Issues in Manager.php (master) - Issues in master - Codexshaper/php-oauth2 - Measure and Improve Code Quality continuously with Scrutinizer

Issues (55)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Manager.php (2 issues)

Labels

Severity

Major 2

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace CodexShaper\OAuth2\Server;

use CodexShaper\OAuth2\Server\Repositories\AccessTokenRepository;
use CodexShaper\OAuth2\Server\Repositories\AuthCodeRepository;
use CodexShaper\OAuth2\Server\Repositories\ClientRepository;
use CodexShaper\OAuth2\Server\Repositories\RefreshTokenRepository;
use CodexShaper\OAuth2\Server\Repositories\ScopeRepository;
use CodexShaper\OAuth2\Server\Repositories\UserRepository;
use DateInterval;
use Defuse\Crypto\Key;
use League\OAuth2\Server\AuthorizationServer;
use League\OAuth2\Server\CryptKey;
use League\OAuth2\Server\Grant\AuthCodeGrant;
use League\OAuth2\Server\Grant\ClientCredentialsGrant;
use League\OAuth2\Server\Grant\ImplicitGrant;
use League\OAuth2\Server\Grant\PasswordGrant;
use League\OAuth2\Server\Grant\RefreshTokenGrant;
use League\OAuth2\Server\ResourceServer;
use phpseclib\Crypt\RSA;

class Manager
{
    /**
     * Authorization server.
     *
     * @var string
     */
    protected $server;

    /**
     * All scopes.
     *
     * @var string
     */
    protected static $scopes = [
        'read'       => 'Read',
        'read_write' => 'Read and Write',
    ];

    /**
     * Default scope.
     *
     * @var string
     */
    protected static $defaultScope;

    /**
     * Enable or didable implicit grant.
     *
     * @var string
     */
    protected $isEnableImplicitGrant = false;

    /**
     * Refresh token expire at.
     *
     * @var string
     */
    protected static $refreshTokensExpireAt = 'P1Y';

    /**
     * token exipre at.
     *
     * @var string
     */
    protected static $tokensExpireAt = 'P1Y';

    /**
     * Create RSA authorisation keys.
     *
     * @return void
     */
    public static function keys($dir = null)
    {
        if (!$dir) {
            $dir = __DIR__.'/../storage/rsa';
        }

        if (!is_dir($dir)) {
            mkdir($dir, 0777, true);
        }

        $publicKey = $dir.'/oauth-public.key';
        $privateKey = $dir.'/oauth-private.key';
        $rsa = new RSA();
        $keys = $rsa->createKey(4096);

        file_put_contents($publicKey, $keys['publickey']);
        file_put_contents($privateKey, $keys['privatekey']);
    }

    /**
     * Add New scopes.
     *
     * @return void
     */
    public static function setScopes(array $scopes = [])
    {
        if (!empty($scopes)) {
            return;
        }

        static::$scopes = array_merge(static::$scopes, $scopes);

    }

    /**
     * Get all available scopes.
     *
     * @return array
     */
    public static function getScopes()
    {
        return static::$scopes;
    }

    /**
     * Given a client, grant type and optional user identifier validate the set of scopes requested are valid and optionally
     * append additional scopes or remove requested scopes.
     *
     * @param \League\OAuth2\Server\Entities\ScopeEntityInterface[] $scopes
     * @param string                                                $grantType
     * @param \League\OAuth2\Server\Entities\ClientEntityInterface  $clientEntity
     * @param null|string                                           $userIdentifier
     *
     * @return \League\OAuth2\Server\Entities\ScopeEntityInterface[]
     */
    public static function filterScopes($scopes, $grantType)
    {
        if (!in_array($grantType, ['password', 'personal_access', 'client_credentials'])) {
            $scopes = array_filter($scopes, function ($scope) {
                return trim($scope->getIdentifier()) !== '*';
            });
        }

        return array_filter($scopes, function ($scope) {
            return static::hasScope($scope->getIdentifier());
        });
    }

    /**
     * Create a CryptKey instance without permissions check.
     *
     * @param string $identifier
     *
     * @return bool
     */
    public static function hasScope($identifier)
    {
        return trim($identifier) === '*' || array_key_exists($identifier, static::$scopes);
    }

    /**
     * Check is isset a scope or not.
     *
     * @param string $identifier
     *
     * @return bool
     */
    public static function isValidateScope($identifier)
    {
        return array_key_exists($identifier, static::$scopes);
    }

