Issues in ServerRequest.php (master) - Issues in master - ThrusterIO/http-message - Measure and Improve Code Quality continuously with Scrutinizer

Issues (57)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/ServerRequest.php (1 issue)

Labels

Severity

Minor 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace Thruster\Component\HttpMessage;

use InvalidArgumentException;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Message\StreamInterface;
use Psr\Http\Message\UploadedFileInterface;
use Psr\Http\Message\UriInterface;

/**
 * Class ServerRequest
 *
 * @package Thruster\Component\HttpMessage
 * @author  Aurimas Niekis <[email protected]>
 */
class ServerRequest extends Request implements ServerRequestInterface
{
    /**
     * @var array
     */
    private $attributes;

    /**
     * @var array
     */
    private $cookieParams;

    /**
     * @var array|object
     */
    private $parsedBody;

    /**
     * @var array
     */
    private $queryParams;

    /**
     * @var array
     */
    private $serverParams;

    /**
     * @var array
     */
    private $uploadedFiles;

    /**
     * @param array                           $serverParams    the value of $_SERVER superglobal.
     * @param array                           $uploadedFiles   the value of $_FILES superglobal.
/**
 * @param array $germany
 * @param array $island
 * @param array $italy
 */
function finale($germany, $island) {
    return "2:1";
}
     * @param string                          $method          HTTP method for the request.
     * @param string|UriInterface             $uri             URI for the request.
     * @param array                           $headers         Headers for the message.
     * @param string|resource|StreamInterface $body            Message body.
     * @param string                          $protocolVersion HTTP protocol version.
     *
     * @throws InvalidArgumentException for an invalid URI
     */
    public function __construct(
        $method,
        $uri,
        array $headers = [],
        $body = null,
        $protocolVersion = '1.1',
        array $serverParams = []
    ) {
        $this->attributes    = [];
        $this->cookieParams  = [];
        $this->queryParams   = [];
        $this->uploadedFiles = [];

        $this->serverParams = $serverParams;

        parent::__construct($method, $uri, $headers, $body, $protocolVersion);
    }

    /**
     * Return an UploadedFile instance array.
     *
     * @param array $files A array which respect $_FILES structure.
     *
     * @throws InvalidArgumentException for unrecognized values
     * @return array
     */
    public static function normalizeFiles(array $files)
    {
        $normalized = [];

        foreach ($files as $key => $value) {
            if ($value instanceof UploadedFileInterface) {
                $normalized[$key] = $value;
            } elseif (is_array($value) && isset($value['tmp_name'])) {
                $normalized[$key] = self::createUploadedFileFromSpec($value);
            } elseif (is_array($value)) {
                $normalized[$key] = self::normalizeFiles($value);
                continue;
            } else {
                throw new InvalidArgumentException('Invalid value in files specification');
            }
        }

        return $normalized;
    }

    /**
     * Create and return an UploadedFile instance from a $_FILES specification.
     *
     * If the specification represents an array of values, this method will
     * delegate to normalizeNestedFileSpec() and return that return value.
     *
     * @param array $value $_FILES struct
     *
     * @return array|UploadedFileInterface
     */
    private static function createUploadedFileFromSpec(array $value)
    {
        if (is_array($value['tmp_name'])) {
            return self::normalizeNestedFileSpec($value);
        }

        return new UploadedFile(
            $value['tmp_name'],
            (int) $value['size'],
            (int) $value['error'],
            $value['name'],
            $value['type']
        );
    }

    /**
     * Normalize an array of file specifications.
     *
     * Loops through all nested files and returns a normalized array of
     * UploadedFileInterface instances.
     *
     * @param array $files
     *
     * @return UploadedFileInterface[]
     */
    private static function normalizeNestedFileSpec(array $files = [])
    {
        $normalizedFiles = [];

        foreach (array_keys($files['tmp_name']) as $key) {
            $spec                  = [
                'tmp_name' => $files['tmp_name'][$key],
                'size'     => $files['size'][$key],
                'error'    => $files['error'][$key],
                'name'     => $files['name'][$key],
                'type'     => $files['type'][$key],
            ];
            $normalizedFiles[$key] = self::createUploadedFileFromSpec($spec);
        }

        return $normalizedFiles;
    }

    /**
     * Return a ServerRequest populated with superglobals:
     * $_GET
     * $_POST
     * $_COOKIE
     * $_FILES
     * $_SERVER
     *
     * @return ServerRequestInterface
     */
    public static function fromGlobals()
    {
        $method   = isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : 'GET';
        $headers  = function_exists('getallheaders') ? getallheaders() : [];
        $uri      = self::getUriFromGlobals();
        $body     = new LazyOpenStream('php://input', 'r+');
        $protocol = isset($_SERVER['SERVER_PROTOCOL']) ? str_replace('HTTP/', '', $_SERVER['SERVER_PROTOCOL']) : '1.1';

