Issues in UriParser.php (master) - Issues in master - VIPnytt/RobotsTxtParser - Measure and Improve Code Quality continuously with Scrutinizer

Issues (9)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Parser/UriParser.php (3 issues)

Labels

Duplication 3

Severity

Informational 3

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * vipnytt/RobotsTxtParser
 *
 * @link https://github.com/VIPnytt/RobotsTxtParser
 * @license https://github.com/VIPnytt/RobotsTxtParser/blob/master/LICENSE The MIT License (MIT)
 */

namespace vipnytt\RobotsTxtParser\Parser;

class UriParser
{
    /**
     * Scheme white-list
     * @var string[]
     */
    protected $schemes = [
        'http',
        'https',
        'ftp',
        'ftps',
        'sftp',
    ];

    /**
     * URI
     * @var string
     */
    private $uri;

    /**
     * UriParser constructor.
     *
     * @param $uri
     */
    public function __construct($uri)
    {
        $this->uri = $uri;
    }

    /**
     * Convert relative to full
     *
     * @param string $fallbackBase
     * @return string
     */
    public function convertToFull($fallbackBase)
    {
        $this->encode();
        if ($this->validate()) {
            return $this->uri;
        } elseif (strpos($this->uri, '/') === 0) {
            $relative = $this->uri;
            $this->uri = $fallbackBase;
            return $this->base() . $relative;
        }
        throw new \InvalidArgumentException("Invalid URI `$this->uri`");
    }

    /**
     * URI encoder according to RFC 3986
     * Returns a string containing the encoded URI with disallowed characters converted to their percentage encodings.
     * @link http://publicmind.in/blog/url-encoding/
     *
     * @return string
     */
    public function encode()
    {
        $reserved = [
            '!%21!ui' => "!",
            '!%23!ui' => "#",
            '!%24!ui' => "$",
            '!%26!ui' => "&",
            '!%27!ui' => "'",
            '!%28!ui' => "(",
            '!%29!ui' => ")",
            '!%2A!ui' => "*",
            '!%2B!ui' => "+",
            '!%2C!ui' => ",",
            '!%2F!ui' => "/",
            '!%3A!ui' => ":",
            '!%3B!ui' => ";",
            '!%3D!ui' => "=",
            '!%3F!ui' => "?",
            '!%40!ui' => "@",
            '!%5B!ui' => "[",
            '!%5D!ui' => "]",
            '!%25!ui' => "%",
        ];
        // The % character must be the last in the $reserved array.
        // This makes sure that the already encoded values are not lost or encoded again.
        $this->uri = preg_replace(array_keys($reserved), array_values($reserved), rawurlencode($this->uri));
        return $this->baseToLowercase();
    }

    /**
     * Base uri to lowercase
     *
     * @return string
     */
    private function baseToLowercase()
    {
        if (($host = parse_url($this->uri, PHP_URL_HOST)) === null) {
            return $this->uri;
        }
        $pos = strpos($this->uri, $host) + strlen($host);
        return $this->uri = substr_replace($this->uri, strtolower(substr($this->uri, 0, $pos)), 0, $pos);
    }

    /**
     * Validate
     *
     * @return bool
     */
    public function validate()
    {
        return (
            (
                filter_var($this->uri, FILTER_VALIDATE_URL) ||
                // PHP 5.x bug fix: FILTER_VALIDATE_URL doesn't support IPv6 urls. IP check not needed in the future.
                $this->validateIP(($parsed = parse_url($this->uri, PHP_URL_HOST)) === false ? '' : $parsed)
            ) &&
            ($parsed = parse_url($this->uri)) !== false &&
            (
                $this->validateHost($parsed['host']) ||
                $this->validateIP($parsed['host'])
            ) &&
            $this->validateScheme($parsed['scheme'])
        );
    }

    /**
     * Validate IPv4 or IPv6
     *
     * @param  string|null $ipAddress
     * @return bool
     */
    public function validateIP($ipAddress = null)
    {
        if ($ipAddress === null) {

            $parsed = parse_url($this->uri);
            $ipAddress = isset($parsed['host']) ? $parsed['host'] : null;
        }
        return (
            filter_var($ipAddress, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) ||
            filter_var(trim($ipAddress, '[]'), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)
        );
    }

    /**
     * Validate host name
     *
     * @link http://stackoverflow.com/questions/1755144/how-to-validate-domain-name-in-php
     *
     * @param  string|null $host
     * @return bool
     */
    public function validateHost($host = null)
    {
        if ($host === null) {

