Issues in class-api-keys-table.php (master) - Issues in master - WordImpress/Give - Measure and Improve Code Quality continuously with Scrutinizer

Issues (4296)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

includes/admin/class-api-keys-table.php (8 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * API Key Table Class
 *
 * @package     Give
 * @subpackage  Admin/Tools/APIKeys
 * @copyright   Copyright (c) 2016, WordImpress
 * @license     https://opensource.org/licenses/gpl-license GNU Public License
 * @since       1.1
 */

// Exit if accessed directly.
if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

// Load WP_List_Table if not loaded
if ( ! class_exists( 'WP_List_Table' ) ) {
	require_once ABSPATH . 'wp-admin/includes/class-wp-list-table.php';
}

/**
 * Give_API_Keys_Table Class
 *
 * Renders the API Keys table
 *
 * @since 1.1
 */
class Give_API_Keys_Table extends WP_List_Table {

	/**
	 * @var int Number of items per page
	 * @since 1.1
	 */
	public $per_page = 30;

	/**
	 * @var object Query results
	 * @since 1.1
	 */
	private $keys;

	/**
	 * Get things started
	 *
	 * @since 1.1
	 * @see   WP_List_Table::__construct()
	 *
	 * @global $status
	 * @global $page
	 */
	public function __construct() {
		global $status, $page;

		// Set parent defaults
		parent::__construct( array(
			'singular' => esc_html__( 'API Key', 'give' ),     // Singular name of the listed records
			'plural'   => esc_html__( 'API Keys', 'give' ),    // Plural name of the listed records
			'ajax'     => false, // Does this table support ajax?
		) );

		$this->query();
	}

	/**
	 * This function renders most of the columns in the list table.
	 *
	 * @access public
	 * @since  1.1
	 *
	 * @param array  $item        Contains all the data of the keys
	 * @param string $column_name The name of the column
	 *
	 * @return string Column Name
	 */
	public function column_default( $item, $column_name ) {
		return $item[ $column_name ];
	}

	/**
	 * Displays the public key rows
	 *
	 * @access public
	 * @since  1.1
	 *
	 * @param array $item Contains all the data of the keys
	 *
	 * @return string Column Name
	 */
	public function column_key( $item ) {
		return '<input onClick="this.setSelectionRange(0, this.value.length)" readonly="readonly" type="text" class="large-text" value="' . esc_attr( $item['key'] ) . '"/>';
	}

	/**
	 * Displays the token rows
	 *
	 * @access public
	 * @since  1.1
	 *
	 * @param array $item Contains all the data of the keys
	 *
	 * @return string Column Name
	 */
	public function column_token( $item ) {
		return '<input onClick="this.setSelectionRange(0, this.value.length)" readonly="readonly" type="text" class="large-text" value="' . esc_attr( $item['token'] ) . '"/>';
	}

	/**
	 * Displays the secret key rows
	 *
	 * @access public
	 * @since  1.1
	 *
	 * @param array $item Contains all the data of the keys
	 *
	 * @return string Column Name
	 */
	public function column_secret( $item ) {
		return '<input onClick="this.setSelectionRange(0, this.value.length)" readonly="readonly" type="text" class="large-text" value="' . esc_attr( $item['secret'] ) . '"/>';
	}

	/**
	 * Renders the column for the user field
	 *
	 * @access public
	 * @since  1.1
	 * @return string
	 */
	public function column_user( $item ) {

		$actions = array();

		if ( apply_filters( 'give_api_log_requests', true ) ) {
			$actions['view'] = sprintf(
				'<a href="%s">%s</a>',
				esc_url( add_query_arg( array(
					'section'   => 'api_requests',
					'post_type' => 'give_forms',
					'page'      => 'give-tools',
					'tab'       => 'logs',
					's'         => $item['email'],
				), 'edit.php' ) ),
				esc_html__( 'View API Log', 'give' )
			);
		}

		$actions['reissue'] = sprintf(
			'<a href="%s" class="give-regenerate-api-key">%s</a>',
			esc_url( wp_nonce_url( add_query_arg( array(
				'user_id'          => $item['id'],
				'give_action'      => 'process_api_key',
				'give_api_process' => 'regenerate',
			) ), 'give-api-nonce' ) ),
			esc_html__( 'Reissue', 'give' )
		);
		$actions['revoke']  = sprintf(
			'<a href="%s" class="give-revoke-api-key give-delete">%s</a>',
			esc_url( wp_nonce_url( add_query_arg( array(
				'user_id'          => $item['id'],
				'give_action'      => 'process_api_key',
				'give_api_process' => 'revoke',
			) ), 'give-api-nonce' ) ),
			esc_html__( 'Revoke', 'give' )
		);

