Issues in Config.php (master) - Issues in master - EvilFreelancer/pihole-api-php - Measure and Improve Code Quality continuously with Scrutinizer

Issues (6)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Config.php (1 issue)

Labels

Documentation 1

Severity

Minor 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace PiHole;

class Config
{
    /**
     * List of allowed parameters
     */
    public const ALLOWED = [
        'webpassword',
        'json_force_object',
        'proxy',
        'base_url',
        'user_agent',
        'timeout',
        'tries',
        'seconds',
        'debug',
        'track_redirects',
    ];

    /**
     * List of minimal required parameters
     */
    public const REQUIRED = [
        'user_agent',
        'base_url',
        'timeout',
        'webpassword',
    ];

    /**
     * List of configured parameters
     *
     * @var array
     */
    private $_parameters;

    /**
     * Config constructor.
     *
     * @param array $parameters List of parameters which can be set on object creation stage
     *
     * @throws \InvalidArgumentException
     */
    public function __construct(array $parameters = [])
    {
        // Set default parameters of client
        $this->_parameters = [
            // Errors must be disabled by default, because we need to get error codes
            // @link http://docs.guzzlephp.org/en/stable/request-options.html#http-errors
            'http_errors'       => false,

            // Wrapper settings
            'tries'             => 2,  // Count of tries
            'seconds'           => 10, // Waiting time per each try

            // Optional parameters
            'debug'             => false,
            'track_redirects'   => false,

            // Main parameters
            'json_force_object' => false,
            'timeout'           => 20,
            'user_agent'        => 'Pi-Hole PHP Client',
        ];

        // Overwrite parameters by client input
        foreach ($parameters as $key => $value) {
            $this->set($key, $value);
        }
    }

    /**
     * Magic setter parameter by name
     *
     * @param string               $name  Name of parameter
     * @param string|bool|int|null $value Value of parameter
     */
    public function __set(string $name, $value)
    {
        $this->set($name, $value);
    }

    /**
     * Check if parameter if available
     *
     * @param string $name Name of parameter
     *
     * @return bool
     * @throws \InvalidArgumentException
     */
    public function __isset($name): bool
    {
        return isset($this->_parameters[$name]);
    }

    /**
     * Get parameter via magic call
     *
     * @param string $name Name of parameter
     *
     * @return bool|int|string|null
     * @throws \InvalidArgumentException
     */
    public function __get($name)
    {
        return $this->get($name);
    }

    /**
     * Remove parameter from array
     *
     * @param string $name Name of parameter
     */
    public function __unset($name)
    {
        unset($this->_parameters[$name]);
    }

    /**
     * Set parameter by name
     *
     * @param string               $name  Name of parameter
     * @param string|bool|int|null $value Value of parameter
     *
     * @return $this
     * @throws \InvalidArgumentException
     */
    public function set(string $name, $value): self
    {
        if (!\in_array($name, self::ALLOWED, false)) {
            throw new \InvalidArgumentException("Parameter \"$name\" is not in available list [" . implode(',', self::ALLOWED) . ']');
        }

        // Add parameters into array
        $this->_parameters[$name] = $value;
        return $this;
    }

    /**
     * Get available parameter by name
     *
     * @param string $name Name of parameter
     *
     * @return bool|int|string|null
     * @throws \InvalidArgumentException
     */
    public function get(string $name)
    {
        if (!isset($this->_parameters[$name])) {
            throw new \InvalidArgumentException("Parameter \"$name\" is not in set");
        }

        return $this->_parameters[$name];
    }

    /**
     * Get all available parameters
     *
     * @return array
     */
    public function all(): array
    {
        return $this->_parameters;
    }

    /**
     * Generate query by parameters
     *
     * @param array $url
     * @param bool  $auth
     *
     * @return string
     */
    public function getBaseUrl(array $url = [], bool $auth = false): string
    {
        if ($auth) {
            $url['auth'] = $this->get('webpassword');
        }

        if ($this->get('json_force_object')) {
            $url['jsonForceObject'] = null;
        }

        return $this->get('base_url') . '?' . http_build_query($url);
    }

    /**
     * Return all ready for Guzzle parameters
     *
     * @return array
     */
    public function guzzle(): array
    {
        $options = [
            'timeout'         => $this->get('timeout'),
            'track_redirects' => $this->get('track_redirects'),
            'debug'           => $this->get('debug'),
            'headers'         => [
                'User-Agent' => $this->get('user_agent'),
            ]
        ];

        // Proxy is optional
        if (isset($this->proxy)) {
            $options['proxy'] = $this->proxy;
<?php

/**
 * @property int $x
 * @property int $y
 * @property string $text
 */
class MyLabel
{
    private $properties;

    private $allowedProperties = array('x', 'y', 'text');

    public function __get($name)
    {
        if (isset($properties[$name]) && in_array($name, $this->allowedProperties)) {
            return $properties[$name];
        } else {
            return null;
        }
    }

    public function __set($name, $value)
    {
        if (in_array($name, $this->allowedProperties)) {
            $properties[$name] = $value;
        } else {
            throw new \LogicException("Property $name is not defined.");
        }
    }

