Issues in WebSocketServer.php (master) - Issues in master - Nekland/Woketo - Measure and Improve Code Quality continuously with Scrutinizer

Issues (11)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Server/WebSocketServer.php (1 issue)

Labels

Unused Code 1

Severity

Minor 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

/**
 * This file is a part of Woketo package.
 *
 * (c) Nekland <[email protected]>
 *
 * For the full license, take a look to the LICENSE file
 * on the root directory of this project
 */

namespace Nekland\Woketo\Server;

use Nekland\Woketo\Exception\ConfigException;
use Nekland\Woketo\Exception\RuntimeException;
use Nekland\Woketo\Message\MessageHandlerInterface;
use Nekland\Woketo\Rfc6455\FrameFactory;
use Nekland\Woketo\Rfc6455\Handshake\ServerHandshake;
use Nekland\Woketo\Rfc6455\MessageFactory;
use Nekland\Woketo\Rfc6455\FrameHandler\CloseFrameHandler;
use Nekland\Woketo\Rfc6455\FrameHandler\RsvCheckFrameHandler;
use Nekland\Woketo\Rfc6455\FrameHandler\WrongOpcodeFrameHandler;
use Nekland\Woketo\Rfc6455\FrameHandler\PingFrameHandler;
use Nekland\Woketo\Rfc6455\MessageProcessor;
use Nekland\Woketo\Utils\SimpleLogger;
use Psr\Log\LoggerInterface;
use Psr\Log\LogLevel;
use React\EventLoop\LoopInterface;
use React\Socket\ConnectionInterface;
use React\Socket\ServerInterface;

class WebSocketServer
{
    /**
     * @var int
     */
    private $port;

    /**
     * @var string
     */
    private $host;

    /**
     * @var ServerHandshake
     */
    private $handshake;

    /**
     * @var MessageHandlerInterface[]
     */
    private $messageHandlers;

    /**
     * @var Connection[]
     */
    private $connections;

    /**
     * @var LoopInterface
     */
    private $loop;

    /**
     * @var ServerInterface
     */
    private $server;

    /**
     * @var MessageProcessor
     */
    private $messageProcessor;

    /**
     * @var array
     */
    private $config;

    /**
     * @var LoggerInterface
     */
    private $logger;

    /**
     * @param int    $port   The number of the port to bind
     * @param string $host   The host to listen on (by default 127.0.0.1)
     * @param array  $config
     */
    public function __construct($port, $host = '127.0.0.1', $config = [])
    {
        $this->setConfig($config);
        $this->host = $host;
        $this->port = $port;
        $this->handshake = new ServerHandshake();
        $this->connections = [];
        $this->buildMessageProcessor();

        // Some optimization
        \gc_enable();       // As the process never stops, the garbage collector will be usefull, you may need to call it manually sometimes for performance purpose
        \set_time_limit(0); // It's by default on most server for cli apps but better be sure of that fact
    }

    /**
     * @param MessageHandlerInterface|string $messageHandler An instance of a class as string
     * @param string                         $uri            The URI you want to bind on
     */
    public function setMessageHandler($messageHandler, $uri = '*')
    {
        if (!$messageHandler instanceof MessageHandlerInterface &&  !\is_string($messageHandler)) {
            throw new \InvalidArgumentException('The message handler must be an instance of MessageHandlerInterface or a string.');
        }
        if (\is_string($messageHandler)) {
            try {
                $reflection = new \ReflectionClass($messageHandler);
                if(!$reflection->implementsInterface('Nekland\Woketo\Message\MessageHandlerInterface')) {
                    throw new \InvalidArgumentException('The messageHandler must implement MessageHandlerInterface');
                }
            } catch (\ReflectionException $e) {
                throw new \InvalidArgumentException('The messageHandler must be a string representing a class.');
            }
        }
        $this->messageHandlers[$uri] = $messageHandler;
    }

    /**
     * Launch the WebSocket server and an infinite loop that act on event.
     *
     * @throws \Exception
     */
    public function start()
    {
        if ($this->config['prod'] && \extension_loaded('xdebug')) {
            throw new \Exception('xdebug is enabled, it\'s a performance issue. Disable that extension or specify "prod" option to false.');
        }

