Issues in GoogleAnalytics.php (master) - Issues in master - Apix/log-tracker - Measure and Improve Code Quality continuously with Scrutinizer

Issues (14)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/GoogleAnalytics.php (5 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace Apix\Log;

use Apix\Log\Emitter\EmitterInterface as LogEmitter;
use Psr\Log\InvalidArgumentException;

/*
    TODO:
    A maximum of 20 hits can be specified per request.
    The total size of all hit payloads cannot be greater than 16K bytes.
    No single hit payload can be greater than 8K bytes.
*/

/**
 * Google Analytics logger for Apix Log.
 *
 * @see https://developers.google.com/analytics/devguides/collection/protocol/v1/devguide
 * @see https://developers.google.com/analytics/devguides/collection/protocol/v1/parameters
 */
class GoogleAnalytics extends AbstractTracker
{
    const TRACKER_URL_ONE = 'https://www.google-analytics.com/collect';

    const TRACKER_URL_MANY = 'https://www.google-analytics.com/batch';

    //const DEFAULT_PARAMS = array(
    private $DEFAULT_PARAMS = array(
        'v' => 1,               // API Version
        'tid' => null,          // Tracking/Property (required) ID e.g. UA-XX-XX
        'cid' => null,          // Anonymous Client ID UUIDv4
                                // see http://www.ietf.org/rfc/rfc4122.txt
        'ds' => __NAMESPACE__,  // Data Source
        't' => null,            // Hit type (required)
    );

    /**
     * Constructor.
     *
     * @param array $params Array of Google Analytics parameters
     */
    public function __construct(
        array $params, LogEmitter $emitter = null, LogFormatter $formatter = null
    ) {
        if (!isset($params['tid'])) {
            throw new InvalidArgumentException(sprintf(
                '%s expects `tid` to bet provided, got: %s.',
                __CLASS__, json_encode($params)
            ));
        }

        if (!isset($params['cid'])) {
            $params['cid'] = self::generateUuid();
        }
        $this->uuid = $params['cid'];

        $this->setEmitter(
            $emitter ? $emitter : new Emitter\Async(),
            $formatter ? $formatter : new LogFormatter\QueryString()
        );
        $this->emitter->setParams($this->DEFAULT_PARAMS);

        if (isset($_SERVER['HTTP_USER_AGENT']) && !isset($params['ua'])) {
            $params['ua'] = $_SERVER['HTTP_USER_AGENT'];
        }

        if (isset($_SERVER['HTTP_REFERER']) && !isset($params['dr'])) {
            $params['dr'] = $_SERVER['HTTP_REFERER'];
        }

        if (isset($_SERVER['REMOTE_ADDR']) && !isset($params['uip'])) {
            $params['uip'] = $_SERVER['REMOTE_ADDR'];
        }

        $this->emitter->addParams($params);
    }

    /**
     * Returns a Page Tracking dataset.
     *
     * @param string $url      The full URL for ht page document
     * @param string $title    The title of the page / document
     * @param string $location Document location URL
     *
     * @return array
     */
    public function getPage($url, $title = null, $location = null)
    {
        $params = array();

        if (0 != strpos($url, '/')) {
            $_ = parse_url($url);

            // Document hostname
            if (isset($_['host'])) {
                $params['dh'] = $_['host'];
            }

            // Page
            $params['dp'] = $_['path'];
        }

        // Page title
        if ($title) {
''   == false // true
''   == null  // true
'ab' == false // false
'ab' == null  // false

// It is often better to use strict comparison
'' === false // false
'' === null  // false
            $params['dt'] = $title;
        }

        // Document location URL
        $params['dl'] = $location ? $location : $url;

        return $this->get('pageview', $params);
    }

    /**
     * Returns an Event Tracking dataset.
     *
     * @param string $category
     * @param string $action
     * @param string $label
     * @param string $value
     *
     * @return array
     */
    public function getEvent($category, $action, $label = null, $value = null)
    {
        $params = array(
            'ec' => $category,  // Event Category. Required.
            'ea' => $action,    // Event Action. Required.
        );

