Issues in TestZone.php (master) - Issues in master - Badcow/DNS - Measure and Improve Code Quality continuously with Scrutinizer

Issues (166)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

tests/TestZone.php (2 issues)

Labels

Severity

Major 2

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

declare(strict_types=1);

/*
 * This file is part of Badcow DNS Library.
 *
 * (c) Samuel Williams <[email protected]>
 *
 * For the full copyright and license information, please view the LICENSE
 * file that was distributed with this source code.
 */

namespace Badcow\DNS\Tests;

use Badcow\DNS\Algorithms;
use Badcow\DNS\Classes;
use Badcow\DNS\Rdata\A;
use Badcow\DNS\Rdata\Factory;
use Badcow\DNS\Rdata\RRSIG;
use Badcow\DNS\ResourceRecord;
use Badcow\DNS\Zone;

final class TestZone
{
    /**
     * @var string
     */
    public static $expected = <<< 'DNS'
$ORIGIN example.com.
$TTL 3600
@ IN SOA example.com. postmaster.example.com. 2015050801 3600 14400 604800 3600
@ 14400 IN NS ns1.example.net.au.
@ 14400 IN NS ns2.example.net.au.
subdomain.au IN A 192.168.1.2; This is a local ip.
ipv6domain 3600 IN AAAA ::1; This is an IPv6 domain.
canberra IN LOC 35 18 27.000 S 149 7 27.840 E 500.00m 20.12m 200.30m 300.10m; This is Canberra
bar.example.com. IN DNAME foo.example.com.
@ IN MX 30 mail-gw3.example.net.
@ IN MX 10 mail-gw1.example.net.
@ IN MX 20 mail-gw2.example.net.
alias IN CNAME subdomain.au.example.com.
example.net. IN TXT "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.123 a -all"
@ IN HINFO "2.7GHz" "Ubuntu 12.04"
_ftp._tcp IN SRV 10 10 21 files
example.com. IN RRSIG A 14 2 3600 20200112073532 20191229133101 12345 example.com. bDts/7a5qbal6s3ZYzS5puPSjEfys5yI6R/kprBBRDEfVcT6YwPaDT3VkVjKXdvpKX2/DwpijNAWkjpfsewCLmeImx3RgkzfuxfipRKtBUguiPTBhkj/ft2halJziVXl

DNS;

    private function __construct()
    {
    }

    public static function getExpectation(): string
    {
        return str_replace("\r", '', self::$expected);
    }

    public static function buildTestZone(): Zone
    {
        $soa = new ResourceRecord();
        $soa->setClass('IN');
        $soa->setName('@');
        $soa->setRdata(Factory::SOA(
            'example.com.',
            'postmaster.example.com.',
            2015050801,
            3600,
            14400,
            604800,
            3600
        ));

        $ns1 = new ResourceRecord();
        $ns1->setClass('IN');
        $ns1->setName('@');
        $ns1->setTtl(14400);
        $ns1->setRdata(Factory::NS('ns1.example.net.au.'));

        $ns2 = new ResourceRecord();
        $ns2->setClass('IN');
        $ns2->setName('@');
        $ns2->setTtl(14400);
        $ns2->setRdata(Factory::NS('ns2.example.net.au.'));

        $a_record = new ResourceRecord();
        $a_record->setName('subdomain.au');
        $a_record->setRdata(Factory::A('192.168.1.2'));
        $a_record->setComment('This is a local ip.');

        $cname = new ResourceRecord();
        $cname->setName('alias');
        $cname->setRdata(Factory::CNAME('subdomain.au.example.com.'));

        $aaaa = ResourceRecord::create(
            'ipv6domain',
            Factory::AAAA('::1'),
            3600,
            Classes::INTERNET,
            'This is an IPv6 domain.'
        );

        $mx1 = new ResourceRecord();
        $mx1->setName('@');
        $mx1->setRdata(Factory::MX(10, 'mail-gw1.example.net.'));

        $mx2 = new ResourceRecord();
        $mx2->setName('@');
        $mx2->setRdata(Factory::MX(20, 'mail-gw2.example.net.'));

        $mx3 = new ResourceRecord();
        $mx3->setName('@');
        $mx3->setRdata(Factory::MX(30, 'mail-gw3.example.net.'));

        $txt = new ResourceRecord();
        $txt->setName('example.net.');
        $txt->setRdata(Factory::TXT('v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.123 a -all'));
        $txt->setClass(Classes::INTERNET);

        $loc = new ResourceRecord();
        $loc->setName('canberra');
        $loc->setRdata(Factory::LOC(
            -35.3075,   //Lat
            149.1244,   //Lon
            500,        //Alt
            20.12,      //Size
            200.3,      //HP
            300.1       //VP
        ));
        $loc->setComment('This is Canberra');
        $loc->setClass(Classes::INTERNET);

