Issues in AbstractClient.php (master) - Issues in master - MichaelJ2324/sugarcrm-restv10-sdk - Measure and Improve Code Quality continuously with Scrutinizer

Issues (5)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Client/Abstracts/AbstractClient.php (3 issues)

Labels

Duplication 3

Severity

Informational 3

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * ©[2016] SugarCRM Inc.  Licensed by SugarCRM under the Apache 2.0 license.
 */

namespace SugarAPI\SDK\Client\Abstracts;

use SugarAPI\SDK\Client\Interfaces\ClientInterface;
use SugarAPI\SDK\Exception\EntryPoint\EntryPointException;
use SugarAPI\SDK\Helpers\Helpers;
use SugarAPI\SDK\EntryPoint\POST\OAuth2Logout;
use SugarAPI\SDK\Exception\Authentication\AuthenticationException;

/**
 * The Abstract Client implementation for Sugar
 * @package SugarAPI\SDK\Client\Abstracts\AbstractClient
 * @method EPInterface ping()
 * @method EPInterface getRecord(string $module = '')
 * @method EPInterface getAttachment(string $module = '',string $record_id = '')
 * @method EPInterface getChangeLog(string $module = '',string $record_id = '')
 * @method EPInterface filterRelated(string $module = '')
 * @method EPInterface getRelated(string $module = '',string $record_id = '',string $relationship = '',string $related_id = '')
 * @method EPInterface me()
 * @method EPInterface search()
 * @method EPInterface oauth2Token()
 * @method EPInterface oauth2Refresh()
 * @method EPInterface createRecord()
 * @method EPInterface filterRecords()
 * @method EPInterface attachFile()
 * @method EPInterface oauth2Logout()
 * @method EPInterface createRelated()
 * @method EPInterface linkRecords()
 * @method EPInterface bulk()
 * @method EPInterface updateRecord()
 * @method EPInterface favorite()
 * @method EPInterface deleteRecord()
 * @method EPInterface unfavorite()
 * @method EPInterface deleteFile()
 * @method EPInterface unlinkRecords()
 */
abstract class AbstractClient implements ClientInterface {

    /**
     * Array of Statically Bound Tokens for SDK Clients
     * - Allows for reinstating objects in multiple areas, without needing to Sign-in
     * - Allows for multiple client_id's to be used between SDK Clients
     *
     * @var array = array(
     *      $client_id => $token
     * )
     */
    protected static $_STORED_TOKENS = array();


    /**
     * The configured server domain name/url on the SDK Client
     * @var string
     */
    protected $server = '';

    /**
     * The API Url configured on the SDK Client
     * @var string
     */
    protected $apiURL = '';

    /**
     * The full token object returned by the Login method
     * @var \stdClass
     */
    protected $token;

    /**
     * Array of OAuth Creds to be used by SDK Client
     * @var array
     */
    protected $credentials = array();

    /**
     * Token expiration time
     * @var
     */
    protected $expiration;

    /**
     * The list of registered EntryPoints
     * @var array
     */
    protected $entryPoints = array();

    public function __construct($server = '',array $credentials = array()){
        $server = (empty($server)?$this->server:$server);
        $this->setServer($server);
        $credentials = (empty($credentials)?$this->credentials:$credentials);
        $this->setCredentials($credentials);
        $this->registerSDKEntryPoints();
    }

    /**
     * @inheritdoc
     * @param string $server
     */
    public function setServer($server) {
        $this->server = $server;
        $this->apiURL = Helpers::configureAPIURL($this->server);
        return $this;
    }

    /**
     * @inheritdoc
     */
    public function getAPIUrl() {
        return $this->apiURL;
    }

    /**
     * @inheritdoc
     * Retrieves stored token based on passed in Credentials
     */
    public function setCredentials(array $credentials){
        $this->credentials = $credentials;
        if (isset($this->credentials['client_id'])) {
            $token = static::getStoredToken($this->credentials['client_id']);
            if (!empty($token)) {
                $this->setToken($token);
            }
        }
        return $this;
    }

