Issues in class-getpaid-payment-form-submission-taxes.php (master) - Issues in master - AyeCode/invoicing - Measure and Improve Code Quality continuously with Scrutinizer

Issues (850)

Security Analysis 4 potential vulnerabilities

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Code Injection (1)

Code Injection enables an attacker to execute arbitrary code on the server.

Variable Injection (2)

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Cross-Site Scripting (1)

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

Header Injection

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

class-getpaid-payment-form-submission-taxes.php (8 issues)

Labels

Severity

<?php
/**
 * Processes taxes for a payment form submission.
 *
 */

defined( 'ABSPATH' ) || exit;

/**
 * Payment form submission taxes class
 *
 */
class GetPaid_Payment_Form_Submission_Taxes {

	/**
	 * Submission taxes.
	 * @var array
	 */
	public $taxes = array();

	/**
	 * Whether or not we should skip the taxes.
	 * @var bool
	 */
	protected $skip_taxes = false;

    /**
	 * Class constructor
	 *
	 * @param GetPaid_Payment_Form_Submission $submission
	 */
	public function __construct( $submission ) {
		// Validate VAT number.
		$this->validate_vat( $submission );

		if ( $this->skip_taxes ) {
			return;
		}

		foreach ( $submission->get_items() as $item ) {
			$this->process_item_tax( $item, $submission );
		}

		// Process any existing invoice taxes.
		if ( $submission->has_invoice() ) {
			$invoice = $submission->get_invoice();
			$invoice = $this->refresh_totals( $invoice, $submission );

			$this->taxes = array_replace( $invoice->get_taxes(), $this->taxes );
		}
	}

	/**
	 * Maybe process tax.
	 *
	 * @since 1.0.19
	 * @param GetPaid_Form_Item $item
	 * @param GetPaid_Payment_Form_Submission $submission
	 */
	public function process_item_tax( $item, $submission ) {

		$rates    = getpaid_get_item_tax_rates( $item, $submission->country, $submission->state );
		$rates    = getpaid_filter_item_tax_rates( $item, $rates );
		$taxes    = getpaid_calculate_item_taxes( getpaid_get_taxable_amount( $item, false ), $rates );
		$taxes    = getpaid_calculate_item_taxes( getpaid_get_taxable_amount( $item, /** @scrutinizer ignore-type */ false ), $rates );
		$r_taxes  = getpaid_calculate_item_taxes( getpaid_get_taxable_amount( $item, true ), $rates );
		$r_taxes  = getpaid_calculate_item_taxes( getpaid_get_taxable_amount( $item, /** @scrutinizer ignore-type */ true ), $rates );

		foreach ( $taxes as $name => $amount ) {
			$recurring = isset( $r_taxes[ $name ] ) ? $r_taxes[ $name ] : 0;
			$tax       = getpaid_prepare_item_tax( $item, $name, $amount, $recurring );

			$item->item_tax += wpinv_sanitize_amount( $tax['initial_tax'] );

			if ( ! isset( $this->taxes[ $name ] ) ) {
				$this->taxes[ $name ] = $tax;
				continue;
			}

			$this->taxes[ $name ]['initial_tax']   += $tax['initial_tax'];
			$this->taxes[ $name ]['recurring_tax'] += $tax['recurring_tax'];

		}

	}

	/**
	 * Checks if the submission has a digital item.
	 *
	 * @param GetPaid_Payment_Form_Submission $submission
	 * @since 1.0.19
	 * @return bool
	 */
	public function has_digital_item( $submission ) {

		foreach ( $submission->get_items() as $item ) {

			if ( 'digital' == $item->get_vat_rule() ) {
				return true;
			}
}

		return false;
	}

	/**
	 * Checks if this is an eu store.
	 *
	 * @since 1.0.19
	 * @return bool
	 */
	public static function is_eu_store() {
		return self::is_eu_country( wpinv_get_default_country() );
	}

	/**
	 * Checks if this is an eu country.
	 *
	 * @param string $country
	 * @since 1.0.19
	 * @return bool
	 */
	public static function is_eu_country( $country ) {
		return getpaid_is_eu_state( $country );
	}

	/**
	 * Checks if this is an eu purchase.
	 *
	 * @param string $customer_country
	 * @since 1.0.19
	 * @return bool
	 */
	public static function is_eu_transaction( $customer_country ) {
		return self::is_eu_country( $customer_country ) && self::is_eu_store();
	}

	/**
	 * Retrieves the vat number.
	 *
	 * @param GetPaid_Payment_Form_Submission $submission
	 * @since 1.0.19
	 * @return string
	 */
	public function get_vat_number( $submission ) {

		// Retrieve from the posted number.
		$vat_number = $submission->get_field( 'wpinv_vat_number', 'billing' );
class A
{
    function getObject()
    {
        return null;
    }

