Issues in UrlQuery.php (master) - Issues in master - allejo/PhpPulse - Measure and Improve Code Quality continuously with Scrutinizer

Issues (40)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Utilities/UrlQuery.php (3 issues)

Labels

Documentation 3

Severity

Minor 3

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

/**
 * @copyright 2017 Vladimir Jimenez
 * @license   https://github.com/allejo/PhpPulse/blob/master/LICENSE.md MIT
 */

namespace allejo\DaPulse\Utilities;

use allejo\DaPulse\Exceptions\CurlException;
use allejo\DaPulse\Exceptions\HttpException;

/**
 * A wrapper class for working with cURL requests.
 *
 * This class configures cURL with all of the appropriate authentication information and proper cURL configuration for
 * processing requests.
 *
 * This class is provided as a convenience for all of the URL requests made by PhpPulse. This class may also be used
 * by external tools to make custom requests.
 *
 * @api
 * @package allejo\DaPulse\Utilities
 * @since   0.1.0
 */
class UrlQuery
{
    /**
     * Send a POST or PUT body as JSON instead of URL encoded values
     */
    const BODY_AS_JSON = 0x1;

    /**
     * The API endpoint that will be used in all requests
     *
     * @var string
     */
    private $url;

    /**
     * The cURL object this class is a wrapper for
     *
     * @var resource
     */
    private $cURL;

    /**
     * Configure all of the authentication needed for cURL requests and the API endpoint
     *
     * @param string $url       The API endpoint this instance will be calling
     * @param array  $urlParams Parameters that will be appended to the URL as GET parameters
     *
     * @since 0.1.0
     */
    public function __construct ($url, $urlParams)
    {
        $this->url  = $url . "?" . self::formatParameters($urlParams);
        $this->cURL = curl_init();

        $this->configureCurl();
    }

    /**
     * Clean up after ourselves; clean up the cURL object.
     */
    public function __destruct ()
    {
        curl_close($this->cURL);
    }

    /**
     * Set the credentials for basic authentication
     *
     * @param string $username The username basic authentication
     * @param string $password The password basic authentication
     *
     * @since 0.1.0
     *
     * @throws \InvalidArgumentException Either the username or the password was an empty or null string
     */
    public function setAuthentication ($username, $password)
    {
        if (StringUtilities::isNullOrEmpty($username) || StringUtilities::isNullOrEmpty($password))
        {
            throw new \InvalidArgumentException("Both the username and password must be non-empty strings.");
        }

        curl_setopt_array($this->cURL, [
            CURLOPT_HTTPAUTH => CURLAUTH_BASIC,
            CURLOPT_USERPWD  => $username . ":" . $password
        ]);
    }

    /**
     * Set cURL headers
     *
     * @param array $headers The headers that will be sent with cURL
     *
     * @since 0.1.0
     *
     * @throws \InvalidArgumentException The $headers parameter was not an array or it was an empty array
     */
    public function setHeaders ($headers)
    {
        if (empty($headers) || !is_array($headers))
        {
            throw new \InvalidArgumentException("The headers parameter must be a non-empty array");
        }

        curl_setopt_array($this->cURL, [
            CURLOPT_HEADER     => true,
            CURLOPT_HTTPHEADER => $headers
        ]);
    }

    /**
     * Send a GET request
     *
     * @since  0.1.0
     *
     * @return mixed  An associative array matching the returned JSON result
     */
    public function sendGet ()
    {
        return $this->handleQuery();
    }

    /**
     * Send a POST request
     *
     * @param  array    $postArray The data that will be sent to DaPulse
     * @param  null|int $flags     Available flags: BODY_AS_JSON
     *
     * @since  0.1.0
     *
     * @throws HttpException
     *
     * @return mixed An associative array matching the returned JSON result
     */
    public function sendPost ($postArray, $flags = null)
    {
        $this->setPostFields($postArray, $flags);
function acceptsInteger($int) { }

$x = '123'; // string "123"

// Instead of
acceptsInteger($x);

// we recommend to use
acceptsInteger((integer) $x);

        curl_setopt_array($this->cURL, [
            CURLOPT_POST          => true,
            CURLOPT_CUSTOMREQUEST => "POST"
        ]);

        return $this->handleQuery();
    }

    /**
     * Send a PUT request
     *
     * @param  array    $postArray The data that will be sent to DaPulse
     * @param  null|int $flags     Available flags: BODY_AS_JSON
     *
     * @since  0.1.0
     *
     * @return mixed  An associative array matching the returned JSON result
     */
    public function sendPut ($postArray, $flags = null)
    {
        $this->setPostFields($postArray, $flags);
function acceptsInteger($int) { }

$x = '123'; // string "123"

// Instead of
acceptsInteger($x);