		$actions = apply_filters( 'give_api_row_actions', array_filter( $actions ) );

		return sprintf( '%1$s %2$s', $item['user'], $this->row_actions( $actions ) );
	}

	/**
	 * Gets the name of the primary column.
	 *
	 * @since  1.5
	 * @access protected
	 *
	 * @return string Name of the primary column.
	 */
	protected function get_primary_column_name() {
		return 'user';
	}

	/**
	 * Retrieve the table columns
	 *
	 * @access public
	 * @since  1.1
	 * @return array $columns Array of all the list table columns
	 */
	public function get_columns() {
		$columns = array(
			'user'   => esc_html__( 'Username', 'give' ),
			'key'    => esc_html__( 'Public Key', 'give' ),
			'token'  => esc_html__( 'Token', 'give' ),
			'secret' => esc_html__( 'Secret Key', 'give' ),
		);

		return $columns;
	}

	/**
	 * Generate the table navigation above or below the table
	 *
	 * @since  3.1.0
	 * @access protected
	 *
	 * @param string $which
	 */
	protected function display_tablenav( $which ) {

		if ( 'top' === $which ) {
			wp_nonce_field( 'bulk-' . $this->_args['plural'] );
		}
		?>
		<div class="tablenav <?php echo esc_attr( $which ); ?>">

			<div class="alignleft actions bulkactions">
				<?php $this->bulk_actions( $which ); ?>
			</div>

			<?php
			$this->extra_tablenav( $which );
			$this->pagination( $which );
			?>

			<br class="clear"/>
		</div>
		<?php
	}

	/**
	 * Display the key generation form
	 *
	 * @access public
	 * @since  1.1
	 *
	 * @param  string $which
	 *
	 * @return void
	 */
	function bulk_actions( $which = '' ) {

		// These aren't really bulk actions but this outputs the markup in the right place.
		static $give_api_is_bottom;

		if ( $give_api_is_bottom ) {
			return;
		}
		?>
		<input type="hidden" name="give_action" value="process_api_key"/>
		<input type="hidden" name="give_api_process" value="generate"/>
		<?php
		wp_nonce_field( 'give-api-nonce' );
		/**
		 * API Key user search.
		 */
		$args = array(
			'id'   => 'give-api-user-search',
			'name' => 'user_id',
		);

		echo Give()->html->ajax_user_search( $args );


		submit_button( esc_html__( 'Generate New API Keys', 'give' ), 'secondary', 'submit', false );

		$give_api_is_bottom = true;
	}

	/**
	 * Retrieve the current page number
	 *
	 * @access public
	 * @since  1.1
	 * @return int Current page number
	 */
	public function get_paged() {
		return isset( $_GET['paged'] ) ? absint( $_GET['paged'] ) : 1;

	}

	/**
	 * Performs the key query
	 *
	 * @access public
	 * @since  1.1
	 * @return array
	 */
	public function query() {
		$users = get_users( array(
			'meta_value' => 'give_user_secret_key',

			'number'     => $this->per_page,
			'offset'     => $this->per_page * ( $this->get_paged() - 1 ),
		) );
		$keys  = array();

		foreach ( $users as $user ) {
			$keys[ $user->ID ]['id']    = $user->ID;
			$keys[ $user->ID ]['email'] = $user->user_email;
			$keys[ $user->ID ]['user']  = '<a href="' . add_query_arg( 'user_id', $user->ID, 'user-edit.php' ) . '"><strong>' . $user->user_login . '</strong></a>';

			$keys[ $user->ID ]['key']    = Give()->api->get_user_public_key( $user->ID );
			$keys[ $user->ID ]['secret'] = Give()->api->get_user_secret_key( $user->ID );
			$keys[ $user->ID ]['token']  = Give()->api->get_token( $user->ID );
		}

		return $keys;
	}


	/**
	 * Retrieve count of total users with keys
	 *
	 * @access public
	 * @since  1.1
	 * @return int
	 */
	public function total_items() {
		global $wpdb;

		$total_items = Give_Cache::get( 'give_total_api_keys', true );

		if ( ! $total_items ) {
			$total_items = $wpdb->get_var(

				$wpdb->prepare(
					"SELECT count(user_id)
					FROM {$wpdb->usermeta} WHERE meta_value=%s",