        $dname = new ResourceRecord();
        $dname->setName('bar.example.com.');
        $dname->setClass(Classes::INTERNET);
        $dname->setRdata(Factory::Dname('foo.example.com.'));

        $hinfo = new ResourceRecord();
        $hinfo->setName('@');
        $hinfo->setClass(Classes::INTERNET);
        $hinfo->setRdata(Factory::HINFO('2.7GHz', 'Ubuntu 12.04'));

        $srv = new ResourceRecord();
        $srv->setName('_ftp._tcp');
        $srv->setClass('IN');
        $srv->setRdata(Factory::SRV(10, 10, 21, 'files'));

        $rrsig = new ResourceRecord();
        $rrsig->setName('example.com.');
        $rrsig->setRdata(Factory::RRSIG(
            A::TYPE,
            Algorithms::ECDSAP384SHA384,
            2,
            3600,
            \DateTime::createFromFormat(RRSIG::TIME_FORMAT, '20200112073532'),

            \DateTime::createFromFormat(RRSIG::TIME_FORMAT, '20191229133101'),

            12345,
            'example.com.',
            base64_decode('bDts/7a5qbal6s3ZYzS5puPSjEfys5yI6R/kprBBRDEfVcT6YwPaDT3VkVjKXdvpKX2/DwpijNAWkjpfsewCLmeImx3RgkzfuxfipRKtBUguiPTBhkj/ft2halJziVXl')
        ));

        return new Zone('example.com.', 3600, [
            $soa,
            $ns1,
            $ns2,
            $a_record,
            $aaaa,
            $loc,
            $dname,
            $mx3,
            $mx1,
            $mx2,
            $cname,
            $txt,
            $hinfo,
            $srv,
            $rrsig,
        ]);
    }
}