        $this->loop = $this->loop ?? \React\EventLoop\Factory::create();
        $this->server = $this->server ?? new \React\Socket\TcpServer($this->host . ':' . $this->port, $this->loop);

        if ($this->config['ssl']) {
            $this->server = new \React\Socket\SecureServer($this->server, $this->loop, array_merge([
                'local_cert' => $this->config['certFile'],
                'passphrase' => $this->config['passphrase'],
            ], $this->config['sslContextOptions']));
            $this->getLogger()->info('Enabled ssl');
        }

        $this->server->on('connection', function (ConnectionInterface $socketStream) {
            $this->onNewConnection($socketStream);
        });

        $this->getLogger()->info('Listening on ' . $this->host . ':' . $this->port);

        $this->loop->run();
    }

    /**
     * @param ConnectionInterface $socketStream
     */
    private function onNewConnection(ConnectionInterface $socketStream)
    {
        $connection = new Connection($socketStream, function ($uri, Connection $connection) {
            return $this->getMessageHandler($uri, $connection);
        }, $this->loop, $this->messageProcessor);

        $socketStream->on('end', function () use($connection) {
            $this->onDisconnect($connection);
        });

        $connection->setLogger($this->getLogger());
        $connection->getLogger()->info(sprintf('Ip "%s" establish connection', $connection->getIp()));
        $this->connections[] = $connection;
    }

    /**
     *
     * @param Connection $connection
     */
    private function onDisconnect(Connection $connection)
    {
        $this->removeConnection($connection);
        $connection->getLogger()->info(sprintf('Ip "%s" left connection', $connection->getIp()));
    }

    /**
     * Remove a Connection instance by his object id
     * @param Connection        $connection
     * @throws RuntimeException This method throw an exception if the $connection instance object isn't findable in websocket server's connections
     */
    private function removeConnection(Connection $connection)
    {
        $connectionId = spl_object_hash($connection);
        foreach ($this->connections as $index => $connectionItem) {
            if ($connectionId === spl_object_hash($connectionItem)) {
                unset($this->connections[$index]);
                return;
            }
        }

        $this->logger->critical('No connection found in the server connection list, impossible to delete the given connection id. Something wrong happened');
        throw new RuntimeException('No connection found in the server connection list, impossible to delete the given connection id. Something wrong happened');
    }

    /**
     * @param string $uri
     * @param Connection $connection
     * @return MessageHandlerInterface|null
     */
    private function getMessageHandler(string $uri, Connection $connection)

    {
        $handler = null;

        if (!empty($this->messageHandlers[$uri])) {
            $handler = $this->messageHandlers[$uri];
        }

        if (null === $handler && !empty($this->messageHandlers['*'])) {
            $handler = $this->messageHandlers['*'];
        }

        if (null !== $handler) {
            if (\is_string($handler)) {
                $handler = new $handler;
            }

            return $handler;
        }

        $this->logger->warning('Connection on ' . $uri . ' but no handler found.');
        return null;
    }

    /**
     * Build the message processor with configuration
     */
    private function buildMessageProcessor()
    {
        $this->messageProcessor = new MessageProcessor(
            false,
            new FrameFactory($this->config['frame']),
            new MessageFactory($this->config['message'])
        );
        $this->messageProcessor->addHandler(new PingFrameHandler());
        $this->messageProcessor->addHandler(new CloseFrameHandler());
        $this->messageProcessor->addHandler(new WrongOpcodeFrameHandler());
        $this->messageProcessor->addHandler(new RsvCheckFrameHandler());

        foreach ($this->config['messageHandlers'] as $handler) {
            if (!$handler instanceof MessageHandlerInterface) {
                throw new RuntimeException(sprintf('%s is not an instance of MessageHandlerInterface but must be !', get_class($handler)));
            }
        }
    }

