Issues in HttpRequest.php (master) - Issues in master - PatrickLouys/http - Measure and Improve Code Quality continuously with Scrutinizer

Issues (1)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/HttpRequest.php (1 issue)

Labels

Bug 1

Severity

Major 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace Http;

class HttpRequest implements Request
{
    protected $getParameters;
    protected $postParameters;
    protected $server;
    protected $files;
    protected $cookies;

    public function __construct(
        array $get,
        array $post,
        array $cookies,
        array $files,
        array $server,
        $inputStream = ''
    ) {
        $this->getParameters = $get;
        $this->postParameters = $post;
        $this->cookies = $cookies;
        $this->files = $files;
        $this->server = $server;
        $this->inputStream = $inputStream;
class MyClass { }

$x = new MyClass();
$x->foo = true;
    }

    /**
     * Returns a parameter value or a default value if none is set.
     *
     * @param  string $key
     * @param  string $defaultValue (optional)
     * @return string
     */
    public function getParameter($key, $defaultValue = null)
    {
        if (array_key_exists($key, $this->postParameters)) {
            return $this->postParameters[$key];
        }

        if (array_key_exists($key, $this->getParameters)) {
            return $this->getParameters[$key];
        }

        return $defaultValue;
    }

    /**
     * Returns a query parameter value or a default value if none is set.
     *
     * @param  string $key
     * @param  string $defaultValue (optional)
     * @return string
     */
    public function getQueryParameter($key, $defaultValue = null)
    {
        if (array_key_exists($key, $this->getParameters)) {
            return $this->getParameters[$key];
        }

        return $defaultValue;
    }

    /**
     * Returns a body parameter value or a default value if none is set.
     *
     * @param  string $key
     * @param  string $defaultValue (optional)
     * @return string
     */
    public function getBodyParameter($key, $defaultValue = null)
    {
        if (array_key_exists($key, $this->postParameters)) {
            return $this->postParameters[$key];
        }

        return $defaultValue;
    }

    /**
     * Returns a file value or a default value if none is set.
     *
     * @param  string $key
     * @param  string $defaultValue (optional)
     * @return string
     */
    public function getFile($key, $defaultValue = null)
    {
        if (array_key_exists($key, $this->files)) {
            return $this->files[$key];
        }

        return $defaultValue;
    }

    /**
     * Returns a cookie value or a default value if none is set.
     *
     * @param  string $key
     * @param  string $defaultValue (optional)
     * @return string
     */
    public function getCookie($key, $defaultValue = null)
    {
        if (array_key_exists($key, $this->cookies)) {
            return $this->cookies[$key];
        }

        return $defaultValue;
    }

    /**
     * Returns all parameters.
     *
     * @return array
     */
    public function getParameters()
    {
        return array_merge($this->getParameters, $this->postParameters);
    }

    /**
     * Returns all query parameters.
     *
     * @return array
     */
    public function getQueryParameters()
    {
        return $this->getParameters;
    }

    /**
     * Returns all body parameters.
     *
     * @return array
     */
    public function getBodyParameters()
    {
        return $this->postParameters;
    }

    /**
    * Returns raw values from the read-only stream that allows you to read raw data from the request body.
    *
    * @return string
    */
    public function getRawBody()
    {
        return $this->inputStream;
    }

    /**
     * Returns a Cookie Iterator.
     *
     * @return array
     */
    public function getCookies()
    {
        return $this->cookies;
    }

    /**
     * Returns a File Iterator.
     *
     * @return array
     */
    public function getFiles()
    {
        return $this->files;
    }

    /**
     * The URI which was given in order to access this page
     *
     * @return string
     * @throws MissingRequestMetaVariableException
     */
    public function getUri()
    {
        return $this->getServerVariable('REQUEST_URI');
    }

    /**
     * Return just the path
     *
     * @return string
     */
    public function getPath()
    {
        return strtok($this->getServerVariable('REQUEST_URI'), '?');
    }

    /**
     * Which request method was used to access the page;
     * i.e. 'GET', 'HEAD', 'POST', 'PUT'.
     *
     * @return string
     * @throws MissingRequestMetaVariableException
     */
    public function getMethod()
    {
        return $this->getServerVariable('REQUEST_METHOD');
    }

