JMSSecurityExtraBundle
Insights Code scanning report
Hi
Thank you for your great work with this bundle and your contribution to the open source community.
I have put the bundle through Sensiolabs Insights code scanning and just wanted to share the findings with you.
The scanning found 3 Critical, 4 Major, 3 Minor and 42 Info issues/recommendations.
They are:
eval() should never be used (3 findings, Critical, Security)
in Security/Authorization/Expression/ExpressionVoter.php, line 119: return eval($this->getCompiler()->compileExpression($expr));
eval() is very dangerous because it allows execution of arbitrary PHP code. Avoid using it, especially when including user input.
in Security/Authorization/Expression/ExpressionVoter.php, line 171
in Security/Authorization/Expression/ReverseInterpreter.php, line 79
See https://insight.sensiolabs.com/what-we-analyse/php.use_php_eval_function

Missing use statement should be avoided (Major, Bug risk)
in Security/Authorization/Voter/IddqdVoter.php, line 34: class IddqdVoter implements VoterInterface
The @RunAs annotation looks like a class annotation which resolves to the JMS\SecurityExtraBundle\Security\Authorization\Voter\RunAs class which PHP does not seem to be able to autoload.
See https://insight.sensiolabs.com/what-we-analyse/php.missing_use_statement

PHP 7 reserved words should not be used as class, interface or trait names (Major, Bug risk)
in Security/Util/String.php, line 12: final class String
This name is a reserved word since PHP 7 and should not be used as a class, interface or trait name.
See https://insight.sensiolabs.com/what-we-analyse/php.php7_reserved_words

Source code should not contain FIXME comments (Major, Bug risk)
in DependencyInjection/JMSSecurityExtraExtension.php, line 85: // FIXME: Also add an iddqd after invocation provider
FIXME comments are left in the code when a bug has been noticed but not fixed. You should fix the bug and remove the comment.
See https://insight.sensiolabs.com/what-we-analyse/task_fixme_comment

Files should not be executable (Major, Security)
Your project contains files with permissive permissions. In order to avoid opening a security breach, you should restrict execution rights on the following files:
Security/Acl/Expression/HasClassPermissionFunctionCompiler.php
See https://insight.sensiolabs.com/what-we-analyse/php.too_permissive_file_permissions

The Symfony Dependency Injection Container should not be passed as an argument (2 findings, Minor, Architecture)
in Security/Authorization/Expression/ContainerAwareExpressionHandler.php, line 34: public function __construct(ContainerInterface $container)
A Symfony dependency injection container has been found as an argument.
in Security/Authorization/Expression/LazyLoadingExpressionVoter.php, line 29
See https://insight.sensiolabs.com/what-we-analyse/symfony.dependency_injection.no_container_as_parameter

Source code should not contain TODO comments (Minor, Architecture)
in Metadata/Driver/ConfigDriver.php, line 78: // TODO: Is it feasible to reverse-engineer the notation for service controllers?
TODO comments are left in the code when a feature (or a bug) isn't completely developed (or fixed). You should complete the implementation and remove the comment.
A full report can be seen here:
JMSSecurityExtraBundle SensioLabsInsight.pdf
If it is possible for you to fix these issues/comments/recommendations in a future commit, it will be appreciated.
Kind regards,
Renier Lewis