            $parsed = parse_url($this->uri);
            $host = isset($parsed['host']) ? $parsed['host'] : $parsed['path'];
        }
        return (
            preg_match("/^([a-z\d](-*[a-z\d])*)(\.([a-z\d](-*[a-z\d])*))*$/i", $host) //valid chars check
            && preg_match("/^.{1,253}$/", $host) //overall length check
            && preg_match("/^[^\.]{1,63}(\.[^\.]{1,63})*$/", $host) //length of each label
            && !$this->validateIP($host)
        );
    }

    /**
     * Validate scheme
     *
     * @param  string|null $scheme
     * @return bool
     */
    public function validateScheme($scheme = null)
    {
        if ($scheme === null) {

            $parsed = parse_url($this->uri);
            $scheme = isset($parsed['host']) ? $parsed['host'] : $parsed['path'];
        }
        return in_array($scheme, $this->schemes);
    }

    /**
     * Base
     *
     * @return string
     */
    public function base()
    {
        if (!$this->validate()) {
            throw new \InvalidArgumentException("Invalid URI: $this->uri");
        }
        $parts = [
            'scheme' => parse_url($this->uri, PHP_URL_SCHEME),
            'host' => parse_url($this->uri, PHP_URL_HOST),
        ];
        $parts['port'] = is_int($port = parse_url($this->uri, PHP_URL_PORT)) ? $port : getservbyname($parts['scheme'], 'tcp');
        return strtolower($parts['scheme'] . '://' . $parts['host'] . ':' . $parts['port']);
    }

    /**
     * Strip fragment
     *
     * @return string
     */
    public function stripFragment()
    {
        return explode('#', $this->uri, 2)[0];
    }
}


