Issues in Provider.php (master) - Issues in master - PreviewTechnologies/oauth2-client - Measure and Improve Code Quality continuously with Scrutinizer

Issues (1)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Provider.php (1 issue)

Labels

Unused Code 1

Severity

Minor 1

Shaharia Azam 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * Official OAuth2 Client Provider for Preview Technologies
 *
 * @author Shaharia Azam <[email protected]>
 * @url https://www.previewtechs.com
 */

namespace Previewtechs\Oauth2\Client;

use InvalidArgumentException;
use League\OAuth2\Client\Provider\AbstractProvider;
use League\OAuth2\Client\Provider\Exception\IdentityProviderException;
use League\OAuth2\Client\Token\AccessToken;
use League\OAuth2\Client\Tool\BearerAuthorizationTrait;
use Psr\Http\Message\ResponseInterface;

/**
 * Class Provider
 * @package Previewtechs\Oauth2\Client
 */
class Provider extends AbstractProvider
{
    use BearerAuthorizationTrait;

    /**
     * @var string
     */
    private $urlAuthorize = "https://myaccount.previewtechs.com/oauth/v1/authorize";

    /**
     * @var string
     */
    private $urlAccessToken = "https://myaccount.previewtechs.com/oauth/v1/access_token";

    /**
     * @var string
     */
    private $urlResourceOwnerDetails = "https://api.previewtechs.com/me/v1/me";

    /**
     * @var string
     */
    private $accessTokenMethod = "POST";

    /**
     * @var string
     */
    private $accessTokenResourceOwnerId;

    /**
     * @var array|null
     */
    public $scopes = [];

    /**
     * @var array
     */
    private $defaultScopes = ['basic', 'email'];

    /**
     * @var string
     */
    private $scopeSeparator = ' ';

    /**
     * @var string
     */
    private $responseError = 'error';

    /**
     * @var string
     */
    private $responseCode;

    /**
     * @var string
     */
    private $responseResourceOwnerId = 'id';


    /**
     * @param array $options
     * @param array $collaborators
     */
    public function __construct(array $options = [], array $collaborators = [])
    {
        $this->assertRequiredOptions($options);

        $possible = $this->getConfigurableOptions();
        $configured = array_intersect_key($options, array_flip($possible));

        foreach ($configured as $key => $value) {
            $this->$key = $value;
        }

        // Remove all options that are only used locally
        $options = array_diff_key($options, $configured);

        parent::__construct($options, $collaborators);
    }

    /**
     * Returns all options that can be configured.
     *
     * @return array
     */
    protected function getConfigurableOptions()
    {
        return array_merge($this->getRequiredOptions(), [
            'accessTokenMethod',
            'accessTokenResourceOwnerId',
            'scopeSeparator',
            'responseError',
            'responseCode',
            'responseResourceOwnerId',
            'scopes',
        ]);
    }

    /**
     * Returns all options that are required.
     *
     * @return array
     */
    protected function getRequiredOptions()
    {
        return [
            'clientId',
            'clientSecret'
        ];
    }

    /**
     * Verifies that all required options have been passed.
     *
     * @param  array $options
     * @return void
     * @throws InvalidArgumentException
     */
    private function assertRequiredOptions(array $options)
    {
        $missing = array_diff_key(array_flip($this->getRequiredOptions()), $options);

        if (!empty($missing)) {
            throw new InvalidArgumentException(
                'Required options not defined: ' . implode(', ', array_keys($missing))
            );
        }
    }

    /**
     * @return string
     */
    public function getBaseAuthorizationUrl()
    {
        return $this->urlAuthorize;
    }

    /**
     * @param array $params
     * @return string
     */
    public function getBaseAccessTokenUrl(array $params)
    {
        return $this->urlAccessToken;
    }

    /**
     * @param AccessToken $token
     * @return string
     */
    public function getResourceOwnerDetailsUrl(AccessToken $token)
    {
        return $this->urlResourceOwnerDetails;
    }

