Your project uses non-strict array lookups 3

More information: https://insight.symfony.com/what-we-analyse/php.strict_array_lookup

in Core/ClicShopping/Apps/Tools/Backup/Sites/ClicShoppingAdmin/Pages/Home/Actions/Backup/RestoreNow.php, line 182 
  2.         // Extract statement type
  3.         $stmt_type = strtoupper(trim(explode(' ', $sql)[0]));
  5.         // Whitelist allowed SQL types
  6.         if (!in_array($stmt_type, $allowed_statements)) {
    in_array() should be called with the third parameter set to true to enable strict comparison and avoid type juggling bugs.
    Time to fix: about 15 minutes
    Read doc
                Open Issue
             Permalink Copy Prompt
    
                                    Last edited  by clicshopping
                    
  7.           $CLICSHOPPING_MessageStack->add('Restore skipped: unsupported SQL statement type (' . $stmt_type . ')', 'warning');
  8.           continue;
  9.         }
  11.         // Validate DROP TABLE statements to prevent SQL injection
in Core/ClicShopping/Apps/Tools/Upgrade/Classes/ClicShoppingAdmin/ExtractFile.php, line 136 
  1.     }
  3.     // Optional: Whitelist specific domains (e.g., GitHub)
  4.     // Uncomment and modify as needed:
  5.       $allowed_domains = ['github.com', 'api.github.com'];
  6.       if (!in_array($parsed_url['host'] ?? '', $allowed_domains)) {
    in_array() should be called with the third parameter set to true to enable strict comparison and avoid type juggling bugs.
    Time to fix: about 15 minutes
    Read doc
                Open Issue
             Permalink Copy Prompt
    
                                    Last edited  by clicshopping
                    
  7.         $this->messageStack->add('Download from unauthorized domain', 'error');
  8.         CLICSHOPPING::redirect('Upgrade&Marketplace');
  9.         return null;
  10.        }
in Core/ClicShopping/OM/HTML.php, line 306 
  1.       $flags['session_id'] = false;
  2.     }
  4.     // Security: Validate method against whitelist
  5.     $allowed_methods = ['post', 'get'];
  6.     $safe_method = in_array(strtolower($method ?? 'post'), $allowed_methods) ? strtolower($method ?? 'post') : 'post';
    in_array() should be called with the third parameter set to true to enable strict comparison and avoid type juggling bugs.
    Time to fix: about 15 minutes
    Read doc
                Open Issue
             Permalink Copy Prompt
    
                                    Last edited  by clicshopping
                    
  8.     // Security: Sanitize form action URL
  9.     $safe_action = static::sanitizeUrl($action);
  11.     $form = '<form name="' . static::outputProtected($name) . '" action="' . $safe_action . '" method="' . $safe_method . '"';

Your project should not contain PHP files defining multiple classes 2

More information: https://insight.symfony.com/what-we-analyse/php.file_contains_more_than_one_class

in Core/ClicShopping/Apps/Tools/MCP/Classes/ClicShoppingAdmin/Exceptions/Exceptions.php
This file contains 4 classes. Keeping only one class per file is a standard in the PHP community, since it promotes interoperability and maintainability.
Time to fix: about 1 day
Read doc Open Issue Permalink Copy Prompt
Collective
  • McpException (defined at line 18)
  • McpConnectionException (defined at line 27)
  • McpProtocolException (defined at line 36)
  • McpConfigurationException (defined at line 45)
in sources/template/Default/modules/modules_header/he_header_multi_template.php
This file contains 2 classes. Keeping only one class per file is a standard in the PHP community, since it promotes interoperability and maintainability.
Time to fix: about 4 hours
Read doc Open Issue Permalink Copy Prompt
Collective
  • he_header_multi_template (defined at line 14)
  • explodeCategoryTree (defined at line 235)

Your project should use dedicated PHP string functions 10

More information: https://insight.symfony.com/what-we-analyse/php.use_string_function

in Core/ClicShopping/Apps/Configuration/Api/Classes/Shop/ApiSecurity.php, line 103 
  1.     }
  3.     $expectedV6 = filter_var($expected, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6);
  4.     $actualV6   = filter_var($actual,   FILTER_VALIDATE_IP, FILTER_FLAG_IPV6);
  5.     if ($expectedV6 !== false && $actualV6 !== false) {
  6.       return substr(inet_pton($expectedV6), 0, 8) === substr(inet_pton($actualV6), 0, 8);
    Consider replacing substr() with str_starts_with() for improved readability.
    Time to fix: about 1 hour
    Read doc
                Open Issue
             Permalink Copy Prompt
    