        // Event label
        if ($label) {
''   == false // true
''   == null  // true
'ab' == false // false
'ab' == null  // false

// It is often better to use strict comparison
'' === false // false
'' === null  // false
            $params['el'] = (string) $label;
        }

        // Event value
        if ($value) {
''   == false // true
''   == null  // true
'ab' == false // false
'ab' == null  // false

// It is often better to use strict comparison
'' === false // false
'' === null  // false
            $params['ev'] = (int) $value; // GA does not allow float!
        }

        return $this->get('event', $params);
    }

    /**
     * Returns a Social Interactions dataset.
     *
     * @param string $action Social Action (e.g. like)
     * @param string $label  Social Network (e.g. facebook)
/**
 * @param array $germany
 * @param array $island
 * @param array $italy
 */
function finale($germany, $island) {
    return "2:1";
}
     * @param string $value  Social Target. (e.g. /home)
/**
 * @param array $germany
 * @param array $island
 * @param array $italy
 */
function finale($germany, $island) {
    return "2:1";
}
     *
     * @return array
     */
    public function getSocial($action, $network, $target)
    {
        $params = array(
            'sa' => (string) $action,
            'sn' => (string) $network,
            'st' => (string) $target,
        );

        return $this->get('social', $params);
    }

    /**
     * Returns an Exception Tracking dataset.
     *
     * @param string $description Exception description
     * @param string $isFatal     Specifies whether the exception was fatal
     *
     * @return array
     */
    public function getException($description, $isFatal = true)
    {
        $params = array(
            'exd' => (string) $description,
            'exf' => $isFatal ? '1' : '0',
        );

        return $this->get('exception', $params);
    }

    /**
     * Returns an App / Screen Tracking dataset.
     *
     * @param string $name    App name
     * @param string $version App version
     * @param string $id      App Id
     * @param string $iid     App Installer Id
     *
     * @return array
     */
    public function getApp($name, $version = null, $id = null, $iid = null)
    {
        $params = array(
            'an' => (string) $name,
            'av' => (string) $version,
            'aid' => (string) $id,
            'aiid' => (string) $iid,
        );

        return $this->get('screenview', $params);
    }

    /**
     * Returns the named tracking dataset.
     *
     * @return array
     */
    public function get($type, array $params)
    {
        $this->emitter->setParam('t', $type);
        $this->emitter->setUrl(
            $this->deferred ? self::TRACKER_URL_MANY : self::TRACKER_URL_ONE
        );

