Issues in BlizzardClient.php (master) - Issues in master - LogansUA/blizzard-api-php-client - Measure and Improve Code Quality continuously with Scrutinizer

Issues (6)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/BlizzardClient.php (1 issue)

Labels

Bug 1

Severity

Major 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace BlizzardApi;

use BlizzardApi\Tokens\Access;
use GuzzleHttp\Client;
use Symfony\Component\OptionsResolver\Exception\InvalidOptionsException;
use Symfony\Component\OptionsResolver\OptionsResolver;

/**
 * Class Blizzard Client
 *
 * @author Oleg Kachinsky <[email protected]>
 * @author Hristo Mitev <[email protected]>
 */
class BlizzardClient
{
    const API_URL_PATTERN              = 'https://region.api.battle.net';
    const API_ACCESS_TOKEN_URL_PATTERN = 'https://region.battle.net/oauth/token';

    /**
     * @var string $apiUrl Blizzard API url
     */
    private $apiUrl;

    /**
     * @var string $apiAccessTokenUrl Blizzard API Access Token url
     */
    private $apiAccessTokenUrl;

    /**
     * @var string $apiKey API key
     */
    private $apiKey;

    /**
     * @var Access[] $accessTokens Access tokens
     */
    private $accessTokens;

    /**
     * @var string $locale Locale
     */
    private $locale;

    /**
     * @var string $region Region
     */
    private $region;

    /**
     * Constructor
     *
     * @param string $apiKey    API key
     * @param string $apiSecret API Secret key
     * @param string $region    Region
     * @param string $locale    Locale
     */
    public function __construct($apiKey, $apiSecret, $region = 'us', $locale = 'en_us')
    {
        $options = [
            'apiKey'    => $apiKey,
            'apiSecret' => $apiSecret,
            'region'    => strtolower($region),
            'locale'    => strtolower($locale),
        ];

        $resolver = new OptionsResolver();
        $this->configureOptions($resolver, $options['region']);

        $options = $resolver->resolve($options);

        $this->apiKey = $options['apiKey'];
        $this->apiSecret = $options['apiSecret'];
class MyClass { }

$x = new MyClass();
$x->foo = true;
        $this->region = $options['region'];
        $this->locale = $options['locale'];

        $this->updateApiUrl($options['region']);
        $this->updateApiAccessTokenUrl($options['region']);
    }

    /**
     * Get api url
     *
     * @return string Api url
     */
    public function getApiUrl()
    {
        return $this->apiUrl;
    }

    /**
     * Get api Access Token url
     *
     * @return string Api Access Token url
     */
    public function getApiAccessTokenUrl()
    {
        return $this->apiAccessTokenUrl;
    }

    /**
     * Get api key
     *
     * @return string Api key
     */
    public function getApiKey()
    {
        return $this->apiKey;
    }

    /**
     * Set api key
     *
     * @param string $apiKey Api key
     *
     * @return $this
     */
    public function setApiKey($apiKey)
    {
        $this->apiKey = $apiKey;

        return $this;
    }

    /**
     * Get api secret
     *
     * @return string Api secret
     */
    public function getApiSecret()
    {
        return $this->apiSecret;
    }

    /**
     * Set api secret
     *
     * @param string $apiSecret Api secret
     *
     * @return $this
     */
    public function setApiSecret($apiSecret)
    {
        $this->apiSecret = $apiSecret;

        return $this;
    }

    /**
     * Get region
     *
     * @return string Region
     */
    public function getRegion()
    {
        return strtolower($this->region);
    }

    /**
     * Set region
     *
     * @param string $region region
     *
     * @return $this
     */
    public function setRegion($region)
    {
        $this->region = strtolower($region);

        $this->updateApiUrl($region);
        $this->updateApiAccessTokenUrl($region);

        return $this;
    }

    /**
     * Get locale
     *
     * @return string Locale
     */
    public function getLocale()
    {
        return strtolower($this->locale);
    }

