Issues in TLSSig.php (master) - Issues in master - JimChenWYU/TimSDK - Measure and Improve Code Quality continuously with Scrutinizer

Issues (28)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Core/TLSSig.php (8 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * Created by PhpStorm.
 * User: lenovo
 * Date: 6/12/2018
 * Time: 10:31 AM
 */

namespace TimSDK\Core;

use TimSDK\Core\Exceptions\UserSigException;
use TimSDK\Core\Exceptions\OpensslException;

/**
 * Class TLSSigApi
 * @package TimSDK\Service
 */
class TLSSig
{
    private $private_key = false;
    private $public_key = false;
    private $appid;

    /**
     * 设置Appid
     * @param type $appid
     */
    public function setAppid($appid)
    {
        $this->appid = $appid;
    }

    /**
     * 设置私钥 如果要生成usersig则需要私钥
     * @param string $private_key 私钥文件内容
     * @return bool 是否成功
     */
    public function setPrivateKey($private_key)
    {
        $this->private_key = openssl_pkey_get_private($private_key);

        if ($this->private_key === false) {
            throw new OpensslException(openssl_error_string());
        }
        return true;
    }

    /**
     * 设置公钥 如果要验证usersig则需要公钥
     * @param string $public_key 公钥文件内容
     * @return bool 是否成功
     */
    public function setPublicKey($public_key)
    {
        $this->public_key = openssl_pkey_get_public($public_key);

        if ($this->public_key === false) {
            throw new OpensslException(openssl_error_string());
        }
        return true;
    }

    /**
     * 用于url的base64encode
     * '+' => '*', '/' => '-', '=' => '_'
     * @param string $string 需要编码的数据
     * @return string 编码后的base64串，失败返回false
     */
    private function base64Encode($string)

    {
        static $replace = array('+' => '*', '/' => '-', '=' => '_');
        $base64 = base64_encode($string);
        if ($base64 === false) {
            throw new OpensslException('base64_encode error');
        }
        return str_replace(array_keys($replace), array_values($replace), $base64);
    }

    /**
     * 用于url的base64decode
     * '+' => '*', '/' => '-', '=' => '_'
     * @param string $base64 需要解码的base64串
     * @return string 解码后的数据，失败返回false
     */
    private function base64Decode($base64)

    {
        static $replace = array('+' => '*', '/' => '-', '=' => '_');
        $string = str_replace(array_values($replace), array_keys($replace), $base64);
        $result = base64_decode($string);
        if ($result == false) {

            throw new OpensslException('base64_decode error');
        }
        return $result;
    }

    /**
     * 根据json内容生成需要签名的buf串
     * @param array $json 票据json对象
     * @return string 按标准格式生成的用于签名的字符串
     * 失败时返回false
     */
    private function genSignContent(array $json)
    {
        static $members = array(
            'TLS.appid_at_3rd',
            'TLS.account_type',
            'TLS.identifier',
            'TLS.sdk_appid',
            'TLS.time',
            'TLS.expire_after'
        );
        $content = '';
        foreach ($members as $member) {
            if (!isset($json[$member])) {
                throw new OpensslException('json need ' . $member);
            }
            $content .= "{$member}:{$json[$member]}\n";
        }
        return $content;
    }

    /**
     * ECDSA-SHA256签名
     * @param string $data 需要签名的数据
     * @return string 返回签名 失败时返回false
     */
    private function sign($data)
    {
        $signature = '';
        if (!openssl_sign($data, $signature, $this->private_key, 'sha256')) {
            throw new OpensslException(openssl_error_string());
        }
        return $signature;
    }

    /**
     * 验证ECDSA-SHA256签名
     * @param string $data 需要验证的数据原文
     * @param string $sig 需要验证的签名
     * @return int 1验证成功 0验证失败
     */
    private function verify($data, $sig)
    {
        $ret = openssl_verify($data, $sig, $this->public_key, 'sha256');
        if ($ret == -1) {
            throw new OpensslException(openssl_error_string());
        }
        return $ret;
    }

