Symfony secret should be changed

  • Critical
  • Security

More information: https://insight.symfony.com/what-we-analyse/symfony.obvious_csrf_key

The secret is the default one from the Symfony Standard Edition

Time to fix: about 15 minutes
Collective

Website should be protected against XSS 3

  • Critical
  • Security

More information: https://insight.symfony.com/what-we-analyse/twig.xss_vulnerability

    </div>
    <br>
    <blockquote><p>{{ post.intro }}</p></blockquote>
    <p>{{ post.content|raw }}</p>  {# flagged line: |raw bypasses Twig autoescaping #}
    <div id="disqus_thread"></div>
    <script>
    /**
    * RECOMMENDED CONFIGURATION VARIABLES: EDIT AND UNCOMMENT THE SECTION BELOW TO INSERT DYNAMIC VALUES FROM YOUR PLATFORM OR CMS.

Using the |raw filter or the {% autoescape false %} block in a Twig template exposes users to Cross-Site Scripting (XSS) attacks.

Time to fix: about 3 hours
Last edited by Peter Kokot

    <ul>
    {% for bundle in bundles %}
    <li>
    <a href="{{ bundle.url }}" target="_blank">{{ bundle.name }}</a><br>
    <small>{{ bundle.description|raw }}</small>  {# flagged line: |raw bypasses Twig autoescaping #}
    </li>
    {% endfor %}
    </ul>
    {% endblock %}

Using the |raw filter or the {% autoescape false %} block in a Twig template exposes users to Cross-Site Scripting (XSS) attacks.

Time to fix: about 3 hours
Last edited by Peter Kokot

    <div class="text-left">
    <span class="glyphicon glyphicon-time" aria-hidden="true"></span> <em>Čas branja: {{ psr.readTime }}</em> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
    <span class="glyphicon glyphicon-edit" aria-hidden="true"></span> <em>Zadnja sprememba: {{ psr.updated|date("d.m.Y") }}</em>
    </div>
    {{ psr.content|raw }}  {# flagged line: |raw bypasses Twig autoescaping #}
    {% endblock %}
    {% block sidebar %}
    {% if psr.meta %}
    <h2>Meta dokument</h2>

Using the |raw filter or the {% autoescape false %} block in a Twig template exposes users to Cross-Site Scripting (XSS) attacks.

Time to fix: about 3 hours
Last edited by Peter Kokot

Twig templates should not contain business logic 2

  • Major
  • Architecture

More information: https://insight.symfony.com/what-we-analyse/twig.template_too_complex

Template too complex, depth of 8 is reached but only 5 is allowed.

Time to fix: about 2 hours
Last edited by Peter Kokot

Template too complex, depth of 6 is reached but only 5 is allowed.

Time to fix: about 2 hours
Last edited by Peter Kokot

Symfony applications should not contain a config.php file

  • Major
  • Security

More information: https://insight.symfony.com/what-we-analyse/symfony.web_config_should_not_be_present

in web

This config.php file should only be used to bootstrap a Symfony application. Before releasing to production, you should remove it, otherwise attackers could get valuable insight about your application.

Time to fix: about 1 hour
Last edited by Peter Kokot
  • web
    • images
    • app.php
    • app_dev.php
    • apple-touch-icon.png
    • config.php
    • favicon.ico
    • robots.txt

Version of dependencies should be fixed 6

  • Minor
  • Bugrisk

More information: https://insight.symfony.com/what-we-analyse/composer.unfixed_dependency_version

The following packages are not fixed to a specific version:

  • symfony-si/fig-standards-sl#*
  • php-pm/httpkernel-adapter#dev-master
  • symfony-si/symfony-cheatsheet#*
  • symfony-si/symfony-resources#*
  • php-pm/php-pm#dev-master
  • symfony-si/conduct#*

Time to fix: about 1 hour each
Collective

Object parameters should be type hinted 4

  • Minor
  • Bugrisk

More information: https://insight.symfony.com/what-we-analyse/php.object_parameter_not_type_hinted

    public function findAll()
    {
        $finder = new Finder();
        $finder->files()->in($this->path.'/Resources/content/blog');
        $finder->files()->name('*.md');
        $finder->sort(function ($a, $b) { return strcmp($b->getRealpath(), $a->getRealpath()); }); // flagged: $a is an object and should be type hinted
        $posts = [];
        foreach ($finder as $file) {
            $post = $this->getPostByFile($file->getRealPath());
            $posts[] = $post;

The parameter a, which is an object, should be type hinted.

