Issues in PulseUpdate.php (master) - Issues in master - allejo/PhpPulse - Measure and Improve Code Quality continuously with Scrutinizer

Issues (40)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/PulseUpdate.php (3 issues)

Labels

Severity

Informational 3

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

/**
 * @copyright 2017 Vladimir Jimenez
 * @license   https://github.com/allejo/PhpPulse/blob/master/LICENSE.md MIT
 */

namespace allejo\DaPulse;

use allejo\DaPulse\Exceptions\InvalidObjectException;
use allejo\DaPulse\Objects\ApiObject;

/**
 * Class PulseUpdate
 *
 * @api
 * @package allejo\DaPulse
 * @since   0.1.0
 */
class PulseUpdate extends ApiObject
{
    const API_PREFIX = "updates";

    /**
     * User who wrote the update.
     *
     * @var array|PulseUser
     */
    protected $user;

    /**
     * The resource's URL.
     *
     * @var string
     */
    protected $url;

    /**
     * The update's body.
     *
     * @var string
     */
    protected $body;

    /**
     * The update's body in plain text
     *
     * @var string
     */
    protected $body_text;

    /**
     * The replies made to this update.
     *
     * @var array
     */
    protected $replies;

    /**
     * The update's kind.
     *
     * @var string
     */
    protected $kind;

    /**
     * The update's has_assets.
     *
     * @var string
     */
    protected $has_assets;

    /**
     * The update's assets.
     *
     * @var array
     */
    protected $assets;

    /**
     * Creation time.
     *
     * @var \DateTime
     */
    protected $created_at;

    /**
     * Last update time.
     *
     * @var \DateTime
     */
    protected $updated_at;

    // =================================================================================================================
    //   Getter functions
    // =================================================================================================================

    /**
     * User who wrote the update.
     *
     * @api
     *
     * @since  0.1.0
     *
     * @return PulseUser
     */
    public function getAuthor ()
    {
        $this->lazyLoad();
        self::lazyCast($this->user, "PulseUser");

        return $this->user;
    }

    /**
     * The resource's URL.
     *
     * @api
     *
     * @since  0.1.0
     *
     * @return string
     */
    public function getUrl ()
    {
        $this->lazyLoad();

        return $this->url;
    }

    /**
     * The update's id.
     *
     * @api
     *
     * @since  0.1.0
     *
     * @return string

     */
    public function getId ()
    {
        return $this->id;
    }

    /**
     * The update's body.
     *
     * @api
     *
     * @since  0.1.0
     *
     * @return string
     */
    public function getBody ()
    {
        $this->lazyLoad();

        return $this->body;
    }

    /**
     * The update's body in plain text
     *
     * @api
     *
     * @since  0.1.0
     *
     * @return string
     */
    public function getBodyText ()
    {
        $this->lazyLoad();

        return $this->body_text;
    }

    /**
     * The replies made to this update.
     *
     * @api
     *
     * @since  0.1.0
     *
     * @return static[]
     */
    public function getReplies ()
    {
        $this->lazyLoad();
        self::lazyCastAll($this->replies, "PulseUpdate");

        return $this->replies;
    }

    /**
     * The update's kind.
     *
     * @api
     *
     * @since  0.1.0
     *
     * @return string
     */
    public function getKind ()
    {
        $this->lazyLoad();

        return $this->kind;
    }

    /**
     * Get an array of this update's assets
     *
     * Sample array structure of assets
     *
     * ```
     * array(
     *   0 => array(
     *     'account_id' => 115448
     *     'big_geometry' => '250x250'
     *     'created_at' => '2017-01-21T09:45:28Z'
     *     'crocodoc_status' => null
     *     'crocodoc_uuid' => null
     *     'crocodoc_viewable' => true
     *     'desc' => null
     *     'holder_id' => 23611844
     *     'holder_type' => 'Post'
     *     'id' => 2401793
     *     'large_geometry' => '250x250'
     *     'metadata' => Array ()
     *     'original_geometry' => '250x250'
     *     'resource_content_type' => 'image/png'
     *     'resource_file_name' => 'sample.png'
     *     'resource_file_size' => 6077
     *     'thumb_big_geometry' => '250x250'
     *     'thumb_geometry' => '150x150'
     *     'updated_at' => '2017-01-21T09:45:32Z'
     *     'uploaded_by_id' => 303448
     *   )
     * )
     * ```
     *
     * @api
     *
     * @since  0.3.0 Documentation has been corrected; this returns an array
     * @since  0.1.0
     *
     * @return array
     */
    public function getAssets ()
    {
        $this->lazyLoad();