    /**
     * Sets the configuration
     *
     * @param array $config
     * @throws ConfigException
     */
    private function setConfig(array $config)
    {
        $this->config = \array_merge([
            'frame' => [],
            'message' => [],
            'messageHandlers' => [],
            'prod' => true,
            'ssl' => false,
            'certFile' => '',
            'passphrase' => '',
            'sslContextOptions' => [],
        ], $config);

        if ($this->config['ssl'] && !is_file($this->config['certFile'])) {
            throw new ConfigException('With ssl configuration, you need to specify a certificate file.');
        }
    }

    /**
     * @return SimpleLogger|LoggerInterface
     */
    public function getLogger()
    {
        if (null === $this->logger) {
            return $this->logger = new SimpleLogger(!$this->config['prod']);
        }

        return $this->logger;
    }

    /**
     * Allows you to set a custom logger
     *
     * @param LoggerInterface $logger
     * @return WebSocketServer
     */
    public function setLogger(LoggerInterface $logger)
    {
        $this->logger = $logger;

        return $this;
    }

    /**
     * Allows to specify a loop that will be used instead of the reactphp generated loop.
     *
     * @param LoopInterface $loop
     * @return WebSocketServer
     */
    public function setLoop(LoopInterface $loop)
    {
        $this->loop = $loop;

        return $this;
    }

    /**
     * @param ServerInterface $server
     * @return WebSocketServer
     */
    public function setSocketServer(ServerInterface $server)
    {
        $this->server = $server;

