Issues in TwitterOAuth.php (master) - Issues in master - abraham/twitteroauth - Measure and Improve Code Quality continuously with Scrutinizer

Issues (2)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/TwitterOAuth.php (1 issue)

Labels

Bug 1

Severity

Minor 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * The most popular PHP library for use with the Twitter OAuth REST API.
 *
 * @license MIT
 */
namespace Abraham\TwitterOAuth;

use Abraham\TwitterOAuth\Util\JsonDecoder;

/**
 * TwitterOAuth class for interacting with the Twitter API.
 *
 * @author Abraham Williams <[email protected]>
 */
class TwitterOAuth extends Config
{
    const API_VERSION = '1.1';
    const API_HOST = 'https://api.twitter.com';
    const UPLOAD_HOST = 'https://upload.twitter.com';

    /** @var Response details about the result of the last request */
    private $response;
    /** @var string|null Application bearer token */
    private $bearer;
    /** @var Consumer Twitter application details */
    private $consumer;
    /** @var Token|null User access token details */
    private $token;
    /** @var HmacSha1 OAuth 1 signature type used by Twitter */
    private $signatureMethod;
    /** @var int Number of attempts we made for the request */
    private $attempts = 0;

    /**
     * Constructor
     *
     * @param string      $consumerKey      The Application Consumer Key
     * @param string      $consumerSecret   The Application Consumer Secret
     * @param string|null $oauthToken       The Client Token (optional)
     * @param string|null $oauthTokenSecret The Client Token Secret (optional)
     */
    public function __construct($consumerKey, $consumerSecret, $oauthToken = null, $oauthTokenSecret = null)
    {
        $this->resetLastResponse();
        $this->signatureMethod = new HmacSha1();
        $this->consumer = new Consumer($consumerKey, $consumerSecret);
        if (!empty($oauthToken) && !empty($oauthTokenSecret)) {
            $this->setOauthToken($oauthToken, $oauthTokenSecret);
        }
        if (empty($oauthToken) && !empty($oauthTokenSecret)) {
            $this->setBearer($oauthTokenSecret);
        }
    }

    /**
     * @param string $oauthToken
     * @param string $oauthTokenSecret
     */
    public function setOauthToken($oauthToken, $oauthTokenSecret)
    {
        $this->token = new Token($oauthToken, $oauthTokenSecret);
        $this->bearer = null;
    }

    /**
     * @param string $oauthTokenSecret
     */
    public function setBearer($oauthTokenSecret)
    {
        $this->bearer = $oauthTokenSecret;
        $this->token = null;
    }

    /**
     * @return string|null
     */
    public function getLastApiPath()
    {
        return $this->response->getApiPath();
    }

    /**
     * @return int
     */
    public function getLastHttpCode()
    {
        return $this->response->getHttpCode();
    }

    /**
     * @return array
     */
    public function getLastXHeaders()
    {
        return $this->response->getXHeaders();
    }

    /**
     * @return array|object|null
     */
    public function getLastBody()
    {
        return $this->response->getBody();
    }

    /**
     * Resets the last response cache.
     */
    public function resetLastResponse()
    {
        $this->response = new Response();
    }

    /**
     * Resets the attempts number.
     */
    private function resetAttemptsNumber()
    {
        $this->attempts = 0;
    }

    /**
     * Delays the retries when they're activated.
     */
    private function sleepIfNeeded()
    {
        if ($this->maxRetries && $this->attempts) {
            sleep($this->retriesDelay);
        }
    }


    /**
     * Make URLs for user browser navigation.
     *
     * @param string $path
     * @param array  $parameters
     *
     * @return string
     */
    public function url($path, array $parameters)
    {
        $this->resetLastResponse();
        $this->response->setApiPath($path);
        $query = http_build_query($parameters);
        return sprintf('%s/%s?%s', self::API_HOST, $path, $query);
    }