        return $this->assets;
    }

    /**
     * Creation time.
     *
     * @api
     *
     * @since  0.1.0
     *
     * @return \DateTime
     */
    public function getCreatedAt ()
    {
        $this->lazyLoad();
        self::lazyCast($this->created_at, '\DateTime');

        return $this->created_at;
    }

    /**
     * Last update time.
     *
     * @api
     *
     * @since  0.1.0
     *
     * @return \DateTime
     */
    public function getUpdatedAt ()
    {
        $this->lazyLoad();
        self::lazyCast($this->updated_at, '\DateTime');

        return $this->updated_at;
    }

    /**
     * Retrieve whether or not this update has any attachments
     *
     * @api
     *
     * @since  0.3.0 Previously was available as 'getHasAssets()'
     *
     * @return bool

     */
    public function hasAssets ()
    {
        $this->lazyLoad();

        return $this->has_assets;
    }

    // =================================================================================================================
    //   Modification functions
    // =================================================================================================================

    /**
     * Delete this update
     *
     * @api
     *
     * @since  0.1.0
     *
     * @throws InvalidObjectException if this PulseUpdate has already been deleted
     */
    public function deleteUpdate ()

    {
        $this->checkInvalid();

        $url = sprintf("%s/%d.json", self::apiEndpoint(), $this->getId());
        self::sendDelete($url);

        $this->deletedObject = true;
    }

    // =================================================================================================================
    //   Liking functions
    // =================================================================================================================

    /**
     * Have a user like an update
     *
     * @api
     *
     * @param int|PulseUser $user The user that will be liking/un-liking the update
     *
     * @since 0.1.0
     *
     * @throws \InvalidArgumentException if $user is not an integer, is not positive, or is not a PulseUser object
     *
     * @return bool Returns true on success
     */
    public function likeUpdate ($user)
    {
        return $this->likeUnlikeUpdate($user, true);
    }

    /**
     * Have a user unlike an update
     *
     * @api
     *
     * @param int|PulseUser $user The user that will be liking/un-liking the update
     *
     * @since 0.1.0
     *
     * @throws \InvalidArgumentException if $user is not an integer, is not positive, or is not a PulseUser object
     *
     * @return bool Returns true on success
     */
    public function unlikeUpdate ($user)
    {
        return $this->likeUnlikeUpdate($user, false);
    }

    /**
     * Like and un-liking functionality
     *
     * @param int|PulseUser $user The user that will be liking/un-liking the update
     * @param bool          $like True to like the update, false to unlike
     *
     * @throws \InvalidArgumentException if $user is not an integer, is not positive, or is not a PulseUser object
     *
     * @return bool Returns true on success
     */
    private function likeUnlikeUpdate ($user, $like)
    {
        $user   = PulseUser::_castToInt($user);
        $url    = sprintf("%s/%d/%s.json", self::apiEndpoint(), $this->getId(), (($like) ? "like" : "unlike"));
        $params = [
            "user" => $user
        ];

        return self::sendPost($url, $params);
    }

    // =================================================================================================================
    //   PulseUpdate functions
    // =================================================================================================================

    /**
     * Get all of the account's updates (ordered from newest to oldest)
     *
     * ```
     * array['since']         \DateTime - Get updates from a specific date
     *      ['until']         \DateTime - Get updates until a specific date
     *      ['updated_since'] \DateTime - Get updates that were edited or replied to after a specific date
     *      ['updated_until'] \DateTime - Get updates that were edited or replied to before a specific date
     * ```
     *
     * If you do not pass \DateTime objects, they should be strings of dates in the format, YYYY-mm-dd, or a unix
     * timestamp
     *
     * @api
     *
     * @param  array $params GET parameters passed to the URL (see above)
     *
     * @since  0.3.0 $params now accepts \DateTime objects and will be converted automatically. Strings will also try
     *               to be converted to Unix timestamps
     * @since  0.1.0
     *
     * @return PulseUpdate[]
     */
    public static function getUpdates ($params = [])
    {
        $url      = sprintf("%s.json", self::apiEndpoint());
        $dateKeys = [
            'since',
            'until',
            'updated_since',
            'updated_until'
        ];

        foreach ($params as $key => &$value)
        {
            if (in_array($key, $dateKeys))
            {
                if ($value instanceof \DateTime)
                {
                    $value = date_format($value, 'U'); // A unix timestamp will allow for hours & minutes
                }
                else if (($unix = strtotime($value)))
                {
                    $value = $unix;
                }
            }
        }