    /**
     * @inheritdoc
     */
    public function setToken(\stdClass $token){
        $this->token = $token;
        $this->expiration = time()+$token->expires_in;
        return $this;
    }

    /**
     * @inheritdoc
     */
    public function getToken(){
        return $this->token;
    }

    /**
     * @inheritdoc
     */
    public function getCredentials(){
        return $this->credentials;
    }

    /**
     * @inheritdoc
     */
    public function getServer() {
        return $this->server;
    }

    /**
     * @inheritdoc
     */
    public function authenticated(){
        return time() < $this->expiration;
    }

    /**
     * Register the defined EntryPoints in SDK, located in src/EntryPoint/registry.php file
     * @throws EntryPointException
     */
    protected function registerSDKEntryPoints(){
        $entryPoints = Helpers::getSDKEntryPointRegistry();
        foreach ($entryPoints as $funcName => $className){
            $this->registerEntryPoint($funcName, $className);
        }
    }

    /**
     * @param $funcName
     * @param $className
     * @return self
     * @throws EntryPointException
     */
    public function registerEntryPoint($funcName, $className){
        $implements = class_implements($className);
        if (is_array($implements) && in_array('SugarAPI\SDK\EntryPoint\Interfaces\EPInterface',$implements)){
            $this->entryPoints[$funcName] = $className;
        }else{
            throw new EntryPointException($className,'Class must extend SugarAPI\SDK\EntryPoint\Interfaces\EPInterface');
        }
        return $this;
    }

    /**
     * Generates the EntryPoint objects based on a Method name that was called
     * @param $name
     * @param $params
     * @return mixed
     * @throws EntryPointException
     */
    public function __call($name, $params){
        if (array_key_exists($name, $this->entryPoints)){
            $Class = $this->entryPoints[$name];
            $EntryPoint = new $Class($this->apiURL, $params);

            if ($EntryPoint->authRequired() && $this->authenticated()){
                $EntryPoint->setAuth($this->token->access_token);
            }
            return $EntryPoint;
        }else{
            throw new EntryPointException($name,'Unregistered EntryPoint');
        }
    }

    /**
     * @inheritdoc
     * @throws AuthenticationException - When Login request fails
     */
    public function login() {
        if (!empty($this->credentials)) {
            $response = $this->oauth2Token()->execute($this->credentials)->getResponse();
            if ($response->getStatus() == '200') {

                $this->setToken($response->getBody(FALSE));
                static::storeToken($this->token, $this->credentials['client_id']);
                return TRUE;
            } else {
                $error = $response->getBody();
                throw new AuthenticationException("Login Response [" . $error['error'] . "] " . $error['error_message']);
            }
        }
        return FALSE;
    }

    /**
     * @inheritdoc
     * @throws AuthenticationException - When Refresh Request fails
     */
    public function refreshToken(){
        if (isset($this->credentials['client_id'])&&
            isset($this->credentials['client_secret'])&&
            isset($this->token)) {
            $refreshOptions = array(
                'client_id' => $this->credentials['client_id'],
                'client_secret' => $this->credentials['client_secret'],
                'refresh_token' => $this->token->refresh_token
            );
            $response = $this->oauth2Refresh()->execute($refreshOptions)->getResponse();
            if ($response->getStatus() == '200') {

                $this->setToken($response->getBody(FALSE));
                static::storeToken($this->token, $this->credentials['client_id']);
                return TRUE;
            } else {
                $error = $response->getBody();
                throw new AuthenticationException("Refresh Response [" . $error['error'] . "] " . $error['error_message']);
            }
        }
        return FALSE;
    }