    /**
     * Make /oauth/* requests to the API.
     *
     * @param string $path
     * @param array  $parameters
     *
     * @return array
     * @throws TwitterOAuthException
     */
    public function oauth($path, array $parameters = [])
    {
        $response = [];
        $this->resetLastResponse();
        $this->response->setApiPath($path);
        $url = sprintf('%s/%s', self::API_HOST, $path);
        $result = $this->oAuthRequest($url, 'POST', $parameters);

        if ($this->getLastHttpCode() != 200) {
            throw new TwitterOAuthException($result);
        }

        parse_str($result, $response);
        $this->response->setBody($response);
/**
 * @return array|string
 */
function returnsDifferentValues($x) {
    if ($x) {
        return 'foo';
    }

    return array();
}

$x = returnsDifferentValues($y);
if (is_array($x)) {
    // $x is an array.
}

        return $response;
    }

    /**
     * Make /oauth2/* requests to the API.
     *
     * @param string $path
     * @param array  $parameters
     *
     * @return array|object
     */
    public function oauth2($path, array $parameters = [])
    {
        $method = 'POST';
        $this->resetLastResponse();
        $this->response->setApiPath($path);
        $url = sprintf('%s/%s', self::API_HOST, $path);
        $request = Request::fromConsumerAndToken($this->consumer, $this->token, $method, $url, $parameters);
        $authorization = 'Authorization: Basic ' . $this->encodeAppAuthorization($this->consumer);
        $result = $this->request($request->getNormalizedHttpUrl(), $method, $authorization, $parameters);
        $response = JsonDecoder::decode($result, $this->decodeJsonAsArray);
        $this->response->setBody($response);
        return $response;
    }

    /**
     * Make GET requests to the API.
     *
     * @param string $path
     * @param array  $parameters
     *
     * @return array|object
     */
    public function get($path, array $parameters = [])
    {
        return $this->http('GET', self::API_HOST, $path, $parameters);
    }

    /**
     * Make POST requests to the API.
     *
     * @param string $path
     * @param array  $parameters
     *
     * @return array|object
     */
    public function post($path, array $parameters = [])
    {
        return $this->http('POST', self::API_HOST, $path, $parameters);
    }

    /**
     * Make DELETE requests to the API.
     *
     * @param string $path
     * @param array  $parameters
     *
     * @return array|object
     */
    public function delete($path, array $parameters = [])
    {
        return $this->http('DELETE', self::API_HOST, $path, $parameters);
    }

    /**
     * Make PUT requests to the API.
     *
     * @param string $path
     * @param array  $parameters
     *
     * @return array|object
     */
    public function put($path, array $parameters = [])
    {
        return $this->http('PUT', self::API_HOST, $path, $parameters);
    }

    /**
     * Upload media to upload.twitter.com.
     *
     * @param string $path
     * @param array  $parameters
     * @param boolean  $chunked
     *
     * @return array|object
     */
    public function upload($path, array $parameters = [], $chunked = false)
    {
        if ($chunked) {
            return $this->uploadMediaChunked($path, $parameters);
        } else {
            return $this->uploadMediaNotChunked($path, $parameters);
        }
    }

    /**
     * Private method to upload media (not chunked) to upload.twitter.com.
     *
     * @param string $path
     * @param array  $parameters
     *
     * @return array|object
     */
    private function uploadMediaNotChunked($path, array $parameters)
    {
        if (! is_readable($parameters['media']) ||
            ($file = file_get_contents($parameters['media'])) === false) {
            throw new \InvalidArgumentException('You must supply a readable file');
        }
        $parameters['media'] = base64_encode($file);
        return $this->http('POST', self::UPLOAD_HOST, $path, $parameters);
    }

    /**
     * Private method to upload media (chunked) to upload.twitter.com.
     *
     * @param string $path
     * @param array  $parameters
     *
     * @return array|object
     */
    private function uploadMediaChunked($path, array $parameters)
    {
        $init = $this->http('POST', self::UPLOAD_HOST, $path, $this->mediaInitParameters($parameters));
        // Append
        $segmentIndex = 0;
        $media = fopen($parameters['media'], 'rb');
        while (!feof($media)) {
            $this->http('POST', self::UPLOAD_HOST, 'media/upload', [
                'command' => 'APPEND',
                'media_id' => $init->media_id_string,
                'segment_index' => $segmentIndex++,
                'media_data' => base64_encode(fread($media, $this->chunkSize))
            ]);
        }
        fclose($media);
        // Finalize
        $finalize = $this->http('POST', self::UPLOAD_HOST, 'media/upload', [
            'command' => 'FINALIZE',
            'media_id' => $init->media_id_string
        ]);
        return $finalize;
    }

