Issues in AbstractService.php (master) - Issues in master - Lusitanian/PHPoAuthLib - Measure and Improve Code Quality continuously with Scrutinizer

Issues (2014)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/OAuth/OAuth1/Service/AbstractService.php (1 issue)

Labels

Compatibility 1

Severity

Minor 1

Chris Heng 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace OAuth\OAuth1\Service;

use DateTime;
use OAuth\Common\Consumer\CredentialsInterface;
use OAuth\Common\Http\Client\ClientInterface;
use OAuth\Common\Http\Uri\UriInterface;
use OAuth\Common\Service\AbstractService as BaseAbstractService;
use OAuth\Common\Storage\TokenStorageInterface;
use OAuth\OAuth1\Signature\SignatureInterface;
use OAuth\OAuth1\Token\StdOAuth1Token;
use OAuth\OAuth1\Token\TokenInterface;

abstract class AbstractService extends BaseAbstractService implements ServiceInterface
{
    /** @const OAUTH_VERSION */
    const OAUTH_VERSION = 1;

    /** @var SignatureInterface */
    protected $signature;

    /** @var null|UriInterface */
    protected $baseApiUri;

    /**
     * {@inheritdoc}
     */
    public function __construct(
        CredentialsInterface $credentials,
        ClientInterface $httpClient,
        TokenStorageInterface $storage,
        SignatureInterface $signature,
        ?UriInterface $baseApiUri = null
    ) {
        parent::__construct($credentials, $httpClient, $storage);

        $this->signature = $signature;
        $this->baseApiUri = $baseApiUri;

        $this->signature->setHashingAlgorithm($this->getSignatureMethod());
    }

    /**
     * {@inheritdoc}
     */
    public function requestRequestToken()
    {
        $authorizationHeader = ['Authorization' => $this->buildAuthorizationHeaderForTokenRequest()];
        $headers = array_merge($authorizationHeader, $this->getExtraOAuthHeaders());

        $responseBody = $this->httpClient->retrieveResponse($this->getRequestTokenEndpoint(), [], $headers);

        $token = $this->parseRequestTokenResponse($responseBody);
        $this->storage->storeAccessToken($this->service(), $token);

        return $token;
    }

    /**
     * {@inheritdoc}
     */
    public function getAuthorizationUri(array $additionalParameters = [])
    {
        // Build the url
        $url = clone $this->getAuthorizationEndpoint();
        foreach ($additionalParameters as $key => $val) {
            $url->addToQuery($key, $val);
        }

        return $url;
    }

    /**
     * {@inheritdoc}
     */
    public function requestAccessToken($token, $verifier, $tokenSecret = null)
    {
        if (null === $tokenSecret) {
            $storedRequestToken = $this->storage->retrieveAccessToken($this->service());
            $tokenSecret = $storedRequestToken->getRequestTokenSecret();
        }
        $this->signature->setTokenSecret($tokenSecret);

        $bodyParams = [
            'oauth_verifier' => $verifier,
        ];

        $authorizationHeader = [
            'Authorization' => $this->buildAuthorizationHeaderForAPIRequest(
                'POST',
                $this->getAccessTokenEndpoint(),
                $this->storage->retrieveAccessToken($this->service()),

                $bodyParams
            ),
        ];

        $headers = array_merge($authorizationHeader, $this->getExtraOAuthHeaders());

        $responseBody = $this->httpClient->retrieveResponse($this->getAccessTokenEndpoint(), $bodyParams, $headers);

        $token = $this->parseAccessTokenResponse($responseBody);
        $this->storage->storeAccessToken($this->service(), $token);

        return $token;
    }

    /**
     * Refreshes an OAuth1 access token.
     *
     * @return TokenInterface $token
     */
    public function refreshAccessToken(TokenInterface $token)
    {
    }