// we recommend to use
acceptsInteger((integer) $x);

        curl_setopt($this->cURL, CURLOPT_CUSTOMREQUEST, "PUT");

        return $this->handleQuery();
    }

    /**
     * Send a DELETE request
     *
     * @since  0.1.0
     *
     * @return mixed  An associative array matching the returned JSON result
     */
    public function sendDelete ()
    {
        curl_setopt($this->cURL, CURLOPT_CUSTOMREQUEST, "DELETE");

        return $this->handleQuery();
    }

    /**
     * Set the POST fields that will be submitted in the cURL request
     *
     * @param string   $postArray The POST fields that will be sent to DaPulse
     * @param null|int $flags     Available flags: BODY_AS_JSON
     *
     * @since 0.1.0
     */
    private function setPostFields ($postArray, $flags)
    {
        if ($flags & self::BODY_AS_JSON)
        {
            $postData = json_encode($postArray);
        }
        else
        {
            $postData = self::formatParameters($postArray);
function acceptsInteger($int) { }

$x = '123'; // string "123"

// Instead of
acceptsInteger($x);

// we recommend to use
acceptsInteger((integer) $x);
        }

        curl_setopt($this->cURL, CURLOPT_POSTFIELDS, $postData);
    }

    /**
     * Handle the execution of the cURL request. This function will also save the returned HTTP headers and handle them
     * appropriately.
     *
     * @since  0.1.0
     *
     * @throws CurlException If cURL is misconfigured or encounters an error
     * @throws HttpException An HTTP status of something other 200 is returned
     *
     * @return mixed
     */
    private function handleQuery ()
    {
        $result   = $this->executeCurl();
        $httpCode = curl_getinfo($this->cURL, CURLINFO_HTTP_CODE);

        if ($httpCode != 200 && $httpCode != 201)
        {
            throw new HttpException($httpCode, $result);
        }

        return json_decode($result, true);
    }

    /**
     * Configure the cURL instance and its credentials for Basic Authentication that this instance will be working with
     *
     * @since 0.1.0
     */
    private function configureCurl ()
    {
        curl_setopt_array($this->cURL, [
            CURLOPT_URL            => $this->url,
            CURLOPT_RETURNTRANSFER => true
        ]);
    }

    /**
     * Execute the finalized cURL object that has already been configured
     *
     * @since  0.1.0
     *
     * @throws \allejo\DaPulse\Exceptions\CurlException If cURL is misconfigured or encounters an error
     *
     * @return mixed
     */
    private function executeCurl ()
    {
        $result = curl_exec($this->cURL);

        if (!$result)
        {
            throw new CurlException($this->cURL);
        }

        return $result;
    }

    /**
     * Format an array into a URL encoded values to be submitted in cURL requests
     *
     * **Input**
     *
     * ```php
     * array(
     *     "foo"   => "bar",
     *     "param" => "value"
     * )
     * ```
     *
     * **Output**
     *
     * ```php
     * array(
     *     "foo=bar",
     *     "param=value"
     * )
     * ```
     *
     * @param  array $params An array containing parameter names as keys and parameter values as values in the array.
     *
     * @since  0.1.0
     *
     * @return string         A URL encoded and combined array of GET or POST parameters to be sent
     */
    private static function formatParameters ($params)
    {
        $parameters = [];

        foreach ($params as $key => $value)
        {
            if (is_null($value))
            {
                continue;
            }
            else if (is_bool($value))
            {
                $value = StringUtilities::booleanLiteral($value);
            }
            else if (is_array($value))
            {
                $formattedArray = self::formatArray($key, $value);
                $parameters[]   = self::formatParameters($formattedArray);

                continue;
            }

            $parameters[] = rawurlencode($key) . "=" . rawurlencode($value);
        }

        return implode("&", $parameters);
    }

    /**
     * Convert an indexed array into an array that can be feed to `formatParameters()` to be formatted to an acceptable
     * structure to be sent via a GET or POST request.
     *
     * **Input**
     *
     * ```php
     * array(
     *     "first",
     *     "second",
     *     "third"
     * )
     * ```
     *
     * **Output**
     *
     * ```php
     * array(
     *     "prefix[0]" => "first",
     *     "prefix[1]" => "second",
     *     "prefix[2]" => "third",
     * )
     * ```
     *
     * @param  string   $prefix The name of the
     * @param  string[] $array
     *
     * @see    formatParameters()
     *
     * @since  0.1.0
     *
     * @return array
     */
    private static function formatArray ($prefix, $array)
    {
        $parameters = [];

        foreach ($array as $key => $value)
        {
            $arrayKey              = sprintf("%s[%s]", $prefix, $key);
            $parameters[$arrayKey] = $value;
        }