    /**
     * 生成usersig
     * @param string $identifier 用户名
     * @param uint $expire usersig有效期 默认为180天, 180 * 24 * 3600, 单位秒
     * @return string 生成的UserSig 失败时为false
     */
    public function genSig($identifier, $expire = 15552000)
    {
        $json = array(
            'TLS.account_type' => '0',
            'TLS.identifier' => (string) $identifier,
            'TLS.appid_at_3rd' => '0',
            'TLS.sdk_appid' => (string) $this->appid,
            'TLS.expire_after' => (string) $expire,
            'TLS.version' => '201512300000',
            'TLS.time' => (string) time()
        );
        $err = '';
        $content = $this->genSignContent($json, $err);

        $signature = $this->sign($content, $err);

        $json['TLS.sig'] = base64_encode($signature);
        if ($json['TLS.sig'] === false) {
            throw new UserSigException('base64_encode error');
        }
        $json_text = json_encode($json);
        if ($json_text === false) {
            throw new UserSigException('json_encode error');
        }
        $compressed = gzcompress($json_text);
        if ($compressed === false) {
            throw new UserSigException('gzcompress error');
        }
        return $this->base64Encode($compressed);
    }

    /**
     * 验证usersig
     * @param type $sig usersig
     * @param type $identifier 需要验证用户名
     * @param type $init_time usersig中的生成时间
     * @param type $expire_time usersig中的有效期 如：3600秒
     * @param type $error_msg 失败时的错误信息
     * @return boolean 验证是否成功
     */
    public function verifySig($sig, $identifier, &$init_time, &$expire_time, &$error_msg)
    {
        try {
            $error_msg = '';
            $decoded_sig = $this->base64Decode($sig);
            $uncompressed_sig = gzuncompress($decoded_sig);
            if ($uncompressed_sig === false) {
                throw new UserSigException('gzuncompress error');
            }
            $json = json_decode($uncompressed_sig);
            if ($json == false) {
                throw new UserSigException('json_decode error');
            }
            $json = (array) $json;
            if ($json['TLS.identifier'] !== $identifier) {
                throw new UserSigException("identifier error sigid:{$json['TLS.identifier']} id:{$identifier}");
            }
            if ($json['TLS.sdk_appid'] != $this->appid) {
                throw new UserSigException("appid error sigappid:{$json['TLS.appid']} thisappid:{$this->appid}");
            }
            $content = $this->genSignContent($json);
            $signature = base64_decode($json['TLS.sig']);
            if ($signature == false) {

                throw new UserSigException('sig json_decode error');
            }
            $succ = $this->verify($content, $signature);
            if (!$succ) {
                throw new UserSigException('verify failed');
            }
            $init_time = $json['TLS.time'];
            $expire_time = $json['TLS.expire_after'];
            return true;
        } catch (UserSigException $ex) {
            $error_msg = $ex->getMessage();
            return false;
        }
    }
}