    /**
     * Sends an authenticated API request to the path provided.
     * If the path provided is not an absolute URI, the base API Uri (must be passed into constructor) will be used.
     *
     * @param string|UriInterface $path
     * @param string              $method       HTTP method
     * @param array               $body         Request body if applicable (key/value pairs)
     * @param array               $extraHeaders Extra headers if applicable.
     *                                          These will override service-specific any defaults.
     *
     * @return string
     */
    public function request($path, $method = 'GET', $body = null, array $extraHeaders = [])
    {
        $uri = $this->determineRequestUriFromPath($path, $this->baseApiUri);

        /** @var StdOAuth1Token $token */
        $token = $this->storage->retrieveAccessToken($this->service());
        $extraHeaders = array_merge($this->getExtraApiHeaders(), $extraHeaders);
        $authorizationHeader = [
            'Authorization' => $this->buildAuthorizationHeaderForAPIRequest($method, $uri, $token, $body),
        ];
        $headers = array_merge($authorizationHeader, $extraHeaders);

        return $this->httpClient->retrieveResponse($uri, $body, $headers, $method);
    }

    /**
     * Return any additional headers always needed for this service implementation's OAuth calls.
     *
     * @return array
     */
    protected function getExtraOAuthHeaders()
    {
        return [];
    }

    /**
     * Return any additional headers always needed for this service implementation's API calls.
     *
     * @return array
     */
    protected function getExtraApiHeaders()
    {
        return [];
    }

    /**
     * Builds the authorization header for getting an access or request token.
     *
     * @return string
     */
    protected function buildAuthorizationHeaderForTokenRequest(array $extraParameters = [])
    {
        $parameters = $this->getBasicAuthorizationHeaderInfo();
        $parameters = array_merge($parameters, $extraParameters);
        $parameters['oauth_signature'] = $this->signature->getSignature(
            $this->getRequestTokenEndpoint(),
            $parameters,
            'POST'
        );

        $authorizationHeader = 'OAuth ';
        $delimiter = '';
        foreach ($parameters as $key => $value) {
            $authorizationHeader .= $delimiter . rawurlencode($key) . '="' . rawurlencode($value) . '"';

            $delimiter = ', ';
        }

        return $authorizationHeader;
    }

    /**
     * Builds the authorization header for an authenticated API request.
     *
     * @param string         $method
     * @param UriInterface   $uri        The uri the request is headed
     * @param array          $bodyParams Request body if applicable (key/value pairs)
     *
     * @return string
     */
    protected function buildAuthorizationHeaderForAPIRequest(
        $method,
        UriInterface $uri,
        TokenInterface $token,
        $bodyParams = null
    ) {
        $this->signature->setTokenSecret($token->getAccessTokenSecret());
        $authParameters = $this->getBasicAuthorizationHeaderInfo();
        if (isset($authParameters['oauth_callback'])) {
            unset($authParameters['oauth_callback']);
        }

        $authParameters = array_merge($authParameters, ['oauth_token' => $token->getAccessToken()]);

        $signatureParams = (is_array($bodyParams)) ? array_merge($authParameters, $bodyParams) : $authParameters;
        $authParameters['oauth_signature'] = $this->signature->getSignature($uri, $signatureParams, $method);

        if (is_array($bodyParams) && isset($bodyParams['oauth_session_handle'])) {
            $authParameters['oauth_session_handle'] = $bodyParams['oauth_session_handle'];
            unset($bodyParams['oauth_session_handle']);
        }

        $authorizationHeader = 'OAuth ';
        $delimiter = '';

        foreach ($authParameters as $key => $value) {
            $authorizationHeader .= $delimiter . rawurlencode($key) . '="' . rawurlencode($value) . '"';
            $delimiter = ', ';
        }

        return $authorizationHeader;
    }

    /**
     * Builds the authorization header array.
     *
     * @return array
     */
    protected function getBasicAuthorizationHeaderInfo()
    {
        $dateTime = new DateTime();
        $headerParameters = [
            'oauth_callback' => $this->credentials->getCallbackUrl(),
            'oauth_consumer_key' => $this->credentials->getConsumerId(),
            'oauth_nonce' => $this->generateNonce(),
            'oauth_signature_method' => $this->getSignatureMethod(),
            'oauth_timestamp' => $dateTime->format('U'),
            'oauth_version' => $this->getVersion(),
        ];

        return $headerParameters;
    }

    /**
     * Pseudo random string generator used to build a unique string to sign each request.
     *
     * @param int $length
     *
     * @return string
     */
    protected function generateNonce($length = 32)
    {
        $characters = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890';