					'give_user_secret_key'
				)
			);

			Give_Cache::set( 'give_total_api_keys', $total_items, HOUR_IN_SECONDS, true );
		}

		return $total_items;
	}

	/**
	 * Setup the final data for the table
	 *
	 * @access public
	 * @since  1.1
	 * @return void
	 */
	public function prepare_items() {
		$columns = $this->get_columns();

		$hidden   = array(); // No hidden columns
		$sortable = array(); // Not sortable... for now

		$this->_column_headers = array( $columns, $hidden, $sortable );

		$data = $this->query();

		$total_items = $this->total_items();

		$this->items = $data;

		$this->set_pagination_args( array(
			'total_items' => $total_items,
			'per_page'    => $this->per_page,
			'total_pages' => ceil( $total_items / $this->per_page ),
		) );
	}
}


1		<?php
2		/**
3		* API Key Table Class
4		*
5		* @package Give
6		* @subpackage Admin/Tools/APIKeys
7		* @copyright Copyright (c) 2016, WordImpress
8		* @license https://opensource.org/licenses/gpl-license GNU Public License
9		* @since 1.1
10		*/
11
12		// Exit if accessed directly.
13		if ( ! defined( 'ABSPATH' ) ) {
14		exit;
15		}
16
17		// Load WP_List_Table if not loaded
18		if ( ! class_exists( 'WP_List_Table' ) ) {
19		require_once ABSPATH . 'wp-admin/includes/class-wp-list-table.php';
20		}
21
22		/**
23		* Give_API_Keys_Table Class
24		*
25		* Renders the API Keys table
26		*
27		* @since 1.1
28		*/
29		class Give_API_Keys_Table extends WP_List_Table {
30
31		/**
32		* @var int Number of items per page
33		* @since 1.1
34		*/
35		public $per_page = 30;
36
37		/**
38		* @var object Query results
39		* @since 1.1
40		*/
41		private $keys;
42
43		/**
44		* Get things started
45		*
46		* @since 1.1
47		* @see WP_List_Table::__construct()
48		*
49		* @global $status
50		* @global $page
51		*/
52		public function __construct() {
53		global $status, $page;
54
55		// Set parent defaults
56		parent::__construct( array(
57		'singular' => esc_html__( 'API Key', 'give' ), // Singular name of the listed records
58		'plural' => esc_html__( 'API Keys', 'give' ), // Plural name of the listed records
59		'ajax' => false, // Does this table support ajax?
60		) );
61
62		$this->query();
63		}
64
65		/**
66		* This function renders most of the columns in the list table.
67		*
68		* @access public
69		* @since 1.1
70		*
71		* @param array $item Contains all the data of the keys
72		* @param string $column_name The name of the column
73		*
74		* @return string Column Name
75		*/
76		public function column_default( $item, $column_name ) {
77		return $item[ $column_name ];
78		}
79
80		/**
81		* Displays the public key rows
82		*
83		* @access public
84		* @since 1.1
85		*
86		* @param array $item Contains all the data of the keys
87		*
88		* @return string Column Name
89		*/
90		public function column_key( $item ) {
91		return '<input onClick="this.setSelectionRange(0, this.value.length)" readonly="readonly" type="text" class="large-text" value="' . esc_attr( $item['key'] ) . '"/>';
92		}
93
94		/**
95		* Displays the token rows
96		*
97		* @access public
98		* @since 1.1
99		*
100		* @param array $item Contains all the data of the keys
101		*
102		* @return string Column Name
103		*/
104		public function column_token( $item ) {
105		return '<input onClick="this.setSelectionRange(0, this.value.length)" readonly="readonly" type="text" class="large-text" value="' . esc_attr( $item['token'] ) . '"/>';
106		}
107
108		/**
109		* Displays the secret key rows
110		*
111		* @access public
112		* @since 1.1
113		*
114		* @param array $item Contains all the data of the keys
115		*
116		* @return string Column Name
117		*/
118		public function column_secret( $item ) {
119		return '<input onClick="this.setSelectionRange(0, this.value.length)" readonly="readonly" type="text" class="large-text" value="' . esc_attr( $item['secret'] ) . '"/>';
120		}
121
122		/**
123		* Renders the column for the user field
124		*
125		* @access public
126		* @since 1.1
127		* @return string
128		*/
129		public function column_user( $item ) {
130
131		$actions = array();
132