        return array_merge($this->emitter->getParams(), $params);
    }
}


1		<?php
2
3		namespace Apix\Log;
4
5		use Apix\Log\Emitter\EmitterInterface as LogEmitter;
6		use Psr\Log\InvalidArgumentException;
7
8		/*
9		TODO:
10		A maximum of 20 hits can be specified per request.
11		The total size of all hit payloads cannot be greater than 16K bytes.
12		No single hit payload can be greater than 8K bytes.
13		*/
14
15		/**
16		* Google Analytics logger for Apix Log.
17		*
18		* @see https://developers.google.com/analytics/devguides/collection/protocol/v1/devguide
19		* @see https://developers.google.com/analytics/devguides/collection/protocol/v1/parameters
20		*/
21		class GoogleAnalytics extends AbstractTracker
22		{
23		const TRACKER_URL_ONE = 'https://www.google-analytics.com/collect';
24
25		const TRACKER_URL_MANY = 'https://www.google-analytics.com/batch';
26
27		//const DEFAULT_PARAMS = array(
28		private $DEFAULT_PARAMS = array(
29		'v' => 1, // API Version
30		'tid' => null, // Tracking/Property (required) ID e.g. UA-XX-XX
31		'cid' => null, // Anonymous Client ID UUIDv4
32		// see http://www.ietf.org/rfc/rfc4122.txt
33		'ds' => __NAMESPACE__, // Data Source
34		't' => null, // Hit type (required)
35		);
36
37		/**
38		* Constructor.
39		*
40		* @param array $params Array of Google Analytics parameters
41		*/
42	48	public function __construct(
43		array $params, LogEmitter $emitter = null, LogFormatter $formatter = null
44		) {
45	48	if (!isset($params['tid'])) {
46	4	throw new InvalidArgumentException(sprintf(
47	4	'%s expects `tid` to bet provided, got: %s.',
48	4	__CLASS__, json_encode($params)
49	3	));
50		}
51
52	48	if (!isset($params['cid'])) {
53	4	$params['cid'] = self::generateUuid();
54	3	}
55	48	$this->uuid = $params['cid'];
56
57	48	$this->setEmitter(
58	48	$emitter ? $emitter : new Emitter\Async(),
59	48	$formatter ? $formatter : new LogFormatter\QueryString()
60	36	);
61	48	$this->emitter->setParams($this->DEFAULT_PARAMS);
62
63	48	if (isset($_SERVER['HTTP_USER_AGENT']) && !isset($params['ua'])) {
64	4	$params['ua'] = $_SERVER['HTTP_USER_AGENT'];
65	3	}
66
67	48	if (isset($_SERVER['HTTP_REFERER']) && !isset($params['dr'])) {
68	4	$params['dr'] = $_SERVER['HTTP_REFERER'];
69	3	}
70
71	48	if (isset($_SERVER['REMOTE_ADDR']) && !isset($params['uip'])) {
72	4	$params['uip'] = $_SERVER['REMOTE_ADDR'];
73	3	}
74
75	48	$this->emitter->addParams($params);
76	48	}
77
78		/**
79		* Returns a Page Tracking dataset.
80		*
81		* @param string $url The full URL for ht page document
82		* @param string $title The title of the page / document
83		* @param string $location Document location URL
84		*
85		* @return array
86		*/
87	12	public function getPage($url, $title = null, $location = null)
88		{
89	12	$params = array();
90
91	12	if (0 != strpos($url, '/')) {
92	12	$_ = parse_url($url);
93
94		// Document hostname
95	12	if (isset($_['host'])) {
96	12	$params['dh'] = $_['host'];
97	9	}
98
99		// Page
100	12	$params['dp'] = $_['path'];
101	9	}
102
103		// Page title
104	12	if ($title) {
		0 ignored issues – show Bug Best Practice introduced 2016-10-10 16:31 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `$title` of type `string\|null` is loosely compared to `true`; this is ambiguous if the string can be empty. You might want to explicitly use `!== null` instead. In PHP, under loose comparison (like `==`, or `!=`, or `switch` conditions), values of different types might be equal. For `string` values, the empty string `''` is a special case, in particular the following results might be unexpected: '' == false // true '' == null // true 'ab' == false // false 'ab' == null // false // It is often better to use strict comparison '' === false // false '' === null // false Loading history...
105	12	$params['dt'] = $title;
106	9	}
107
108		// Document location URL
109	12	$params['dl'] = $location ? $location : $url;
110
111	12	return $this->get('pageview', $params);
112		}
113
114		/**
115		* Returns an Event Tracking dataset.
116		*
117		* @param string $category
118		* @param string $action
119		* @param string $label
120		* @param string $value
121		*
122		* @return array
123		*/
124	12	public function getEvent($category, $action, $label = null, $value = null)
125		{
126		$params = array(
127	12	'ec' => $category, // Event Category. Required.
128	12	'ea' => $action, // Event Action. Required.
129	9	);
130
131		// Event label
132	12	if ($label) {