}
        }

        return $options;
    }
}


1			<?php
2
3			namespace PiHole;
4
5			class Config
6			{
7			/**
8			* List of allowed parameters
9			*/
10			public const ALLOWED = [
11			'webpassword',
12			'json_force_object',
13			'proxy',
14			'base_url',
15			'user_agent',
16			'timeout',
17			'tries',
18			'seconds',
19			'debug',
20			'track_redirects',
21			];
22
23			/**
24			* List of minimal required parameters
25			*/
26			public const REQUIRED = [
27			'user_agent',
28			'base_url',
29			'timeout',
30			'webpassword',
31			];
32
33			/**
34			* List of configured parameters
35			*
36			* @var array
37			*/
38			private $_parameters;
39
40			/**
41			* Config constructor.
42			*
43			* @param array $parameters List of parameters which can be set on object creation stage
44			*
45			* @throws \InvalidArgumentException
46			*/
47			public function __construct(array $parameters = [])
48			{
49			// Set default parameters of client
50			$this->_parameters = [
51			// Errors must be disabled by default, because we need to get error codes
52			// @link http://docs.guzzlephp.org/en/stable/request-options.html#http-errors
53			'http_errors' => false,
54
55			// Wrapper settings
56			'tries' => 2, // Count of tries
57			'seconds' => 10, // Waiting time per each try
58
59			// Optional parameters
60			'debug' => false,
61			'track_redirects' => false,
62
63			// Main parameters
64			'json_force_object' => false,
65			'timeout' => 20,
66			'user_agent' => 'Pi-Hole PHP Client',
67			];
68
69			// Overwrite parameters by client input
70			foreach ($parameters as $key => $value) {
71			$this->set($key, $value);
72			}
73			}
74
75			/**
76			* Magic setter parameter by name
77			*
78			* @param string $name Name of parameter
79			* @param string\|bool\|int\|null $value Value of parameter
80			*/
81			public function __set(string $name, $value)
82			{
83			$this->set($name, $value);
84			}
85
86			/**
87			* Check if parameter if available
88			*
89			* @param string $name Name of parameter
90			*
91			* @return bool
92			* @throws \InvalidArgumentException
93			*/
94			public function __isset($name): bool
95			{
96			return isset($this->_parameters[$name]);
97			}
98
99			/**
100			* Get parameter via magic call
101			*
102			* @param string $name Name of parameter
103			*
104			* @return bool\|int\|string\|null
105			* @throws \InvalidArgumentException
106			*/
107			public function __get($name)
108			{
109			return $this->get($name);
110			}
111
112			/**
113			* Remove parameter from array
114			*
115			* @param string $name Name of parameter
116			*/
117			public function __unset($name)
118			{
119			unset($this->_parameters[$name]);
120			}
121
122			/**
123			* Set parameter by name
124			*
125			* @param string $name Name of parameter
126			* @param string\|bool\|int\|null $value Value of parameter
127			*
128			* @return $this
129			* @throws \InvalidArgumentException
130			*/
131			public function set(string $name, $value): self
132			{
133			if (!\in_array($name, self::ALLOWED, false)) {
134			throw new \InvalidArgumentException("Parameter \"$name\" is not in available list [" . implode(',', self::ALLOWED) . ']');
135			}
136
137			// Add parameters into array
138			$this->_parameters[$name] = $value;
139			return $this;
140			}
141
142			/**
143			* Get available parameter by name
144			*
145			* @param string $name Name of parameter
146			*
147			* @return bool\|int\|string\|null
148			* @throws \InvalidArgumentException
149			*/
150			public function get(string $name)
151			{
152			if (!isset($this->_parameters[$name])) {
153			throw new \InvalidArgumentException("Parameter \"$name\" is not in set");
154			}
155
156			return $this->_parameters[$name];
157			}
158
159			/**
160			* Get all available parameters
161			*
162			* @return array
163			*/
164			public function all(): array
165			{
166			return $this->_parameters;
167			}
168
169			/**
170			* Generate query by parameters
171			*
172			* @param array $url
173			* @param bool $auth
174			*
175			* @return string
176			*/
177			public function getBaseUrl(array $url = [], bool $auth = false): string
178			{
179			if ($auth) {
180			$url['auth'] = $this->get('webpassword');
181			}
182
183			if ($this->get('json_force_object')) {
184			$url['jsonForceObject'] = null;
185			}
186
187			return $this->get('base_url') . '?' . http_build_query($url);
188			}
189
190			/**
191			* Return all ready for Guzzle parameters
192			*
193			* @return array
194			*/
195			public function guzzle(): array
196			{
197			$options = [
198			'timeout' => $this->get('timeout'),
199			'track_redirects' => $this->get('track_redirects'),
200			'debug' => $this->get('debug'),
201			'headers' => [
202			'User-Agent' => $this->get('user_agent'),
203			]
204			];
205
206			// Proxy is optional
207			if (isset($this->proxy)) {
208			$options['proxy'] = $this->proxy;
			0 ignored issues – show Documentation introduced 2019-10-23 21:35 UTC by Report Bug Copy Issue Report Show Similar Issues like this The property `proxy` does not exist on `object<PiHole\Config>`. Since you implemented `__set`, maybe consider adding a @property annotation. Since your code implements the magic setter `_set`, this function will be called for any write access on an undefined variable. You can add the `@property` annotation to your class or interface to document the existence of this variable. <?php /** * @property int $x * @property int $y * @property string $text */ class MyLabel { private $properties; private $allowedProperties = array('x', 'y', 'text'); public function __get($name) { if (isset($properties[$name]) && in_array($name, $this->allowedProperties)) { return $properties[$name]; } else { return null; } } public function __set($name, $value) { if (in_array($name, $this->allowedProperties)) { $properties[$name] = $value; } else { throw new \LogicException("Property $name is not defined."); } } } Since the property has write access only, you can use the @property-write annotation instead. Of course, you may also just have mistyped another name, in which case you should fix the error. See also the PhpDoc documentation for @property. Loading history...
209			}
210
211			return $options;
212			}
213			}
214

EvilFreelancer / pihole-api-php

Issues (6)

Security Analysis no request data

src/Config.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like