    /**
     * Make the authorization service instance.
     *
     * @return \League\OAuth2\Server\AuthorizationServer
     */
    public function makeAuthorizationServer()
    {
        $encryptionKey = 'def00000069ceedc03a1f91fd51a49ce08ebb8580d688f4fbc3774c86aaa4df516eea0f72c1f62e3e577ec9f0c83c773b890222966bf93ac22e84a9eca55638be310665b';

        $this->server = new AuthorizationServer(

            new ClientRepository(),
            new AccessTokenRepository(),
            new ScopeRepository(),
            $this->makeCryptKey('private'),
            Key::loadFromAsciiSafeString($encryptionKey)
        );

        $this->server->setDefaultScope(static::$defaultScope);
        $this->enableGrantTypes();

        return $this->server;
    }

    /**
     * Enable All grant types.
     *
     * @return void
     */
    protected function enableGrantTypes()
    {
        $this->server->enableGrantType(
            new ClientCredentialsGrant(),
            new DateInterval(static::$tokensExpireAt) // access tokens will expire after 1 hour
        );

        $this->enableAuthCodeGrant();
        $this->enablePasswordGrant();
        $this->enableRefreshTokenGrant();

        if ($this->isEnableImplicitGrant) {
            $this->server->enableGrantType(
                new ImplicitGrant(new DateInterval(static::$tokensExpireAt)),
                new DateInterval(static::$tokensExpireAt) // access tokens will expire after 1 hour
            );
        }
    }

    /**
     * Enable Authorization code Grant.
     *
     * @return void
     */
    protected function enableAuthCodeGrant()
    {
        $authCodeGrant = new AuthCodeGrant(
            new AuthCodeRepository(),
            new RefreshTokenRepository(),
            new DateInterval('PT10M')
        );

        $authCodeGrant->setRefreshTokenTTL(new DateInterval(static::$refreshTokensExpireAt));

        $this->server->enableGrantType(
            $authCodeGrant,
            new DateInterval(static::$tokensExpireAt)
        );
    }

    /**
     * Enable Password Grant.
     *
     * @return void
     */
    protected function enablePasswordGrant()
    {
        $passwordGrant = new PasswordGrant(
            new UserRepository(),
            new RefreshTokenRepository()
        );

        $passwordGrant->setRefreshTokenTTL(new DateInterval(static::$refreshTokensExpireAt)); // refresh tokens will expire after 1 month

        // Enable the password grant on the server
        $this->server->enableGrantType(
            $passwordGrant,
            new DateInterval(static::$tokensExpireAt) // access tokens will expire after 1 hour
        );
    }

    /**
     * Enable Refresh token Grant.
     *
     * @return void
     */
    protected function enableRefreshTokenGrant()
    {
        $refreshTokenGrant = new RefreshTokenGrant(new RefreshTokenRepository());
        $refreshTokenGrant->setRefreshTokenTTL(new \DateInterval(static::$refreshTokensExpireAt)); // new refresh tokens will expire after 1 month

        // Enable the refresh token grant on the server
        $this->server->enableGrantType(
            $refreshTokenGrant,
            new \DateInterval(static::$tokensExpireAt) // new access tokens will expire after an hour
        );
    }

    /**
     * Create a resource server for validation.
     *
     * @return \League\OAuth2\Server\ResourServer
     */
    public function getResourceServer()
    {
        return new ResourceServer(
            new AccessTokenRepository(),
            $this->makeCryptKey('public')
        );
    }

    /**
     * Create a CryptKey instance without permissions check.
     *
     * @param string $key
     *
     * @return \League\OAuth2\Server\CryptKey
     */
    protected function makeCryptKey($type)
    {
        $key = __DIR__.'/../storage/rsa/oauth-'.$type.'.key';

        return new CryptKey($key, null, false);
    }

    /**
     * Validate user for current request.
     *
     * @param \Psr\Http\Message\ServerRequestInterface $request
     *
     * @return null|int
     */
    public function validateUserForRequest($request)
    {
        $token = Model::instance('tokenModel')->find($request->getAttribute('oauth_access_token_id'));
        $client = Model::instance('clientModel')->find($request->getAttribute('oauth_client_id'));

        if (!$token || !$client) {
            return null;
        }

        if (!$token->user_id && !$client->user_id) {
            return null;
        }

        if ($token->user_id != null) {
            return $token->user_id;
        }

        return $client->user_id;
    }

    /**
     * Migrate tables.
     *
     * @param string $dir
     *
     * @return void
     */
    public static function migrate($dir = null)
    {
        if (is_null($dir)) {
            $dir = __DIR__.'/../database/migrations';
        }

        foreach (glob($dir.'/*.php') as $file) {
            require_once $file;
            $table = pathinfo($file)['filename'];
            (new $table())->up();
        }
    }