    /**
     * Private method to get params for upload media chunked init.
     * Twitter docs: https://dev.twitter.com/rest/reference/post/media/upload-init.html
     *
     * @param array  $parameters
     *
     * @return array
     */
    private function mediaInitParameters(array $parameters)
    {
        $return = [
            'command' => 'INIT',
            'media_type' => $parameters['media_type'],
            'total_bytes' => filesize($parameters['media'])
        ];
        if (isset($parameters['additional_owners'])) {
            $return['additional_owners'] = $parameters['additional_owners'];
        }
        if (isset($parameters['media_category'])) {
            $return['media_category'] = $parameters['media_category'];
        }
        return $return;
    }

    /**
     * @param string $method
     * @param string $host
     * @param string $path
     * @param array  $parameters
     *
     * @return array|object
     */
    private function http($method, $host, $path, array $parameters)
    {
        $this->resetLastResponse();
        $this->resetAttemptsNumber();
        $url = sprintf('%s/%s/%s.json', $host, self::API_VERSION, $path);
        $this->response->setApiPath($path);
        return $this->makeRequests($url, $method, $parameters);
    }

    /**
     *
     * Make requests and retry them (if enabled) in case of Twitter's problems.
     *
     * @param string $method
     * @param string $url
     * @param string $method
     * @param array  $parameters
     *
     * @return array|object
     */
    private function makeRequests($url, $method, array $parameters)
    {
        do {
            $this->sleepIfNeeded();
            $result = $this->oAuthRequest($url, $method, $parameters);
            $response = JsonDecoder::decode($result, $this->decodeJsonAsArray);
            $this->response->setBody($response);
            $this->attempts++;
            // Retry up to our $maxRetries number if we get errors greater than 500 (over capacity etc)
        } while ($this->requestsAvailable());

        return $response;
    }

    /**
     * Checks if we have to retry request if API is down.
     *
     * @return bool
     */
    private function requestsAvailable()
    {
        return ($this->maxRetries && ($this->attempts <= $this->maxRetries) && $this->getLastHttpCode() >= 500);
    }

    /**
     * Format and sign an OAuth / API request
     *
     * @param string $url
     * @param string $method
     * @param array  $parameters
     *
     * @return string
     * @throws TwitterOAuthException
     */
    private function oAuthRequest($url, $method, array $parameters)
    {
        $request = Request::fromConsumerAndToken($this->consumer, $this->token, $method, $url, $parameters);
        if (array_key_exists('oauth_callback', $parameters)) {
            // Twitter doesn't like oauth_callback as a parameter.
            unset($parameters['oauth_callback']);
        }
        if ($this->bearer === null) {
            $request->signRequest($this->signatureMethod, $this->consumer, $this->token);
            $authorization = $request->toHeader();
            if (array_key_exists('oauth_verifier', $parameters)) {
                // Twitter doesn't always work with oauth in the body and in the header
                // and it's already included in the $authorization header
                unset($parameters['oauth_verifier']);
            }
        } else {
            $authorization = 'Authorization: Bearer ' . $this->bearer;
        }
        return $this->request($request->getNormalizedHttpUrl(), $method, $authorization, $parameters);
    }

    /**
     * Set Curl options.
     *
     * @return array
     */
    private function curlOptions()
    {
        $options = [
            // CURLOPT_VERBOSE => true,
            CURLOPT_CONNECTTIMEOUT => $this->connectionTimeout,
            CURLOPT_HEADER => true,
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_SSL_VERIFYHOST => 2,
            CURLOPT_SSL_VERIFYPEER => true,
            CURLOPT_TIMEOUT => $this->timeout,
            CURLOPT_USERAGENT => $this->userAgent,
        ];

        if ($this->useCAFile()) {
            $options[CURLOPT_CAINFO] = __DIR__ . DIRECTORY_SEPARATOR . 'cacert.pem';
        }

        if ($this->gzipEncoding) {
            $options[CURLOPT_ENCODING] = 'gzip';
        }

        if (!empty($this->proxy)) {
            $options[CURLOPT_PROXY] = $this->proxy['CURLOPT_PROXY'];
            $options[CURLOPT_PROXYUSERPWD] = $this->proxy['CURLOPT_PROXYUSERPWD'];
            $options[CURLOPT_PROXYPORT] = $this->proxy['CURLOPT_PROXYPORT'];
            $options[CURLOPT_PROXYAUTH] = CURLAUTH_BASIC;
            $options[CURLOPT_PROXYTYPE] = CURLPROXY_HTTP;
        }

