.$file['relativename'].'. Bad.');
- // Test we don't have
- $ok = true;
- $matches = array();
- preg_match_all('//', $filecontent, $matches, PREG_SET_ORDER);
+ // Test we don't have
+ $ok = true;
+ $matches = array();
+ preg_match_all('//', $filecontent, $matches, PREG_SET_ORDER);
foreach ($matches as $key => $val) {
if ($file['name'] != 'functions.lib.php') {
$ok = false;
break;
}
}
- $this->assertTrue($ok, 'Found a tag
that is for xml in file '.$file['relativename'].'. You must use html syntax
instead.');
+ $this->assertTrue($ok, 'Found a tag
that is for xml in file '.$file['relativename'].'. You must use html syntax
instead.');
- // Test we don't have name="token" value="'.$_SESSION['newtoken'], we must use name="token" value="'.newToken() instead.
- $ok = true;
- $matches = array();
- preg_match_all('/name="token" value="\'\s*\.\s*\$_SESSION/', $filecontent, $matches, PREG_SET_ORDER);
+ // Test we don't have name="token" value="'.$_SESSION['newtoken'], we must use name="token" value="'.newToken() instead.
+ $ok = true;
+ $matches = array();
+ preg_match_all('/name="token" value="\'\s*\.\s*\$_SESSION/', $filecontent, $matches, PREG_SET_ORDER);
foreach ($matches as $key => $val) {
if ($file['name'] != 'excludefile.php') {
$ok = false;
break;
}
}
- $this->assertTrue($ok, 'Found a forbidden string sequence in '.$file['relativename'].' : name="token" value="\'.$_SESSION[..., you must use a newToken() instead of $_SESSION[\'newtoken\'].');
+ $this->assertTrue($ok, 'Found a forbidden string sequence in '.$file['relativename'].' : name="token" value="\'.$_SESSION[..., you must use a newToken() instead of $_SESSION[\'newtoken\'].');
- // Test we don't have preg_grep with a param without preg_quote
- $ok = true;
- $matches = array();
- preg_match_all('/preg_grep\(.*\$/', $filecontent, $matches, PREG_SET_ORDER);
+ // Test we don't have preg_grep with a param without preg_quote
+ $ok = true;
+ $matches = array();
+ preg_match_all('/preg_grep\(.*\$/', $filecontent, $matches, PREG_SET_ORDER);
foreach ($matches as $key => $val) {
if (strpos($val[0], 'preg_quote') === false) {
$ok = false;
break;
}
}
- $this->assertTrue($ok, 'Found a preg_grep with a param that is a $var but without preg_quote in file '.$file['relativename'].'.');
+ $this->assertTrue($ok, 'Found a preg_grep with a param that is a $var but without preg_quote in file '.$file['relativename'].'.');
- // Test we don't have "if ($resql >"
- $ok = true;
- $matches = array();
- preg_match_all('/if \(\$resql >/', $filecontent, $matches, PREG_SET_ORDER);
+ // Test we don't have "if ($resql >"
+ $ok = true;
+ $matches = array();
+ preg_match_all('/if \(\$resql >/', $filecontent, $matches, PREG_SET_ORDER);
foreach ($matches as $key => $val) {
$ok = false;
break;
}
- $this->assertTrue($ok, 'Found a if $resql with a > operator (when $resql is a boolean or resource) in file '.$file['relativename'].'. Please remove the > ... part.');
+ $this->assertTrue($ok, 'Found a if $resql with a > operator (when $resql is a boolean or resource) in file '.$file['relativename'].'. Please remove the > ... part.');
- // Test we don't have empty($user->hasRight
- $ok = true;
- $matches = array();
- preg_match_all('/empty\(\$user->hasRight/', $filecontent, $matches, PREG_SET_ORDER);
+ // Test we don't have empty($user->hasRight
+ $ok = true;
+ $matches = array();