        return $this;
    }
}


1		<?php
2
3		/**
4		* This file is a part of Woketo package.
5		*
6		* (c) Nekland <[email protected]>
7		*
8		* For the full license, take a look to the LICENSE file
9		* on the root directory of this project
10		*/
11
12		namespace Nekland\Woketo\Server;
13
14		use Nekland\Woketo\Exception\ConfigException;
15		use Nekland\Woketo\Exception\RuntimeException;
16		use Nekland\Woketo\Message\MessageHandlerInterface;
17		use Nekland\Woketo\Rfc6455\FrameFactory;
18		use Nekland\Woketo\Rfc6455\Handshake\ServerHandshake;
19		use Nekland\Woketo\Rfc6455\MessageFactory;
20		use Nekland\Woketo\Rfc6455\FrameHandler\CloseFrameHandler;
21		use Nekland\Woketo\Rfc6455\FrameHandler\RsvCheckFrameHandler;
22		use Nekland\Woketo\Rfc6455\FrameHandler\WrongOpcodeFrameHandler;
23		use Nekland\Woketo\Rfc6455\FrameHandler\PingFrameHandler;
24		use Nekland\Woketo\Rfc6455\MessageProcessor;
25		use Nekland\Woketo\Utils\SimpleLogger;
26		use Psr\Log\LoggerInterface;
27		use Psr\Log\LogLevel;
28		use React\EventLoop\LoopInterface;
29		use React\Socket\ConnectionInterface;
30		use React\Socket\ServerInterface;
31
32		class WebSocketServer
33		{
34		/**
35		* @var int
36		*/
37		private $port;
38
39		/**
40		* @var string
41		*/
42		private $host;
43
44		/**
45		* @var ServerHandshake
46		*/
47		private $handshake;
48
49		/**
50		* @var MessageHandlerInterface[]
51		*/
52		private $messageHandlers;
53
54		/**
55		* @var Connection[]
56		*/
57		private $connections;
58
59		/**
60		* @var LoopInterface
61		*/
62		private $loop;
63
64		/**
65		* @var ServerInterface
66		*/
67		private $server;
68
69		/**
70		* @var MessageProcessor
71		*/
72		private $messageProcessor;
73
74		/**
75		* @var array
76		*/
77		private $config;
78
79		/**
80		* @var LoggerInterface
81		*/
82		private $logger;
83
84		/**
85		* @param int $port The number of the port to bind
86		* @param string $host The host to listen on (by default 127.0.0.1)
87		* @param array $config
88		*/
89	9	public function __construct($port, $host = '127.0.0.1', $config = [])
90		{
91	9	$this->setConfig($config);
92	8	$this->host = $host;
93	8	$this->port = $port;
94	8	$this->handshake = new ServerHandshake();
95	8	$this->connections = [];
96	8	$this->buildMessageProcessor();
97
98		// Some optimization
99	7	\gc_enable(); // As the process never stops, the garbage collector will be usefull, you may need to call it manually sometimes for performance purpose
100	7	\set_time_limit(0); // It's by default on most server for cli apps but better be sure of that fact
101	7	}
102
103		/**
104		* @param MessageHandlerInterface\|string $messageHandler An instance of a class as string
105		* @param string $uri The URI you want to bind on
106		*/
107	5	public function setMessageHandler($messageHandler, $uri = '*')
108		{
109	5	if (!$messageHandler instanceof MessageHandlerInterface && !\is_string($messageHandler)) {
110		throw new \InvalidArgumentException('The message handler must be an instance of MessageHandlerInterface or a string.');
111		}
112	5	if (\is_string($messageHandler)) {
113		try {
114		$reflection = new \ReflectionClass($messageHandler);
115		if(!$reflection->implementsInterface('Nekland\Woketo\Message\MessageHandlerInterface')) {
116		throw new \InvalidArgumentException('The messageHandler must implement MessageHandlerInterface');
117		}
118		} catch (\ReflectionException $e) {
119		throw new \InvalidArgumentException('The messageHandler must be a string representing a class.');
120		}
121		}
122	5	$this->messageHandlers[$uri] = $messageHandler;
123	5	}
124
125		/**
126		* Launch the WebSocket server and an infinite loop that act on event.
127		*
128		* @throws \Exception
129		*/
130	5	public function start()
131		{
132	5	if ($this->config['prod'] && \extension_loaded('xdebug')) {
133		throw new \Exception('xdebug is enabled, it\'s a performance issue. Disable that extension or specify "prod" option to false.');
134		}
135
136	5	$this->loop = $this->loop ?? \React\EventLoop\Factory::create();
137	5	$this->server = $this->server ?? new \React\Socket\TcpServer($this->host . ':' . $this->port, $this->loop);
138
139	5	if ($this->config['ssl']) {
140		$this->server = new \React\Socket\SecureServer($this->server, $this->loop, array_merge([
141		'local_cert' => $this->config['certFile'],
142		'passphrase' => $this->config['passphrase'],
143		], $this->config['sslContextOptions']));
144		$this->getLogger()->info('Enabled ssl');
145		}
146
147		$this->server->on('connection', function (ConnectionInterface $socketStream) {
148	5	$this->onNewConnection($socketStream);
149	5	});
150
151	5	$this->getLogger()->info('Listening on ' . $this->host . ':' . $this->port);
152
153	5	$this->loop->run();
154	5	}
155
156		/**
157		* @param ConnectionInterface $socketStream
158		*/
159	5	private function onNewConnection(ConnectionInterface $socketStream)
160		{
161		$connection = new Connection($socketStream, function ($uri, Connection $connection) {
162	5	return $this->getMessageHandler($uri, $connection);
163	5	}, $this->loop, $this->messageProcessor);
164
165		$socketStream->on('end', function () use($connection) {