                                    Last edited  by clicshopping
                    
  7.     }
  9.     // Mixed family or unparseable — fall back to strict to avoid silent bypass.
  10.     return $expected === $actual;
  11.   }
in Core/ClicShopping/Apps/Tools/MCP/Classes/Shop/Security/McpSecurity.php, line 81 
  2.     $expectedV6 = filter_var($expected, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6);
  3.     $actualV6   = filter_var($actual,   FILTER_VALIDATE_IP, FILTER_FLAG_IPV6);
  4.     if ($expectedV6 !== false && $actualV6 !== false) {
  5.       // Same /64 — first 8 bytes of the 16-byte packed form.
  6.       return substr(inet_pton($expectedV6), 0, 8) === substr(inet_pton($actualV6), 0, 8);
    Consider replacing substr() with str_starts_with() for improved readability.
    Time to fix: about 1 hour
    Read doc
                Open Issue
             Permalink Copy Prompt
    
                                    Last edited  by clicshopping
                    
  7.     }
  9.     // Mixed family or unparseable — fall back to strict to avoid silent bypass.
  10.     return $expected === $actual;
  11.   }
in Core/ClicShopping/Apps/Tools/Upgrade/Classes/ClicShoppingAdmin/ExtractFile.php, line 175 
  1.     if ($zip->open($filename_localisation) === true) {
  2.       $has_traversal = false;
  3.       for ($i = 0; $i < $zip->numFiles; $i++) {
  4.         $filename = $zip->getNameIndex($i);
  5.         // Check for path traversal
  6.         if (strpos($filename, '..') !== false || strpos($filename, '/') === 0 || strpos($filename, '\\') === 0) {
    Consider replacing strpos() with str_starts_with() for improved readability.
    Time to fix: about 1 hour
    Read doc
                Open Issue
             Permalink Copy Prompt
    
                                    Last edited  by clicshopping
                    
  7.           $has_traversal = true;
  8.           break;
  9.         }
  10.         // Check for absolute paths
  11.         if (preg_match('/^[a-zA-Z]:\\/', $filename)) {
in Core/ClicShopping/Apps/Tools/Upgrade/Classes/ClicShoppingAdmin/ExtractFile.php, line 175 
  1.     if ($zip->open($filename_localisation) === true) {
  2.       $has_traversal = false;
  3.       for ($i = 0; $i < $zip->numFiles; $i++) {
  4.         $filename = $zip->getNameIndex($i);
  5.         // Check for path traversal
  6.         if (strpos($filename, '..') !== false || strpos($filename, '/') === 0 || strpos($filename, '\\') === 0) {
    Consider replacing strpos() with str_contains() for improved readability.
    Time to fix: about 1 hour
    Read doc
                Open Issue
             Permalink Copy Prompt
    
                                    Last edited  by clicshopping
                    
  7.           $has_traversal = true;
  8.           break;
  9.         }
  10.         // Check for absolute paths
  11.         if (preg_match('/^[a-zA-Z]:\\/', $filename)) {
in Core/ClicShopping/AI/CoreAI/Memory/ConversationMemory.php, line 688 
  1.     if ($response === '') {
  2.       return $response;
  3.     }
  5.     // If there are no HTML tags at all, skip the work
  6.     $hasTags = (\strpos($response, '<') !== false);
    Consider replacing strpos() with str_contains() for improved readability.
    Time to fix: about 1 hour
    Read doc
                Open Issue
             Permalink Copy Prompt
    
                                    Last edited  by clicshopping
                    
  8.     if ($hasTags) {
  9.       $response = \strip_tags($response);
  10.       $response = \html_entity_decode($response, ENT_QUOTES | ENT_HTML5, 'UTF-8');
  11.     }
in Core/ClicShopping/Apps/Configuration/ChatGpt/config/adaptive_weighting.php, line 26 
  1. $llmProvider = 'openai'; // Default
  2. if (defined('CLICSHOPPING_APP_CHATGPT_CH_MODEL')) {
  3.     $model = CLICSHOPPING_APP_CHATGPT_CH_MODEL;
  5.     // Determine provider from model name
  6.     if (strpos($model, 'anth-') === 0 || strpos($model, 'claude') !== false) {
    Consider replacing strpos() with str_contains() for improved readability.
    Time to fix: about 1 hour
    Read doc
                Open Issue
             Permalink Copy Prompt
    