    /**
     * Set locale
     *
     * @param string $locale locale
     *
     * @return $this
     */
    public function setLocale($locale)
    {
        $this->locale = strtolower($locale);

        return $this;
    }

    /**
     * Get access token
     *
     * @return null|string Access token
     */
    public function getAccessToken()
    {
        if (null === $this->accessTokens) {
            $this->accessTokens = [];
        }

        if (!array_key_exists($this->getRegion(), $this->accessTokens)) {
            $this->accessTokens[$this->getRegion()] = $this->requestAccessToken();
        }

        return $this->accessTokens[$this->getRegion()]->getToken();
    }

    /**
     * Set access token
     *
     * @param null|Access $accessToken Access token
     *
     * @return $this
     */
    public function setAccessToken(Access $accessToken)
    {
        $this->accessTokens[$this->getRegion()] = $accessToken;

        return $this;
    }

    /**
     * Update API url
     *
     * Update API url by replacing region in API url pattern
     *
     * @param string $region Region
     *
     * @return $this
     */
    private function updateApiUrl($region)
    {
        $this->apiUrl = str_replace('region', strtolower($region), self::API_URL_PATTERN);

        return $this;
    }

    /**
     * Update API Access Token url
     *
     * Update API Access Token url by replacing region in API url pattern
     *
     * @param string $region Region
     *
     * @return $this
     */
    private function updateApiAccessTokenUrl($region)
    {
        $this->apiAccessTokenUrl = str_replace('region', strtolower($region), self::API_ACCESS_TOKEN_URL_PATTERN);

        return $this;
    }

    /**
     * Configure options
     *
     * @param OptionsResolver $resolver Symfony options resolver
     * @param string          $region   Region
     *
     * @throws InvalidOptionsException
     */
    private function configureOptions(OptionsResolver $resolver, $region)
    {
        if (isset(GeoData::$list[$region])) {
            $locales = GeoData::$list[$region];
        } else {
            throw new InvalidOptionsException(
                sprintf(
                    'The option "region" with value "%s" is invalid. Accepted values are: "%s".',
                    $region,
                    implode('", "', array_keys(GeoData::$list))
                )
            );
        }

        $resolver->setRequired(['apiKey', 'apiSecret', 'region', 'locale'])
                 ->setAllowedTypes('apiKey', 'string')
                 ->setAllowedTypes('apiSecret', 'string')
                 ->setAllowedTypes('region', 'string')
                 ->setAllowedValues('region', array_keys(GeoData::$list))
                 ->setAllowedTypes('locale', 'string')
                 ->setAllowedValues('locale', $locales);
    }

    /**
     * Request an Access Token from Blizzard
     *
     * @return Access
     *
     * @throws \HttpResponseException
     */
    protected function requestAccessToken()
    {
        $options = [
            'form_params' => [
                'grant_type'    => 'client_credentials',
                'client_id'     => $this->getApiKey(),
                'client_secret' => $this->getApiSecret(),
            ],
        ];

        $result = (new Client())->post($this->getApiAccessTokenUrl(), $options);

        if (200 === $result->getStatusCode()) {
            return Access::fromJson(json_decode($result->getBody()->getContents()));
        } else {
            throw new \HttpResponseException('Invalid Response');
        }
    }
}


GitHub Access Token became invalid

Issues (6)