    /**
     * @inheritdoc
     * @throws AuthenticationException - When logout request fails
     */
    public function logout(){
        if ($this->authenticated()){
            $response = $this->oauth2Logout()->execute()->getResponse();
            if ($response->getStatus()=='200'){

                unset($this->token);
                static::removeStoredToken($this->credentials['client_id']);
                return TRUE;
            }else{
                $error = $response->getBody();
                throw new AuthenticationException("Logout Response [".$error['error']."] ".$error['message']);
            }
        }
        return FALSE;
    }

    /**
     * @inheritdoc
     * @param \stdClass $token
     */
    public static function storeToken($token, $client_id) {
        static::$_STORED_TOKENS[$client_id] = $token;
        return TRUE;
    }

    /**
     * @inheritdoc
     */
    public static function getStoredToken($client_id) {
        return (isset(static::$_STORED_TOKENS[$client_id])?static::$_STORED_TOKENS[$client_id]:NULL);
    }

    /**
     * @inheritdoc
     */
    public static function removeStoredToken($client_id) {
        unset(static::$_STORED_TOKENS[$client_id]);
        return TRUE;
    }

}

1			<?php
2			/**
3			* ©[2016] SugarCRM Inc. Licensed by SugarCRM under the Apache 2.0 license.
4			*/
5
6			namespace SugarAPI\SDK\Client\Abstracts;
7
8			use SugarAPI\SDK\Client\Interfaces\ClientInterface;
9			use SugarAPI\SDK\Exception\EntryPoint\EntryPointException;
10			use SugarAPI\SDK\Helpers\Helpers;
11			use SugarAPI\SDK\EntryPoint\POST\OAuth2Logout;
12			use SugarAPI\SDK\Exception\Authentication\AuthenticationException;
13
14			/**
15			* The Abstract Client implementation for Sugar
16			* @package SugarAPI\SDK\Client\Abstracts\AbstractClient
17			* @method EPInterface ping()
18			* @method EPInterface getRecord(string $module = '')
19			* @method EPInterface getAttachment(string $module = '',string $record_id = '')
20			* @method EPInterface getChangeLog(string $module = '',string $record_id = '')
21			* @method EPInterface filterRelated(string $module = '')
22			* @method EPInterface getRelated(string $module = '',string $record_id = '',string $relationship = '',string $related_id = '')
23			* @method EPInterface me()
24			* @method EPInterface search()
25			* @method EPInterface oauth2Token()
26			* @method EPInterface oauth2Refresh()
27			* @method EPInterface createRecord()
28			* @method EPInterface filterRecords()
29			* @method EPInterface attachFile()
30			* @method EPInterface oauth2Logout()
31			* @method EPInterface createRelated()
32			* @method EPInterface linkRecords()
33			* @method EPInterface bulk()
34			* @method EPInterface updateRecord()
35			* @method EPInterface favorite()
36			* @method EPInterface deleteRecord()
37			* @method EPInterface unfavorite()
38			* @method EPInterface deleteFile()
39			* @method EPInterface unlinkRecords()
40			*/
41			abstract class AbstractClient implements ClientInterface {
42
43			/**
44			* Array of Statically Bound Tokens for SDK Clients
45			* - Allows for reinstating objects in multiple areas, without needing to Sign-in
46			* - Allows for multiple client_id's to be used between SDK Clients
47			*
48			* @var array = array(
49			* $client_id => $token
50			* )
51			*/
52			protected static $_STORED_TOKENS = array();
53
54
55			/**
56			* The configured server domain name/url on the SDK Client
57			* @var string
58			*/
59			protected $server = '';
60
61			/**
62			* The API Url configured on the SDK Client
63			* @var string
64			*/
65			protected $apiURL = '';
66
67			/**
68			* The full token object returned by the Login method
69			* @var \stdClass
70			*/
71			protected $token;
72
73			/**
74			* Array of OAuth Creds to be used by SDK Client
