These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more
1 | <?php |
||
2 | /** |
||
3 | * PrivateBin |
||
4 | * |
||
5 | * a zero-knowledge paste bin |
||
6 | * |
||
7 | * @link https://github.com/PrivateBin/PrivateBin |
||
8 | * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net) |
||
9 | * @license https://www.opensource.org/licenses/zlib-license.php The zlib/libpng License |
||
10 | * @version 1.1.1 |
||
11 | */ |
||
12 | |||
13 | namespace PrivateBin; |
||
14 | |||
15 | /** |
||
16 | * Sjcl |
||
17 | * |
||
18 | * Provides SJCL validation function. |
||
19 | */ |
||
20 | class Sjcl |
||
21 | { |
||
22 | /** |
||
23 | * SJCL validator |
||
24 | * |
||
25 | * Checks if a json string is a proper SJCL encrypted message. |
||
26 | * |
||
27 | * @access public |
||
28 | * @static |
||
29 | * @param string $encoded JSON |
||
30 | * @return bool |
||
31 | */ |
||
32 | 49 | public static function isValid($encoded) |
|
33 | { |
||
34 | 49 | $accepted_keys = array('iv', 'v', 'iter', 'ks', 'ts', 'mode', 'adata', 'cipher', 'salt', 'ct'); |
|
35 | |||
36 | // Make sure content is valid json |
||
37 | 49 | $decoded = json_decode($encoded); |
|
38 | 49 | if (is_null($decoded)) { |
|
39 | 3 | return false; |
|
40 | } |
||
41 | 46 | $decoded = (array) $decoded; |
|
42 | |||
43 | // Make sure no additionnal keys were added. |
||
44 | if ( |
||
45 | 46 | count(array_keys($decoded)) != count($accepted_keys) |
|
46 | ) { |
||
47 | 1 | return false; |
|
48 | } |
||
49 | |||
50 | // Make sure required fields are present and contain base64 data. |
||
51 | 46 | foreach ($accepted_keys as $k) { |
|
52 | 46 | if (!array_key_exists($k, $decoded)) { |
|
53 | 46 | return false; |
|
54 | } |
||
55 | } |
||
56 | |||
57 | // Make sure some fields are base64 data. |
||
58 | 46 | if (!base64_decode($decoded['iv'], true)) { |
|
59 | 1 | return false; |
|
60 | } |
||
61 | 46 | if (!base64_decode($decoded['salt'], true)) { |
|
62 | 1 | return false; |
|
63 | } |
||
64 | 46 | if (!($ct = base64_decode($decoded['ct'], true))) { |
|
65 | 1 | return false; |
|
66 | } |
||
67 | |||
68 | // Make sure some fields have a reasonable size. |
||
69 | 46 | if (strlen($decoded['iv']) > 24) { |
|
70 | 1 | return false; |
|
71 | } |
||
72 | 46 | if (strlen($decoded['salt']) > 14) { |
|
73 | 1 | return false; |
|
74 | } |
||
75 | |||
76 | // Make sure some fields contain no unsupported values. |
||
77 | 46 | if (!(is_int($decoded['v']) || is_float($decoded['v'])) || (float) $decoded['v'] < 1) { |
|
78 | 1 | return false; |
|
79 | } |
||
80 | 46 | if (!is_int($decoded['iter']) || $decoded['iter'] <= 100) { |
|
81 | 1 | return false; |
|
82 | } |
||
83 | 46 | if (!in_array($decoded['ks'], array(128, 192, 256), true)) { |
|
84 | 1 | return false; |
|
85 | } |
||
86 | 46 | View Code Duplication | if (!in_array($decoded['ts'], array(64, 96, 128), true)) { |
0 ignored issues
–
show
|
|||
87 | 1 | return false; |
|
88 | } |
||
89 | 46 | View Code Duplication | if (!in_array($decoded['mode'], array('ccm', 'ocb2', 'gcm'), true)) { |
0 ignored issues
–
show
This code seems to be duplicated across your project.
Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository.
Loading history...
|
|||
90 | 1 | return false; |
|
91 | } |
||
92 | 46 | if ($decoded['cipher'] !== 'aes') { |
|
93 | 1 | return false; |
|
94 | } |
||
95 | |||
96 | // Reject data if entropy is too low |
||
97 | 46 | if (strlen($ct) > strlen(gzdeflate($ct))) { |
|
98 | 1 | return false; |
|
99 | } |
||
100 | |||
101 | 46 | return true; |
|
102 | } |
||
103 | } |
||
104 |
Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation.
You can also find more detailed suggestions in the “Code” section of your repository.