    /**
     * Contents of the Accept: header from the current request, if there is one.
     *
     * @return string
     * @throws MissingRequestMetaVariableException
     */
    public function getHttpAccept()
    {
        return $this->getServerVariable('HTTP_ACCEPT');
    }

    /**
     * The address of the page (if any) which referred the user agent to the
     * current page.
     *
     * @return string
     * @throws MissingRequestMetaVariableException
     */
    public function getReferer()
    {
        return $this->getServerVariable('HTTP_REFERER');
    }

    /**
     * Content of the User-Agent header from the request, if there is one.
     *
     * @return string
     * @throws MissingRequestMetaVariableException
     */
    public function getUserAgent()
    {
        return $this->getServerVariable('HTTP_USER_AGENT');
    }

    /**
     * The IP address from which the user is viewing the current page.
     *
     * @return string
     * @throws MissingRequestMetaVariableException
     */
    public function getIpAddress()
    {
        return $this->getServerVariable('REMOTE_ADDR');
    }

    /**
     * Checks to see whether the current request is using HTTPS.
     *
     * @return boolean
     */
    public function isSecure()
    {
        return (array_key_exists('HTTPS', $this->server)
            && $this->server['HTTPS'] !== 'off'
        );
    }

    /**
     * The query string, if any, via which the page was accessed.
     *
     * @return string
     * @throws MissingRequestMetaVariableException
     */
    public function getQueryString()
    {
        return $this->getServerVariable('QUERY_STRING');
    }

    private function getServerVariable($key)
    {
        if (!array_key_exists($key, $this->server)) {
            throw new MissingRequestMetaVariableException($key);
        }

