Issues in Response.php (master) - Issues in master - Jitamin/jitamin - Measure and Improve Code Quality continuously with Scrutinizer

Issues (3948)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

app/Foundation/Http/Response.php (5 issues)

Labels

Severity

Informational 5

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

/*
 * This file is part of Jitamin.
 *
 * Copyright (C) Jitamin Team
 *
 * For the full copyright and license information, please view the LICENSE
 * file that was distributed with this source code.
 */

namespace Jitamin\Foundation\Http;

use Jitamin\Foundation\Base;
use Jitamin\Foundation\Csv;

/**
 * Response class.
 */
class Response extends Base
{
    private $httpStatusCode = 200;
    private $httpHeaders = [];
    private $httpBody = '';
    private $responseSent = false;

    /**
     * Return true if the response have been sent to the user agent.
     *
     * @return bool
     */
    public function isResponseAlreadySent()
    {
        return $this->responseSent;
    }

    /**
     * Set HTTP status code.
     *
     * @param int $statusCode
     *
     * @return $this
     */
    public function withStatusCode($statusCode)
    {
        $this->httpStatusCode = $statusCode;

        return $this;
    }

    /**
     * Set HTTP header.
     *
     * @param string $header
     * @param string $value
     *
     * @return $this
     */
    public function withHeader($header, $value)
    {
        $this->httpHeaders[$header] = $value;

        return $this;
    }

    /**
     * Set content type header.
     *
     * @param string $value
     *
     * @return $this
     */
    public function withContentType($value)
    {
        $this->httpHeaders['Content-Type'] = $value;

        return $this;
    }

    /**
     * Set default security headers.
     *
     * @return $this
     */
    public function withSecurityHeaders()
    {
        $this->httpHeaders['X-Content-Type-Options'] = 'nosniff';
        $this->httpHeaders['X-XSS-Protection'] = '1; mode=block';

        return $this;
    }

    /**
     * Set header Content-Security-Policy.
     *
     * @param array $policies
     *
     * @return $this
     */
    public function withContentSecurityPolicy(array $policies = [])
    {
        $values = '';

        foreach ($policies as $policy => $acl) {
            $values .= $policy.' '.trim($acl).'; ';
        }

        $this->withHeader('Content-Security-Policy', $values);

        return $this;
    }

    /**
     * Set header X-Frame-Options.
     *
     * @return $this
     */
    public function withXframe()
    {
        $this->withHeader('X-Frame-Options', 'DENY');

        return $this;
    }

    /**
     * Set header Strict-Transport-Security (only if we use HTTPS).
     *
     * @return $this
     */
    public function withStrictTransportSecurity()
    {
        if ($this->request->isHTTPS()) {
<?php

/**
 * @property int $x
 * @property int $y
 * @property string $text
 */
class MyLabel
{
    private $properties;

    private $allowedProperties = array('x', 'y', 'text');

    public function __get($name)
    {
        if (isset($properties[$name]) && in_array($name, $this->allowedProperties)) {
            return $properties[$name];
        } else {
            return null;
        }
    }

    public function __set($name, $value)
    {
        if (in_array($name, $this->allowedProperties)) {
            $properties[$name] = $value;
        } else {
            throw new \LogicException("Property $name is not defined.");
        }
    }

}
            $this->withHeader('Strict-Transport-Security', 'max-age=31536000');
        }

        return $this;
    }

    /**
     * Set HTTP response body.
     *
     * @param string $body
     *
     * @return $this
     */
    public function withBody($body)
    {
        $this->httpBody = $body;

        return $this;
    }

    /**
     * Send headers to cache a resource.
     *
     * @param int    $duration
     * @param string $etag
     *
     * @return $this
     */
    public function withCache($duration, $etag = '')
    {
        $this
            ->withHeader('Pragma', 'cache')
            ->withHeader('Expires', gmdate('D, d M Y H:i:s', time() + $duration).' GMT')
            ->withHeader('Cache-Control', 'public, max-age='.$duration);

        if ($etag) {
            $this->withHeader('ETag', '"'.$etag.'"');
        }

        return $this;
    }

    /**
     * Send no cache headers.
     *
     * @return $this
     */
    public function withoutCache()
    {
        $this->withHeader('Pragma', 'no-cache');
        $this->withHeader('Expires', 'Sat, 26 Jul 1997 05:00:00 GMT');

        return $this;
    }

    /**
     * Force the browser to download an attachment.
     *
     * @param string $filename
     *
     * @return $this
     */
    public function withFileDownload($filename)
    {
        $this->withHeader('Content-Disposition', 'attachment; filename="'.$filename.'"');
        $this->withHeader('Content-Transfer-Encoding', 'binary');
        $this->withHeader('Content-Type', 'application/octet-stream');

        return $this;
    }

    /**
     * Send headers and body.
     */
    public function send()
    {
        $this->responseSent = true;

        if ($this->httpStatusCode !== 200) {
            header('Status: '.$this->httpStatusCode);
            header($this->request->getServerVariable('SERVER_PROTOCOL').' '.$this->httpStatusCode);
<?php