        return $options;
    }

    /**
     * Make an HTTP request
     *
     * @param string $url
     * @param string $method
     * @param string $authorization
     * @param array $postfields
     *
     * @return string
     * @throws TwitterOAuthException
     */
    private function request($url, $method, $authorization, array $postfields)
    {
        $options = $this->curlOptions();
        $options[CURLOPT_URL] = $url;
        $options[CURLOPT_HTTPHEADER] = ['Accept: application/json', $authorization, 'Expect:'];

        switch ($method) {
            case 'GET':
                break;
            case 'POST':
                $options[CURLOPT_POST] = true;
                $options[CURLOPT_POSTFIELDS] = Util::buildHttpQuery($postfields);
                break;
            case 'DELETE':
                $options[CURLOPT_CUSTOMREQUEST] = 'DELETE';
                break;
            case 'PUT':
                $options[CURLOPT_CUSTOMREQUEST] = 'PUT';
                break;
        }

        if (in_array($method, ['GET', 'PUT', 'DELETE']) && !empty($postfields)) {
            $options[CURLOPT_URL] .= '?' . Util::buildHttpQuery($postfields);
        }


        $curlHandle = curl_init();
        curl_setopt_array($curlHandle, $options);
        $response = curl_exec($curlHandle);

        // Throw exceptions on cURL errors.
        if (curl_errno($curlHandle) > 0) {
            throw new TwitterOAuthException(curl_error($curlHandle), curl_errno($curlHandle));
        }

        $this->response->setHttpCode(curl_getinfo($curlHandle, CURLINFO_HTTP_CODE));
        $parts = explode("\r\n\r\n", $response);
        $responseBody = array_pop($parts);
        $responseHeader = array_pop($parts);
        $this->response->setHeaders($this->parseHeaders($responseHeader));

        curl_close($curlHandle);

        return $responseBody;
    }

    /**
     * Get the header info to store.
     *
     * @param string $header
     *
     * @return array
     */
    private function parseHeaders($header)
    {
        $headers = [];
        foreach (explode("\r\n", $header) as $line) {
            if (strpos($line, ':') !== false) {
                list ($key, $value) = explode(': ', $line);
                $key = str_replace('-', '_', strtolower($key));
                $headers[$key] = trim($value);
            }
        }
        return $headers;
    }

    /**
     * Encode application authorization header with base64.
     *
     * @param Consumer $consumer
     *
     * @return string
     */
    private function encodeAppAuthorization(Consumer $consumer)
    {
        $key = rawurlencode($consumer->key);
        $secret = rawurlencode($consumer->secret);
        return base64_encode($key . ':' . $secret);
    }

    /**
     * Is the code running from a Phar module.
     *
     * @return boolean
     */
    private function pharRunning()
    {
        return class_exists('Phar') && \Phar::running(false) !== '';
    }

    /**
     * Use included CA file instead of OS provided list.
     *
     * @return boolean
     */
    private function useCAFile()
    {
        /* Use CACert file when not in a PHAR file. */
        return !$this->pharRunning();
    }
}


GitHub Access Token became invalid

Issues (2)