Time to fix: about 1 hour
Last edited by Peter Kokot

    public function findAll()
    {
        $finder = new Finder();
        $finder->files()->in($this->path.'/Resources/content/blog');
        $finder->files()->name('*.md');
        $finder->sort(function ($a, $b) { return strcmp($b->getRealpath(), $a->getRealpath()); }); // flagged: $b is an object and should be type hinted
        $posts = [];
        foreach ($finder as $file) {
            $post = $this->getPostByFile($file->getRealPath());
            $posts[] = $post;

The parameter b, which is an object, should be type hinted.

Time to fix: about 1 hour
Last edited by Peter Kokot

    public function findLatest($limit = 10)
    {
        $finder = new Finder();
        $finder->files()->in($this->path.'/Resources/content/blog');
        $finder->files()->name('*.md');
        $finder->sort(function ($a, $b) { return strcmp($b->getRealpath(), $a->getRealpath()); }); // flagged: $a is an object and should be type hinted
        $posts = [];
        foreach (new \LimitIterator($finder->getIterator(), 0, $limit) as $file) {
            $post = $this->getPostByFile($file->getRealPath());
            $posts[] = $post;

The parameter a, which is an object, should be type hinted.

Time to fix: about 1 hour
Last edited by Peter Kokot

    public function findLatest($limit = 10)
    {
        $finder = new Finder();
        $finder->files()->in($this->path.'/Resources/content/blog');
        $finder->files()->name('*.md');
        $finder->sort(function ($a, $b) { return strcmp($b->getRealpath(), $a->getRealpath()); }); // flagged: $b is an object and should be type hinted
        $posts = [];
        foreach (new \LimitIterator($finder->getIterator(), 0, $limit) as $file) {
            $post = $this->getPostByFile($file->getRealPath());
            $posts[] = $post;

The parameter b, which is an object, should be type hinted.

Time to fix: about 1 hour
Last edited by Peter Kokot

Commented code should not be committed

  • Minor
  • Deadcode

More information: https://insight.symfony.com/what-we-analyse/php.commented_out_code

in web/app.php, line 16
    $kernel = new AppKernel('prod', false);
    $kernel->loadClassCache();
    $kernel = new AppCache($kernel);
    // When using the HttpCache, you need to call the method in your front controller instead of relying on the configuration parameter
    //Request::enableHttpMethodParameterOverride();   // flagged: commented-out code
    $request = Request::createFromGlobals();
    $response = $kernel->handle($request);
    $response->send();
    $kernel->terminate($request, $response);

Commented-out code reduces readability and lowers other developers' confidence in the code. Even if it is commonly kept around for debugging, it should not be committed. With a version control system, such code can be safely removed and recovered from history if it is ever needed again.

Time to fix: about 30 minutes
Last edited by Peter Kokot

Default session cookie's name should be changed.

  • Minor
  • Security

More information: https://insight.symfony.com/what-we-analyse/symfony.request.session_cookie_default_name

The session cookie name is the default one, PHPSESSID. You should consider overriding it via the session.name parameter (see the official documentation).

Time to fix: about 1 hour
Collective

The composer.json file should not raise warnings

  • Info
  • Bugrisk

More information: https://insight.symfony.com/what-we-analyse/composer.warning

Defining autoload.psr-4 with an empty namespace prefix is a bad idea for performance

Time to fix: about 1 hour
Last edited by Peter Kokot

Text files should end with a newline character 6

  • Info
  • Codestyle

More information: https://insight.symfony.com/what-we-analyse/missing_e_o_l

    {% block javascripts %}
    {{ parent() }}
    <script id="dsq-count-scr" src="//symfonysi.disqus.com/count.js" async></script>
    {% endblock %}

This file ends with no newline character. It won't render properly on a terminal, and it's considered a bad practice. Add a simple line feed as the last character to fix it.