        $serverRequest = new ServerRequest($method, $uri, $headers, $body, $protocol, $_SERVER);

        return $serverRequest
            ->withCookieParams($_COOKIE)
            ->withQueryParams($_GET)
            ->withParsedBody($_POST)
            ->withUploadedFiles(self::normalizeFiles($_FILES));
    }

    /**
     * Get a Uri populated with values from $_SERVER.
     *
     * @return UriInterface
     */
    public static function getUriFromGlobals()
    {
        $uri = new Uri('');

        if (isset($_SERVER['HTTPS'])) {
            $uri = $uri->withScheme($_SERVER['HTTPS'] == 'on' ? 'https' : 'http');
        }

        if (isset($_SERVER['HTTP_HOST'])) {
            $uri = $uri->withHost($_SERVER['HTTP_HOST']);
        } elseif (isset($_SERVER['SERVER_NAME'])) {
            $uri = $uri->withHost($_SERVER['SERVER_NAME']);
        }

        if (isset($_SERVER['SERVER_PORT'])) {
            $uri = $uri->withPort($_SERVER['SERVER_PORT']);
        }

        if (isset($_SERVER['REQUEST_URI'])) {
            $uri = $uri->withPath(current(explode('?', $_SERVER['REQUEST_URI'])));
        }

        if (isset($_SERVER['QUERY_STRING'])) {
            $uri = $uri->withQuery($_SERVER['QUERY_STRING']);
        }

        return $uri;
    }


    /**
     * {@inheritdoc}
     */
    public function getServerParams()
    {
        return $this->serverParams;
    }

    /**
     * {@inheritdoc}
     */
    public function getUploadedFiles()
    {
        return $this->uploadedFiles;
    }

    /**
     * {@inheritdoc}
     */
    public function withUploadedFiles(array $uploadedFiles)
    {
        $new                = clone $this;
        $new->uploadedFiles = $uploadedFiles;

        return $new;
    }

    /**
     * {@inheritdoc}
     */
    public function getCookieParams()
    {
        return $this->cookieParams;
    }

    /**
     * {@inheritdoc}
     */
    public function withCookieParams(array $cookies)
    {
        $new               = clone $this;
        $new->cookieParams = $cookies;

        return $new;
    }

    /**
     * {@inheritdoc}
     */
    public function getQueryParams()
    {
        return $this->queryParams;
    }

    /**
     * {@inheritdoc}
     */
    public function withQueryParams(array $query)
    {
        $new              = clone $this;
        $new->queryParams = $query;

        return $new;
    }

    /**
     * {@inheritdoc}
     */
    public function getParsedBody()
    {
        return $this->parsedBody;
    }

    /**
     * {@inheritdoc}
     */
    public function withParsedBody($data)
    {
        $new             = clone $this;
        $new->parsedBody = $data;

        return $new;
    }

    /**
     * {@inheritdoc}
     */
    public function getAttributes()
    {
        return $this->attributes;
    }

    /**
     * {@inheritdoc}
     */
    public function getAttribute($attribute, $default = null)
    {
        if (false === array_key_exists($attribute, $this->attributes)) {
            return $default;
        }

        return $this->attributes[$attribute];
    }

    /**
     * {@inheritdoc}
     */
    public function withAttribute($attribute, $value)
    {
        $new                         = clone $this;
        $new->attributes[$attribute] = $value;

        return $new;
    }

    /**
     * {@inheritdoc}
     */
    public function withoutAttribute($attribute)
    {
        if (false === isset($this->attributes[$attribute])) {
            return clone $this;
        }

        $new = clone $this;
        unset($new->attributes[$attribute]);