        $nonce = '';
        $maxRand = strlen($characters) - 1;
        for ($i = 0; $i < $length; ++$i) {
            $nonce .= $characters[mt_rand(0, $maxRand)];
        }

        return $nonce;
    }

    /**
     * @return string
     */
    protected function getSignatureMethod()
    {
        return 'HMAC-SHA1';
    }

    /**
     * This returns the version used in the authorization header of the requests.
     *
     * @return string
     */
    protected function getVersion()
    {
        return '1.0';
    }

    /**
     * Parses the request token response and returns a TokenInterface.
     * This is only needed to verify the `oauth_callback_confirmed` parameter. The actual
     * parsing logic is contained in the access token parser.
     *
     * @abstract
     *
     * @param string $responseBody
     *
     * @return TokenInterface
     */
    abstract protected function parseRequestTokenResponse($responseBody);

    /**
     * Parses the access token response and returns a TokenInterface.
     *
     * @abstract
     *
     * @param string $responseBody
     *
     * @return TokenInterface
     */
    abstract protected function parseAccessTokenResponse($responseBody);
}


1			<?php
2
3			namespace OAuth\OAuth1\Service;
4
5			use DateTime;
6			use OAuth\Common\Consumer\CredentialsInterface;
7			use OAuth\Common\Http\Client\ClientInterface;
8			use OAuth\Common\Http\Uri\UriInterface;
9			use OAuth\Common\Service\AbstractService as BaseAbstractService;
10			use OAuth\Common\Storage\TokenStorageInterface;
11			use OAuth\OAuth1\Signature\SignatureInterface;
12			use OAuth\OAuth1\Token\StdOAuth1Token;
13			use OAuth\OAuth1\Token\TokenInterface;
14
15			abstract class AbstractService extends BaseAbstractService implements ServiceInterface
16			{
17			/** @const OAUTH_VERSION */
18			const OAUTH_VERSION = 1;
19
20			/** @var SignatureInterface */
21			protected $signature;
22
23			/** @var null\|UriInterface */
24			protected $baseApiUri;
25
26			/**
27			* {@inheritdoc}
28			*/
29			public function __construct(
30			CredentialsInterface $credentials,
31			ClientInterface $httpClient,
32			TokenStorageInterface $storage,
33			SignatureInterface $signature,
34			?UriInterface $baseApiUri = null
35			) {
36			parent::__construct($credentials, $httpClient, $storage);
37
38			$this->signature = $signature;
39			$this->baseApiUri = $baseApiUri;
40
41			$this->signature->setHashingAlgorithm($this->getSignatureMethod());
42			}
43
44			/**
45			* {@inheritdoc}
46			*/
47			public function requestRequestToken()
48			{
49			$authorizationHeader = ['Authorization' => $this->buildAuthorizationHeaderForTokenRequest()];
50			$headers = array_merge($authorizationHeader, $this->getExtraOAuthHeaders());
51
52			$responseBody = $this->httpClient->retrieveResponse($this->getRequestTokenEndpoint(), [], $headers);
53
54			$token = $this->parseRequestTokenResponse($responseBody);
55			$this->storage->storeAccessToken($this->service(), $token);
56
57			return $token;
58			}
59
60			/**
61			* {@inheritdoc}
62			*/
63			public function getAuthorizationUri(array $additionalParameters = [])
64			{
65			// Build the url
66			$url = clone $this->getAuthorizationEndpoint();
67			foreach ($additionalParameters as $key => $val) {
68			$url->addToQuery($key, $val);
69			}
70
71			return $url;
72			}
73
74			/**
75			* {@inheritdoc}
76			*/
77			public function requestAccessToken($token, $verifier, $tokenSecret = null)
78			{
79			if (null === $tokenSecret) {
80			$storedRequestToken = $this->storage->retrieveAccessToken($this->service());
81			$tokenSecret = $storedRequestToken->getRequestTokenSecret();
82			}
83			$this->signature->setTokenSecret($tokenSecret);
84
85			$bodyParams = [
86			'oauth_verifier' => $verifier,
87			];
88
89			$authorizationHeader = [
90			'Authorization' => $this->buildAuthorizationHeaderForAPIRequest(
91			'POST',
92			$this->getAccessTokenEndpoint(),