Security Analysis no request data

src/TwitterOAuth.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

1			<?php
2			/**
3			* The most popular PHP library for use with the Twitter OAuth REST API.
4			*
5			* @license MIT
6			*/
7			namespace Abraham\TwitterOAuth;
8
9			use Abraham\TwitterOAuth\Util\JsonDecoder;
10
11			/**
12			* TwitterOAuth class for interacting with the Twitter API.
13			*
14			* @author Abraham Williams <[email protected]>
15			*/
16			class TwitterOAuth extends Config
17			{
18			const API_VERSION = '1.1';
19			const API_HOST = 'https://api.twitter.com';
20			const UPLOAD_HOST = 'https://upload.twitter.com';
21
22			/** @var Response details about the result of the last request */
23			private $response;
24			/** @var string\|null Application bearer token */
25			private $bearer;
26			/** @var Consumer Twitter application details */
27			private $consumer;
28			/** @var Token\|null User access token details */
29			private $token;
30			/** @var HmacSha1 OAuth 1 signature type used by Twitter */
31			private $signatureMethod;
32			/** @var int Number of attempts we made for the request */
33			private $attempts = 0;
34
35			/**
36			* Constructor
37			*
38			* @param string $consumerKey The Application Consumer Key
39			* @param string $consumerSecret The Application Consumer Secret
40			* @param string\|null $oauthToken The Client Token (optional)
41			* @param string\|null $oauthTokenSecret The Client Token Secret (optional)
42			*/
43			public function __construct($consumerKey, $consumerSecret, $oauthToken = null, $oauthTokenSecret = null)
44			{
45			$this->resetLastResponse();
46			$this->signatureMethod = new HmacSha1();
47			$this->consumer = new Consumer($consumerKey, $consumerSecret);
48			if (!empty($oauthToken) && !empty($oauthTokenSecret)) {
49			$this->setOauthToken($oauthToken, $oauthTokenSecret);
50			}
51			if (empty($oauthToken) && !empty($oauthTokenSecret)) {
52			$this->setBearer($oauthTokenSecret);
53			}
54			}
55
56			/**
57			* @param string $oauthToken
58			* @param string $oauthTokenSecret
59			*/
60			public function setOauthToken($oauthToken, $oauthTokenSecret)
61			{
62			$this->token = new Token($oauthToken, $oauthTokenSecret);
63			$this->bearer = null;
64			}
65
66			/**
67			* @param string $oauthTokenSecret
68			*/
69			public function setBearer($oauthTokenSecret)
70			{
71			$this->bearer = $oauthTokenSecret;
72			$this->token = null;
73			}
74
75			/**
76			* @return string\|null
77			*/
78			public function getLastApiPath()
79			{
80			return $this->response->getApiPath();
81			}
82
83			/**
84			* @return int
85			*/
86			public function getLastHttpCode()
87			{
88			return $this->response->getHttpCode();
89			}
90
91			/**
92			* @return array
93			*/
94			public function getLastXHeaders()
95			{
96			return $this->response->getXHeaders();
97			}
98
99			/**
100			* @return array\|object\|null
101			*/
102			public function getLastBody()
103			{
104			return $this->response->getBody();
105			}
106
107			/**
108			* Resets the last response cache.
109			*/
110			public function resetLastResponse()
111			{
112			$this->response = new Response();
113			}
114
115			/**
116			* Resets the attempts number.
117			*/
118			private function resetAttemptsNumber()
119			{
120			$this->attempts = 0;
121			}
122
123			/**
124			* Delays the retries when they're activated.
125			*/
126			private function sleepIfNeeded()
127			{
128			if ($this->maxRetries && $this->attempts) {
129			sleep($this->retriesDelay);
130			}
131			}
132
133
134			/**
135			* Make URLs for user browser navigation.
136			*
137			* @param string $path
138			* @param array $parameters
139			*
140			* @return string
141			*/
142			public function url($path, array $parameters)
143			{
144			$this->resetLastResponse();
145			$this->response->setApiPath($path);
146			$query = http_build_query($parameters);
147			return sprintf('%s/%s?%s', self::API_HOST, $path, $query);
148			}
149
150			/**
151			* Make /oauth/* requests to the API.
152			*
153			* @param string $path
154			* @param array $parameters
155			*
156			* @return array
157			* @throws TwitterOAuthException
158			*/
159			public function oauth($path, array $parameters = [])
160			{
161			$response = [];
162			$this->resetLastResponse();
163			$this->response->setApiPath($path);
164			$url = sprintf('%s/%s', self::API_HOST, $path);
