Issues in PayplugPaymentService.php (master) - Issues in master - alcalyn/payplug-bundle - Measure and Improve Code Quality continuously with Scrutinizer

Issues (3)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

Services/PayplugPaymentService.php (1 issue)

Labels

Documentation 1

Severity

Minor 1

Alcalyn 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace Alcalyn\PayplugBundle\Services;

use Symfony\Component\Routing\Router;
use Alcalyn\PayplugBundle\Model\Payment;
use Alcalyn\PayplugBundle\Exceptions\PayplugUndefinedAccountParameterException;

class PayplugPaymentService
{
    /**
     * Payplug url from account configuration
     * 
     * @var string
     */
    private $baseUrl;
    
    /**
     * Your private key from account configuration
     * 
     * @var string
     */
    private $privateKey;
    
    /**
     * Payplug url from sandbox account configuration
     * 
     * @var string
     */
    private $testBaseUrl;
    
    /**
     * Your private key from sandbox account configuration
     * 
     * @var string
     */
    private $testPrivateKey;
    
    /**
     * Is sandbox enabled
     * 
     * @var boolean
     */
    private $testEnabled;
    
    /**
     * IPN url
     * 
     * @var string
     */
    private $ipnUrl;
    
    /**
     * @param string $baseUrl
     * @param string $privateKey
     * @param string $testBaseUrl
     * @param string $testPrivateKey
     * @param boolean $testEnabled
     */
    public function __construct($baseUrl, $privateKey, $testBaseUrl, $testPrivateKey, $testEnabled)
    {
        $this->baseUrl = $baseUrl;
        $this->privateKey = $privateKey;
        $this->testBaseUrl = $testBaseUrl;
        $this->testPrivateKey = $testPrivateKey;
        $this->testEnabled = $testEnabled;
    }
    
    /**
     * Generate payment url for $payment
     * 
     * @param Payment $payment
     * @param boolean $sandbox set it to true or false to force test payment or real payment
     * 
     * @return string payment url
     * 
     * @throws PayplugUndefinedAccountParameterException if a parameter is missing
     */
    public function generateUrl(Payment $payment, $sandbox = null)
    {
        if (null === $sandbox ? $this->testEnabled : $sandbox) {
            return $this->generateUrlFrom($payment, $this->testBaseUrl, $this->testPrivateKey, true);
        } else {
            return $this->generateUrlFrom($payment, $this->baseUrl, $this->privateKey, false);
        }
    }
    
    /**
     * Generate payment url for $payment from given parameters
     * 
     * @param Payment $payment
     * @param string $baseUrl
     * @param string $privateKey
     * @param boolean $isTest
     * 
     * @return string payment url
     * 
     * @throws PayplugUndefinedAccountParameterException if a parameter is missing
     */
    private function generateUrlFrom(Payment $payment, $baseUrl, $privateKey, $isTest)
    {
        $testParam = $isTest ? 'sandbox_' : '' ;
        
        if (null === $privateKey) {
            throw new PayplugUndefinedAccountParameterException('payplug_'.$testParam.'account_yourPrivateKey');
        }
        
        if (null === $baseUrl) {
            throw new PayplugUndefinedAccountParameterException('payplug_'.$testParam.'account_url');
        }
        
        // Prepare payment parameters
        $this->affectDefaultIpnUrlToPayment($payment);
        $params = $this->convertPaymentToArray($payment);
        
        // Create data parameter
        $url_params = http_build_query($params);
        $data = urlencode(base64_encode($url_params));
        
        // Create signature parameter
        $signature = null;
        $privatekey = openssl_pkey_get_private($privateKey);
        openssl_sign($url_params, $signature, $privatekey, OPENSSL_ALGO_SHA1);
        $signatureBase64 = urlencode(base64_encode($signature));
        
        return $baseUrl . '?data=' . $data . '&sign=' . $signatureBase64;
    }
    
    /**
     * Return default ipn url used by the bundle (Something like "http://yoursite.com/payplug_ipn").
     * 
     * @return string
     */
    public function getIpnUrl()
    {
        return $this->ipnUrl;
    }
    
