Issues in sjcl.php - All Issues - Inspection of "found another" - PrivateBin/PrivateBin - Measure and Improve Code Quality continuously with Scrutinizer

Passed

Push — master ( 3e0ba1...df5150 )

by El

created 2016-07-11 13:55 UTC

lib/sjcl.php (2 issues)

Labels

Duplication 2

Severity

Informational 2

Sebastien SAUVAGE 2

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * PrivateBin
 *
 * a zero-knowledge paste bin
 *
 * @link      https://github.com/PrivateBin/PrivateBin
 * @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
 * @license   http://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
 * @version   0.22
 */

/**
 * sjcl
 *
 * Provides SJCL validation function.
 */
class sjcl
{
    /**
     * SJCL validator
     *
     * Checks if a json string is a proper SJCL encrypted message.
     *
     * @access public
     * @static
     * @param  string $encoded JSON
     * @return bool
     */
    public static function isValid($encoded)
    {
        $accepted_keys = array('iv','v','iter','ks','ts','mode','adata','cipher','salt','ct');

        // Make sure content is valid json
        $decoded = json_decode($encoded);
        if (is_null($decoded)) return false;
        $decoded = (array) $decoded;

        // Make sure no additionnal keys were added.
        if (
            count(array_keys($decoded)) != count($accepted_keys)
        ) return false;

        // Make sure required fields are present and contain base64 data.
        foreach($accepted_keys as $k)
        {
            if (!array_key_exists($k, $decoded)) return false;
        }

        // Make sure some fields are base64 data.
        if (!base64_decode($decoded['iv'], true)) return false;
        if (!base64_decode($decoded['salt'], true)) return false;
        if (!($ct = base64_decode($decoded['ct'], true))) return false;

        // Make sure some fields have a reasonable size.
        if (strlen($decoded['iv']) > 24) return false;
        if (strlen($decoded['salt']) > 14) return false;

        // Make sure some fields contain no unsupported values.
        if (!(is_int($decoded['v']) || is_float($decoded['v'])) || (float) $decoded['v'] < 1) return false;
        if (!is_int($decoded['iter']) || $decoded['iter'] <= 100) return false;
        if (!in_array($decoded['ks'], array(128, 192, 256), true)) return false;
        if (!in_array($decoded['ts'], array(64, 96, 128), true)) return false;

        if (!in_array($decoded['mode'], array('ccm', 'ocb2', 'gcm'), true)) return false;

        if ($decoded['cipher'] !== 'aes') return false;

        // Reject data if entropy is too low
        if (strlen($ct) > strlen(gzdeflate($ct))) return false;

        return true;
    }
}


1			<?php
2			/**
3			* PrivateBin
4			*
5			* a zero-knowledge paste bin
6			*
7			* @link https://github.com/PrivateBin/PrivateBin
8			* @copyright 2012 Sébastien SAUVAGE (sebsauvage.net)
9			* @license http://www.opensource.org/licenses/zlib-license.php The zlib/libpng License
10			* @version 0.22
11			*/
12
13			/**
14			* sjcl
15			*
16			* Provides SJCL validation function.
17			*/
18			class sjcl
19			{
20			/**
21			* SJCL validator
22			*
23			* Checks if a json string is a proper SJCL encrypted message.
24			*
25			* @access public
26			* @static
27			* @param string $encoded JSON
28			* @return bool
29			*/
30	7		public static function isValid($encoded)
31			{
32	7		$accepted_keys = array('iv','v','iter','ks','ts','mode','adata','cipher','salt','ct');
33
34			// Make sure content is valid json
35	7		$decoded = json_decode($encoded);
36	7		if (is_null($decoded)) return false;
37	7		$decoded = (array) $decoded;
38
39			// Make sure no additionnal keys were added.
40			if (
41	7		count(array_keys($decoded)) != count($accepted_keys)
42	7		) return false;
43
44			// Make sure required fields are present and contain base64 data.
45	7		foreach($accepted_keys as $k)
46			{
47	7		if (!array_key_exists($k, $decoded)) return false;
48	7		}
49
50			// Make sure some fields are base64 data.
51	7		if (!base64_decode($decoded['iv'], true)) return false;
52	7		if (!base64_decode($decoded['salt'], true)) return false;
53	7		if (!($ct = base64_decode($decoded['ct'], true))) return false;
54
55			// Make sure some fields have a reasonable size.
56	7		if (strlen($decoded['iv']) > 24) return false;
57	7		if (strlen($decoded['salt']) > 14) return false;
58
59			// Make sure some fields contain no unsupported values.
60	7		if (!(is_int($decoded['v']) \|\| is_float($decoded['v'])) \|\| (float) $decoded['v'] < 1) return false;
61	7		if (!is_int($decoded['iter']) \|\| $decoded['iter'] <= 100) return false;
62	7		if (!in_array($decoded['ks'], array(128, 192, 256), true)) return false;
63	7	View Code Duplication	if (!in_array($decoded['ts'], array(64, 96, 128), true)) return false;
			0 ignored issues – show Duplication introduced 2016-07-09 10:42 UTC by Report Bug Copy Issue Report Show Similar Issues like this This code seems to be duplicated across your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
64	7	View Code Duplication	if (!in_array($decoded['mode'], array('ccm', 'ocb2', 'gcm'), true)) return false;
			0 ignored issues – show Duplication introduced 2016-07-09 10:42 UTC by Report Bug Copy Issue Report Show Similar Issues like this This code seems to be duplicated across your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
65	7		if ($decoded['cipher'] !== 'aes') return false;
66
67			// Reject data if entropy is too low
68	7		if (strlen($ct) > strlen(gzdeflate($ct))) return false;
69
70	7		return true;
71			}
72			}
73

PrivateBin / PrivateBin

Push — master ( 3e0ba1...df5150 )

lib/sjcl.php (2 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like