75			* @var array
76			*/
77			protected $credentials = array();
78
79			/**
80			* Token expiration time
81			* @var
82			*/
83			protected $expiration;
84
85			/**
86			* The list of registered EntryPoints
87			* @var array
88			*/
89			protected $entryPoints = array();
90
91	1		public function __construct($server = '',array $credentials = array()){
92	1		$server = (empty($server)?$this->server:$server);
93	1		$this->setServer($server);
94	1		$credentials = (empty($credentials)?$this->credentials:$credentials);
95	1		$this->setCredentials($credentials);
96	1		$this->registerSDKEntryPoints();
97	1		}
98
99			/**
100			* @inheritdoc
101			* @param string $server
102			*/
103	1		public function setServer($server) {
104	1		$this->server = $server;
105	1		$this->apiURL = Helpers::configureAPIURL($this->server);
106	1		return $this;
107			}
108
109			/**
110			* @inheritdoc
111			*/
112	1		public function getAPIUrl() {
113	1		return $this->apiURL;
114			}
115
116			/**
117			* @inheritdoc
118			* Retrieves stored token based on passed in Credentials
119			*/
120	2		public function setCredentials(array $credentials){
121	2		$this->credentials = $credentials;
122	2		if (isset($this->credentials['client_id'])) {
123	2		$token = static::getStoredToken($this->credentials['client_id']);
124	2		if (!empty($token)) {
125	1		$this->setToken($token);
126	1		}
127	2		}
128	2		return $this;
129			}
130
131			/**
132			* @inheritdoc
133			*/
134	1		public function setToken(\stdClass $token){
135	1		$this->token = $token;
136	1		$this->expiration = time()+$token->expires_in;
137	1		return $this;
138			}
139
140			/**
141			* @inheritdoc
142			*/
143	2		public function getToken(){
144	2		return $this->token;
145			}
146
147			/**
148			* @inheritdoc
149			*/
150	1		public function getCredentials(){
151	1		return $this->credentials;
152			}
153
154			/**
155			* @inheritdoc
156			*/
157	1		public function getServer() {
158	1		return $this->server;
159			}
160
161			/**
162			* @inheritdoc
163			*/
164	1		public function authenticated(){
165	1		return time() < $this->expiration;
166			}
167
168			/**
169			* Register the defined EntryPoints in SDK, located in src/EntryPoint/registry.php file
170			* @throws EntryPointException
171			*/
172	1		protected function registerSDKEntryPoints(){
173	1		$entryPoints = Helpers::getSDKEntryPointRegistry();
174	1		foreach ($entryPoints as $funcName => $className){
175	1		$this->registerEntryPoint($funcName, $className);
176	1		}
177	1		}
178
179			/**
180			* @param $funcName
181			* @param $className
182			* @return self
183			* @throws EntryPointException
184			*/
185	2		public function registerEntryPoint($funcName, $className){
186	2		$implements = class_implements($className);
187	2		if (is_array($implements) && in_array('SugarAPI\SDK\EntryPoint\Interfaces\EPInterface',$implements)){
188	1		$this->entryPoints[$funcName] = $className;
189	1		}else{
190	1		throw new EntryPointException($className,'Class must extend SugarAPI\SDK\EntryPoint\Interfaces\EPInterface');
191			}
192	1		return $this;
193			}
194
195			/**
196			* Generates the EntryPoint objects based on a Method name that was called
197			* @param $name
198			* @param $params
199			* @return mixed
200			* @throws EntryPointException
201			*/
202	2		public function __call($name, $params){
203	2		if (array_key_exists($name, $this->entryPoints)){
204	1		$Class = $this->entryPoints[$name];
205	1		$EntryPoint = new $Class($this->apiURL, $params);
206
207	1		if ($EntryPoint->authRequired() && $this->authenticated()){
208	1		$EntryPoint->setAuth($this->token->access_token);
209	1		}
210	1		return $EntryPoint;
211			}else{
212	1		throw new EntryPointException($name,'Unregistered EntryPoint');
213			}
214			}
215
216			/**