    /**
     * Set default ipn url used by the bundle (Something like "http://yoursite.com/payplug_ipn").
     * 
     * @param string $ipnUrl
     * 
     * @return PayplugPaymentService
     */
    public function setIpnUrl($ipnUrl)
    {
        $this->ipnUrl = $ipnUrl;
        
        return $this;
    }
    
    /**
     * Set default ipn url used by the bundle
     * based on the ipn route payplug_ipn.
     * 
     * @param Router $router
     * 
     * @return PayplugPaymentService
     */
    public function setIpnUrlFromRouter(Router $router)
    {
        return $this->setIpnUrl($router->generate('payplug_ipn', array(), true));
function acceptsInteger($int) { }

$x = '123'; // string "123"

// Instead of
acceptsInteger($x);

// we recommend to use
acceptsInteger((integer) $x);
    }
    
    /**
     * Set automatically ipn url to the default used by this bundle if not set by user
     * 
     * @param Payment $payment
     * 
     * @return PayplugPaymentService
     */
    private function affectDefaultIpnUrlToPayment(Payment $payment)
    {
        if (null === $payment->getIpnUrl()) {
            $payment->setIpnUrl($this->getIpnUrl());
        }
        
        return $this;
    }
    
    /**
     * @param Payment $payment
     * 
     * @return array
     */
    private function convertPaymentToArray(Payment $payment)
    {
        return array(
            'amount'        => $payment->getAmount(),
            'currency'      => $payment->getCurrency(),
            'ipn_url'       => $payment->getIpnUrl(),
            'return_url'    => $payment->getReturnUrl(),
            'cancel_url'    => $payment->getCancelUrl(),
            'email'         => $payment->getEmail(),
            'first_name'    => $payment->getFirstName(),
            'last_name'     => $payment->getLastName(),
            'customer'      => $payment->getCustomer(),
            'order'         => $payment->getOrder(),
            'custom_data'   => $payment->getCustomData(),
            'origin'        => $payment->getOrigin(),
        );
    }
}