        return self::fetchAndCastToObjectArray($url, 'PulseUpdate', $params);
    }

    /**
     * Create a new update
     *
     * @api
     *
     * @param  int|PulseUser $user          The author of this post
     * @param  int|Pulse     $pulse         The Pulse to whom this update will belong to
     * @param  string        $text          The content of the update
     * @param  null|bool     $announceToAll Whether or not to announce this update to everyone's wall
     *
     * @since  0.3.0 An InvalidArgumentException can now be thrown
     * @since  0.1.0
     *
     * @throws \InvalidArgumentException if $user is not an integer, is not positive, or is not a PulseUser object
     *
     * @return PulseUpdate
     */
    public static function createUpdate ($user, $pulse, $text, $announceToAll = null)
    {
        $user   = PulseUser::_castToInt($user);
        $pulse  = ($pulse instanceof Pulse) ? $pulse->getId() : $pulse;
        $url    = sprintf("%s.json", self::apiEndpoint());
        $params = [
            "user"        => $user,
            "pulse"       => $pulse,
            "update_text" => $text
        ];

        self::setIfNotNullOrEmpty($params, "announcement", $announceToAll);

        $result = self::sendPost($url, $params);

        return (new PulseUpdate($result));
    }
}

1			<?php
2
3			/**
4			* @copyright 2017 Vladimir Jimenez
5			* @license https://github.com/allejo/PhpPulse/blob/master/LICENSE.md MIT
6			*/
7
8			namespace allejo\DaPulse;
9
10			use allejo\DaPulse\Exceptions\InvalidObjectException;
11			use allejo\DaPulse\Objects\ApiObject;
12
13			/**
14			* Class PulseUpdate
15			*
16			* @api
17			* @package allejo\DaPulse
18			* @since 0.1.0
19			*/
20			class PulseUpdate extends ApiObject
21			{
22			const API_PREFIX = "updates";
23
24			/**
25			* User who wrote the update.
26			*
27			* @var array\|PulseUser
28			*/
29			protected $user;
30
31			/**
32			* The resource's URL.
33			*
34			* @var string
35			*/
36			protected $url;
37
38			/**
39			* The update's body.
40			*
41			* @var string
42			*/
43			protected $body;
44
45			/**
46			* The update's body in plain text
47			*
48			* @var string
49			*/
50			protected $body_text;
51
52			/**
53			* The replies made to this update.
54			*
55			* @var array
56			*/
57			protected $replies;
58
59			/**
60			* The update's kind.
61			*
62			* @var string
63			*/
64			protected $kind;
65
66			/**
67			* The update's has_assets.
68			*
69			* @var string
70			*/
71			protected $has_assets;
72
73			/**
74			* The update's assets.
75			*
76			* @var array
77			*/
78			protected $assets;
79
80			/**
81			* Creation time.
82			*
83			* @var \DateTime
84			*/
85			protected $created_at;
86
87			/**
88			* Last update time.
89			*
90			* @var \DateTime
91			*/
92			protected $updated_at;
93
94			// =================================================================================================================
95			// Getter functions
96			// =================================================================================================================
97
98			/**
99			* User who wrote the update.
100			*
101			* @api
102			*
103			* @since 0.1.0
104			*
105			* @return PulseUser
106			*/
107	1		public function getAuthor ()
108			{
109	1		$this->lazyLoad();
110	1		self::lazyCast($this->user, "PulseUser");
111
112	1		return $this->user;
113			}
114
115			/**
116			* The resource's URL.
117			*
118			* @api
119			*
120			* @since 0.1.0
121			*
122			* @return string
123			*/
124	1		public function getUrl ()
125			{
126	1		$this->lazyLoad();
127
128	1		return $this->url;
129			}
130
131			/**
132			* The update's id.
133			*
134			* @api
135			*
136			* @since 0.1.0
137			*
138			* @return string
			0 ignored issues – show Documentation introduced 2017-01-23 22:48 UTC by Report Bug Copy Issue Report Show Similar Issues like this Should the return type not be `integer`? This check compares the return type specified in the `@return` annotation of a function or method doc comment with the types returned by the function and raises an issue if they mismatch. Loading history...
139			*/
140	4		public function getId ()
141			{
142	4		return $this->id;
143			}
144
145			/**
146			* The update's body.
147			*
148			* @api
149			*
150			* @since 0.1.0
151			*
152			* @return string
153			*/
154	2		public function getBody ()
155			{
156	2		$this->lazyLoad();
157
158	2		return $this->body;
159			}
160
161			/**
162			* The update's body in plain text
163			*
164			* @api
165			*
166			* @since 0.1.0
167			*
168			* @return string
169			*/
170	1		public function getBodyText ()