93			$this->storage->retrieveAccessToken($this->service()),
			0 ignored issues – show Compatibility introduced 2015-11-21 18:34 UTC by Report Bug Copy Issue Report Show Similar Issues like this `$this->storage->retrieve...Token($this->service())` of type `object<OAuth\Common\Token\TokenInterface>` is not a sub-type of `object<OAuth\OAuth1\Token\TokenInterface>`. It seems like you assume a child interface of the interface `OAuth\Common\Token\TokenInterface` to be always present. This check looks for parameters that are defined as one type in their type hint or doc comment but seem to be used as a narrower type, i.e an implementation of an interface or a subclass. Consider changing the type of the parameter or doing an instanceof check before assuming your parameter is of the expected type. Loading history...
94			$bodyParams
95			),
96			];
97
98			$headers = array_merge($authorizationHeader, $this->getExtraOAuthHeaders());
99
100			$responseBody = $this->httpClient->retrieveResponse($this->getAccessTokenEndpoint(), $bodyParams, $headers);
101
102			$token = $this->parseAccessTokenResponse($responseBody);
103			$this->storage->storeAccessToken($this->service(), $token);
104
105			return $token;
106			}
107
108			/**
109			* Refreshes an OAuth1 access token.
110			*
111			* @return TokenInterface $token
112			*/
113			public function refreshAccessToken(TokenInterface $token)
114			{
115			}
116
117			/**
118			* Sends an authenticated API request to the path provided.
119			* If the path provided is not an absolute URI, the base API Uri (must be passed into constructor) will be used.
120			*
121			* @param string\|UriInterface $path
122			* @param string $method HTTP method
123			* @param array $body Request body if applicable (key/value pairs)
124			* @param array $extraHeaders Extra headers if applicable.
125			* These will override service-specific any defaults.
126			*
127			* @return string
128			*/
129			public function request($path, $method = 'GET', $body = null, array $extraHeaders = [])
130			{
131			$uri = $this->determineRequestUriFromPath($path, $this->baseApiUri);
132
133			/** @var StdOAuth1Token $token */
134			$token = $this->storage->retrieveAccessToken($this->service());
135			$extraHeaders = array_merge($this->getExtraApiHeaders(), $extraHeaders);
136			$authorizationHeader = [
137			'Authorization' => $this->buildAuthorizationHeaderForAPIRequest($method, $uri, $token, $body),
138			];
139			$headers = array_merge($authorizationHeader, $extraHeaders);
140
141			return $this->httpClient->retrieveResponse($uri, $body, $headers, $method);
142			}
143
144			/**
145			* Return any additional headers always needed for this service implementation's OAuth calls.
146			*
147			* @return array
148			*/
149			protected function getExtraOAuthHeaders()
150			{
151			return [];
152			}
153
154			/**
155			* Return any additional headers always needed for this service implementation's API calls.
156			*
157			* @return array
158			*/
159			protected function getExtraApiHeaders()
160			{
161			return [];
162			}
163
164			/**
165			* Builds the authorization header for getting an access or request token.
166			*
167			* @return string
168			*/
169			protected function buildAuthorizationHeaderForTokenRequest(array $extraParameters = [])
170			{
171			$parameters = $this->getBasicAuthorizationHeaderInfo();
172			$parameters = array_merge($parameters, $extraParameters);
173			$parameters['oauth_signature'] = $this->signature->getSignature(
174			$this->getRequestTokenEndpoint(),
175			$parameters,
176			'POST'
177			);
178
179			$authorizationHeader = 'OAuth ';
180			$delimiter = '';
181			foreach ($parameters as $key => $value) {
182			$authorizationHeader .= $delimiter . rawurlencode($key) . '="' . rawurlencode($value) . '"';
183
184			$delimiter = ', ';
185			}
186
187			return $authorizationHeader;
188			}
189
190			/**