}

$a = new A();
$object = $a->getObject();
		if ( ! is_null( $vat_number ) ) {

			return wpinv_clean( $vat_number );
		}

		return $submission->has_invoice() ? $submission->get_invoice()->get_vat_number() : '';
	}

	/**
	 * Retrieves the company.
	 *
	 * @param GetPaid_Payment_Form_Submission $submission
	 * @since 1.0.19
	 * @return string
	 */
	public function get_company( $submission ) {

		// Retrieve from the posted data.
		$company = $submission->get_field( 'wpinv_company', 'billing' );
class A
{
    function getObject()
    {
        return null;
    }

}

$a = new A();
$object = $a->getObject();
		if ( ! empty( $company ) ) {
			return wpinv_clean( $company );

		}

		// Retrieve from the invoice.
		return $submission->has_invoice() ? $submission->get_invoice()->get_company() : '';
	}

	/**
	 * Checks if we require a VAT number.
	 *
	 * @param bool $ip_in_eu Whether the customer IP is from the EU
	 * @param bool $country_in_eu Whether the customer country is from the EU
	 * @since 1.0.19
	 * @return string
	 */
	public function requires_vat( $ip_in_eu, $country_in_eu ) {

		$prevent_b2c = wpinv_get_option( 'vat_prevent_b2c_purchase' );
		$prevent_b2c = ! empty( $prevent_b2c );
		$is_eu       = $ip_in_eu || $country_in_eu;

		return $prevent_b2c && $is_eu;

	}

	/**
	 * Validate VAT data.
	 *
	 * @param GetPaid_Payment_Form_Submission $submission
	 * @since 1.0.19
	 */
	public function validate_vat( $submission ) {

		$in_eu = $this->is_eu_transaction( $submission->country );

		// Abort if we are not validating vat numbers.
		if ( ! $in_eu ) {
            return;
		}

		// Prepare variables.
		$vat_number  = $this->get_vat_number( $submission );
		$ip_country  = getpaid_get_ip_country();
        $is_eu       = $this->is_eu_country( $submission->country );
        $is_ip_eu    = $this->is_eu_country( $ip_country );

		// Maybe abort early for initial fetches.
		if ( $submission->is_initial_fetch() && empty( $vat_number ) ) {
			return;
		}

		// If we're preventing business to consumer purchases,
		if ( $this->requires_vat( $is_ip_eu, $is_eu ) && empty( $vat_number ) ) {

			// Ensure that a vat number has been specified.
			throw new GetPaid_Payment_Exception( '.getpaid-error-billingwpinv_vat_number.getpaid-custom-payment-form-errors', __( 'Please enter your VAT number to verify your purchase is by an EU business.', 'invoicing' ) );

		}

		if ( empty( $vat_number ) ) {
			return;
		}

		if ( wpinv_should_validate_vat_number() && ! wpinv_validate_vat_number( $vat_number, $submission->country ) ) {
			throw new GetPaid_Payment_Exception( '.getpaid-error-billingwpinv_vat_number.getpaid-custom-payment-form-errors', __( 'Your VAT number is invalid', 'invoicing' ) );
		}

		if ( wpinv_default_billing_country() == $submission->country && 'vat_too' == wpinv_get_option( 'vat_same_country_rule', 'vat_too' ) ) {
			return;
		}

		$this->skip_taxes = true;
	}

	 /**
	 * Refresh totals if country or region changed in payment form.
	 *
	 * @since 2.8.8
	 *
	 * @param object $invoice Invoice object.
	 * @param GetPaid_Payment_Form_Submission $submission Payment form submission object.
	 * @return object Invoice object.
	 */
	public function refresh_totals( $invoice, $submission ) {
		if ( ! ( ! empty( $_POST['action'] ) && ( $_POST['action'] == 'wpinv_payment_form_refresh_prices' || $_POST['action'] == 'wpinv_payment_form' ) && isset( $_POST['billing']['wpinv_country'] ) ) ) {
			return $invoice;
		}

		if ( ! ( ! $invoice->is_paid() && ! $invoice->is_refunded() && ! $invoice->is_held() ) ) {
			return $invoice;
		}

		// Maybe check the country, state.
		if ( $submission->country != $invoice->get_country() || $submission->state != $invoice->get_state() ) {
			$invoice->set_country( sanitize_text_field( $submission->country ) );
			$invoice->set_state( sanitize_text_field( $submission->state ) );

			// Recalculate totals.
			$invoice->recalculate_total();
		}

		return $invoice;
	}
}


AyeCode / invoicing

Issues (850)

Security Analysis 4 potential vulnerabilities

class-getpaid-payment-form-submission-taxes.php (8 issues)

Labels

Severity

Introduced By

Duplication Side-by-Side

Filter issues like