Security Analysis no request data

src/BlizzardClient.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

1			<?php
2
3			namespace BlizzardApi;
4
5			use BlizzardApi\Tokens\Access;
6			use GuzzleHttp\Client;
7			use Symfony\Component\OptionsResolver\Exception\InvalidOptionsException;
8			use Symfony\Component\OptionsResolver\OptionsResolver;
9
10			/**
11			* Class Blizzard Client
12			*
13			* @author Oleg Kachinsky <[email protected]>
14			* @author Hristo Mitev <[email protected]>
15			*/
16			class BlizzardClient
17			{
18			const API_URL_PATTERN = 'https://region.api.battle.net';
19			const API_ACCESS_TOKEN_URL_PATTERN = 'https://region.battle.net/oauth/token';
20
21			/**
22			* @var string $apiUrl Blizzard API url
23			*/
24			private $apiUrl;
25
26			/**
27			* @var string $apiAccessTokenUrl Blizzard API Access Token url
28			*/
29			private $apiAccessTokenUrl;
30
31			/**
32			* @var string $apiKey API key
33			*/
34			private $apiKey;
35
36			/**
37			* @var Access[] $accessTokens Access tokens
38			*/
39			private $accessTokens;
40
41			/**
42			* @var string $locale Locale
43			*/
44			private $locale;
45
46			/**
47			* @var string $region Region
48			*/
49			private $region;
50
51			/**
52			* Constructor
53			*
54			* @param string $apiKey API key
55			* @param string $apiSecret API Secret key
56			* @param string $region Region
57			* @param string $locale Locale
58			*/
59			public function __construct($apiKey, $apiSecret, $region = 'us', $locale = 'en_us')
60			{
61			$options = [
62			'apiKey' => $apiKey,
63			'apiSecret' => $apiSecret,
64			'region' => strtolower($region),
65			'locale' => strtolower($locale),
66			];
67
68			$resolver = new OptionsResolver();
69			$this->configureOptions($resolver, $options['region']);
70
71			$options = $resolver->resolve($options);
72
73			$this->apiKey = $options['apiKey'];
74			$this->apiSecret = $options['apiSecret'];
			0 ignored issues – show Bug introduced 2016-12-27 12:01 UTC by Report Bug Copy Issue Report Show Similar Issues like this The property `apiSecret` does not exist. Did you maybe forget to declare it? In PHP it is possible to write to properties without declaring them. For example, the following is perfectly valid PHP code: class MyClass { } $x = new MyClass(); $x->foo = true; Generally, it is a good practice to explictly declare properties to avoid accidental typos and provide IDE auto-completion: class MyClass { public $foo; } $x = new MyClass(); $x->foo = true; Loading history...
75			$this->region = $options['region'];
76			$this->locale = $options['locale'];
77
78			$this->updateApiUrl($options['region']);
79			$this->updateApiAccessTokenUrl($options['region']);
80			}
81
82			/**
83			* Get api url
84			*
85			* @return string Api url
86			*/
87			public function getApiUrl()
88			{
89			return $this->apiUrl;
90			}
91
92			/**
93			* Get api Access Token url
94			*
95			* @return string Api Access Token url
96			*/
97			public function getApiAccessTokenUrl()
98			{
99			return $this->apiAccessTokenUrl;
100			}
101
102			/**
103			* Get api key
104			*
105			* @return string Api key
106			*/
107			public function getApiKey()
108			{
109			return $this->apiKey;
110			}
111
112			/**
113			* Set api key
114			*
115			* @param string $apiKey Api key
116			*
117			* @return $this
118			*/
119			public function setApiKey($apiKey)
120			{
121			$this->apiKey = $apiKey;
122
123			return $this;
124			}
125
126			/**
127			* Get api secret
128			*
129			* @return string Api secret
130			*/
131			public function getApiSecret()
132			{
133			return $this->apiSecret;
134			}
135
136			/**
137			* Set api secret
138			*
139			* @param string $apiSecret Api secret
140			*
141			* @return $this
142			*/
143			public function setApiSecret($apiSecret)
144			{
145			$this->apiSecret = $apiSecret;
146
147			return $this;
148			}
149
150			/**
151			* Get region
152			*
153			* @return string Region
154			*/
155			public function getRegion()
156			{
157			return strtolower($this->region);
158			}
159
160			/**
161			* Set region
162			*
163			* @param string $region region
164			*