133		if ( apply_filters( 'give_api_log_requests', true ) ) {
134		$actions['view'] = sprintf(
135		'<a href="%s">%s</a>',
136		esc_url( add_query_arg( array(
137		'section' => 'api_requests',
138		'post_type' => 'give_forms',
139		'page' => 'give-tools',
140		'tab' => 'logs',
141		's' => $item['email'],
142		), 'edit.php' ) ),
143		esc_html__( 'View API Log', 'give' )
144		);
145		}
146
147		$actions['reissue'] = sprintf(
148		'<a href="%s" class="give-regenerate-api-key">%s</a>',
149		esc_url( wp_nonce_url( add_query_arg( array(
150		'user_id' => $item['id'],
151		'give_action' => 'process_api_key',
152		'give_api_process' => 'regenerate',
153		) ), 'give-api-nonce' ) ),
154		esc_html__( 'Reissue', 'give' )
155		);
156		$actions['revoke'] = sprintf(
157		'<a href="%s" class="give-revoke-api-key give-delete">%s</a>',
158		esc_url( wp_nonce_url( add_query_arg( array(
159		'user_id' => $item['id'],
160		'give_action' => 'process_api_key',
161		'give_api_process' => 'revoke',
162		) ), 'give-api-nonce' ) ),
163		esc_html__( 'Revoke', 'give' )
164		);
165
166		$actions = apply_filters( 'give_api_row_actions', array_filter( $actions ) );
167
168		return sprintf( '%1$s %2$s', $item['user'], $this->row_actions( $actions ) );
169		}
170
171		/**
172		* Gets the name of the primary column.
173		*
174		* @since 1.5
175		* @access protected
176		*
177		* @return string Name of the primary column.
178		*/
179		protected function get_primary_column_name() {
180		return 'user';
181		}
182
183		/**
184		* Retrieve the table columns
185		*
186		* @access public
187		* @since 1.1
188		* @return array $columns Array of all the list table columns
189		*/
190		public function get_columns() {
191		$columns = array(
192		'user' => esc_html__( 'Username', 'give' ),
193		'key' => esc_html__( 'Public Key', 'give' ),
194		'token' => esc_html__( 'Token', 'give' ),
195		'secret' => esc_html__( 'Secret Key', 'give' ),
196		);
197
198		return $columns;
199		}
200
201		/**
202		* Generate the table navigation above or below the table
203		*
204		* @since 3.1.0
205		* @access protected
206		*
207		* @param string $which
208		*/
209	View Code Duplication	protected function display_tablenav( $which ) {
		0 ignored issues – show Duplication introduced 2017-08-01 08:32 UTC by Report Bug Copy Issue Report Show Similar Issues like this This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
210		if ( 'top' === $which ) {
211		wp_nonce_field( 'bulk-' . $this->_args['plural'] );
212		}
213		?>
214		<div class="tablenav <?php echo esc_attr( $which ); ?>">
215
216		<div class="alignleft actions bulkactions">
217		<?php $this->bulk_actions( $which ); ?>
218		</div>
219
220		<?php
221		$this->extra_tablenav( $which );
222		$this->pagination( $which );
223		?>
224
225		<br class="clear"/>
226		</div>
227		<?php
228		}
229
230		/**
231		* Display the key generation form
232		*
233		* @access public
234		* @since 1.1
235		*
236		* @param string $which
237		*
238		* @return void
239		*/
240		function bulk_actions( $which = '' ) {
		0 ignored issues – show Best Practice introduced 2015-11-20 23:18 UTC by Report Bug Copy Issue Report Show Similar Issues like this It is generally recommended to explicitly declare the visibility for methods. Adding explicit visibility (`private`, `protected`, or `public`) is generally recommend to communicate to other developers how, and from where this method is intended to be used. Loading history...
241		// These aren't really bulk actions but this outputs the markup in the right place.
242		static $give_api_is_bottom;
243
244		if ( $give_api_is_bottom ) {
245		return;
246		}
247		?>
248		<input type="hidden" name="give_action" value="process_api_key"/>
249		<input type="hidden" name="give_api_process" value="generate"/>
250		<?php
251		wp_nonce_field( 'give-api-nonce' );
252		/**
253		* API Key user search.
254		*/
255		$args = array(
256		'id' => 'give-api-user-search',
257		'name' => 'user_id',
258		);
259
260		echo Give()->html->ajax_user_search( $args );