1		<?php
2		/**
3		* Created by PhpStorm.
4		* User: lenovo
5		* Date: 6/12/2018
6		* Time: 10:31 AM
7		*/
8
9		namespace TimSDK\Core;
10
11		use TimSDK\Core\Exceptions\UserSigException;
12		use TimSDK\Core\Exceptions\OpensslException;
13
14		/**
15		* Class TLSSigApi
16		* @package TimSDK\Service
17		*/
18		class TLSSig
19		{
20		private $private_key = false;
21		private $public_key = false;
22		private $appid;
23
24		/**
25		* 设置Appid
26		* @param type $appid
27		*/
28		public function setAppid($appid)
29		{
30		$this->appid = $appid;
31		}
32
33		/**
34		* 设置私钥如果要生成usersig则需要私钥
35		* @param string $private_key 私钥文件内容
36		* @return bool 是否成功
37		*/
38		public function setPrivateKey($private_key)
39		{
40		$this->private_key = openssl_pkey_get_private($private_key);
		0 ignored issues – show Documentation Bug introduced 2018-06-24 07:56 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `openssl_pkey_get_private($private_key)` of type `resource` is incompatible with the declared type `boolean` of property `$private_key`. Our type inference engine has found an assignment to a property that is incompatible with the declared type of that property. Either this assignment is in error or the assigned type should be added to the documentation/type hint for that property.. Loading history...
41		if ($this->private_key === false) {
42		throw new OpensslException(openssl_error_string());
43		}
44		return true;
45		}
46
47		/**
48		* 设置公钥如果要验证usersig则需要公钥
49		* @param string $public_key 公钥文件内容
50		* @return bool 是否成功
51		*/
52		public function setPublicKey($public_key)
53		{
54		$this->public_key = openssl_pkey_get_public($public_key);
		0 ignored issues – show Documentation Bug introduced 2018-06-24 07:56 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `openssl_pkey_get_public($public_key)` of type `resource` is incompatible with the declared type `boolean` of property `$public_key`. Our type inference engine has found an assignment to a property that is incompatible with the declared type of that property. Either this assignment is in error or the assigned type should be added to the documentation/type hint for that property.. Loading history...
55		if ($this->public_key === false) {
56		throw new OpensslException(openssl_error_string());
57		}
58		return true;
59		}
60
61		/**
62		* 用于url的base64encode
63		* '+' => '*', '/' => '-', '=' => '_'
64		* @param string $string 需要编码的数据
65		* @return string 编码后的base64串，失败返回false
66		*/
67	View Code Duplication	private function base64Encode($string)
		0 ignored issues – show Duplication introduced 2018-06-24 07:56 UTC by Report Bug Copy Issue Report Show Similar Issues like this This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
68		{
69		static $replace = array('+' => '*', '/' => '-', '=' => '_');
70		$base64 = base64_encode($string);
71		if ($base64 === false) {
72		throw new OpensslException('base64_encode error');
73		}
74		return str_replace(array_keys($replace), array_values($replace), $base64);
75		}
76
77		/**
78		* 用于url的base64decode
79		* '+' => '*', '/' => '-', '=' => '_'
80		* @param string $base64 需要解码的base64串
81		* @return string 解码后的数据，失败返回false
82		*/
83	View Code Duplication	private function base64Decode($base64)
		0 ignored issues – show Duplication introduced 2018-06-24 07:56 UTC by Report Bug Copy Issue Report Show Similar Issues like this This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
84		{
85		static $replace = array('+' => '*', '/' => '-', '=' => '_');
86		$string = str_replace(array_values($replace), array_keys($replace), $base64);
87		$result = base64_decode($string);
88		if ($result == false) {
		0 ignored issues – show Bug Best Practice introduced 2018-06-24 07:56 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like you are loosely comparing `$result` of type `string` to the boolean `false`. If you are specifically checking for an empty string, consider using the more explicit `=== ''` instead. Loading history...
89		throw new OpensslException('base64_decode error');
90		}
91		return $result;
92		}
93
94		/**
95		* 根据json内容生成需要签名的buf串
96		* @param array $json 票据json对象
97		* @return string 按标准格式生成的用于签名的字符串
98		* 失败时返回false
99		*/
100		private function genSignContent(array $json)
101		{
102		static $members = array(
103		'TLS.appid_at_3rd',
104		'TLS.account_type',
105		'TLS.identifier',
106		'TLS.sdk_appid',
107		'TLS.time',
108		'TLS.expire_after'
109		);
110		$content = '';
111		foreach ($members as $member) {
112		if (!isset($json[$member])) {
113		throw new OpensslException('json need ' . $member);
114		}
115		$content .= "{$member}:{$json[$member]}\n";
116		}
117		return $content;
118		}
119
120		/**
121		* ECDSA-SHA256签名
122		* @param string $data 需要签名的数据
123		* @return string 返回签名失败时返回false
124		*/