+ preg_match_all('/empty\(\$user->hasRight/', $filecontent, $matches, PREG_SET_ORDER);
foreach ($matches as $key => $val) {
$ok = false;
break;
}
- $this->assertTrue($ok, 'Found code empty($user->hasRight in file '.$file['relativename'].'. empty() must not be used on a var not on a function.');
+ $this->assertTrue($ok, 'Found code empty($user->hasRight in file '.$file['relativename'].'. empty() must not be used on a var not on a function.');
- // Test we don't have empty(DolibarrApiAccess::$user->hasRight
- $ok = true;
- $matches = array();
- preg_match_all('/empty\(DolibarrApiAccess::\$user->hasRight/', $filecontent, $matches, PREG_SET_ORDER);
+ // Test we don't have empty(DolibarrApiAccess::$user->hasRight
+ $ok = true;
+ $matches = array();
+ preg_match_all('/empty\(DolibarrApiAccess::\$user->hasRight/', $filecontent, $matches, PREG_SET_ORDER);
foreach ($matches as $key => $val) {
$ok = false;
break;
}
- $this->assertTrue($ok, 'Found code empty(DolibarrApiAccess::$user->hasRight in file '.$file['relativename'].'. empty() must not be used on a var not on a function.');
+ $this->assertTrue($ok, 'Found code empty(DolibarrApiAccess::$user->hasRight in file '.$file['relativename'].'. empty() must not be used on a var not on a function.');
- // Test we don't have empty($user->hasRight
- $ok = true;
- $matches = array();
- preg_match_all('/empty\(getDolGlobal/', $filecontent, $matches, PREG_SET_ORDER);
+ // Test we don't have empty($user->hasRight
+ $ok = true;
+ $matches = array();
+ preg_match_all('/empty\(getDolGlobal/', $filecontent, $matches, PREG_SET_ORDER);
foreach ($matches as $key => $val) {
$ok = false;
break;
}
- $this->assertTrue($ok, 'Found code empty(getDolGlobal... in file '.$file['relativename'].'. empty() must be used on a var not on a function.');
+ $this->assertTrue($ok, 'Found code empty(getDolGlobal... in file '.$file['relativename'].'. empty() must be used on a var not on a function.');
- // Test we don't have @var array(
- $ok = true;
- $matches = array();
- preg_match_all('/@var\s+array\(/', $filecontent, $matches, PREG_SET_ORDER);
+ // Test we don't have @var array(
+ $ok = true;
+ $matches = array();
+ preg_match_all('/@var\s+array\(/', $filecontent, $matches, PREG_SET_ORDER);
foreach ($matches as $key => $val) {
$ok = false;
break;
}
- $this->assertTrue($ok, 'Found a declaration @var array() instead of @var array in file '.$file['relativename'].'.');
+ $this->assertTrue($ok, 'Found a declaration @var array() instead of @var array in file '.$file['relativename'].'.');
// Test we don't have CURDATE()
@@ -627,6 +625,42 @@ class CodingPhpTest extends CommonClassTest
break;
}
$this->assertTrue($ok, 'Found a CURDATE\(\) in code. Do not use this SQL method in file '.$file['relativename'].'. You must use the PHP function dol_now() instead.');
+
+
+ // Test we don't have if ($action == 'xxx'... without test on permission
+ // We do not test on file into admin, protection is done on page on user->admin
+ if (!preg_match('/admin\//', $file['fullname'])
+ && !preg_match('/\.tpl\.php/', $file['fullname'])
+ && !preg_match('/\.lib\.php/', $file['fullname'])
+ && !preg_match('/\.inc\.php/', $file['fullname'])
+ && !preg_match('/\.class\.php/', $file['fullname'])
+ && !preg_match('/NORUN$/', $file['fullname'])) {
+ $ok = true;
+ $matches = array();
+