/**
 * @property int $x
 * @property int $y
 * @property string $text
 */
class MyLabel
{
    private $properties;

    private $allowedProperties = array('x', 'y', 'text');

    public function __get($name)
    {
        if (isset($properties[$name]) && in_array($name, $this->allowedProperties)) {
            return $properties[$name];
        } else {
            return null;
        }
    }

    public function __set($name, $value)
    {
        if (in_array($name, $this->allowedProperties)) {
            $properties[$name] = $value;
        } else {
            throw new \LogicException("Property $name is not defined.");
        }
    }

}
        }

        foreach ($this->httpHeaders as $header => $value) {
            header($header.': '.$value);
        }

        if (!empty($this->httpBody)) {
            echo $this->httpBody;
        }
    }

    /**
     * Send a custom HTTP status code.
     *
     * @param int $statusCode
     */
    public function status($statusCode)
    {
        $this->withStatusCode($statusCode);
        $this->send();
    }

    /**
     * Redirect to another URL.
     *
     * @param string $url  Redirection URL
     * @param bool   $self If Ajax request and true: refresh the current page
     */
    public function redirect($url, $self = false)
    {
        if ($this->request->isAjax()) {
<?php

/**
 * @property int $x
 * @property int $y
 * @property string $text
 */
class MyLabel
{
    private $properties;

    private $allowedProperties = array('x', 'y', 'text');

    public function __get($name)
    {
        if (isset($properties[$name]) && in_array($name, $this->allowedProperties)) {
            return $properties[$name];
        } else {
            return null;
        }
    }

    public function __set($name, $value)
    {
        if (in_array($name, $this->allowedProperties)) {
            $properties[$name] = $value;
        } else {
            throw new \LogicException("Property $name is not defined.");
        }
    }

}
            $this->withHeader('X-Ajax-Redirect', $self ? 'self' : $url);
        } else {
            $this->withHeader('Location', $url);
        }

        $this->send();
    }

    /**
     * Send a HTML response.
     *
     * @param string $data
     * @param int    $statusCode
     */
    public function html($data, $statusCode = 200)
    {
        $this->withStatusCode($statusCode);
        $this->withContentType('text/html; charset=utf-8');
        $this->withBody($data);
        $this->send();
    }

    /**
     * Send a text response.
     *
     * @param string $data
     * @param int    $statusCode
     */
    public function text($data, $statusCode = 200)
    {
        $this->withStatusCode($statusCode);
        $this->withContentType('text/plain; charset=utf-8');
        $this->withBody($data);
        $this->send();
    }

    /**
     * Send a CSV response.
     *
     * @param array $data Data to serialize in csv
     */
    public function csv(array $data)
    {
        $this->withoutCache();
        $this->withContentType('text/csv; charset=utf-8');
        $this->send();
        Csv::output($data);
    }

    /**
     * Send a Json response.
     *
     * @param array $data       Data to serialize in json
     * @param int   $statusCode HTTP status code
     */
    public function json(array $data, $statusCode = 200)

    {
        $this->withStatusCode($statusCode);
        $this->withContentType('application/json');
        $this->withoutCache();
        $this->withBody(json_encode($data));
        $this->send();
    }

    /**
     * Send a XML response.
     *
     * @param string $data
     * @param int    $statusCode
     */
    public function xml($data, $statusCode = 200)
    {
        $this->withStatusCode($statusCode);
        $this->withContentType('text/xml; charset=utf-8');
        $this->withoutCache();
        $this->withBody($data);
        $this->send();
    }

    /**
     * Send a javascript response.
     *
     * @param string $data
     * @param int    $statusCode
     */
    public function js($data, $statusCode = 200)
    {
        $this->withStatusCode($statusCode);
        $this->withContentType('text/javascript; charset=utf-8');
        $this->withBody($data);
        $this->send();
    }

    /**
     * Send a css response.
     *
     * @param string $data
     * @param int    $statusCode
     */
    public function css($data, $statusCode = 200)
    {
        $this->withStatusCode($statusCode);
        $this->withContentType('text/css; charset=utf-8');
        $this->withBody($data);
        $this->send();
    }