165			* @return $this
166			*/
167			public function setRegion($region)
168			{
169			$this->region = strtolower($region);
170
171			$this->updateApiUrl($region);
172			$this->updateApiAccessTokenUrl($region);
173
174			return $this;
175			}
176
177			/**
178			* Get locale
179			*
180			* @return string Locale
181			*/
182			public function getLocale()
183			{
184			return strtolower($this->locale);
185			}
186
187			/**
188			* Set locale
189			*
190			* @param string $locale locale
191			*
192			* @return $this
193			*/
194			public function setLocale($locale)
195			{
196			$this->locale = strtolower($locale);
197
198			return $this;
199			}
200
201			/**
202			* Get access token
203			*
204			* @return null\|string Access token
205			*/
206			public function getAccessToken()
207			{
208			if (null === $this->accessTokens) {
209			$this->accessTokens = [];
210			}
211
212			if (!array_key_exists($this->getRegion(), $this->accessTokens)) {
213			$this->accessTokens[$this->getRegion()] = $this->requestAccessToken();
214			}
215
216			return $this->accessTokens[$this->getRegion()]->getToken();
217			}
218
219			/**
220			* Set access token
221			*
222			* @param null\|Access $accessToken Access token
223			*
224			* @return $this
225			*/
226			public function setAccessToken(Access $accessToken)
227			{
228			$this->accessTokens[$this->getRegion()] = $accessToken;
229
230			return $this;
231			}
232
233			/**
234			* Update API url
235			*
236			* Update API url by replacing region in API url pattern
237			*
238			* @param string $region Region
239			*
240			* @return $this
241			*/
242			private function updateApiUrl($region)
243			{
244			$this->apiUrl = str_replace('region', strtolower($region), self::API_URL_PATTERN);
245
246			return $this;
247			}
248
249			/**
250			* Update API Access Token url
251			*
252			* Update API Access Token url by replacing region in API url pattern
253			*
254			* @param string $region Region
255			*
256			* @return $this
257			*/
258			private function updateApiAccessTokenUrl($region)
259			{
260			$this->apiAccessTokenUrl = str_replace('region', strtolower($region), self::API_ACCESS_TOKEN_URL_PATTERN);
261
262			return $this;
263			}
264
265			/**
266			* Configure options
267			*
268			* @param OptionsResolver $resolver Symfony options resolver
269			* @param string $region Region
270			*
271			* @throws InvalidOptionsException
272			*/
273			private function configureOptions(OptionsResolver $resolver, $region)
274			{
275			if (isset(GeoData::$list[$region])) {
276			$locales = GeoData::$list[$region];
277			} else {
278			throw new InvalidOptionsException(
279			sprintf(
280			'The option "region" with value "%s" is invalid. Accepted values are: "%s".',
281			$region,
282			implode('", "', array_keys(GeoData::$list))
283			)
284			);
285			}
286
287			$resolver->setRequired(['apiKey', 'apiSecret', 'region', 'locale'])
288			->setAllowedTypes('apiKey', 'string')
289			->setAllowedTypes('apiSecret', 'string')
290			->setAllowedTypes('region', 'string')
291			->setAllowedValues('region', array_keys(GeoData::$list))
292			->setAllowedTypes('locale', 'string')
293			->setAllowedValues('locale', $locales);
294			}
295
296			/**
297			* Request an Access Token from Blizzard
298			*
299			* @return Access
300			*
301			* @throws \HttpResponseException
302			*/
303			protected function requestAccessToken()
304			{
305			$options = [
306			'form_params' => [
307			'grant_type' => 'client_credentials',
308			'client_id' => $this->getApiKey(),
309			'client_secret' => $this->getApiSecret(),
310			],
311			];
312
313			$result = (new Client())->post($this->getApiAccessTokenUrl(), $options);
314
315			if (200 === $result->getStatusCode()) {
316			return Access::fromJson(json_decode($result->getBody()->getContents()));
317			} else {
318			throw new \HttpResponseException('Invalid Response');
319			}
320			}
321			}
322

LogansUA / blizzard-api-php-client

GitHub Access Token became invalid

Issues (6)

Security Analysis no request data

src/BlizzardClient.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like