    /**
     * @return array
     */
    public function getDefaultScopes()
    {
        return array_merge($this->defaultScopes, $this->scopes);
    }

    /**
     * @return string
     */
    protected function getAccessTokenMethod()
    {
        return $this->accessTokenMethod;
    }

    /**
     * @return null|string
     */
    protected function getAccessTokenResourceOwnerId()
    {
        return $this->accessTokenResourceOwnerId ?: parent::getAccessTokenResourceOwnerId();
    }

    /**
     * @return string
     */
    protected function getScopeSeparator()
    {
        return $this->scopeSeparator;
    }

    /**
     * @param ResponseInterface $response
     * @param array|string $data
     * @throws IdentityProviderException
     */
    protected function checkResponse(ResponseInterface $response, $data)
    {
        if (!empty($data[$this->responseError])) {
            $error = $data[$this->responseError];
            $code = $this->responseCode ? $data[$this->responseCode] : 0;
            throw new IdentityProviderException($error, $code, $data);
        }
    }

    /**
     * @param AccessToken $token
     * @return \League\OAuth2\Client\Provider\ResourceOwnerInterface|ResourceOwner
     */
    public function getResourceOwner(AccessToken $token)
    {
        return parent::getResourceOwner($token);
    }

    /**
     * @param array $response
     * @param AccessToken $token
     * @return ResourceOwner
     */
    protected function createResourceOwner(array $response, AccessToken $token)
    {
        return new ResourceOwner($response);
    }
}