        return $new;
    }
}


1		<?php
2
3		namespace Thruster\Component\HttpMessage;
4
5		use InvalidArgumentException;
6		use Psr\Http\Message\ServerRequestInterface;
7		use Psr\Http\Message\StreamInterface;
8		use Psr\Http\Message\UploadedFileInterface;
9		use Psr\Http\Message\UriInterface;
10
11		/**
12		* Class ServerRequest
13		*
14		* @package Thruster\Component\HttpMessage
15		* @author Aurimas Niekis <[email protected]>
16		*/
17		class ServerRequest extends Request implements ServerRequestInterface
18		{
19		/**
20		* @var array
21		*/
22		private $attributes;
23
24		/**
25		* @var array
26		*/
27		private $cookieParams;
28
29		/**
30		* @var array\|object
31		*/
32		private $parsedBody;
33
34		/**
35		* @var array
36		*/
37		private $queryParams;
38
39		/**
40		* @var array
41		*/
42		private $serverParams;
43
44		/**
45		* @var array
46		*/
47		private $uploadedFiles;
48
49		/**
50		* @param array $serverParams the value of $_SERVER superglobal.
51		* @param array $uploadedFiles the value of $_FILES superglobal.
		0 ignored issues – show Bug introduced 2016-02-10 23:41 UTC by Report Bug Copy Issue Report Show Similar Issues like this There is no parameter named `$uploadedFiles`. Was it maybe removed? This check looks for PHPDoc comments describing methods or function parameters that do not exist on the corresponding method or function. Consider the following example. The parameter `$italy` is not defined by the method `finale(...)`. /** * @param array $germany * @param array $island * @param array $italy */ function finale($germany, $island) { return "2:1"; } The most likely cause is that the parameter was removed, but the annotation was not. Loading history...
52		* @param string $method HTTP method for the request.
53		* @param string\|UriInterface $uri URI for the request.
54		* @param array $headers Headers for the message.
55		* @param string\|resource\|StreamInterface $body Message body.
56		* @param string $protocolVersion HTTP protocol version.
57		*
58		* @throws InvalidArgumentException for an invalid URI
59		*/
60	7	public function __construct(
61		$method,
62		$uri,
63		array $headers = [],
64		$body = null,
65		$protocolVersion = '1.1',
66		array $serverParams = []
67		) {
68	7	$this->attributes = [];
69	7	$this->cookieParams = [];
70	7	$this->queryParams = [];
71	7	$this->uploadedFiles = [];
72
73	7	$this->serverParams = $serverParams;
74
75	7	parent::__construct($method, $uri, $headers, $body, $protocolVersion);
76	7	}
77
78		/**
79		* Return an UploadedFile instance array.
80		*
81		* @param array $files A array which respect $_FILES structure.
82		*
83		* @throws InvalidArgumentException for unrecognized values
84		* @return array
85		*/
86	8	public static function normalizeFiles(array $files)
87		{
88	8	$normalized = [];
89
90	8	foreach ($files as $key => $value) {
91	8	if ($value instanceof UploadedFileInterface) {
92	2	$normalized[$key] = $value;
93	7	} elseif (is_array($value) && isset($value['tmp_name'])) {
94	5	$normalized[$key] = self::createUploadedFileFromSpec($value);
95	2	} elseif (is_array($value)) {
96	1	$normalized[$key] = self::normalizeFiles($value);
97	1	continue;
98		} else {
99	8	throw new InvalidArgumentException('Invalid value in files specification');
100		}
101		}
102
103	7	return $normalized;
104		}
105
106		/**
107		* Create and return an UploadedFile instance from a $_FILES specification.
108		*
109		* If the specification represents an array of values, this method will
110		* delegate to normalizeNestedFileSpec() and return that return value.
111		*
112		* @param array $value $_FILES struct
113		*
114		* @return array\|UploadedFileInterface
115		*/
116	5	private static function createUploadedFileFromSpec(array $value)
117		{
118	5	if (is_array($value['tmp_name'])) {
119	1	return self::normalizeNestedFileSpec($value);
120		}
121
122	5	return new UploadedFile(
123	5	$value['tmp_name'],
124	5	(int) $value['size'],
125	5	(int) $value['error'],
126	5	$value['name'],
127	5	$value['type']
128		);
129		}
130
131		/**
132		* Normalize an array of file specifications.
133		*
134		* Loops through all nested files and returns a normalized array of
135		* UploadedFileInterface instances.
136		*
137		* @param array $files
138		*
139		* @return UploadedFileInterface[]
140		*/
141	1	private static function normalizeNestedFileSpec(array $files = [])
142		{
143	1	$normalizedFiles = [];
144
145	1	foreach (array_keys($files['tmp_name']) as $key) {
146		$spec = [
147	1	'tmp_name' => $files['tmp_name'][$key],
148	1	'size' => $files['size'][$key],