165			$result = $this->oAuthRequest($url, 'POST', $parameters);
166
167			if ($this->getLastHttpCode() != 200) {
168			throw new TwitterOAuthException($result);
169			}
170
171			parse_str($result, $response);
172			$this->response->setBody($response);
			0 ignored issues – show Bug introduced 2015-11-27 03:35 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `$response` can also be of type `null`; however, `Abraham\TwitterOAuth\Response::setBody()` does only seem to accept `array\|object`, maybe add an additional type check? If a method or function can return multiple different values and unless you are sure that you only can receive a single value in this context, we recommend to add an additional type check: /** * @return array\|string */ function returnsDifferentValues($x) { if ($x) { return 'foo'; } return array(); } $x = returnsDifferentValues($y); if (is_array($x)) { // $x is an array. } If this a common case that PHP Analyzer should handle natively, please let us know by opening an issue. Loading history...
173
174			return $response;
175			}
176
177			/**
178			* Make /oauth2/* requests to the API.
179			*
180			* @param string $path
181			* @param array $parameters
182			*
183			* @return array\|object
184			*/
185			public function oauth2($path, array $parameters = [])
186			{
187			$method = 'POST';
188			$this->resetLastResponse();
189			$this->response->setApiPath($path);
190			$url = sprintf('%s/%s', self::API_HOST, $path);
191			$request = Request::fromConsumerAndToken($this->consumer, $this->token, $method, $url, $parameters);
192			$authorization = 'Authorization: Basic ' . $this->encodeAppAuthorization($this->consumer);
193			$result = $this->request($request->getNormalizedHttpUrl(), $method, $authorization, $parameters);
194			$response = JsonDecoder::decode($result, $this->decodeJsonAsArray);
195			$this->response->setBody($response);
196			return $response;
197			}
198
199			/**
200			* Make GET requests to the API.
201			*
202			* @param string $path
203			* @param array $parameters
204			*
205			* @return array\|object
206			*/
207			public function get($path, array $parameters = [])
208			{
209			return $this->http('GET', self::API_HOST, $path, $parameters);
210			}
211
212			/**
213			* Make POST requests to the API.
214			*
215			* @param string $path
216			* @param array $parameters
217			*
218			* @return array\|object
219			*/
220			public function post($path, array $parameters = [])
221			{
222			return $this->http('POST', self::API_HOST, $path, $parameters);
223			}
224
225			/**
226			* Make DELETE requests to the API.
227			*
228			* @param string $path
229			* @param array $parameters
230			*
231			* @return array\|object
232			*/
233			public function delete($path, array $parameters = [])
234			{
235			return $this->http('DELETE', self::API_HOST, $path, $parameters);
236			}
237
238			/**
239			* Make PUT requests to the API.
240			*
241			* @param string $path
242			* @param array $parameters
243			*
244			* @return array\|object
245			*/
246			public function put($path, array $parameters = [])
247			{
248			return $this->http('PUT', self::API_HOST, $path, $parameters);
249			}
250
251			/**
252			* Upload media to upload.twitter.com.
253			*
254			* @param string $path
255			* @param array $parameters
256			* @param boolean $chunked
257			*
258			* @return array\|object
259			*/
260			public function upload($path, array $parameters = [], $chunked = false)
261			{
262			if ($chunked) {
263			return $this->uploadMediaChunked($path, $parameters);
264			} else {
265			return $this->uploadMediaNotChunked($path, $parameters);
266			}
267			}
268
269			/**
270			* Private method to upload media (not chunked) to upload.twitter.com.
271			*
272			* @param string $path
273			* @param array $parameters
274			*
275			* @return array\|object
276			*/
277			private function uploadMediaNotChunked($path, array $parameters)
278			{
279			if (! is_readable($parameters['media']) \|\|
280			($file = file_get_contents($parameters['media'])) === false) {
281			throw new \InvalidArgumentException('You must supply a readable file');
282			}
283			$parameters['media'] = base64_encode($file);
284			return $this->http('POST', self::UPLOAD_HOST, $path, $parameters);
285			}
286
287			/**
288			* Private method to upload media (chunked) to upload.twitter.com.
289			*
290			* @param string $path
