Your project should not use insecure random number functions

More information: https://insight.symfony.com/what-we-analyse/php.use_insecure_random_function

  1. } catch (Exception $e) {
  2. if ($secure === true) {
  3. throw $e;
  4. }
  5. $result = mt_rand($min, $max);
    The function mt_rand() is not cryptographically secure; use random_int() or random_bytes() instead. In this snippet it runs only as the fallback after the secure source has already thrown and `$secure` is false, so callers that need unpredictable values must pass `$secure = true` so that the exception propagates rather than silently degrading.
    Time to fix: about 2 hours
  6. }
  7. return $result;
  8. }

    Ignored on Wed, 22 Apr 2026 13:19:03 GMT

Your project should use dedicated PHP string functions (10 occurrences)

More information: https://insight.symfony.com/what-we-analyse/php.use_string_function

  1. $llmProvider = 'openai'; // Default
  2. if (defined('CLICSHOPPING_APP_CHATGPT_CH_MODEL')) {
  3. $model = CLICSHOPPING_APP_CHATGPT_CH_MODEL;
  4. // Determine provider from model name
  5. if (strpos($model, 'anth-') === 0 || strpos($model, 'claude') !== false) {
    Consider replacing `strpos($model, 'anth-') === 0` with `str_starts_with($model, 'anth-')` for improved readability.
    Time to fix: about 1 hour
  6. $llmProvider = 'anthropic';
  7. } elseif (strpos($model, 'mistral') !== false) {
  8. $llmProvider = 'mistral';
  9. } elseif (strpos($model, 'ollama:') === 0 || strpos($model, 'mistral:') === 0) {
  10. $llmProvider = 'ollama';
  1. $model = CLICSHOPPING_APP_CHATGPT_CH_MODEL;
  2. // Determine provider from model name
  3. if (strpos($model, 'anth-') === 0 || strpos($model, 'claude') !== false) {
  4. $llmProvider = 'anthropic';
  5. } elseif (strpos($model, 'mistral') !== false) {
    Consider replacing `strpos($model, 'mistral') !== false` with `str_contains($model, 'mistral')` for improved readability.
    Time to fix: about 1 hour
  6. $llmProvider = 'mistral';
  7. } elseif (strpos($model, 'ollama:') === 0 || strpos($model, 'mistral:') === 0) {
  8. $llmProvider = 'ollama';
  9. } elseif (strpos($model, 'openai/') === 0 || strpos($model, 'microsoft/') === 0 || strpos($model, 'qwen/') === 0) {
  10. $llmProvider = 'lmstudio';
  1. // Determine provider from model name
  2. if (strpos($model, 'anth-') === 0 || strpos($model, 'claude') !== false) {
  3. $llmProvider = 'anthropic';
  4. } elseif (strpos($model, 'mistral') !== false) {
  5. $llmProvider = 'mistral';
  6. } elseif (strpos($model, 'ollama:') === 0 || strpos($model, 'mistral:') === 0) {
    Consider replacing `strpos($model, 'ollama:') === 0` (and the `'mistral:'` test beside it) with `str_starts_with()` for improved readability.
    Time to fix: about 1 hour
  7. $llmProvider = 'ollama';
  8. } elseif (strpos($model, 'openai/') === 0 || strpos($model, 'microsoft/') === 0 || strpos($model, 'qwen/') === 0) {
  9. $llmProvider = 'lmstudio';
  10. } else {
  11. // Default to OpenAI for gpt-* models
  1. $llmProvider = 'openai'; // Default
  2. if (defined('CLICSHOPPING_APP_CHATGPT_CH_MODEL')) {
  3. $model = CLICSHOPPING_APP_CHATGPT_CH_MODEL;
  4. // Determine provider from model name
  5. if (strpos($model, 'anth-') === 0 || strpos($model, 'claude') !== false) {
    Consider replacing `strpos($model, 'claude') !== false` with `str_contains($model, 'claude')` for improved readability.
    Time to fix: about 1 hour
  6. $llmProvider = 'anthropic';
  7. } elseif (strpos($model, 'mistral') !== false) {
  8. $llmProvider = 'mistral';
  9. } elseif (strpos($model, 'ollama:') === 0 || strpos($model, 'mistral:') === 0) {
  10. $llmProvider = 'ollama';
  1. $llmProvider = 'anthropic';
  2. } elseif (strpos($model, 'mistral') !== false) {
  3. $llmProvider = 'mistral';
  4. } elseif (strpos($model, 'ollama:') === 0 || strpos($model, 'mistral:') === 0) {
  5. $llmProvider = 'ollama';