1			<?php
2
3			namespace Alcalyn\PayplugBundle\Services;
4
5			use Symfony\Component\Routing\Router;
6			use Alcalyn\PayplugBundle\Model\Payment;
7			use Alcalyn\PayplugBundle\Exceptions\PayplugUndefinedAccountParameterException;
8
9			class PayplugPaymentService
10			{
11			/**
12			* Payplug url from account configuration
13			*
14			* @var string
15			*/
16			private $baseUrl;
17
18			/**
19			* Your private key from account configuration
20			*
21			* @var string
22			*/
23			private $privateKey;
24
25			/**
26			* Payplug url from sandbox account configuration
27			*
28			* @var string
29			*/
30			private $testBaseUrl;
31
32			/**
33			* Your private key from sandbox account configuration
34			*
35			* @var string
36			*/
37			private $testPrivateKey;
38
39			/**
40			* Is sandbox enabled
41			*
42			* @var boolean
43			*/
44			private $testEnabled;
45
46			/**
47			* IPN url
48			*
49			* @var string
50			*/
51			private $ipnUrl;
52
53			/**
54			* @param string $baseUrl
55			* @param string $privateKey
56			* @param string $testBaseUrl
57			* @param string $testPrivateKey
58			* @param boolean $testEnabled
59			*/
60			public function __construct($baseUrl, $privateKey, $testBaseUrl, $testPrivateKey, $testEnabled)
61			{
62			$this->baseUrl = $baseUrl;
63			$this->privateKey = $privateKey;
64			$this->testBaseUrl = $testBaseUrl;
65			$this->testPrivateKey = $testPrivateKey;
66			$this->testEnabled = $testEnabled;
67			}
68
69			/**
70			* Generate payment url for $payment
71			*
72			* @param Payment $payment
73			* @param boolean $sandbox set it to true or false to force test payment or real payment
74			*
75			* @return string payment url
76			*
77			* @throws PayplugUndefinedAccountParameterException if a parameter is missing
78			*/
79			public function generateUrl(Payment $payment, $sandbox = null)
80			{
81			if (null === $sandbox ? $this->testEnabled : $sandbox) {
82			return $this->generateUrlFrom($payment, $this->testBaseUrl, $this->testPrivateKey, true);
83			} else {
84			return $this->generateUrlFrom($payment, $this->baseUrl, $this->privateKey, false);
85			}
86			}
87
88			/**
89			* Generate payment url for $payment from given parameters
90			*
91			* @param Payment $payment
92			* @param string $baseUrl
93			* @param string $privateKey
94			* @param boolean $isTest
95			*
96			* @return string payment url
97			*
98			* @throws PayplugUndefinedAccountParameterException if a parameter is missing
99			*/
100			private function generateUrlFrom(Payment $payment, $baseUrl, $privateKey, $isTest)
101			{
102			$testParam = $isTest ? 'sandbox_' : '' ;
103
104			if (null === $privateKey) {
105			throw new PayplugUndefinedAccountParameterException('payplug_'.$testParam.'account_yourPrivateKey');
106			}
107
108			if (null === $baseUrl) {
109			throw new PayplugUndefinedAccountParameterException('payplug_'.$testParam.'account_url');
110			}
111
112			// Prepare payment parameters
113			$this->affectDefaultIpnUrlToPayment($payment);
114			$params = $this->convertPaymentToArray($payment);
115
116			// Create data parameter
117			$url_params = http_build_query($params);
118			$data = urlencode(base64_encode($url_params));
119
120			// Create signature parameter
121			$signature = null;
122			$privatekey = openssl_pkey_get_private($privateKey);
123			openssl_sign($url_params, $signature, $privatekey, OPENSSL_ALGO_SHA1);
124			$signatureBase64 = urlencode(base64_encode($signature));
125
126			return $baseUrl . '?data=' . $data . '&sign=' . $signatureBase64;
127			}
128
129			/**
130			* Return default ipn url used by the bundle (Something like "http://yoursite.com/payplug_ipn").
131			*
132			* @return string
133			*/
134			public function getIpnUrl()
135			{
136			return $this->ipnUrl;
137			}
138
139			/**
140			* Set default ipn url used by the bundle (Something like "http://yoursite.com/payplug_ipn").
141			*
142			* @param string $ipnUrl
143			*
144			* @return PayplugPaymentService
145			*/
146			public function setIpnUrl($ipnUrl)
147			{
148			$this->ipnUrl = $ipnUrl;
149
150			return $this;
151			}
152
153			/**
154			* Set default ipn url used by the bundle
155			* based on the ipn route payplug_ipn.
156			*
157			* @param Router $router
158			*
159			* @return PayplugPaymentService
160			*/
161			public function setIpnUrlFromRouter(Router $router)
162			{
163			return $this->setIpnUrl($router->generate('payplug_ipn', array(), true));
			0 ignored issues – show Documentation introduced 2015-12-09 22:12 UTC by Report Bug Copy Issue Report Show Similar Issues like this `true` is of type `boolean`, but the function expects a `integer`. It seems like the type of the argument is not accepted by the function/method which you are calling. In some cases, in particular if PHP’s automatic type-juggling kicks in this might be fine. In other cases, however this might be a bug. We suggest to add an explicit type cast like in the following example: function acceptsInteger($int) { } $x = '123'; // string "123" // Instead of acceptsInteger($x); // we recommend to use acceptsInteger((integer) $x); Loading history...
164			}
165
166			/**
167			* Set automatically ipn url to the default used by this bundle if not set by user
168			*
169			* @param Payment $payment
170			*
171			* @return PayplugPaymentService
172			*/
173			private function affectDefaultIpnUrlToPayment(Payment $payment)
174			{
175			if (null === $payment->getIpnUrl()) {
176			$payment->setIpnUrl($this->getIpnUrl());
177			}
178
179			return $this;
180			}
181
182			/**
183			* @param Payment $payment
184			*
185			* @return array
186			*/
187			private function convertPaymentToArray(Payment $payment)
188			{
189			return array(
190			'amount' => $payment->getAmount(),
191			'currency' => $payment->getCurrency(),
192			'ipn_url' => $payment->getIpnUrl(),
193			'return_url' => $payment->getReturnUrl(),
194			'cancel_url' => $payment->getCancelUrl(),
195			'email' => $payment->getEmail(),
196			'first_name' => $payment->getFirstName(),
197			'last_name' => $payment->getLastName(),
198			'customer' => $payment->getCustomer(),
199			'order' => $payment->getOrder(),
200			'custom_data' => $payment->getCustomData(),
201			'origin' => $payment->getOrigin(),
202			);
203			}
204			}
205

alcalyn / payplug-bundle

Issues (3)

Security Analysis not enabled

Services/PayplugPaymentService.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like