217			* @inheritdoc
218			* @throws AuthenticationException - When Login request fails
219			*/
220	1		public function login() {
221	1		if (!empty($this->credentials)) {
222	1		$response = $this->oauth2Token()->execute($this->credentials)->getResponse();
223	1	View Code Duplication	if ($response->getStatus() == '200') {
			0 ignored issues – show Duplication introduced 2016-04-29 17:32 UTC by Report Bug Copy Issue Report Show Similar Issues like this This code seems to be duplicated across your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
224			$this->setToken($response->getBody(FALSE));
225			static::storeToken($this->token, $this->credentials['client_id']);
226			return TRUE;
227			} else {
228	1		$error = $response->getBody();
229	1		throw new AuthenticationException("Login Response [" . $error['error'] . "] " . $error['error_message']);
230			}
231			}
232	1		return FALSE;
233			}
234
235			/**
236			* @inheritdoc
237			* @throws AuthenticationException - When Refresh Request fails
238			*/
239	1		public function refreshToken(){
240	1		if (isset($this->credentials['client_id'])&&
241	1		isset($this->credentials['client_secret'])&&
242	1		isset($this->token)) {
243			$refreshOptions = array(
244	1		'client_id' => $this->credentials['client_id'],
245	1		'client_secret' => $this->credentials['client_secret'],
246	1		'refresh_token' => $this->token->refresh_token
247	1		);
248	1		$response = $this->oauth2Refresh()->execute($refreshOptions)->getResponse();
249	1	View Code Duplication	if ($response->getStatus() == '200') {
			0 ignored issues – show Duplication introduced 2016-04-29 17:32 UTC by Report Bug Copy Issue Report Show Similar Issues like this This code seems to be duplicated across your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
250			$this->setToken($response->getBody(FALSE));
251			static::storeToken($this->token, $this->credentials['client_id']);
252			return TRUE;
253			} else {
254	1		$error = $response->getBody();
255	1		throw new AuthenticationException("Refresh Response [" . $error['error'] . "] " . $error['error_message']);
256			}
257			}
258	1		return FALSE;
259			}
260
261			/**
262			* @inheritdoc
263			* @throws AuthenticationException - When logout request fails
264			*/
265	1		public function logout(){
266	1		if ($this->authenticated()){
267	1		$response = $this->oauth2Logout()->execute()->getResponse();
268	1	View Code Duplication	if ($response->getStatus()=='200'){
			0 ignored issues – show Duplication introduced 2016-04-29 17:32 UTC by Report Bug Copy Issue Report Show Similar Issues like this This code seems to be duplicated across your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
269			unset($this->token);
270			static::removeStoredToken($this->credentials['client_id']);
271			return TRUE;
272			}else{
273	1		$error = $response->getBody();
274	1		throw new AuthenticationException("Logout Response [".$error['error']."] ".$error['message']);
275			}
276			}
277	1		return FALSE;
278			}
279
280			/**
281			* @inheritdoc
282			* @param \stdClass $token
283			*/
284	1		public static function storeToken($token, $client_id) {
285	1		static::$_STORED_TOKENS[$client_id] = $token;
286	1		return TRUE;
287			}
288
289			/**
290			* @inheritdoc
291			*/
292	1		public static function getStoredToken($client_id) {
293	1		return (isset(static::$_STORED_TOKENS[$client_id])?static::$_STORED_TOKENS[$client_id]:NULL);
294			}
295
296			/**
297			* @inheritdoc
298			*/
299	1		public static function removeStoredToken($client_id) {
300	1		unset(static::$_STORED_TOKENS[$client_id]);
301	1		return TRUE;
302			}
303
304			}

MichaelJ2324 / sugarcrm-restv10-sdk

Issues (5)

Security Analysis no request data

src/Client/Abstracts/AbstractClient.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like