149	1	'error' => $files['error'][$key],
150	1	'name' => $files['name'][$key],
151	1	'type' => $files['type'][$key],
152		];
153	1	$normalizedFiles[$key] = self::createUploadedFileFromSpec($spec);
154		}
155
156	1	return $normalizedFiles;
157		}
158
159		/**
160		* Return a ServerRequest populated with superglobals:
161		* $_GET
162		* $_POST
163		* $_COOKIE
164		* $_FILES
165		* $_SERVER
166		*
167		* @return ServerRequestInterface
168		*/
169	1	public static function fromGlobals()
170		{
171	1	$method = isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : 'GET';
172	1	$headers = function_exists('getallheaders') ? getallheaders() : [];
173	1	$uri = self::getUriFromGlobals();
174	1	$body = new LazyOpenStream('php://input', 'r+');
175	1	$protocol = isset($_SERVER['SERVER_PROTOCOL']) ? str_replace('HTTP/', '', $_SERVER['SERVER_PROTOCOL']) : '1.1';
176
177	1	$serverRequest = new ServerRequest($method, $uri, $headers, $body, $protocol, $_SERVER);
178
179		return $serverRequest
180	1	->withCookieParams($_COOKIE)
181	1	->withQueryParams($_GET)
182	1	->withParsedBody($_POST)
183	1	->withUploadedFiles(self::normalizeFiles($_FILES));
184		}
185
186		/**
187		* Get a Uri populated with values from $_SERVER.
188		*
189		* @return UriInterface
190		*/
191	7	public static function getUriFromGlobals()
192		{
193	7	$uri = new Uri('');
194
195	7	if (isset($_SERVER['HTTPS'])) {
196	6	$uri = $uri->withScheme($_SERVER['HTTPS'] == 'on' ? 'https' : 'http');
197		}
198
199	7	if (isset($_SERVER['HTTP_HOST'])) {
200	5	$uri = $uri->withHost($_SERVER['HTTP_HOST']);
201	2	} elseif (isset($_SERVER['SERVER_NAME'])) {
202	1	$uri = $uri->withHost($_SERVER['SERVER_NAME']);
203		}
204
205	7	if (isset($_SERVER['SERVER_PORT'])) {
206	6	$uri = $uri->withPort($_SERVER['SERVER_PORT']);
207		}
208
209	7	if (isset($_SERVER['REQUEST_URI'])) {
210	6	$uri = $uri->withPath(current(explode('?', $_SERVER['REQUEST_URI'])));
211		}
212
213	7	if (isset($_SERVER['QUERY_STRING'])) {
214	6	$uri = $uri->withQuery($_SERVER['QUERY_STRING']);
215		}
216
217	7	return $uri;
218		}
219
220
221		/**
222		* {@inheritdoc}
223		*/
224	1	public function getServerParams()
225		{
226	1	return $this->serverParams;
227		}
228
229		/**
230		* {@inheritdoc}
231		*/
232	2	public function getUploadedFiles()
233		{
234	2	return $this->uploadedFiles;
235		}
236
237		/**
238		* {@inheritdoc}
239		*/
240	2	public function withUploadedFiles(array $uploadedFiles)
241		{
242	2	$new = clone $this;
243	2	$new->uploadedFiles = $uploadedFiles;
244
245	2	return $new;
246		}
247
248		/**
249		* {@inheritdoc}
250		*/
251	2	public function getCookieParams()
252		{
253	2	return $this->cookieParams;
254		}
255
256		/**
257		* {@inheritdoc}
258		*/
259	2	public function withCookieParams(array $cookies)
260		{
261	2	$new = clone $this;
262	2	$new->cookieParams = $cookies;
263
264	2	return $new;
265		}
266
267		/**
268		* {@inheritdoc}
269		*/
270	2	public function getQueryParams()
271		{
272	2	return $this->queryParams;
273		}
274
275		/**
276		* {@inheritdoc}
277		*/
278	2	public function withQueryParams(array $query)
279		{
280	2	$new = clone $this;
281	2	$new->queryParams = $query;
282
283	2	return $new;
284		}
285
286		/**
287		* {@inheritdoc}
288		*/
289	2	public function getParsedBody()
290		{
291	2	return $this->parsedBody;
292		}
293
294		/**
295		* {@inheritdoc}
296		*/
297	2	public function withParsedBody($data)
298		{
299	2	$new = clone $this;
300	2	$new->parsedBody = $data;
301
302	2	return $new;
303		}
304
305		/**
306		* {@inheritdoc}
307		*/
308	1	public function getAttributes()
309		{
310	1	return $this->attributes;
311		}
312
313		/**
314		* {@inheritdoc}
315		*/
316	1	public function getAttribute($attribute, $default = null)
317		{
318	1	if (false === array_key_exists($attribute, $this->attributes)) {
319	1	return $default;
320		}
321
322	1	return $this->attributes[$attribute];
323		}
324
325		/**
326		* {@inheritdoc}
327		*/
328	1	public function withAttribute($attribute, $value)
329		{
330	1	$new = clone $this;
331	1	$new->attributes[$attribute] = $value;
332
333	1	return $new;
334		}
335
336		/**
337		* {@inheritdoc}
338		*/
339	1	public function withoutAttribute($attribute)
340		{
341	1	if (false === isset($this->attributes[$attribute])) {
342	1	return clone $this;
343		}
344
345	1	$new = clone $this;
346	1	unset($new->attributes[$attribute]);
347
348	1	return $new;
349		}
350		}
351

ThrusterIO / http-message

Issues (57)

Security Analysis not enabled

src/ServerRequest.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like