+ // Get to part of string to use for analysis
+ $reg = array();
+ if (preg_match('/\*\s+Action(.*)\*\s+View/ims', $filecontentorigin, $reg)) {
+ $filecontentaction = $reg[1];
+ } else {
+ $filecontentaction = $filecontent;
+ }
+
+ preg_match_all('/if\s*\(\s*\$action\s*==\s*[\'"][a-z]+[\'"].*/', $filecontentaction, $matches, PREG_SET_ORDER);
+ foreach ($matches as $key => $val) {
+ if (!preg_match('/\$user->hasR/', $val[0])
+ && !preg_match('/\$permission/', $val[0])
+ && !preg_match('/\$usercan/', $val[0])
+ && !preg_match('/\$canedit/', $val[0])
+ && !preg_match('/already done/i', $val[0])
+ && !preg_match('/not required/i', $val[0])) {
+ $ok = false;
+ print "Line: ".$val[0]."\n";
+ break;
+ }
+ }
+ $this->assertTrue($ok, 'Found a test on action without check on permission and without comment to say this is expected, in file '.$file['relativename'].'.');
+ }
}
@@ -670,13 +704,13 @@ class CodingPhpTest extends CommonClassTest
public function vardumpTesterProvider()
{
return [
- 'var_dump at start of file' => ["var_dump(\$help)\n", true],
- 'var_dump at start of line' => ["\nvar_dump(\$help)\n", true],
- 'var_dump after comment next line' => ["/* Hello */\nvar_dump(\$help)\n", true],
- 'var_dump with space' => [" var_dump(\$help)\n", true],
- 'var_dump after comment' => [" // var_dump(\$help)\n", false],
- '2 var_dumps after comment' => [" // var_dump(\$help); var_dump(\$help)\n", false],
- 'var_dump before and after comment' => [" var_dump(\$help); // var_dump(\$help)\n", true],
+ 'var_dump at start of file' => ["var_dump(\$help)\n", true],
+ 'var_dump at start of line' => ["\nvar_dump(\$help)\n", true],
+ 'var_dump after comment next line' => ["/* Hello */\nvar_dump(\$help)\n", true],
+ 'var_dump with space' => [" var_dump(\$help)\n", true],
+ 'var_dump after comment' => [" // var_dump(\$help)\n", false],
+ '2 var_dumps after comment' => [" // var_dump(\$help); var_dump(\$help)\n", false],
+ 'var_dump before and after comment' => [" var_dump(\$help); // var_dump(\$help)\n", true],
];
}
@@ -753,7 +787,7 @@ class CodingPhpTest extends CommonClassTest
array_key_exists($module_name, self::VALID_MODULE_MAPPING)
|| array_key_exists($module_name, self::DEPRECATED_MODULE_MAPPING),
"Unknown module: $message"
- );
+ );
}
}
@@ -787,7 +821,7 @@ class CodingPhpTest extends CommonClassTest
}
},
$string
- );
+ );
}
/**
@@ -798,13 +832,13 @@ class CodingPhpTest extends CommonClassTest
public function commentRemovalTestProvider()
{
return [
- 'complete line 1' => ["/*Comment complete line*/", " "],
- 'complete line 2' => ["// Comment complete line", ""],
- 'partial line 1' => ["a/*Comment complete line*/b", "a b"],
- 'partial line 2' => ["a// Comment complete line", "a"],
- 'multi line full 1' => ["/*Comment\ncomplete line*/", "\n"],
- 'multi line full 2' => ["/*Comment\ncomplete line*/\n", "\n\n"],
- 'multi line partials 1' => ["a/*Comment\ncomplete line*/b", "a\nb"],
+ 'complete line 1' => ["/*Comment complete line*/", " "],
+ 'complete line 2' => ["// Comment complete line", ""],
+ 'partial line 1' => ["a/*Comment complete line*/b", "a b"],
+ 'partial line 2' => ["a// Comment complete line", "a"],
+ 'multi line full 1' => ["/*Comment\ncomplete line*/", "\n"],
+ 'multi line full 2' => ["/*Comment\ncomplete line*/\n", "\n\n"],
+ 'multi line partials 1' => ["a/*Comment\ncomplete line*/b", "a\nb"],
];
}