171			{
172	1		$this->lazyLoad();
173
174	1		return $this->body_text;
175			}
176
177			/**
178			* The replies made to this update.
179			*
180			* @api
181			*
182			* @since 0.1.0
183			*
184			* @return static[]
185			*/
186	3		public function getReplies ()
187			{
188	3		$this->lazyLoad();
189	3		self::lazyCastAll($this->replies, "PulseUpdate");
190
191	3		return $this->replies;
192			}
193
194			/**
195			* The update's kind.
196			*
197			* @api
198			*
199			* @since 0.1.0
200			*
201			* @return string
202			*/
203	1		public function getKind ()
204			{
205	1		$this->lazyLoad();
206
207	1		return $this->kind;
208			}
209
210			/**
211			* Get an array of this update's assets
212			*
213			* Sample array structure of assets
214			*
215			* ```
216			* array(
217			* 0 => array(
218			* 'account_id' => 115448
219			* 'big_geometry' => '250x250'
220			* 'created_at' => '2017-01-21T09:45:28Z'
221			* 'crocodoc_status' => null
222			* 'crocodoc_uuid' => null
223			* 'crocodoc_viewable' => true
224			* 'desc' => null
225			* 'holder_id' => 23611844
226			* 'holder_type' => 'Post'
227			* 'id' => 2401793
228			* 'large_geometry' => '250x250'
229			* 'metadata' => Array ()
230			* 'original_geometry' => '250x250'
231			* 'resource_content_type' => 'image/png'
232			* 'resource_file_name' => 'sample.png'
233			* 'resource_file_size' => 6077
234			* 'thumb_big_geometry' => '250x250'
235			* 'thumb_geometry' => '150x150'
236			* 'updated_at' => '2017-01-21T09:45:32Z'
237			* 'uploaded_by_id' => 303448
238			* )
239			* )
240			* ```
241			*
242			* @api
243			*
244			* @since 0.3.0 Documentation has been corrected; this returns an array
245			* @since 0.1.0
246			*
247			* @return array
248			*/
249	2		public function getAssets ()
250			{
251	2		$this->lazyLoad();
252
253	2		return $this->assets;
254			}
255
256			/**
257			* Creation time.
258			*
259			* @api
260			*
261			* @since 0.1.0
262			*
263			* @return \DateTime
264			*/
265	1		public function getCreatedAt ()
266			{
267	1		$this->lazyLoad();
268	1		self::lazyCast($this->created_at, '\DateTime');
269
270	1		return $this->created_at;
271			}
272
273			/**
274			* Last update time.
275			*
276			* @api
277			*
278			* @since 0.1.0
279			*
280			* @return \DateTime
281			*/
282	1		public function getUpdatedAt ()
283			{
284	1		$this->lazyLoad();
285	1		self::lazyCast($this->updated_at, '\DateTime');
286
287	1		return $this->updated_at;
288			}
289
290			/**
291			* Retrieve whether or not this update has any attachments
292			*
293			* @api
294			*
295			* @since 0.3.0 Previously was available as 'getHasAssets()'
296			*
297			* @return bool
			0 ignored issues – show Documentation introduced 2017-01-21 10:23 UTC by Report Bug Copy Issue Report Show Similar Issues like this Should the return type not be `string`? This check compares the return type specified in the `@return` annotation of a function or method doc comment with the types returned by the function and raises an issue if they mismatch. Loading history...
298			*/
299	1		public function hasAssets ()
300			{
301	1		$this->lazyLoad();
302
303	1		return $this->has_assets;
304			}
305
306			// =================================================================================================================
307			// Modification functions
308			// =================================================================================================================
309
310			/**
311			* Delete this update
312			*
313			* @api
314			*
315			* @since 0.1.0
316			*
317			* @throws InvalidObjectException if this PulseUpdate has already been deleted
318			*/
319		View Code Duplication	public function deleteUpdate ()
			0 ignored issues – show Duplication introduced 2018-01-11 16:51 UTC by Report Bug Copy Issue Report Show Similar Issues like this This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
320			{
321			$this->checkInvalid();
322
323			$url = sprintf("%s/%d.json", self::apiEndpoint(), $this->getId());
324			self::sendDelete($url);
325
326			$this->deletedObject = true;
327			}
328
329			// =================================================================================================================
330			// Liking functions
331			// =================================================================================================================
332
333			/**
334			* Have a user like an update
335			*
336			* @api
337			*
338			* @param int\|PulseUser $user The user that will be liking/un-liking the update
339			*
340			* @since 0.1.0
341			*
342			* @throws \InvalidArgumentException if $user is not an integer, is not positive, or is not a PulseUser object