    /**
     * Send a binary response.
     *
     * @param string $data
     * @param int    $statusCode
     */
    public function binary($data, $statusCode = 200)

    {
        $this->withStatusCode($statusCode);
        $this->withoutCache();
        $this->withHeader('Content-Transfer-Encoding', 'binary');
        $this->withContentType('application/octet-stream');
        $this->withBody($data);
        $this->send();
    }

    /**
     * Send a iCal response.
     *
     * @param string $data
     * @param int    $statusCode
     */
    public function ical($data, $statusCode = 200)
    {
        $this->withStatusCode($statusCode);
        $this->withContentType('text/calendar; charset=utf-8');
        $this->withBody($data);
        $this->send();
    }
}


1		<?php
2
3		/*
4		* This file is part of Jitamin.
5		*
6		* Copyright (C) Jitamin Team
7		*
8		* For the full copyright and license information, please view the LICENSE
9		* file that was distributed with this source code.
10		*/
11
12		namespace Jitamin\Foundation\Http;
13
14		use Jitamin\Foundation\Base;
15		use Jitamin\Foundation\Csv;
16
17		/**
18		* Response class.
19		*/
20		class Response extends Base
21		{
22		private $httpStatusCode = 200;
23		private $httpHeaders = [];
24		private $httpBody = '';
25		private $responseSent = false;
26
27		/**
28		* Return true if the response have been sent to the user agent.
29		*
30		* @return bool
31		*/
32		public function isResponseAlreadySent()
33		{
34		return $this->responseSent;
35		}
36
37		/**
38		* Set HTTP status code.
39		*
40		* @param int $statusCode
41		*
42		* @return $this
43		*/
44		public function withStatusCode($statusCode)
45		{
46		$this->httpStatusCode = $statusCode;
47
48		return $this;
49		}
50
51		/**
52		* Set HTTP header.
53		*
54		* @param string $header
55		* @param string $value
56		*
57		* @return $this
58		*/
59		public function withHeader($header, $value)
60		{
61		$this->httpHeaders[$header] = $value;
62
63		return $this;
64		}
65
66		/**
67		* Set content type header.
68		*
69		* @param string $value
70		*
71		* @return $this
72		*/
73		public function withContentType($value)
74		{
75		$this->httpHeaders['Content-Type'] = $value;
76
77		return $this;
78		}
79
80		/**
81		* Set default security headers.
82		*
83		* @return $this
84		*/
85		public function withSecurityHeaders()
86		{
87		$this->httpHeaders['X-Content-Type-Options'] = 'nosniff';
88		$this->httpHeaders['X-XSS-Protection'] = '1; mode=block';
89
90		return $this;
91		}
92
93		/**
94		* Set header Content-Security-Policy.
95		*
96		* @param array $policies
97		*
98		* @return $this
99		*/
100		public function withContentSecurityPolicy(array $policies = [])
101		{
102		$values = '';
103
104		foreach ($policies as $policy => $acl) {
105		$values .= $policy.' '.trim($acl).'; ';
106		}
107
108		$this->withHeader('Content-Security-Policy', $values);
109
110		return $this;
111		}
112
113		/**
114		* Set header X-Frame-Options.
115		*
116		* @return $this
117		*/
118		public function withXframe()
119		{
120		$this->withHeader('X-Frame-Options', 'DENY');
121
122		return $this;
123		}
124
125		/**
126		* Set header Strict-Transport-Security (only if we use HTTPS).
127		*
128		* @return $this
129		*/
130		public function withStrictTransportSecurity()
131		{
132		if ($this->request->isHTTPS()) {
		0 ignored issues – show Documentation introduced 2017-01-10 05:03 UTC by Report Bug Copy Issue Report Show Similar Issues like this The property `request` does not exist on `object<Jitamin\Foundation\Http\Response>`. Since you implemented `__get`, maybe consider adding a @property annotation. Since your code implements the magic getter `_get`, this function will be called for any read access on an undefined variable. You can add the `@property` annotation to your class or interface to document the existence of this variable. <?php /** * @property int $x * @property int $y * @property string $text */ class MyLabel { private $properties; private $allowedProperties = array('x', 'y', 'text'); public function __get($name) { if (isset($properties[$name]) && in_array($name, $this->allowedProperties)) { return $properties[$name]; } else { return null; } } public function __set($name, $value) { if (in_array($name, $this->allowedProperties)) { $properties[$name] = $value; } else { throw new \LogicException("Property $name is not defined."); } } } If the property has read access only, you can use the @property-read annotation instead. Of course, you may also just have mistyped another name, in which case you should fix the error. See also the PhpDoc documentation for @property. Loading history...