    /**
     * Drop tables.
     *
     * @param string $dir
     *
     * @return void
     */
    public static function rollback($dir = null)
    {
        if (is_null($dir)) {
            $dir = __DIR__.'/../database/migrations';
        }

        foreach (glob($dir.'/*.php') as $file) {
            require_once $file;
            $table = pathinfo($file)['filename'];
            (new $table())->down();
        }
    }

    /**
     * Drop and migrate fresh tables.
     *
     * @param string $dir
     *
     * @return void
     */
    public static function refresh($dir = null)
    {
        if (is_null($dir)) {
            $dir = __DIR__.'/../database/migrations';
        }

        static::rollback($dir);
        static::migrate($dir);
    }
}


1		<?php
2
3		namespace CodexShaper\OAuth2\Server;
4
5		use CodexShaper\OAuth2\Server\Repositories\AccessTokenRepository;
6		use CodexShaper\OAuth2\Server\Repositories\AuthCodeRepository;
7		use CodexShaper\OAuth2\Server\Repositories\ClientRepository;
8		use CodexShaper\OAuth2\Server\Repositories\RefreshTokenRepository;
9		use CodexShaper\OAuth2\Server\Repositories\ScopeRepository;
10		use CodexShaper\OAuth2\Server\Repositories\UserRepository;
11		use DateInterval;
12		use Defuse\Crypto\Key;
13		use League\OAuth2\Server\AuthorizationServer;
14		use League\OAuth2\Server\CryptKey;
15		use League\OAuth2\Server\Grant\AuthCodeGrant;
16		use League\OAuth2\Server\Grant\ClientCredentialsGrant;
17		use League\OAuth2\Server\Grant\ImplicitGrant;
18		use League\OAuth2\Server\Grant\PasswordGrant;
19		use League\OAuth2\Server\Grant\RefreshTokenGrant;
20		use League\OAuth2\Server\ResourceServer;
21		use phpseclib\Crypt\RSA;
22
23		class Manager
24		{
25		/**
26		* Authorization server.
27		*
28		* @var string
29		*/
30		protected $server;
31
32		/**
33		* All scopes.
34		*
35		* @var string
36		*/
37		protected static $scopes = [
38		'read' => 'Read',
39		'read_write' => 'Read and Write',
40		];
41
42		/**
43		* Default scope.
44		*
45		* @var string
46		*/
47		protected static $defaultScope;
48
49		/**
50		* Enable or didable implicit grant.
51		*
52		* @var string
53		*/
54		protected $isEnableImplicitGrant = false;
55
56		/**
57		* Refresh token expire at.
58		*
59		* @var string
60		*/
61		protected static $refreshTokensExpireAt = 'P1Y';
62
63		/**
64		* token exipre at.
65		*
66		* @var string
67		*/
68		protected static $tokensExpireAt = 'P1Y';
69
70		/**
71		* Create RSA authorisation keys.
72		*
73		* @return void
74		*/
75		public static function keys($dir = null)
76		{
77		if (!$dir) {
78		$dir = __DIR__.'/../storage/rsa';
79		}
80
81		if (!is_dir($dir)) {
82		mkdir($dir, 0777, true);
83		}
84
85		$publicKey = $dir.'/oauth-public.key';
86		$privateKey = $dir.'/oauth-private.key';
87		$rsa = new RSA();
88		$keys = $rsa->createKey(4096);
89
90		file_put_contents($publicKey, $keys['publickey']);
91		file_put_contents($privateKey, $keys['privatekey']);
92		}
93
94		/**
95		* Add New scopes.
96		*
97		* @return void
98		*/
99		public static function setScopes(array $scopes = [])
100		{
101		if (!empty($scopes)) {
102		return;
103		}
104
105		static::$scopes = array_merge(static::$scopes, $scopes);
		0 ignored issues – show Documentation Bug introduced 2020-06-05 08:15 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `array_merge(static::$scopes, $scopes)` of type `array` is incompatible with the declared type `string` of property `$scopes`. Our type inference engine has found an assignment to a property that is incompatible with the declared type of that property. Either this assignment is in error or the assigned type should be added to the documentation/type hint for that property.. Loading history...
106		}
107
108		/**
109		* Get all available scopes.
110		*
111		* @return array
112		*/
113		public static function getScopes()
114		{
115		return static::$scopes;
116		}
117
118		/**