166	1	$this->onDisconnect($connection);
167	5	});
168
169	5	$connection->setLogger($this->getLogger());
170	5	$connection->getLogger()->info(sprintf('Ip "%s" establish connection', $connection->getIp()));
171	5	$this->connections[] = $connection;
172	5	}
173
174		/**
175		*
176		* @param Connection $connection
177		*/
178	1	private function onDisconnect(Connection $connection)
179		{
180	1	$this->removeConnection($connection);
181	1	$connection->getLogger()->info(sprintf('Ip "%s" left connection', $connection->getIp()));
182	1	}
183
184		/**
185		* Remove a Connection instance by his object id
186		* @param Connection $connection
187		* @throws RuntimeException This method throw an exception if the $connection instance object isn't findable in websocket server's connections
188		*/
189	1	private function removeConnection(Connection $connection)
190		{
191	1	$connectionId = spl_object_hash($connection);
192	1	foreach ($this->connections as $index => $connectionItem) {
193	1	if ($connectionId === spl_object_hash($connectionItem)) {
194	1	unset($this->connections[$index]);
195	1	return;
196		}
197		}
198
199		$this->logger->critical('No connection found in the server connection list, impossible to delete the given connection id. Something wrong happened');
200		throw new RuntimeException('No connection found in the server connection list, impossible to delete the given connection id. Something wrong happened');
201		}
202
203		/**
204		* @param string $uri
205		* @param Connection $connection
206		* @return MessageHandlerInterface\|null
207		*/
208	5	private function getMessageHandler(string $uri, Connection $connection)
		0 ignored issues – show Unused Code introduced 2017-08-02 15:20 UTC by Report Bug Copy Issue Report Show Similar Issues like this The parameter `$connection` is not used and could be removed. This check looks from parameters that have been defined for a function or method, but which are not used in the method body. Loading history...
209		{
210	5	$handler = null;
211
212	5	if (!empty($this->messageHandlers[$uri])) {
213	2	$handler = $this->messageHandlers[$uri];
214		}
215
216	5	if (null === $handler && !empty($this->messageHandlers['*'])) {
217	2	$handler = $this->messageHandlers['*'];
218		}
219
220	5	if (null !== $handler) {
221	4	if (\is_string($handler)) {
222		$handler = new $handler;
223		}
224
225	4	return $handler;
226		}
227
228	1	$this->logger->warning('Connection on ' . $uri . ' but no handler found.');
229	1	return null;
230		}
231
232		/**
233		* Build the message processor with configuration
234		*/
235	8	private function buildMessageProcessor()
236		{
237	8	$this->messageProcessor = new MessageProcessor(
238	8	false,
239	8	new FrameFactory($this->config['frame']),
240	8	new MessageFactory($this->config['message'])
241		);
242	8	$this->messageProcessor->addHandler(new PingFrameHandler());
243	8	$this->messageProcessor->addHandler(new CloseFrameHandler());
244	8	$this->messageProcessor->addHandler(new WrongOpcodeFrameHandler());
245	8	$this->messageProcessor->addHandler(new RsvCheckFrameHandler());
246
247	8	foreach ($this->config['messageHandlers'] as $handler) {
248	1	if (!$handler instanceof MessageHandlerInterface) {
249	1	throw new RuntimeException(sprintf('%s is not an instance of MessageHandlerInterface but must be !', get_class($handler)));
250		}
251		}
252	7	}
253
254		/**
255		* Sets the configuration
256		*
257		* @param array $config
258		* @throws ConfigException
259		*/
260	9	private function setConfig(array $config)
261		{
262	9	$this->config = \array_merge([
263	9	'frame' => [],
264		'message' => [],
265		'messageHandlers' => [],
266		'prod' => true,
267		'ssl' => false,
268		'certFile' => '',
269		'passphrase' => '',
270		'sslContextOptions' => [],
271	9	], $config);
272
273	9	if ($this->config['ssl'] && !is_file($this->config['certFile'])) {
274	1	throw new ConfigException('With ssl configuration, you need to specify a certificate file.');
275		}
276	8	}
277
278		/**
279		* @return SimpleLogger\|LoggerInterface
280		*/
281	5	public function getLogger()
282		{
283	5	if (null === $this->logger) {
284	3	return $this->logger = new SimpleLogger(!$this->config['prod']);
285		}
286
287	5	return $this->logger;
288		}
289
290		/**
291		* Allows you to set a custom logger
292		*
293		* @param LoggerInterface $logger
294		* @return WebSocketServer
295		*/
296	2	public function setLogger(LoggerInterface $logger)
297		{
298	2	$this->logger = $logger;
299
300	2	return $this;
301		}
302
303		/**
304		* Allows to specify a loop that will be used instead of the reactphp generated loop.
305		*
306		* @param LoopInterface $loop
307		* @return WebSocketServer
308		*/
309	5	public function setLoop(LoopInterface $loop)
310		{
311	5	$this->loop = $loop;
312
313	5	return $this;
314		}
315
316		/**
317		* @param ServerInterface $server
318		* @return WebSocketServer
319		*/
320	5	public function setSocketServer(ServerInterface $server)
321		{
322	5	$this->server = $server;
323
324	5	return $this;
325		}
326		}
327

Nekland / Woketo

Issues (11)

Security Analysis no request data

src/Server/WebSocketServer.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like