133		$this->withHeader('Strict-Transport-Security', 'max-age=31536000');
134		}
135
136		return $this;
137		}
138
139		/**
140		* Set HTTP response body.
141		*
142		* @param string $body
143		*
144		* @return $this
145		*/
146		public function withBody($body)
147		{
148		$this->httpBody = $body;
149
150		return $this;
151		}
152
153		/**
154		* Send headers to cache a resource.
155		*
156		* @param int $duration
157		* @param string $etag
158		*
159		* @return $this
160		*/
161		public function withCache($duration, $etag = '')
162		{
163		$this
164		->withHeader('Pragma', 'cache')
165		->withHeader('Expires', gmdate('D, d M Y H:i:s', time() + $duration).' GMT')
166		->withHeader('Cache-Control', 'public, max-age='.$duration);
167
168		if ($etag) {
169		$this->withHeader('ETag', '"'.$etag.'"');
170		}
171
172		return $this;
173		}
174
175		/**
176		* Send no cache headers.
177		*
178		* @return $this
179		*/
180		public function withoutCache()
181		{
182		$this->withHeader('Pragma', 'no-cache');
183		$this->withHeader('Expires', 'Sat, 26 Jul 1997 05:00:00 GMT');
184
185		return $this;
186		}
187
188		/**
189		* Force the browser to download an attachment.
190		*
191		* @param string $filename
192		*
193		* @return $this
194		*/
195		public function withFileDownload($filename)
196		{
197		$this->withHeader('Content-Disposition', 'attachment; filename="'.$filename.'"');
198		$this->withHeader('Content-Transfer-Encoding', 'binary');
199		$this->withHeader('Content-Type', 'application/octet-stream');
200
201		return $this;
202		}
203
204		/**
205		* Send headers and body.
206		*/
207		public function send()
208		{
209		$this->responseSent = true;
210
211		if ($this->httpStatusCode !== 200) {
212		header('Status: '.$this->httpStatusCode);
213		header($this->request->getServerVariable('SERVER_PROTOCOL').' '.$this->httpStatusCode);
		0 ignored issues – show Documentation introduced 2017-01-10 05:03 UTC by Report Bug Copy Issue Report Show Similar Issues like this The property `request` does not exist on `object<Jitamin\Foundation\Http\Response>`. Since you implemented `__get`, maybe consider adding a @property annotation. Since your code implements the magic getter `_get`, this function will be called for any read access on an undefined variable. You can add the `@property` annotation to your class or interface to document the existence of this variable. <?php /** * @property int $x * @property int $y * @property string $text */ class MyLabel { private $properties; private $allowedProperties = array('x', 'y', 'text'); public function __get($name) { if (isset($properties[$name]) && in_array($name, $this->allowedProperties)) { return $properties[$name]; } else { return null; } } public function __set($name, $value) { if (in_array($name, $this->allowedProperties)) { $properties[$name] = $value; } else { throw new \LogicException("Property $name is not defined."); } } } If the property has read access only, you can use the @property-read annotation instead. Of course, you may also just have mistyped another name, in which case you should fix the error. See also the PhpDoc documentation for @property. Loading history...
214		}
215
216		foreach ($this->httpHeaders as $header => $value) {
217		header($header.': '.$value);
218		}
219
220		if (!empty($this->httpBody)) {
221		echo $this->httpBody;
222		}
223		}
224
225		/**
226		* Send a custom HTTP status code.
227		*
228		* @param int $statusCode
229		*/
230		public function status($statusCode)
231		{
232		$this->withStatusCode($statusCode);
233		$this->send();
234		}
235
236		/**
237		* Redirect to another URL.
238		*
239		* @param string $url Redirection URL
240		* @param bool $self If Ajax request and true: refresh the current page
241		*/
242		public function redirect($url, $self = false)
243		{
244		if ($this->request->isAjax()) {