Time to fix: about 15 minutes
Last edited by Peter Kokot

    {% if sidebarpsr.meta %}
    <li{% if path('psr_show', {'slug': sidebarpsr.meta.slug}) == currentPath %} class="active"{% endif %}><a href="{{ path('psr_show', {'slug': sidebarpsr.meta.slug}) }}">{{ sidebarpsr.meta.title }}</a></li>
    {% endif %}
    {% endfor %}
    </ul>
    {% endblock %}

This file ends with no newline character. It won't render properly on a terminal, and it's considered a bad practice. Add a simple line feed as the last character to fix it.

Time to fix: about 15 minutes
Last edited by Peter Kokot

    {% block title %}{{ status_code }} {{ status_text }}{% endblock %}
    {% block body %}
    <h1>Oops! And Error Occurred</h1>
    <h2>The server returned a "{{ status_code }} {{ status_text }}".</h2>
    {% endblock %}

This file ends with no newline character. It won't render properly on a terminal, and it's considered a bad practice. Add a simple line feed as the last character to fix it.

Time to fix: about 15 minutes
Last edited by Peter Kokot

    if (d.getElementById(id)) return;
    js = d.createElement(s); js.id = id;
    js.src = "//connect.facebook.net/en_US/sdk.js#xfbml=1&version=v2.6&appId=1062356410505765";
    fjs.parentNode.insertBefore(js, fjs);
    }(document, 'script', 'facebook-jssdk'));</script>
    <div class="fb-page" data-href="https://www.facebook.com/symfony.si/" data-small-header="true" data-adapt-container-width="true" data-hide-cover="true" data-show-facepile="true"><blockquote cite="https://www.facebook.com/symfony.si/" class="fb-xfbml-parse-ignore"><a href="https://www.facebook.com/symfony.si/">Symfony Slovenia</a></blockquote></div>

This file ends with no newline character. It won't render properly on a terminal, and it's considered a bad practice. Add a simple line feed as the last character to fix it.

Time to fix: about 15 minutes
Last edited by Peter Kokot

    })(window,document,'script','//www.google-analytics.com/analytics.js','ga');
    ga('create', 'UA-59671004-1', 'auto');
    ga('send', 'pageview');
    </script>

This file ends with no newline character. It won't render properly on a terminal, and it's considered a bad practice. Add a simple line feed as the last character to fix it.

Time to fix: about 15 minutes
Last edited by Peter Kokot

    public function getReadTime()
    {
        return $this->readTime;
    }
    }

This file ends with no newline character. It won't render properly on a terminal, and it's considered a bad practice. Add a simple line feed as the last character to fix it.

Time to fix: about 15 minutes
Last edited by Peter Kokot

A route should always have a valid HTTP method 14

  • Info
  • Security

More information: https://insight.symfony.com/what-we-analyse/symfony.routing.action_not_restricted_by_method

The following routes should have a routing method (GET/POST/PUT). It is mandatory:

  • contact
  • ecosystem
  • psr_show
  • copyrights
  • blog_show
  • homepage
  • conduct
  • blog_homepage
  • join
  • contributors
  • resources
  • contact_success
  • cheatsheet
  • psr_index

Time to fix: about 1 hour each
Collective

Default favicon should be changed 2

  • Info
  • Security

More information: https://insight.symfony.com/what-we-analyse/web.default_favicon

Default Apple touch Symfony favicon found.

This reveals the backend engine of the application and makes it more vulnerable to attackers. Consider using a custom favicon instead; as a bonus, your users will remember your application more easily.

Time to fix: about 1 hour
Last edited by Peter Kokot

Default Symfony favicon found.

This reveals the backend engine of the application and makes it more vulnerable to attackers. Consider using a custom favicon instead; as a bonus, your users will remember your application more easily.

Time to fix: about 1 hour
Last edited by Peter Kokot