291			* @param array $parameters
292			*
293			* @return array\|object
294			*/
295			private function uploadMediaChunked($path, array $parameters)
296			{
297			$init = $this->http('POST', self::UPLOAD_HOST, $path, $this->mediaInitParameters($parameters));
298			// Append
299			$segmentIndex = 0;
300			$media = fopen($parameters['media'], 'rb');
301			while (!feof($media)) {
302			$this->http('POST', self::UPLOAD_HOST, 'media/upload', [
303			'command' => 'APPEND',
304			'media_id' => $init->media_id_string,
305			'segment_index' => $segmentIndex++,
306			'media_data' => base64_encode(fread($media, $this->chunkSize))
307			]);
308			}
309			fclose($media);
310			// Finalize
311			$finalize = $this->http('POST', self::UPLOAD_HOST, 'media/upload', [
312			'command' => 'FINALIZE',
313			'media_id' => $init->media_id_string
314			]);
315			return $finalize;
316			}
317
318			/**
319			* Private method to get params for upload media chunked init.
320			* Twitter docs: https://dev.twitter.com/rest/reference/post/media/upload-init.html
321			*
322			* @param array $parameters
323			*
324			* @return array
325			*/
326			private function mediaInitParameters(array $parameters)
327			{
328			$return = [
329			'command' => 'INIT',
330			'media_type' => $parameters['media_type'],
331			'total_bytes' => filesize($parameters['media'])
332			];
333			if (isset($parameters['additional_owners'])) {
334			$return['additional_owners'] = $parameters['additional_owners'];
335			}
336			if (isset($parameters['media_category'])) {
337			$return['media_category'] = $parameters['media_category'];
338			}
339			return $return;
340			}
341
342			/**
343			* @param string $method
344			* @param string $host
345			* @param string $path
346			* @param array $parameters
347			*
348			* @return array\|object
349			*/
350			private function http($method, $host, $path, array $parameters)
351			{
352			$this->resetLastResponse();
353			$this->resetAttemptsNumber();
354			$url = sprintf('%s/%s/%s.json', $host, self::API_VERSION, $path);
355			$this->response->setApiPath($path);
356			return $this->makeRequests($url, $method, $parameters);
357			}
358
359			/**
360			*
361			* Make requests and retry them (if enabled) in case of Twitter's problems.
362			*
363			* @param string $method
364			* @param string $url
365			* @param string $method
366			* @param array $parameters
367			*
368			* @return array\|object
369			*/
370			private function makeRequests($url, $method, array $parameters)
371			{
372			do {
373			$this->sleepIfNeeded();
374			$result = $this->oAuthRequest($url, $method, $parameters);
375			$response = JsonDecoder::decode($result, $this->decodeJsonAsArray);
376			$this->response->setBody($response);
377			$this->attempts++;
378			// Retry up to our $maxRetries number if we get errors greater than 500 (over capacity etc)
379			} while ($this->requestsAvailable());
380
381			return $response;
382			}
383
384			/**
385			* Checks if we have to retry request if API is down.
386			*
387			* @return bool
388			*/
389			private function requestsAvailable()
390			{
391			return ($this->maxRetries && ($this->attempts <= $this->maxRetries) && $this->getLastHttpCode() >= 500);
392			}
393
394			/**
395			* Format and sign an OAuth / API request
396			*
397			* @param string $url
398			* @param string $method
399			* @param array $parameters
400			*
401			* @return string
402			* @throws TwitterOAuthException
403			*/
404			private function oAuthRequest($url, $method, array $parameters)
405			{
406			$request = Request::fromConsumerAndToken($this->consumer, $this->token, $method, $url, $parameters);
407			if (array_key_exists('oauth_callback', $parameters)) {
408			// Twitter doesn't like oauth_callback as a parameter.
409			unset($parameters['oauth_callback']);
410			}
411			if ($this->bearer === null) {
412			$request->signRequest($this->signatureMethod, $this->consumer, $this->token);
413			$authorization = $request->toHeader();
414			if (array_key_exists('oauth_verifier', $parameters)) {
415			// Twitter doesn't always work with oauth in the body and in the header
416			// and it's already included in the $authorization header
417			unset($parameters['oauth_verifier']);
418			}
419			} else {
420			$authorization = 'Authorization: Bearer ' . $this->bearer;
421			}
422			return $this->request($request->getNormalizedHttpUrl(), $method, $authorization, $parameters);