343			*
344			* @return bool Returns true on success
345			*/
346	1		public function likeUpdate ($user)
347			{
348	1		return $this->likeUnlikeUpdate($user, true);
349			}
350
351			/**
352			* Have a user unlike an update
353			*
354			* @api
355			*
356			* @param int\|PulseUser $user The user that will be liking/un-liking the update
357			*
358			* @since 0.1.0
359			*
360			* @throws \InvalidArgumentException if $user is not an integer, is not positive, or is not a PulseUser object
361			*
362			* @return bool Returns true on success
363			*/
364	2		public function unlikeUpdate ($user)
365			{
366	2		return $this->likeUnlikeUpdate($user, false);
367			}
368
369			/**
370			* Like and un-liking functionality
371			*
372			* @param int\|PulseUser $user The user that will be liking/un-liking the update
373			* @param bool $like True to like the update, false to unlike
374			*
375			* @throws \InvalidArgumentException if $user is not an integer, is not positive, or is not a PulseUser object
376			*
377			* @return bool Returns true on success
378			*/
379	3		private function likeUnlikeUpdate ($user, $like)
380			{
381	3		$user = PulseUser::_castToInt($user);
382	3		$url = sprintf("%s/%d/%s.json", self::apiEndpoint(), $this->getId(), (($like) ? "like" : "unlike"));
383			$params = [
384	3		"user" => $user
385			];
386
387	3		return self::sendPost($url, $params);
388			}
389
390			// =================================================================================================================
391			// PulseUpdate functions
392			// =================================================================================================================
393
394			/**
395			* Get all of the account's updates (ordered from newest to oldest)
396			*
397			* ```
398			* array['since'] \DateTime - Get updates from a specific date
399			* ['until'] \DateTime - Get updates until a specific date
400			* ['updated_since'] \DateTime - Get updates that were edited or replied to after a specific date
401			* ['updated_until'] \DateTime - Get updates that were edited or replied to before a specific date
402			* ```
403			*
404			* If you do not pass \DateTime objects, they should be strings of dates in the format, YYYY-mm-dd, or a unix
405			* timestamp
406			*
407			* @api
408			*
409			* @param array $params GET parameters passed to the URL (see above)
410			*
411			* @since 0.3.0 $params now accepts \DateTime objects and will be converted automatically. Strings will also try
412			* to be converted to Unix timestamps
413			* @since 0.1.0
414			*
415			* @return PulseUpdate[]
416			*/
417	4		public static function getUpdates ($params = [])
418			{
419	4		$url = sprintf("%s.json", self::apiEndpoint());
420			$dateKeys = [
421	4		'since',
422			'until',
423			'updated_since',
424			'updated_until'
425			];
426
427	4		foreach ($params as $key => &$value)
428			{
429	3		if (in_array($key, $dateKeys))
430			{
431	3		if ($value instanceof \DateTime)
432			{
433	1		$value = date_format($value, 'U'); // A unix timestamp will allow for hours & minutes
434			}
435	2		else if (($unix = strtotime($value)))
436			{
437	3		$value = $unix;
438			}
439			}
440			}
441
442	4		return self::fetchAndCastToObjectArray($url, 'PulseUpdate', $params);
443			}
444
445			/**
446			* Create a new update
447			*
448			* @api
449			*
450			* @param int\|PulseUser $user The author of this post
451			* @param int\|Pulse $pulse The Pulse to whom this update will belong to
452			* @param string $text The content of the update
453			* @param null\|bool $announceToAll Whether or not to announce this update to everyone's wall
454			*
455			* @since 0.3.0 An InvalidArgumentException can now be thrown
456			* @since 0.1.0
457			*
458			* @throws \InvalidArgumentException if $user is not an integer, is not positive, or is not a PulseUser object
459			*
460			* @return PulseUpdate
461			*/
462	2		public static function createUpdate ($user, $pulse, $text, $announceToAll = null)
463			{
464	2		$user = PulseUser::_castToInt($user);
465	1		$pulse = ($pulse instanceof Pulse) ? $pulse->getId() : $pulse;
466	1		$url = sprintf("%s.json", self::apiEndpoint());
467			$params = [
468	1		"user" => $user,
469	1		"pulse" => $pulse,
470	1		"update_text" => $text
471			];
472
473	1		self::setIfNotNullOrEmpty($params, "announcement", $announceToAll);
474
475	1		$result = self::sendPost($url, $params);
476
477	1		return (new PulseUpdate($result));
478			}
479			}

allejo / PhpPulse

Issues (40)

Security Analysis no request data

src/PulseUpdate.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like