        return $this->server[$key];
    }
}


1			<?php
2
3			namespace Http;
4
5			class HttpRequest implements Request
6			{
7			protected $getParameters;
8			protected $postParameters;
9			protected $server;
10			protected $files;
11			protected $cookies;
12
13			public function __construct(
14			array $get,
15			array $post,
16			array $cookies,
17			array $files,
18			array $server,
19			$inputStream = ''
20			) {
21			$this->getParameters = $get;
22			$this->postParameters = $post;
23			$this->cookies = $cookies;
24			$this->files = $files;
25			$this->server = $server;
26			$this->inputStream = $inputStream;
			0 ignored issues – show Bug introduced 2016-08-16 17:14 UTC by Report Bug Copy Issue Report Show Similar Issues like this The property `inputStream` does not exist. Did you maybe forget to declare it? In PHP it is possible to write to properties without declaring them. For example, the following is perfectly valid PHP code: class MyClass { } $x = new MyClass(); $x->foo = true; Generally, it is a good practice to explictly declare properties to avoid accidental typos and provide IDE auto-completion: class MyClass { public $foo; } $x = new MyClass(); $x->foo = true; Loading history...
27			}
28
29			/**
30			* Returns a parameter value or a default value if none is set.
31			*
32			* @param string $key
33			* @param string $defaultValue (optional)
34			* @return string
35			*/
36			public function getParameter($key, $defaultValue = null)
37			{
38			if (array_key_exists($key, $this->postParameters)) {
39			return $this->postParameters[$key];
40			}
41
42			if (array_key_exists($key, $this->getParameters)) {
43			return $this->getParameters[$key];
44			}
45
46			return $defaultValue;
47			}
48
49			/**
50			* Returns a query parameter value or a default value if none is set.
51			*
52			* @param string $key
53			* @param string $defaultValue (optional)
54			* @return string
55			*/
56			public function getQueryParameter($key, $defaultValue = null)
57			{
58			if (array_key_exists($key, $this->getParameters)) {
59			return $this->getParameters[$key];
60			}
61
62			return $defaultValue;
63			}
64
65			/**
66			* Returns a body parameter value or a default value if none is set.
67			*
68			* @param string $key
69			* @param string $defaultValue (optional)
70			* @return string
71			*/
72			public function getBodyParameter($key, $defaultValue = null)
73			{
74			if (array_key_exists($key, $this->postParameters)) {
75			return $this->postParameters[$key];
76			}
77
78			return $defaultValue;
79			}
80
81			/**
82			* Returns a file value or a default value if none is set.
83			*
84			* @param string $key
85			* @param string $defaultValue (optional)
86			* @return string
87			*/
88			public function getFile($key, $defaultValue = null)
89			{
90			if (array_key_exists($key, $this->files)) {
91			return $this->files[$key];
92			}
93
94			return $defaultValue;
95			}
96
97			/**
98			* Returns a cookie value or a default value if none is set.
99			*
100			* @param string $key
101			* @param string $defaultValue (optional)
102			* @return string
103			*/
104			public function getCookie($key, $defaultValue = null)
105			{
106			if (array_key_exists($key, $this->cookies)) {
107			return $this->cookies[$key];
108			}
109
110			return $defaultValue;
111			}
112
113			/**
114			* Returns all parameters.
115			*
116			* @return array
117			*/
118			public function getParameters()
119			{
120			return array_merge($this->getParameters, $this->postParameters);
121			}
122
123			/**
124			* Returns all query parameters.
125			*
126			* @return array
127			*/
128			public function getQueryParameters()
129			{
130			return $this->getParameters;
131			}
132
133			/**
134			* Returns all body parameters.
135			*
136			* @return array
137			*/
138			public function getBodyParameters()
139			{
140			return $this->postParameters;
141			}
142
143			/**
144			* Returns raw values from the read-only stream that allows you to read raw data from the request body.
145			*
146			* @return string
147			*/
148			public function getRawBody()
149			{
150			return $this->inputStream;
151			}
152
153			/**
154			* Returns a Cookie Iterator.
155			*
156			* @return array
157			*/
158			public function getCookies()
159			{
160			return $this->cookies;
161			}
162
163			/**
164			* Returns a File Iterator.
165			*
166			* @return array
167			*/
168			public function getFiles()
169			{
170			return $this->files;
171			}
172
173			/**
174			* The URI which was given in order to access this page
175			*
176			* @return string
177			* @throws MissingRequestMetaVariableException
178			*/
179			public function getUri()
180			{
181			return $this->getServerVariable('REQUEST_URI');
182			}
183
184			/**
185			* Return just the path
186			*
187			* @return string
188			*/
189			public function getPath()
190			{
191			return strtok($this->getServerVariable('REQUEST_URI'), '?');
192			}
193
194			/**
195			* Which request method was used to access the page;
196			* i.e. 'GET', 'HEAD', 'POST', 'PUT'.
197			*
198			* @return string
199			* @throws MissingRequestMetaVariableException
200			*/
201			public function getMethod()
202			{
203			return $this->getServerVariable('REQUEST_METHOD');
204			}
205
206			/**
207			* Contents of the Accept: header from the current request, if there is one.
208			*
209			* @return string
210			* @throws MissingRequestMetaVariableException
211			*/
212			public function getHttpAccept()
213			{
214			return $this->getServerVariable('HTTP_ACCEPT');
215			}
216
217			/**
218			* The address of the page (if any) which referred the user agent to the
219			* current page.
220			*
221			* @return string
222			* @throws MissingRequestMetaVariableException
223			*/
224			public function getReferer()
225			{
226			return $this->getServerVariable('HTTP_REFERER');
227			}
228
229			/**
230			* Content of the User-Agent header from the request, if there is one.
231			*
232			* @return string
233			* @throws MissingRequestMetaVariableException
234			*/
235			public function getUserAgent()
236			{
237			return $this->getServerVariable('HTTP_USER_AGENT');
238			}
239
240			/**
241			* The IP address from which the user is viewing the current page.
242			*
243			* @return string
244			* @throws MissingRequestMetaVariableException
245			*/
246			public function getIpAddress()
247			{
248			return $this->getServerVariable('REMOTE_ADDR');
249			}
250
251			/**
252			* Checks to see whether the current request is using HTTPS.
253			*
254			* @return boolean
255			*/
256			public function isSecure()
257			{
258			return (array_key_exists('HTTPS', $this->server)
259			&& $this->server['HTTPS'] !== 'off'
260			);
261			}
262
263			/**
264			* The query string, if any, via which the page was accessed.
265			*
266			* @return string
267			* @throws MissingRequestMetaVariableException
268			*/
269			public function getQueryString()
270			{
271			return $this->getServerVariable('QUERY_STRING');
272			}
273
274			private function getServerVariable($key)
275			{
276			if (!array_key_exists($key, $this->server)) {
277			throw new MissingRequestMetaVariableException($key);
278			}
279
280			return $this->server[$key];
281			}
282			}
283

PatrickLouys / http

Issues (1)

Security Analysis no request data

src/HttpRequest.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like