1			<?php
2
3			declare(strict_types=1);
4
5			/*
6			* This file is part of Badcow DNS Library.
7			*
8			* (c) Samuel Williams <[email protected]>
9			*
10			* For the full copyright and license information, please view the LICENSE
11			* file that was distributed with this source code.
12			*/
13
14			namespace Badcow\DNS\Tests;
15
16			use Badcow\DNS\Algorithms;
17			use Badcow\DNS\Classes;
18			use Badcow\DNS\Rdata\A;
19			use Badcow\DNS\Rdata\Factory;
20			use Badcow\DNS\Rdata\RRSIG;
21			use Badcow\DNS\ResourceRecord;
22			use Badcow\DNS\Zone;
23
24			final class TestZone
25			{
26			/**
27			* @var string
28			*/
29			public static $expected = <<< 'DNS'
30			$ORIGIN example.com.
31			$TTL 3600
32			@ IN SOA example.com. postmaster.example.com. 2015050801 3600 14400 604800 3600
33			@ 14400 IN NS ns1.example.net.au.
34			@ 14400 IN NS ns2.example.net.au.
35			subdomain.au IN A 192.168.1.2; This is a local ip.
36			ipv6domain 3600 IN AAAA ::1; This is an IPv6 domain.
37			canberra IN LOC 35 18 27.000 S 149 7 27.840 E 500.00m 20.12m 200.30m 300.10m; This is Canberra
38			bar.example.com. IN DNAME foo.example.com.
39			@ IN MX 30 mail-gw3.example.net.
40			@ IN MX 10 mail-gw1.example.net.
41			@ IN MX 20 mail-gw2.example.net.
42			alias IN CNAME subdomain.au.example.com.
43			example.net. IN TXT "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.123 a -all"
44			@ IN HINFO "2.7GHz" "Ubuntu 12.04"
45			_ftp._tcp IN SRV 10 10 21 files
46			example.com. IN RRSIG A 14 2 3600 20200112073532 20191229133101 12345 example.com. bDts/7a5qbal6s3ZYzS5puPSjEfys5yI6R/kprBBRDEfVcT6YwPaDT3VkVjKXdvpKX2/DwpijNAWkjpfsewCLmeImx3RgkzfuxfipRKtBUguiPTBhkj/ft2halJziVXl
47
48			DNS;
49
50			private function __construct()
51			{
52			}
53
54			public static function getExpectation(): string
55			{
56			return str_replace("\r", '', self::$expected);
57			}
58
59			public static function buildTestZone(): Zone
60			{
61			$soa = new ResourceRecord();
62			$soa->setClass('IN');
63			$soa->setName('@');
64			$soa->setRdata(Factory::SOA(
65			'example.com.',
66			'postmaster.example.com.',
67			2015050801,
68			3600,
69			14400,
70			604800,
71			3600
72			));
73
74			$ns1 = new ResourceRecord();
75			$ns1->setClass('IN');
76			$ns1->setName('@');
77			$ns1->setTtl(14400);
78			$ns1->setRdata(Factory::NS('ns1.example.net.au.'));
79
80			$ns2 = new ResourceRecord();
81			$ns2->setClass('IN');
82			$ns2->setName('@');
83			$ns2->setTtl(14400);
84			$ns2->setRdata(Factory::NS('ns2.example.net.au.'));
85
86			$a_record = new ResourceRecord();
87			$a_record->setName('subdomain.au');
88			$a_record->setRdata(Factory::A('192.168.1.2'));
89			$a_record->setComment('This is a local ip.');
90
91			$cname = new ResourceRecord();
92			$cname->setName('alias');
93			$cname->setRdata(Factory::CNAME('subdomain.au.example.com.'));
94
95			$aaaa = ResourceRecord::create(
96			'ipv6domain',
97			Factory::AAAA('::1'),
98			3600,
99			Classes::INTERNET,
100			'This is an IPv6 domain.'
101			);
102
103			$mx1 = new ResourceRecord();
104			$mx1->setName('@');
105			$mx1->setRdata(Factory::MX(10, 'mail-gw1.example.net.'));
106
107			$mx2 = new ResourceRecord();
108			$mx2->setName('@');
109			$mx2->setRdata(Factory::MX(20, 'mail-gw2.example.net.'));
110
111			$mx3 = new ResourceRecord();
112			$mx3->setName('@');
113			$mx3->setRdata(Factory::MX(30, 'mail-gw3.example.net.'));
114
115			$txt = new ResourceRecord();
116			$txt->setName('example.net.');
117			$txt->setRdata(Factory::TXT('v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.123 a -all'));
118			$txt->setClass(Classes::INTERNET);
119
120			$loc = new ResourceRecord();
121			$loc->setName('canberra');
122			$loc->setRdata(Factory::LOC(
123			-35.3075, //Lat
124			149.1244, //Lon
125			500, //Alt
126			20.12, //Size
127			200.3, //HP
128			300.1 //VP
129			));
130			$loc->setComment('This is Canberra');
131			$loc->setClass(Classes::INTERNET);
132
133			$dname = new ResourceRecord();
134			$dname->setName('bar.example.com.');
135			$dname->setClass(Classes::INTERNET);
136			$dname->setRdata(Factory::Dname('foo.example.com.'));
137
138			$hinfo = new ResourceRecord();
139			$hinfo->setName('@');
140			$hinfo->setClass(Classes::INTERNET);
141			$hinfo->setRdata(Factory::HINFO('2.7GHz', 'Ubuntu 12.04'));
142
143			$srv = new ResourceRecord();
144			$srv->setName('_ftp._tcp');
145			$srv->setClass('IN');
146			$srv->setRdata(Factory::SRV(10, 10, 21, 'files'));
147
148			$rrsig = new ResourceRecord();
149			$rrsig->setName('example.com.');
150			$rrsig->setRdata(Factory::RRSIG(
151			A::TYPE,
152			Algorithms::ECDSAP384SHA384,
153			2,
154			3600,
155			\DateTime::createFromFormat(RRSIG::TIME_FORMAT, '20200112073532'),
			0 ignored issues – show Security Bug introduced 2021-01-21 22:25 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `\DateTime::createFromFor...RMAT, '20200112073532')` targeting `DateTime::createFromFormat()` can also be of type `false`; however, `Badcow\DNS\Rdata\Factory::RRSIG()` does only seem to accept `object<DateTime>`, did you maybe forget to handle an error condition? Loading history...
156			\DateTime::createFromFormat(RRSIG::TIME_FORMAT, '20191229133101'),
			0 ignored issues – show Security Bug introduced 2021-01-21 22:25 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `\DateTime::createFromFor...RMAT, '20191229133101')` targeting `DateTime::createFromFormat()` can also be of type `false`; however, `Badcow\DNS\Rdata\Factory::RRSIG()` does only seem to accept `object<DateTime>`, did you maybe forget to handle an error condition? Loading history...
157			12345,
158			'example.com.',
159			base64_decode('bDts/7a5qbal6s3ZYzS5puPSjEfys5yI6R/kprBBRDEfVcT6YwPaDT3VkVjKXdvpKX2/DwpijNAWkjpfsewCLmeImx3RgkzfuxfipRKtBUguiPTBhkj/ft2halJziVXl')
160			));
161
162			return new Zone('example.com.', 3600, [
163			$soa,
164			$ns1,
165			$ns2,
166			$a_record,
167			$aaaa,
168			$loc,
169			$dname,
170			$mx3,
171			$mx1,
172			$mx2,
173			$cname,
174			$txt,
175			$hinfo,
176			$srv,
177			$rrsig,
178			]);
179			}
180			}
181

Badcow / DNS

Issues (166)

Security Analysis no request data

tests/TestZone.php (2 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like