423			}
424
425			/**
426			* Set Curl options.
427			*
428			* @return array
429			*/
430			private function curlOptions()
431			{
432			$options = [
433			// CURLOPT_VERBOSE => true,
434			CURLOPT_CONNECTTIMEOUT => $this->connectionTimeout,
435			CURLOPT_HEADER => true,
436			CURLOPT_RETURNTRANSFER => true,
437			CURLOPT_SSL_VERIFYHOST => 2,
438			CURLOPT_SSL_VERIFYPEER => true,
439			CURLOPT_TIMEOUT => $this->timeout,
440			CURLOPT_USERAGENT => $this->userAgent,
441			];
442
443			if ($this->useCAFile()) {
444			$options[CURLOPT_CAINFO] = __DIR__ . DIRECTORY_SEPARATOR . 'cacert.pem';
445			}
446
447			if ($this->gzipEncoding) {
448			$options[CURLOPT_ENCODING] = 'gzip';
449			}
450
451			if (!empty($this->proxy)) {
452			$options[CURLOPT_PROXY] = $this->proxy['CURLOPT_PROXY'];
453			$options[CURLOPT_PROXYUSERPWD] = $this->proxy['CURLOPT_PROXYUSERPWD'];
454			$options[CURLOPT_PROXYPORT] = $this->proxy['CURLOPT_PROXYPORT'];
455			$options[CURLOPT_PROXYAUTH] = CURLAUTH_BASIC;
456			$options[CURLOPT_PROXYTYPE] = CURLPROXY_HTTP;
457			}
458
459			return $options;
460			}
461
462			/**
463			* Make an HTTP request
464			*
465			* @param string $url
466			* @param string $method
467			* @param string $authorization
468			* @param array $postfields
469			*
470			* @return string
471			* @throws TwitterOAuthException
472			*/
473			private function request($url, $method, $authorization, array $postfields)
474			{
475			$options = $this->curlOptions();
476			$options[CURLOPT_URL] = $url;
477			$options[CURLOPT_HTTPHEADER] = ['Accept: application/json', $authorization, 'Expect:'];
478
479			switch ($method) {
480			case 'GET':
481			break;
482			case 'POST':
483			$options[CURLOPT_POST] = true;
484			$options[CURLOPT_POSTFIELDS] = Util::buildHttpQuery($postfields);
485			break;
486			case 'DELETE':
487			$options[CURLOPT_CUSTOMREQUEST] = 'DELETE';
488			break;
489			case 'PUT':
490			$options[CURLOPT_CUSTOMREQUEST] = 'PUT';
491			break;
492			}
493
494			if (in_array($method, ['GET', 'PUT', 'DELETE']) && !empty($postfields)) {
495			$options[CURLOPT_URL] .= '?' . Util::buildHttpQuery($postfields);
496			}
497
498
499			$curlHandle = curl_init();
500			curl_setopt_array($curlHandle, $options);
501			$response = curl_exec($curlHandle);
502
503			// Throw exceptions on cURL errors.
504			if (curl_errno($curlHandle) > 0) {
505			throw new TwitterOAuthException(curl_error($curlHandle), curl_errno($curlHandle));
506			}
507
508			$this->response->setHttpCode(curl_getinfo($curlHandle, CURLINFO_HTTP_CODE));
509			$parts = explode("\r\n\r\n", $response);
510			$responseBody = array_pop($parts);
511			$responseHeader = array_pop($parts);
512			$this->response->setHeaders($this->parseHeaders($responseHeader));
513
514			curl_close($curlHandle);
515
516			return $responseBody;
517			}
518
519			/**
520			* Get the header info to store.
521			*
522			* @param string $header
523			*
524			* @return array
525			*/
526			private function parseHeaders($header)
527			{
528			$headers = [];
529			foreach (explode("\r\n", $header) as $line) {
530			if (strpos($line, ':') !== false) {
531			list ($key, $value) = explode(': ', $line);
532			$key = str_replace('-', '_', strtolower($key));
533			$headers[$key] = trim($value);
534			}
535			}
536			return $headers;
537			}
538
539			/**
540			* Encode application authorization header with base64.
541			*
542			* @param Consumer $consumer
543			*
544			* @return string
545			*/
546			private function encodeAppAuthorization(Consumer $consumer)
547			{
548			$key = rawurlencode($consumer->key);
549			$secret = rawurlencode($consumer->secret);
550			return base64_encode($key . ':' . $secret);
551			}
552
553			/**
554			* Is the code running from a Phar module.
555			*
556			* @return boolean
557			*/
558			private function pharRunning()
559			{
560			return class_exists('Phar') && \Phar::running(false) !== '';
561			}
562
563			/**
564			* Use included CA file instead of OS provided list.
565			*
566			* @return boolean
567			*/
568			private function useCAFile()
569			{
570			/* Use CACert file when not in a PHAR file. */
571			return !$this->pharRunning();
572			}
573			}
574

abraham / twitteroauth

GitHub Access Token became invalid

Issues (2)

Security Analysis no request data

src/TwitterOAuth.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like