125		private function sign($data)
126		{
127		$signature = '';
128		if (!openssl_sign($data, $signature, $this->private_key, 'sha256')) {
129		throw new OpensslException(openssl_error_string());
130		}
131		return $signature;
132		}
133
134		/**
135		* 验证ECDSA-SHA256签名
136		* @param string $data 需要验证的数据原文
137		* @param string $sig 需要验证的签名
138		* @return int 1验证成功 0验证失败
139		*/
140		private function verify($data, $sig)
141		{
142		$ret = openssl_verify($data, $sig, $this->public_key, 'sha256');
143		if ($ret == -1) {
144		throw new OpensslException(openssl_error_string());
145		}
146		return $ret;
147		}
148
149		/**
150		* 生成usersig
151		* @param string $identifier 用户名
152		* @param uint $expire usersig有效期默认为180天, 180 * 24 * 3600, 单位秒
153		* @return string 生成的UserSig 失败时为false
154		*/
155		public function genSig($identifier, $expire = 15552000)
156		{
157		$json = array(
158		'TLS.account_type' => '0',
159		'TLS.identifier' => (string) $identifier,
160		'TLS.appid_at_3rd' => '0',
161		'TLS.sdk_appid' => (string) $this->appid,
162		'TLS.expire_after' => (string) $expire,
163		'TLS.version' => '201512300000',
164		'TLS.time' => (string) time()
165		);
166		$err = '';
167		$content = $this->genSignContent($json, $err);
		0 ignored issues – show Unused Code introduced 2018-06-24 07:56 UTC by Report Bug Copy Issue Report Show Similar Issues like this The call to `TLSSig::genSignContent()` has too many arguments starting with `$err`. This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue. If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress. In this case you can add the `@ignore` PhpDoc annotation to the duplicate definition and it will be ignored. Loading history...
168		$signature = $this->sign($content, $err);
		0 ignored issues – show Unused Code introduced 2018-06-24 07:56 UTC by Report Bug Copy Issue Report Show Similar Issues like this The call to `TLSSig::sign()` has too many arguments starting with `$err`. This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue. If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress. In this case you can add the `@ignore` PhpDoc annotation to the duplicate definition and it will be ignored. Loading history...
169		$json['TLS.sig'] = base64_encode($signature);
170		if ($json['TLS.sig'] === false) {
171		throw new UserSigException('base64_encode error');
172		}
173		$json_text = json_encode($json);
174		if ($json_text === false) {
175		throw new UserSigException('json_encode error');
176		}
177		$compressed = gzcompress($json_text);
178		if ($compressed === false) {
179		throw new UserSigException('gzcompress error');
180		}
181		return $this->base64Encode($compressed);
182		}
183
184		/**
185		* 验证usersig
186		* @param type $sig usersig
187		* @param type $identifier 需要验证用户名
188		* @param type $init_time usersig中的生成时间
189		* @param type $expire_time usersig中的有效期如：3600秒
190		* @param type $error_msg 失败时的错误信息
191		* @return boolean 验证是否成功
192		*/
193		public function verifySig($sig, $identifier, &$init_time, &$expire_time, &$error_msg)
194		{
195		try {
196		$error_msg = '';
197		$decoded_sig = $this->base64Decode($sig);
198		$uncompressed_sig = gzuncompress($decoded_sig);
199		if ($uncompressed_sig === false) {
200		throw new UserSigException('gzuncompress error');
201		}
202		$json = json_decode($uncompressed_sig);
203		if ($json == false) {
204		throw new UserSigException('json_decode error');
205		}
206		$json = (array) $json;
207		if ($json['TLS.identifier'] !== $identifier) {
208		throw new UserSigException("identifier error sigid:{$json['TLS.identifier']} id:{$identifier}");
209		}
210		if ($json['TLS.sdk_appid'] != $this->appid) {
211		throw new UserSigException("appid error sigappid:{$json['TLS.appid']} thisappid:{$this->appid}");
212		}
213		$content = $this->genSignContent($json);
214		$signature = base64_decode($json['TLS.sig']);
215		if ($signature == false) {
		0 ignored issues – show Bug Best Practice introduced 2018-06-24 07:56 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like you are loosely comparing `$signature` of type `string` to the boolean `false`. If you are specifically checking for an empty string, consider using the more explicit `=== ''` instead. Loading history...
216		throw new UserSigException('sig json_decode error');
217		}
218		$succ = $this->verify($content, $signature);
219		if (!$succ) {
220		throw new UserSigException('verify failed');
221		}
222		$init_time = $json['TLS.time'];
223		$expire_time = $json['TLS.expire_after'];
224		return true;
225		} catch (UserSigException $ex) {
226		$error_msg = $ex->getMessage();
227		return false;
228		}
229		}
230		}
231

JimChenWYU / TimSDK

Issues (28)

Security Analysis no request data

src/Core/TLSSig.php (8 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like