Symfony secret should be changed

  • Critical
  • Security

More information: https://insight.symfony.com/what-we-analyse/symfony.obvious_csrf_key

The secret is the default one from the Symfony Standard Edition

Time to fix: about 15 minutes
Collective

Website should be protected against XSS 3

  • Critical
  • Security
  • Vulnerability

More information: https://insight.symfony.com/what-we-analyse/twig.xss_vulnerability

    </div>
    <br>
    <blockquote><p>{{ post.intro }}</p></blockquote>
    <p>{{ post.content|raw }}</p>
    <div id="disqus_thread"></div>
    <script>
    /**
    * RECOMMENDED CONFIGURATION VARIABLES: EDIT AND UNCOMMENT THE SECTION BELOW TO INSERT DYNAMIC VALUES FROM YOUR PLATFORM OR CMS.

Flagged line: <p>{{ post.content|raw }}</p>

Using the |raw filter or the {% autoescape false %} block in a Twig template exposes users to Cross-Site Scripting (XSS) attacks.

Time to fix: about 3 hours
Last edited by Peter Kokot

    <ul>
    {% for bundle in bundles %}
    <li>
    <a href="{{ bundle.url }}" target="_blank">{{ bundle.name }}</a><br>
    <small>{{ bundle.description|raw }}</small>
    </li>
    {% endfor %}
    </ul>
    {% endblock %}

Flagged line: <small>{{ bundle.description|raw }}</small>

Using the |raw filter or the {% autoescape false %} block in a Twig template exposes users to Cross-Site Scripting (XSS) attacks.

Time to fix: about 3 hours
Last edited by Peter Kokot

    <div class="text-left">
    <span class="glyphicon glyphicon-time" aria-hidden="true"></span> <em>Čas branja: {{ psr.readTime }}</em> &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
    <span class="glyphicon glyphicon-edit" aria-hidden="true"></span> <em>Zadnja sprememba: {{ psr.updated|date("d.m.Y") }}</em>
    </div>
    {{ psr.content|raw }}
    {% endblock %}
    {% block sidebar %}
    {% if psr.meta %}
    <h2>Meta dokument</h2>

Flagged line: {{ psr.content|raw }}

Using the |raw filter or the {% autoescape false %} block in a Twig template exposes users to Cross-Site Scripting (XSS) attacks.

Time to fix: about 3 hours
Last edited by Peter Kokot

Twig templates should not contain business logic 2

  • Major
  • Architecture

More information: https://insight.symfony.com/what-we-analyse/twig.template_too_complex

Template too complex, depth of 8 is reached but only 5 is allowed.

Time to fix: about 2 hours
Last edited by Peter Kokot

Template too complex, depth of 6 is reached but only 5 is allowed.

Time to fix: about 2 hours
Last edited by Peter Kokot

Symfony applications should not contain a config.php file

  • Major
  • Security

More information: https://insight.symfony.com/what-we-analyse/symfony.web_config_should_not_be_present

in web

This config.php file should only be used to bootstrap a Symfony application. Before releasing to production, you should remove it; otherwise attackers could gain valuable insight into your application.

Time to fix: about 1 hour
Last edited by Peter Kokot
  • web
    • images
    • app.php
    • app_dev.php
    • apple-touch-icon.png
    • config.php
    • favicon.ico
    • robots.txt

Version of dependencies should be fixed 6

  • Minor
  • Bugrisk

More information: https://insight.symfony.com/what-we-analyse/composer.unfixed_dependency_version

The following packages are not fixed to a version:

  • symfony-si/fig-standards-sl#*
  • php-pm/httpkernel-adapter#dev-master
  • symfony-si/symfony-cheatsheet#*
  • symfony-si/symfony-resources#*
  • php-pm/php-pm#dev-master
  • symfony-si/conduct#*

Time to fix: about 1 hour each
Collective

The Symfony version should be the latest stable one

  • Minor
  • Bugrisk

More information: https://insight.symfony.com/what-we-analyse/symfony.version.latest_stable

This project uses Symfony v3.1.2, which is not the latest release of the v3.1 branch. You should use the v3.1.3 instead to benefit from the latest bugfixes.

Time to fix: about 1 day
Collective

Object parameters should be type hinted 4

  • Minor
  • Bugrisk

More information: https://insight.symfony.com/what-we-analyse/php.object_parameter_not_type_hinted

    public function findAll()
    {
        $finder = new Finder();
        $finder->files()->in($this->path.'/Resources/content/blog');
        $finder->files()->name('*.md');
        $finder->sort(function ($a, $b) { return strcmp($b->getRealpath(), $a->getRealpath()); });
        $posts = [];
        foreach ($finder as $file) {
            $post = $this->getPostByFile($file->getRealPath());
            $posts[] = $post;

Flagged line: the sort closure function ($a, $b)

The parameter a, which is an object, should be type-hinted.

Time to fix: about 1 hour
Last edited by Peter Kokot

The parameter b, which is an object, should be type-hinted.