119		* Given a client, grant type and optional user identifier validate the set of scopes requested are valid and optionally
120		* append additional scopes or remove requested scopes.
121		*
122		* @param \League\OAuth2\Server\Entities\ScopeEntityInterface[] $scopes
123		* @param string $grantType
124		* @param \League\OAuth2\Server\Entities\ClientEntityInterface $clientEntity
125		* @param null\|string $userIdentifier
126		*
127		* @return \League\OAuth2\Server\Entities\ScopeEntityInterface[]
128		*/
129		public static function filterScopes($scopes, $grantType)
130		{
131		if (!in_array($grantType, ['password', 'personal_access', 'client_credentials'])) {
132		$scopes = array_filter($scopes, function ($scope) {
133		return trim($scope->getIdentifier()) !== '*';
134		});
135		}
136
137		return array_filter($scopes, function ($scope) {
138		return static::hasScope($scope->getIdentifier());
139		});
140		}
141
142		/**
143		* Create a CryptKey instance without permissions check.
144		*
145		* @param string $identifier
146		*
147		* @return bool
148		*/
149		public static function hasScope($identifier)
150		{
151		return trim($identifier) === '*' \|\| array_key_exists($identifier, static::$scopes);
152		}
153
154		/**
155		* Check is isset a scope or not.
156		*
157		* @param string $identifier
158		*
159		* @return bool
160		*/
161		public static function isValidateScope($identifier)
162		{
163		return array_key_exists($identifier, static::$scopes);
164		}
165
166		/**
167		* Make the authorization service instance.
168		*
169		* @return \League\OAuth2\Server\AuthorizationServer
170		*/
171		public function makeAuthorizationServer()
172		{
173		$encryptionKey = 'def00000069ceedc03a1f91fd51a49ce08ebb8580d688f4fbc3774c86aaa4df516eea0f72c1f62e3e577ec9f0c83c773b890222966bf93ac22e84a9eca55638be310665b';
174
175		$this->server = new AuthorizationServer(
		0 ignored issues – show Documentation Bug introduced 2020-06-05 08:15 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `new \League\OAuth2\Serve...String($encryptionKey))` of type `object<League\OAuth2\Server\AuthorizationServer>` is incompatible with the declared type `string` of property `$server`. Our type inference engine has found an assignment to a property that is incompatible with the declared type of that property. Either this assignment is in error or the assigned type should be added to the documentation/type hint for that property.. Loading history...
176		new ClientRepository(),
177		new AccessTokenRepository(),
178		new ScopeRepository(),
179		$this->makeCryptKey('private'),
180		Key::loadFromAsciiSafeString($encryptionKey)
181		);
182
183		$this->server->setDefaultScope(static::$defaultScope);
184		$this->enableGrantTypes();
185
186		return $this->server;
187		}
188
189		/**
190		* Enable All grant types.
191		*
192		* @return void
193		*/
194		protected function enableGrantTypes()
195		{
196		$this->server->enableGrantType(
197		new ClientCredentialsGrant(),
198		new DateInterval(static::$tokensExpireAt) // access tokens will expire after 1 hour
199		);
200
201		$this->enableAuthCodeGrant();
202		$this->enablePasswordGrant();
203		$this->enableRefreshTokenGrant();
204
205		if ($this->isEnableImplicitGrant) {
206		$this->server->enableGrantType(
207		new ImplicitGrant(new DateInterval(static::$tokensExpireAt)),
208		new DateInterval(static::$tokensExpireAt) // access tokens will expire after 1 hour
209		);
210		}
211		}
212
213		/**
214		* Enable Authorization code Grant.
215		*
216		* @return void
217		*/
218	View Code Duplication	protected function enableAuthCodeGrant()
219		{
220		$authCodeGrant = new AuthCodeGrant(
221		new AuthCodeRepository(),
222		new RefreshTokenRepository(),
223		new DateInterval('PT10M')
224		);
225
226		$authCodeGrant->setRefreshTokenTTL(new DateInterval(static::$refreshTokensExpireAt));
227
228		$this->server->enableGrantType(
229		$authCodeGrant,