                                    Last edited  by clicshopping
                    
  7.         $llmProvider = 'anthropic';
  8.     } elseif (strpos($model, 'mistral') !== false) {
  9.         $llmProvider = 'mistral';
  10.     } elseif (strpos($model, 'ollama:') === 0 || strpos($model, 'mistral:') === 0) {
  11.         $llmProvider = 'ollama';
in Core/ClicShopping/Apps/Configuration/ChatGpt/config/adaptive_weighting.php, line 26 
  1. $llmProvider = 'openai'; // Default
  2. if (defined('CLICSHOPPING_APP_CHATGPT_CH_MODEL')) {
  3.     $model = CLICSHOPPING_APP_CHATGPT_CH_MODEL;
  5.     // Determine provider from model name
  6.     if (strpos($model, 'anth-') === 0 || strpos($model, 'claude') !== false) {
    Consider replacing strpos() with str_starts_with() for improved readability.
    Time to fix: about 1 hour
    Read doc
                Open Issue
             Permalink Copy Prompt
    
                                    Last edited  by clicshopping
                    
  7.         $llmProvider = 'anthropic';
  8.     } elseif (strpos($model, 'mistral') !== false) {
  9.         $llmProvider = 'mistral';
  10.     } elseif (strpos($model, 'ollama:') === 0 || strpos($model, 'mistral:') === 0) {
  11.         $llmProvider = 'ollama';
in Core/ClicShopping/Apps/Configuration/ChatGpt/config/adaptive_weighting.php, line 28 
  1.     $model = CLICSHOPPING_APP_CHATGPT_CH_MODEL;
  3.     // Determine provider from model name
  4.     if (strpos($model, 'anth-') === 0 || strpos($model, 'claude') !== false) {
  5.         $llmProvider = 'anthropic';
  6.     } elseif (strpos($model, 'mistral') !== false) {
    Consider replacing strpos() with str_contains() for improved readability.
    Time to fix: about 1 hour
    Read doc
                Open Issue
             Permalink Copy Prompt
    
                                    Last edited  by clicshopping
                    
  7.         $llmProvider = 'mistral';
  8.     } elseif (strpos($model, 'ollama:') === 0 || strpos($model, 'mistral:') === 0) {
  9.         $llmProvider = 'ollama';
  10.     } elseif (strpos($model, 'openai/') === 0 || strpos($model, 'microsoft/') === 0 || strpos($model, 'qwen/') === 0) {
  11.         $llmProvider = 'lmstudio';
in Core/ClicShopping/Apps/Configuration/ChatGpt/config/adaptive_weighting.php, line 30 
  1.     // Determine provider from model name
  2.     if (strpos($model, 'anth-') === 0 || strpos($model, 'claude') !== false) {
  3.         $llmProvider = 'anthropic';
  4.     } elseif (strpos($model, 'mistral') !== false) {
  5.         $llmProvider = 'mistral';
  6.     } elseif (strpos($model, 'ollama:') === 0 || strpos($model, 'mistral:') === 0) {
    Consider replacing strpos() with str_starts_with() for improved readability.
    Time to fix: about 1 hour
    Read doc
                Open Issue
             Permalink Copy Prompt
    
                                    Last edited  by clicshopping
                    
  7.         $llmProvider = 'ollama';
  8.     } elseif (strpos($model, 'openai/') === 0 || strpos($model, 'microsoft/') === 0 || strpos($model, 'qwen/') === 0) {
  9.         $llmProvider = 'lmstudio';
  10.     } else {
  11.         // Default to OpenAI for gpt-* models
in Core/ClicShopping/Apps/Configuration/ChatGpt/config/adaptive_weighting.php, line 32 
  1.         $llmProvider = 'anthropic';
  2.     } elseif (strpos($model, 'mistral') !== false) {
  3.         $llmProvider = 'mistral';
  4.     } elseif (strpos($model, 'ollama:') === 0 || strpos($model, 'mistral:') === 0) {
  5.         $llmProvider = 'ollama';
  6.     } elseif (strpos($model, 'openai/') === 0 || strpos($model, 'microsoft/') === 0 || strpos($model, 'qwen/') === 0) {
    Consider replacing strpos() with str_starts_with() for improved readability.
    Time to fix: about 1 hour
    Read doc
                Open Issue
             Permalink Copy Prompt
    
                                    Last edited  by clicshopping
                    
  7.         $llmProvider = 'lmstudio';
  8.     } else {
  9.         // Default to OpenAI for gpt-* models
  10.         $llmProvider = 'openai';
  11.     }