		0 ignored issues – show Documentation introduced 2017-01-10 05:03 UTC by Report Bug Copy Issue Report Show Similar Issues like this The property `request` does not exist on `object<Jitamin\Foundation\Http\Response>`. Since you implemented `__get`, maybe consider adding a @property annotation. Since your code implements the magic getter `_get`, this function will be called for any read access on an undefined variable. You can add the `@property` annotation to your class or interface to document the existence of this variable. <?php /** * @property int $x * @property int $y * @property string $text */ class MyLabel { private $properties; private $allowedProperties = array('x', 'y', 'text'); public function __get($name) { if (isset($properties[$name]) && in_array($name, $this->allowedProperties)) { return $properties[$name]; } else { return null; } } public function __set($name, $value) { if (in_array($name, $this->allowedProperties)) { $properties[$name] = $value; } else { throw new \LogicException("Property $name is not defined."); } } } If the property has read access only, you can use the @property-read annotation instead. Of course, you may also just have mistyped another name, in which case you should fix the error. See also the PhpDoc documentation for @property. Loading history...
245		$this->withHeader('X-Ajax-Redirect', $self ? 'self' : $url);
246		} else {
247		$this->withHeader('Location', $url);
248		}
249
250		$this->send();
251		}
252
253		/**
254		* Send a HTML response.
255		*
256		* @param string $data
257		* @param int $statusCode
258		*/
259		public function html($data, $statusCode = 200)
260		{
261		$this->withStatusCode($statusCode);
262		$this->withContentType('text/html; charset=utf-8');
263		$this->withBody($data);
264		$this->send();
265		}
266
267		/**
268		* Send a text response.
269		*
270		* @param string $data
271		* @param int $statusCode
272		*/
273		public function text($data, $statusCode = 200)
274		{
275		$this->withStatusCode($statusCode);
276		$this->withContentType('text/plain; charset=utf-8');
277		$this->withBody($data);
278		$this->send();
279		}
280
281		/**
282		* Send a CSV response.
283		*
284		* @param array $data Data to serialize in csv
285		*/
286		public function csv(array $data)
287		{
288		$this->withoutCache();
289		$this->withContentType('text/csv; charset=utf-8');
290		$this->send();
291		Csv::output($data);
292		}
293
294		/**
295		* Send a Json response.
296		*
297		* @param array $data Data to serialize in json
298		* @param int $statusCode HTTP status code
299		*/
300	View Code Duplication	public function json(array $data, $statusCode = 200)
		0 ignored issues – show Duplication introduced 2017-11-03 05:20 UTC by Report Bug Copy Issue Report Show Similar Issues like this This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
301		{
302		$this->withStatusCode($statusCode);
303		$this->withContentType('application/json');
304		$this->withoutCache();
305		$this->withBody(json_encode($data));
306		$this->send();
307		}
308
309		/**
310		* Send a XML response.
311		*
312		* @param string $data
313		* @param int $statusCode
314		*/
315		public function xml($data, $statusCode = 200)
316		{
317		$this->withStatusCode($statusCode);
318		$this->withContentType('text/xml; charset=utf-8');
319		$this->withoutCache();
320		$this->withBody($data);
321		$this->send();
322		}
323
324		/**
325		* Send a javascript response.
326		*
327		* @param string $data
328		* @param int $statusCode
329		*/
330		public function js($data, $statusCode = 200)
331		{
332		$this->withStatusCode($statusCode);
333		$this->withContentType('text/javascript; charset=utf-8');
334		$this->withBody($data);
335		$this->send();
336		}
337
338		/**
339		* Send a css response.
340		*
341		* @param string $data
342		* @param int $statusCode
343		*/
344		public function css($data, $statusCode = 200)
345		{
346		$this->withStatusCode($statusCode);
347		$this->withContentType('text/css; charset=utf-8');
348		$this->withBody($data);
349		$this->send();
350		}
351
352		/**
353		* Send a binary response.
354		*
355		* @param string $data
356		* @param int $statusCode
357		*/
358	View Code Duplication	public function binary($data, $statusCode = 200)
		0 ignored issues – show Duplication introduced 2017-11-03 05:20 UTC by Report Bug Copy Issue Report Show Similar Issues like this This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
359		{
360		$this->withStatusCode($statusCode);
361		$this->withoutCache();
362		$this->withHeader('Content-Transfer-Encoding', 'binary');
363		$this->withContentType('application/octet-stream');
364		$this->withBody($data);
365		$this->send();
366		}
367
368		/**
369		* Send a iCal response.
370		*
371		* @param string $data
372		* @param int $statusCode
373		*/
374		public function ical($data, $statusCode = 200)
375		{
376		$this->withStatusCode($statusCode);
377		$this->withContentType('text/calendar; charset=utf-8');
378		$this->withBody($data);
379		$this->send();
380		}
381		}
382

Jitamin / jitamin

Issues (3948)

Security Analysis not enabled

app/Foundation/Http/Response.php (5 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like