230		new DateInterval(static::$tokensExpireAt)
231		);
232		}
233
234		/**
235		* Enable Password Grant.
236		*
237		* @return void
238		*/
239	View Code Duplication	protected function enablePasswordGrant()
240		{
241		$passwordGrant = new PasswordGrant(
242		new UserRepository(),
243		new RefreshTokenRepository()
244		);
245
246		$passwordGrant->setRefreshTokenTTL(new DateInterval(static::$refreshTokensExpireAt)); // refresh tokens will expire after 1 month
247
248		// Enable the password grant on the server
249		$this->server->enableGrantType(
250		$passwordGrant,
251		new DateInterval(static::$tokensExpireAt) // access tokens will expire after 1 hour
252		);
253		}
254
255		/**
256		* Enable Refresh token Grant.
257		*
258		* @return void
259		*/
260	View Code Duplication	protected function enableRefreshTokenGrant()
261		{
262		$refreshTokenGrant = new RefreshTokenGrant(new RefreshTokenRepository());
263		$refreshTokenGrant->setRefreshTokenTTL(new \DateInterval(static::$refreshTokensExpireAt)); // new refresh tokens will expire after 1 month
264
265		// Enable the refresh token grant on the server
266		$this->server->enableGrantType(
267		$refreshTokenGrant,
268		new \DateInterval(static::$tokensExpireAt) // new access tokens will expire after an hour
269		);
270		}
271
272		/**
273		* Create a resource server for validation.
274		*
275		* @return \League\OAuth2\Server\ResourServer
276		*/
277		public function getResourceServer()
278		{
279		return new ResourceServer(
280		new AccessTokenRepository(),
281		$this->makeCryptKey('public')
282		);
283		}
284
285		/**
286		* Create a CryptKey instance without permissions check.
287		*
288		* @param string $key
289		*
290		* @return \League\OAuth2\Server\CryptKey
291		*/
292		protected function makeCryptKey($type)
293		{
294		$key = __DIR__.'/../storage/rsa/oauth-'.$type.'.key';
295
296		return new CryptKey($key, null, false);
297		}
298
299		/**
300		* Validate user for current request.
301		*
302		* @param \Psr\Http\Message\ServerRequestInterface $request
303		*
304		* @return null\|int
305		*/
306		public function validateUserForRequest($request)
307		{
308		$token = Model::instance('tokenModel')->find($request->getAttribute('oauth_access_token_id'));
309		$client = Model::instance('clientModel')->find($request->getAttribute('oauth_client_id'));
310
311		if (!$token \|\| !$client) {
312		return null;
313		}
314
315		if (!$token->user_id && !$client->user_id) {
316		return null;
317		}
318
319		if ($token->user_id != null) {
320		return $token->user_id;
321		}
322
323		return $client->user_id;
324		}
325
326		/**
327		* Migrate tables.
328		*
329		* @param string $dir
330		*
331		* @return void
332		*/
333	View Code Duplication	public static function migrate($dir = null)
334		{
335		if (is_null($dir)) {
336		$dir = __DIR__.'/../database/migrations';
337		}
338
339		foreach (glob($dir.'/*.php') as $file) {
340		require_once $file;
341		$table = pathinfo($file)['filename'];
342		(new $table())->up();
343		}
344		}
345
346		/**
347		* Drop tables.
348		*
349		* @param string $dir
350		*
351		* @return void
352		*/
353	View Code Duplication	public static function rollback($dir = null)
354		{
355		if (is_null($dir)) {
356		$dir = __DIR__.'/../database/migrations';
357		}
358
359		foreach (glob($dir.'/*.php') as $file) {
360		require_once $file;
361		$table = pathinfo($file)['filename'];
362		(new $table())->down();
363		}
364		}
365
366		/**
367		* Drop and migrate fresh tables.
368		*
369		* @param string $dir
370		*
371		* @return void
372		*/
373		public static function refresh($dir = null)
374		{
375		if (is_null($dir)) {
376		$dir = __DIR__.'/../database/migrations';
377		}
378
379		static::rollback($dir);
380		static::migrate($dir);
381		}
382		}
383

Codexshaper / php-oauth2

Issues (55)

Security Analysis no request data

src/Manager.php (2 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like