Time to fix: about 1 hour
Last edited by Peter Kokot
    public function findLatest($limit = 10)
    {
        $finder = new Finder();
        $finder->files()->in($this->path.'/Resources/content/blog');
        $finder->files()->name('*.md');
        $finder->sort(function ($a, $b) { return strcmp($b->getRealpath(), $a->getRealpath()); });
        $posts = [];
        foreach (new \LimitIterator($finder->getIterator(), 0, $limit) as $file) {
            $post = $this->getPostByFile($file->getRealPath());
            $posts[] = $post;

Flagged line: the sort closure function ($a, $b)

The parameter a, which is an object, should be type-hinted.

Time to fix: about 1 hour
Last edited by Peter Kokot

The parameter b, which is an object, should be type-hinted.

Time to fix: about 1 hour
Last edited by Peter Kokot

Commented code should not be committed

  • Minor
  • Deadcode

More information: https://insight.symfony.com/what-we-analyse/php.commented_out_code

in web/app.php, line 16
    $kernel = new AppKernel('prod', false);
    $kernel->loadClassCache();
    $kernel = new AppCache($kernel);
    // When using the HttpCache, you need to call the method in your front controller instead of relying on the configuration parameter
    //Request::enableHttpMethodParameterOverride();
    $request = Request::createFromGlobals();
    $response = $kernel->handle($request);
    $response->send();
    $kernel->terminate($request, $response);

Flagged line: //Request::enableHttpMethodParameterOverride();

Commented-out code reduces readability and lowers other developers' confidence in the code. Even if it is commonly used for debugging, it should not be committed: with a version control system, such code can be safely removed and recovered later if needed.

Time to fix: about 30 minutes
Last edited by Peter Kokot

Default session cookie's name should be changed.

  • Minor
  • Security

More information: https://insight.symfony.com/what-we-analyse/symfony.request.session_cookie_default_name

The session cookie name is the default one, PHPSESSID. You should consider overriding it via the session.name parameter (see the official documentation).

Time to fix: about 1 hour
Collective

The composer.json file should not raise warnings

  • Info
  • Bugrisk

More information: https://insight.symfony.com/what-we-analyse/composer.warning

Defining autoload.psr-4 with an empty namespace prefix is a bad idea for performance

Time to fix: about 1 hour
Last edited by Peter Kokot

Text files should end with a newline character 6

  • Info
  • Codestyle

More information: https://insight.symfony.com/what-we-analyse/missing_e_o_l

Each of the following six files ends with no newline character. It won't render properly on a terminal, and it's considered a bad practice. Add a simple line feed as the last character to fix it.

Time to fix: about 15 minutes each
Last edited by Peter Kokot

    {% block javascripts %}
    {{ parent() }}
    <script id="dsq-count-scr" src="//symfonysi.disqus.com/count.js" async></script>
    {% endblock %}

    {% if sidebarpsr.meta %}
    <li{% if path('psr_show', {'slug': sidebarpsr.meta.slug}) == currentPath %} class="active"{% endif %}><a href="{{ path('psr_show', {'slug': sidebarpsr.meta.slug}) }}">{{ sidebarpsr.meta.title }}</a></li>
    {% endif %}
    {% endfor %}
    </ul>
    {% endblock %}

    {% block title %}{{ status_code }} {{ status_text }}{% endblock %}
    {% block body %}
    <h1>Oops! And Error Occurred</h1>
    <h2>The server returned a "{{ status_code }} {{ status_text }}".</h2>
    {% endblock %}

    if (d.getElementById(id)) return;
    js = d.createElement(s); js.id = id;
    js.src = "//connect.facebook.net/en_US/sdk.js#xfbml=1&version=v2.6&appId=1062356410505765";
    fjs.parentNode.insertBefore(js, fjs);
    }(document, 'script', 'facebook-jssdk'));</script>
    <div class="fb-page" data-href="https://www.facebook.com/symfony.si/" data-small-header="true" data-adapt-container-width="true" data-hide-cover="true" data-show-facepile="true"><blockquote cite="https://www.facebook.com/symfony.si/" class="fb-xfbml-parse-ignore"><a href="https://www.facebook.com/symfony.si/">Symfony Slovenia</a></blockquote></div>

    })(window,document,'script','//www.google-analytics.com/analytics.js','ga');
    ga('create', 'UA-59671004-1', 'auto');
    ga('send', 'pageview');
    </script>

    public function getReadTime()
    {
        return $this->readTime;
    }
    }

A route should always have a valid HTTP method 14

  • Info
  • Security

More information: https://insight.symfony.com/what-we-analyse/symfony.routing.action_not_restricted_by_method

The following routes should have a routing method (GET/POST/PUT). It is mandatory.

  • ecosystem
  • psr_show
  • copyrights
  • blog_show
  • homepage
  • conduct
  • blog_homepage
  • join
  • contributors
  • resources
  • contact_success
  • cheatsheet
  • psr_index
  • contact

Time to fix: about 1 hour each
Collective

Default favicon should be changed 2

  • Info
  • Security

More information: https://insight.symfony.com/what-we-analyse/web.default_favicon

Default Apple touch Symfony favicon found.

This reveals the backend engine of the application and makes it more vulnerable to attackers. Consider using a custom favicon instead - plus, your users will memorize your application more easily.

Time to fix: about 1 hour
Last edited by Peter Kokot

Default Symfony favicon found.

This reveals the backend engine of the application and makes it more vulnerable to attackers. Consider using a custom favicon instead - plus, your users will memorize your application more easily.

Time to fix: about 1 hour
Last edited by Peter Kokot