		0 ignored issues – show Bug Best Practice introduced 2016-10-10 16:31 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `$label` of type `string\|null` is loosely compared to `true`; this is ambiguous if the string can be empty. You might want to explicitly use `!== null` instead. In PHP, under loose comparison (like `==`, or `!=`, or `switch` conditions), values of different types might be equal. For `string` values, the empty string `''` is a special case, in particular the following results might be unexpected: '' == false // true '' == null // true 'ab' == false // false 'ab' == null // false // It is often better to use strict comparison '' === false // false '' === null // false Loading history...
133	12	$params['el'] = (string) $label;
134	9	}
135
136		// Event value
137	12	if ($value) {
		0 ignored issues – show Bug Best Practice introduced 2016-10-10 16:31 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `$value` of type `string\|null` is loosely compared to `true`; this is ambiguous if the string can be empty. You might want to explicitly use `!== null` instead. In PHP, under loose comparison (like `==`, or `!=`, or `switch` conditions), values of different types might be equal. For `string` values, the empty string `''` is a special case, in particular the following results might be unexpected: '' == false // true '' == null // true 'ab' == false // false 'ab' == null // false // It is often better to use strict comparison '' === false // false '' === null // false Loading history...
138	12	$params['ev'] = (int) $value; // GA does not allow float!
139	9	}
140
141	12	return $this->get('event', $params);
142		}
143
144		/**
145		* Returns a Social Interactions dataset.
146		*
147		* @param string $action Social Action (e.g. like)
148		* @param string $label Social Network (e.g. facebook)
		0 ignored issues – show Bug introduced 2016-10-10 16:31 UTC by Report Bug Copy Issue Report Show Similar Issues like this There is no parameter named `$label`. Was it maybe removed? This check looks for PHPDoc comments describing methods or function parameters that do not exist on the corresponding method or function. Consider the following example. The parameter `$italy` is not defined by the method `finale(...)`. /** * @param array $germany * @param array $island * @param array $italy */ function finale($germany, $island) { return "2:1"; } The most likely cause is that the parameter was removed, but the annotation was not. Loading history...
149		* @param string $value Social Target. (e.g. /home)
		0 ignored issues – show Bug introduced 2016-10-10 16:31 UTC by Report Bug Copy Issue Report Show Similar Issues like this There is no parameter named `$value`. Was it maybe removed? This check looks for PHPDoc comments describing methods or function parameters that do not exist on the corresponding method or function. Consider the following example. The parameter `$italy` is not defined by the method `finale(...)`. /** * @param array $germany * @param array $island * @param array $italy */ function finale($germany, $island) { return "2:1"; } The most likely cause is that the parameter was removed, but the annotation was not. Loading history...
150		*
151		* @return array
152		*/
153	4	public function getSocial($action, $network, $target)
154		{
155		$params = array(
156	4	'sa' => (string) $action,
157	4	'sn' => (string) $network,
158	4	'st' => (string) $target,
159	3	);
160
161	4	return $this->get('social', $params);
162		}
163
164		/**
165		* Returns an Exception Tracking dataset.
166		*
167		* @param string $description Exception description
168		* @param string $isFatal Specifies whether the exception was fatal
169		*
170		* @return array
171		*/
172	4	public function getException($description, $isFatal = true)
173		{
174		$params = array(
175	4	'exd' => (string) $description,
176	4	'exf' => $isFatal ? '1' : '0',
177	3	);
178
179	4	return $this->get('exception', $params);
180		}
181
182		/**
183		* Returns an App / Screen Tracking dataset.
184		*
185		* @param string $name App name
186		* @param string $version App version
187		* @param string $id App Id
188		* @param string $iid App Installer Id
189		*
190		* @return array
191		*/
192	4	public function getApp($name, $version = null, $id = null, $iid = null)
193		{
194		$params = array(
195	4	'an' => (string) $name,
196	4	'av' => (string) $version,
197	4	'aid' => (string) $id,
198	4	'aiid' => (string) $iid,
199	3	);
200
201	4	return $this->get('screenview', $params);
202		}
203
204		/**
205		* Returns the named tracking dataset.
206		*
207		* @return array
208		*/
209	32	public function get($type, array $params)
210		{
211	32	$this->emitter->setParam('t', $type);
212	32	$this->emitter->setUrl(
213	32	$this->deferred ? self::TRACKER_URL_MANY : self::TRACKER_URL_ONE
214	24	);
215
216	32	return array_merge($this->emitter->getParams(), $params);
217		}
218		}
219

Apix / log-tracker

Issues (14)

Security Analysis not enabled

src/GoogleAnalytics.php (5 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like