1			<?php
2			/**
3			* Official OAuth2 Client Provider for Preview Technologies
4			*
5			* @author Shaharia Azam <[email protected]>
6			* @url https://www.previewtechs.com
7			*/
8
9			namespace Previewtechs\Oauth2\Client;
10
11			use InvalidArgumentException;
12			use League\OAuth2\Client\Provider\AbstractProvider;
13			use League\OAuth2\Client\Provider\Exception\IdentityProviderException;
14			use League\OAuth2\Client\Token\AccessToken;
15			use League\OAuth2\Client\Tool\BearerAuthorizationTrait;
16			use Psr\Http\Message\ResponseInterface;
17
18			/**
19			* Class Provider
20			* @package Previewtechs\Oauth2\Client
21			*/
22			class Provider extends AbstractProvider
23			{
24			use BearerAuthorizationTrait;
25
26			/**
27			* @var string
28			*/
29			private $urlAuthorize = "https://myaccount.previewtechs.com/oauth/v1/authorize";
30
31			/**
32			* @var string
33			*/
34			private $urlAccessToken = "https://myaccount.previewtechs.com/oauth/v1/access_token";
35
36			/**
37			* @var string
38			*/
39			private $urlResourceOwnerDetails = "https://api.previewtechs.com/me/v1/me";
40
41			/**
42			* @var string
43			*/
44			private $accessTokenMethod = "POST";
45
46			/**
47			* @var string
48			*/
49			private $accessTokenResourceOwnerId;
50
51			/**
52			* @var array\|null
53			*/
54			public $scopes = [];
55
56			/**
57			* @var array
58			*/
59			private $defaultScopes = ['basic', 'email'];
60
61			/**
62			* @var string
63			*/
64			private $scopeSeparator = ' ';
65
66			/**
67			* @var string
68			*/
69			private $responseError = 'error';
70
71			/**
72			* @var string
73			*/
74			private $responseCode;
75
76			/**
77			* @var string
78			*/
79			private $responseResourceOwnerId = 'id';
			0 ignored issues – show Unused Code introduced 2018-03-05 06:57 UTC by Report Bug Copy Issue Report Show Similar Issues like this The property `$responseResourceOwnerId` is not used and could be removed. This check marks private properties in classes that are never used. Those properties can be removed. Loading history...
80
81			/**
82			* @param array $options
83			* @param array $collaborators
84			*/
85			public function __construct(array $options = [], array $collaborators = [])
86			{
87			$this->assertRequiredOptions($options);
88
89			$possible = $this->getConfigurableOptions();
90			$configured = array_intersect_key($options, array_flip($possible));
91
92			foreach ($configured as $key => $value) {
93			$this->$key = $value;
94			}
95
96			// Remove all options that are only used locally
97			$options = array_diff_key($options, $configured);
98
99			parent::__construct($options, $collaborators);
100			}
101
102			/**
103			* Returns all options that can be configured.
104			*
105			* @return array
106			*/
107			protected function getConfigurableOptions()
108			{
109			return array_merge($this->getRequiredOptions(), [
110			'accessTokenMethod',
111			'accessTokenResourceOwnerId',
112			'scopeSeparator',
113			'responseError',
114			'responseCode',
115			'responseResourceOwnerId',
116			'scopes',
117			]);
118			}
119
120			/**
121			* Returns all options that are required.
122			*
123			* @return array
124			*/
125			protected function getRequiredOptions()
126			{
127			return [
128			'clientId',
129			'clientSecret'
130			];
131			}
132
133			/**
134			* Verifies that all required options have been passed.
135			*
136			* @param array $options
137			* @return void
138			* @throws InvalidArgumentException
139			*/
140			private function assertRequiredOptions(array $options)
141			{
142			$missing = array_diff_key(array_flip($this->getRequiredOptions()), $options);
143
144			if (!empty($missing)) {
145			throw new InvalidArgumentException(
146			'Required options not defined: ' . implode(', ', array_keys($missing))
147			);
148			}
149			}
150
151			/**
152			* @return string
153			*/
154			public function getBaseAuthorizationUrl()
155			{
156			return $this->urlAuthorize;
157			}
158
159			/**
160			* @param array $params
161			* @return string
162			*/
163			public function getBaseAccessTokenUrl(array $params)
164			{
165			return $this->urlAccessToken;
166			}
167
168			/**
169			* @param AccessToken $token
170			* @return string
171			*/
172			public function getResourceOwnerDetailsUrl(AccessToken $token)
173			{
174			return $this->urlResourceOwnerDetails;
175			}
176
177			/**
178			* @return array
179			*/
180			public function getDefaultScopes()
181			{
182			return array_merge($this->defaultScopes, $this->scopes);
183			}
184
185			/**
186			* @return string
187			*/
188			protected function getAccessTokenMethod()
189			{
190			return $this->accessTokenMethod;
191			}
192
193			/**
194			* @return null\|string
195			*/
196			protected function getAccessTokenResourceOwnerId()
197			{
198			return $this->accessTokenResourceOwnerId ?: parent::getAccessTokenResourceOwnerId();
199			}
200
201			/**
202			* @return string
203			*/
204			protected function getScopeSeparator()
205			{
206			return $this->scopeSeparator;
207			}
208
209			/**
210			* @param ResponseInterface $response
211			* @param array\|string $data
212			* @throws IdentityProviderException
213			*/
214			protected function checkResponse(ResponseInterface $response, $data)
215			{
216			if (!empty($data[$this->responseError])) {
217			$error = $data[$this->responseError];
218			$code = $this->responseCode ? $data[$this->responseCode] : 0;
219			throw new IdentityProviderException($error, $code, $data);
220			}
221			}
222
223			/**
224			* @param AccessToken $token
225			* @return \League\OAuth2\Client\Provider\ResourceOwnerInterface\|ResourceOwner
226			*/
227			public function getResourceOwner(AccessToken $token)
228			{
229			return parent::getResourceOwner($token);
230			}
231
232			/**
233			* @param array $response
234			* @param AccessToken $token
235			* @return ResourceOwner
236			*/
237			protected function createResourceOwner(array $response, AccessToken $token)
238			{
239			return new ResourceOwner($response);
240			}
241			}

PreviewTechnologies / oauth2-client

Issues (1)

Security Analysis no request data

src/Provider.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like