  6. } elseif (strpos($model, 'openai/') === 0 || strpos($model, 'microsoft/') === 0 || strpos($model, 'qwen/') === 0) {
    Consider replacing the three `strpos($model, '...') === 0` tests on this line with `str_starts_with()` for improved readability.
    Time to fix: about 1 hour
  7. $llmProvider = 'lmstudio';
  8. } else {
  9. // Default to OpenAI for gpt-* models
  10. $llmProvider = 'openai';
  11. }
  1. if ($zip->open($filename_localisation) === true) {
  2. $has_traversal = false;
  3. for ($i = 0; $i < $zip->numFiles; $i++) {
  4. $filename = $zip->getNameIndex($i);
  5. // Check for path traversal
  6. if (strpos($filename, '..') !== false || strpos($filename, '/') === 0 || strpos($filename, '\\') === 0) {
    Consider replacing `strpos($filename, '..') !== false` with `str_contains($filename, '..')` for improved readability; the traversal check itself stays the same.
    Time to fix: about 1 hour
  7. $has_traversal = true;
  8. break;
  9. }
  10. // Check for absolute paths
  11. if (preg_match('/^[a-zA-Z]:\\/', $filename)) {
  1. if ($zip->open($filename_localisation) === true) {
  2. $has_traversal = false;
  3. for ($i = 0; $i < $zip->numFiles; $i++) {
  4. $filename = $zip->getNameIndex($i);
  5. // Check for path traversal
  6. if (strpos($filename, '..') !== false || strpos($filename, '/') === 0 || strpos($filename, '\\') === 0) {
    Consider replacing `strpos($filename, '/') === 0` and `strpos($filename, '\\') === 0` with `str_starts_with()` for improved readability; the absolute-path check itself stays the same.
    Time to fix: about 1 hour
  7. $has_traversal = true;
  8. break;
  9. }
  10. // Check for absolute paths
  11. if (preg_match('/^[a-zA-Z]:\\/', $filename)) {
  1. if ($response === '') {
  2. return $response;
  3. }
  4. // If there are no HTML tags at all, skip the work
  5. $hasTags = (\strpos($response, '<') !== false);
    Consider replacing `\strpos($response, '<') !== false` with `\str_contains($response, '<')` for improved readability.
    Time to fix: about 1 hour
  6. if ($hasTags) {
  7. $response = \strip_tags($response);
  8. $response = \html_entity_decode($response, ENT_QUOTES | ENT_HTML5, 'UTF-8');
  9. }
  1. }
  2. $expectedV6 = filter_var($expected, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6);
  3. $actualV6 = filter_var($actual, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6);
  4. if ($expectedV6 !== false && $actualV6 !== false) {
  5. return substr(inet_pton($expectedV6), 0, 8) === substr(inet_pton($actualV6), 0, 8);
    Consider replacing substr() with str_starts_with() for improved readability. Note that here both operands are 8-byte prefixes of two packed addresses compared with each other (a /64 check), so a mechanical str_starts_with() rewrite does not apply directly; any rewrite must keep the comparison byte-exact.
    Time to fix: about 1 hour
  6. }
  7. // Mixed family or unparseable — fall back to strict to avoid silent bypass.
  8. return $expected === $actual;
  9. }
  1. $expectedV6 = filter_var($expected, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6);
  2. $actualV6 = filter_var($actual, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6);
  3. if ($expectedV6 !== false && $actualV6 !== false) {
  4. // Same /64 — first 8 bytes of the 16-byte packed form.
  5. return substr(inet_pton($expectedV6), 0, 8) === substr(inet_pton($actualV6), 0, 8);
    Consider replacing substr() with str_starts_with() for improved readability. As in the previous occurrence, both operands are 8-byte prefixes of two packed addresses compared with each other, so a mechanical str_starts_with() rewrite does not apply directly; any rewrite must keep the /64 comparison byte-exact.
    Time to fix: about 1 hour
  6. }
  7. // Mixed family or unparseable — fall back to strict to avoid silent bypass.
  8. return $expected === $actual;
  9. }