1		<?php
2		/**
3		* vipnytt/RobotsTxtParser
4		*
5		* @link https://github.com/VIPnytt/RobotsTxtParser
6		* @license https://github.com/VIPnytt/RobotsTxtParser/blob/master/LICENSE The MIT License (MIT)
7		*/
8
9		namespace vipnytt\RobotsTxtParser\Parser;
10
11		class UriParser
12		{
13		/**
14		* Scheme white-list
15		* @var string[]
16		*/
17		protected $schemes = [
18		'http',
19		'https',
20		'ftp',
21		'ftps',
22		'sftp',
23		];
24
25		/**
26		* URI
27		* @var string
28		*/
29		private $uri;
30
31		/**
32		* UriParser constructor.
33		*
34		* @param $uri
35		*/
36		public function __construct($uri)
37		{
38		$this->uri = $uri;
39		}
40
41		/**
42		* Convert relative to full
43		*
44		* @param string $fallbackBase
45		* @return string
46		*/
47		public function convertToFull($fallbackBase)
48		{
49		$this->encode();
50		if ($this->validate()) {
51		return $this->uri;
52		} elseif (strpos($this->uri, '/') === 0) {
53		$relative = $this->uri;
54		$this->uri = $fallbackBase;
55		return $this->base() . $relative;
56		}
57		throw new \InvalidArgumentException("Invalid URI `$this->uri`");
58		}
59
60		/**
61		* URI encoder according to RFC 3986
62		* Returns a string containing the encoded URI with disallowed characters converted to their percentage encodings.
63		* @link http://publicmind.in/blog/url-encoding/
64		*
65		* @return string
66		*/
67		public function encode()
68		{
69		$reserved = [
70		'!%21!ui' => "!",
71		'!%23!ui' => "#",
72		'!%24!ui' => "$",
73		'!%26!ui' => "&",
74		'!%27!ui' => "'",
75		'!%28!ui' => "(",
76		'!%29!ui' => ")",
77		'!%2A!ui' => "*",
78		'!%2B!ui' => "+",
79		'!%2C!ui' => ",",
80		'!%2F!ui' => "/",
81		'!%3A!ui' => ":",
82		'!%3B!ui' => ";",
83		'!%3D!ui' => "=",
84		'!%3F!ui' => "?",
85		'!%40!ui' => "@",
86		'!%5B!ui' => "[",
87		'!%5D!ui' => "]",
88		'!%25!ui' => "%",
89		];
90		// The % character must be the last in the $reserved array.
91		// This makes sure that the already encoded values are not lost or encoded again.
92		$this->uri = preg_replace(array_keys($reserved), array_values($reserved), rawurlencode($this->uri));
93		return $this->baseToLowercase();
94		}
95
96		/**
97		* Base uri to lowercase
98		*
99		* @return string
100		*/
101		private function baseToLowercase()
102		{
103		if (($host = parse_url($this->uri, PHP_URL_HOST)) === null) {
104		return $this->uri;
105		}
106		$pos = strpos($this->uri, $host) + strlen($host);
107		return $this->uri = substr_replace($this->uri, strtolower(substr($this->uri, 0, $pos)), 0, $pos);
108		}
109
110		/**
111		* Validate
112		*
113		* @return bool
114		*/
115		public function validate()
116		{
117		return (
118		(
119		filter_var($this->uri, FILTER_VALIDATE_URL) \|\|
120		// PHP 5.x bug fix: FILTER_VALIDATE_URL doesn't support IPv6 urls. IP check not needed in the future.
121		$this->validateIP(($parsed = parse_url($this->uri, PHP_URL_HOST)) === false ? '' : $parsed)
122		) &&
123		($parsed = parse_url($this->uri)) !== false &&
124		(
125		$this->validateHost($parsed['host']) \|\|
126		$this->validateIP($parsed['host'])
127		) &&
128		$this->validateScheme($parsed['scheme'])
129		);
130		}
131
132		/**
133		* Validate IPv4 or IPv6
134		*
135		* @param string\|null $ipAddress
136		* @return bool
137		*/
138		public function validateIP($ipAddress = null)
139		{
140	View Code Duplication	if ($ipAddress === null) {
		0 ignored issues – show Duplication introduced 2016-07-15 17:42 UTC by Report Bug Copy Issue Report Show Similar Issues like this This code seems to be duplicated across your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
141		$parsed = parse_url($this->uri);
142		$ipAddress = isset($parsed['host']) ? $parsed['host'] : null;
143		}
144		return (
145		filter_var($ipAddress, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) \|\|
146		filter_var(trim($ipAddress, '[]'), FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)
147		);
148		}
149
150		/**
151		* Validate host name
152		*
153		* @link http://stackoverflow.com/questions/1755144/how-to-validate-domain-name-in-php
154		*
155		* @param string\|null $host
156		* @return bool
157		*/
158		public function validateHost($host = null)
159		{
160	View Code Duplication	if ($host === null) {
		0 ignored issues – show Duplication introduced 2016-07-15 17:42 UTC by Report Bug Copy Issue Report Show Similar Issues like this This code seems to be duplicated across your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
161		$parsed = parse_url($this->uri);
162		$host = isset($parsed['host']) ? $parsed['host'] : $parsed['path'];
163		}
164		return (
165		preg_match("/^([a-z\d](-[a-z\d]))(\.([a-z\d](-[a-z\d])))*$/i", $host) //valid chars check
166		&& preg_match("/^.{1,253}$/", $host) //overall length check
167		&& preg_match("/^[^\.]{1,63}(\.[^\.]{1,63})*$/", $host) //length of each label
168		&& !$this->validateIP($host)
169		);
170		}
171
172		/**
173		* Validate scheme
174		*
175		* @param string\|null $scheme
176		* @return bool
177		*/
178		public function validateScheme($scheme = null)
179		{
180	View Code Duplication	if ($scheme === null) {
		0 ignored issues – show Duplication introduced 2016-07-15 17:42 UTC by Report Bug Copy Issue Report Show Similar Issues like this This code seems to be duplicated across your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
181		$parsed = parse_url($this->uri);
182		$scheme = isset($parsed['host']) ? $parsed['host'] : $parsed['path'];
183		}
184		return in_array($scheme, $this->schemes);
185		}
186
187		/**
188		* Base
189		*
190		* @return string
191		*/
192		public function base()
193		{
194		if (!$this->validate()) {
195		throw new \InvalidArgumentException("Invalid URI: $this->uri");
196		}
197		$parts = [
198		'scheme' => parse_url($this->uri, PHP_URL_SCHEME),
199		'host' => parse_url($this->uri, PHP_URL_HOST),
200		];
201		$parts['port'] = is_int($port = parse_url($this->uri, PHP_URL_PORT)) ? $port : getservbyname($parts['scheme'], 'tcp');
202		return strtolower($parts['scheme'] . '://' . $parts['host'] . ':' . $parts['port']);
203		}
204
205		/**
206		* Strip fragment
207		*
208		* @return string
209		*/
210		public function stripFragment()
211		{
212		return explode('#', $this->uri, 2)[0];
213		}
214		}
215

VIPnytt / RobotsTxtParser

Issues (9)

Security Analysis no request data

src/Parser/UriParser.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like