		0 ignored issues – show introduced 2017-08-01 08:32 UTC by Report Bug Copy Issue Report Show Similar Issues like this Expected a sanitizing function (see Codex for 'Data Validation'), but instead saw 'Give' Loading history...
261
262		submit_button( esc_html__( 'Generate New API Keys', 'give' ), 'secondary', 'submit', false );
263
264		$give_api_is_bottom = true;
265		}
266
267		/**
268		* Retrieve the current page number
269		*
270		* @access public
271		* @since 1.1
272		* @return int Current page number
273		*/
274		public function get_paged() {
275		return isset( $_GET['paged'] ) ? absint( $_GET['paged'] ) : 1;
		0 ignored issues – show introduced 2017-08-01 08:32 UTC by Report Bug Copy Issue Report Show Similar Issues like this Detected access of super global var $_GET, probably need manual inspection. Loading history...
276		}
277
278		/**
279		* Performs the key query
280		*
281		* @access public
282		* @since 1.1
283		* @return array
284		*/
285		public function query() {
286		$users = get_users( array(
287		'meta_value' => 'give_user_secret_key',
		0 ignored issues – show introduced 2017-08-01 08:32 UTC by Report Bug Copy Issue Report Show Similar Issues like this Detected usage of meta_value, possible slow query. Loading history...
288		'number' => $this->per_page,
289		'offset' => $this->per_page * ( $this->get_paged() - 1 ),
290		) );
291		$keys = array();
292
293		foreach ( $users as $user ) {
294		$keys[ $user->ID ]['id'] = $user->ID;
295		$keys[ $user->ID ]['email'] = $user->user_email;
296		$keys[ $user->ID ]['user'] = '<a href="' . add_query_arg( 'user_id', $user->ID, 'user-edit.php' ) . '"><strong>' . $user->user_login . '</strong></a>';
297
298		$keys[ $user->ID ]['key'] = Give()->api->get_user_public_key( $user->ID );
299		$keys[ $user->ID ]['secret'] = Give()->api->get_user_secret_key( $user->ID );
300		$keys[ $user->ID ]['token'] = Give()->api->get_token( $user->ID );
301		}
302
303		return $keys;
304		}
305
306
307		/**
308		* Retrieve count of total users with keys
309		*
310		* @access public
311		* @since 1.1
312		* @return int
313		*/
314		public function total_items() {
315		global $wpdb;
316
317		$total_items = Give_Cache::get( 'give_total_api_keys', true );
318
319		if ( ! $total_items ) {
320		$total_items = $wpdb->get_var(
		0 ignored issues – show introduced 2018-05-02 19:53 UTC by Report Bug Copy Issue Report Show Similar Issues like this Usage of a direct database call is discouraged. Loading history... introduced 2018-05-02 19:53 UTC by Report Bug Copy Issue Report Show Similar Issues like this Usage of a direct database call without caching is prohibited. Use wp_cache_get / wp_cache_set. Loading history...
321		$wpdb->prepare(
322		"SELECT count(user_id)
323		FROM {$wpdb->usermeta} WHERE meta_value=%s",
		0 ignored issues – show introduced 2017-08-01 08:32 UTC by Report Bug Copy Issue Report Show Similar Issues like this Usage of users/usermeta tables is highly discouraged in VIP context, For storing user additional user metadata, you should look at User Attributes. Loading history...
324		'give_user_secret_key'
325		)
326		);
327
328		Give_Cache::set( 'give_total_api_keys', $total_items, HOUR_IN_SECONDS, true );
329		}
330
331		return $total_items;
332		}
333
334		/**
335		* Setup the final data for the table
336		*
337		* @access public
338		* @since 1.1
339		* @return void
340		*/
341		public function prepare_items() {
342		$columns = $this->get_columns();
343
344		$hidden = array(); // No hidden columns
345		$sortable = array(); // Not sortable... for now
346
347		$this->_column_headers = array( $columns, $hidden, $sortable );
348
349		$data = $this->query();
350
351		$total_items = $this->total_items();
352
353		$this->items = $data;
354
355		$this->set_pagination_args( array(
356		'total_items' => $total_items,
357		'per_page' => $this->per_page,
358		'total_pages' => ceil( $total_items / $this->per_page ),
359		) );
360		}
361		}
362

WordImpress / Give

Issues (4296)

Security Analysis not enabled

includes/admin/class-api-keys-table.php (8 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like