191			* Builds the authorization header for an authenticated API request.
192			*
193			* @param string $method
194			* @param UriInterface $uri The uri the request is headed
195			* @param array $bodyParams Request body if applicable (key/value pairs)
196			*
197			* @return string
198			*/
199			protected function buildAuthorizationHeaderForAPIRequest(
200			$method,
201			UriInterface $uri,
202			TokenInterface $token,
203			$bodyParams = null
204			) {
205			$this->signature->setTokenSecret($token->getAccessTokenSecret());
206			$authParameters = $this->getBasicAuthorizationHeaderInfo();
207			if (isset($authParameters['oauth_callback'])) {
208			unset($authParameters['oauth_callback']);
209			}
210
211			$authParameters = array_merge($authParameters, ['oauth_token' => $token->getAccessToken()]);
212
213			$signatureParams = (is_array($bodyParams)) ? array_merge($authParameters, $bodyParams) : $authParameters;
214			$authParameters['oauth_signature'] = $this->signature->getSignature($uri, $signatureParams, $method);
215
216			if (is_array($bodyParams) && isset($bodyParams['oauth_session_handle'])) {
217			$authParameters['oauth_session_handle'] = $bodyParams['oauth_session_handle'];
218			unset($bodyParams['oauth_session_handle']);
219			}
220
221			$authorizationHeader = 'OAuth ';
222			$delimiter = '';
223
224			foreach ($authParameters as $key => $value) {
225			$authorizationHeader .= $delimiter . rawurlencode($key) . '="' . rawurlencode($value) . '"';
226			$delimiter = ', ';
227			}
228
229			return $authorizationHeader;
230			}
231
232			/**
233			* Builds the authorization header array.
234			*
235			* @return array
236			*/
237			protected function getBasicAuthorizationHeaderInfo()
238			{
239			$dateTime = new DateTime();
240			$headerParameters = [
241			'oauth_callback' => $this->credentials->getCallbackUrl(),
242			'oauth_consumer_key' => $this->credentials->getConsumerId(),
243			'oauth_nonce' => $this->generateNonce(),
244			'oauth_signature_method' => $this->getSignatureMethod(),
245			'oauth_timestamp' => $dateTime->format('U'),
246			'oauth_version' => $this->getVersion(),
247			];
248
249			return $headerParameters;
250			}
251
252			/**
253			* Pseudo random string generator used to build a unique string to sign each request.
254			*
255			* @param int $length
256			*
257			* @return string
258			*/
259			protected function generateNonce($length = 32)
260			{
261			$characters = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890';
262
263			$nonce = '';
264			$maxRand = strlen($characters) - 1;
265			for ($i = 0; $i < $length; ++$i) {
266			$nonce .= $characters[mt_rand(0, $maxRand)];
267			}
268
269			return $nonce;
270			}
271
272			/**
273			* @return string
274			*/
275			protected function getSignatureMethod()
276			{
277			return 'HMAC-SHA1';
278			}
279
280			/**
281			* This returns the version used in the authorization header of the requests.
282			*
283			* @return string
284			*/
285			protected function getVersion()
286			{
287			return '1.0';
288			}
289
290			/**
291			* Parses the request token response and returns a TokenInterface.
292			* This is only needed to verify the `oauth_callback_confirmed` parameter. The actual
293			* parsing logic is contained in the access token parser.
294			*
295			* @abstract
296			*
297			* @param string $responseBody
298			*
299			* @return TokenInterface
300			*/
301			abstract protected function parseRequestTokenResponse($responseBody);
302
303			/**
304			* Parses the access token response and returns a TokenInterface.
305			*
306			* @abstract
307			*
308			* @param string $responseBody
309			*
310			* @return TokenInterface
311			*/
312			abstract protected function parseAccessTokenResponse($responseBody);
313			}
314

Lusitanian / PHPoAuthLib

Issues (2014)

Security Analysis not enabled

src/OAuth/OAuth1/Service/AbstractService.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like