        return $parameters;
    }
}


1		<?php
2
3		/**
4		* @copyright 2017 Vladimir Jimenez
5		* @license https://github.com/allejo/PhpPulse/blob/master/LICENSE.md MIT
6		*/
7
8		namespace allejo\DaPulse\Utilities;
9
10		use allejo\DaPulse\Exceptions\CurlException;
11		use allejo\DaPulse\Exceptions\HttpException;
12
13		/**
14		* A wrapper class for working with cURL requests.
15		*
16		* This class configures cURL with all of the appropriate authentication information and proper cURL configuration for
17		* processing requests.
18		*
19		* This class is provided as a convenience for all of the URL requests made by PhpPulse. This class may also be used
20		* by external tools to make custom requests.
21		*
22		* @api
23		* @package allejo\DaPulse\Utilities
24		* @since 0.1.0
25		*/
26		class UrlQuery
27		{
28		/**
29		* Send a POST or PUT body as JSON instead of URL encoded values
30		*/
31		const BODY_AS_JSON = 0x1;
32
33		/**
34		* The API endpoint that will be used in all requests
35		*
36		* @var string
37		*/
38		private $url;
39
40		/**
41		* The cURL object this class is a wrapper for
42		*
43		* @var resource
44		*/
45		private $cURL;
46
47		/**
48		* Configure all of the authentication needed for cURL requests and the API endpoint
49		*
50		* @param string $url The API endpoint this instance will be calling
51		* @param array $urlParams Parameters that will be appended to the URL as GET parameters
52		*
53		* @since 0.1.0
54		*/
55	114	public function __construct ($url, $urlParams)
56		{
57	114	$this->url = $url . "?" . self::formatParameters($urlParams);
58	114	$this->cURL = curl_init();
59
60	114	$this->configureCurl();
61	114	}
62
63		/**
64		* Clean up after ourselves; clean up the cURL object.
65		*/
66	114	public function __destruct ()
67		{
68	114	curl_close($this->cURL);
69	114	}
70
71		/**
72		* Set the credentials for basic authentication
73		*
74		* @param string $username The username basic authentication
75		* @param string $password The password basic authentication
76		*
77		* @since 0.1.0
78		*
79		* @throws \InvalidArgumentException Either the username or the password was an empty or null string
80		*/
81		public function setAuthentication ($username, $password)
82		{
83		if (StringUtilities::isNullOrEmpty($username) \|\| StringUtilities::isNullOrEmpty($password))
84		{
85		throw new \InvalidArgumentException("Both the username and password must be non-empty strings.");
86		}
87
88		curl_setopt_array($this->cURL, [
89		CURLOPT_HTTPAUTH => CURLAUTH_BASIC,
90		CURLOPT_USERPWD => $username . ":" . $password
91		]);
92		}
93
94		/**
95		* Set cURL headers
96		*
97		* @param array $headers The headers that will be sent with cURL
98		*
99		* @since 0.1.0
100		*
101		* @throws \InvalidArgumentException The $headers parameter was not an array or it was an empty array
102		*/
103		public function setHeaders ($headers)
104		{
105		if (empty($headers) \|\| !is_array($headers))
106		{
107		throw new \InvalidArgumentException("The headers parameter must be a non-empty array");
108		}
109
110		curl_setopt_array($this->cURL, [
111		CURLOPT_HEADER => true,
112		CURLOPT_HTTPHEADER => $headers
113		]);
114		}
115
116		/**
117		* Send a GET request
118		*
119		* @since 0.1.0
120		*
121		* @return mixed An associative array matching the returned JSON result
122		*/
123	111	public function sendGet ()
124		{
125	111	return $this->handleQuery();
126		}
127
128		/**
129		* Send a POST request
130		*
131		* @param array $postArray The data that will be sent to DaPulse
132		* @param null\|int $flags Available flags: BODY_AS_JSON
133		*
134		* @since 0.1.0
135		*
136		* @throws HttpException
137		*
138		* @return mixed An associative array matching the returned JSON result
139		*/
140	9	public function sendPost ($postArray, $flags = null)
141		{
142	9	$this->setPostFields($postArray, $flags);
		0 ignored issues – show Documentation introduced 2016-04-26 16:14 UTC by Report Bug Copy Issue Report Show Similar Issues like this `$postArray` is of type `array`, but the function expects a `string`. It seems like the type of the argument is not accepted by the function/method which you are calling. In some cases, in particular if PHP’s automatic type-juggling kicks in this might be fine. In other cases, however this might be a bug. We suggest to add an explicit type cast like in the following example: function acceptsInteger($int) { } $x = '123'; // string "123" // Instead of acceptsInteger($x); // we recommend to use acceptsInteger((integer) $x); Loading history...
143
144	9	curl_setopt_array($this->cURL, [
145	9	CURLOPT_POST => true,
146	9	CURLOPT_CUSTOMREQUEST => "POST"
147		]);
148
149	9	return $this->handleQuery();
150		}
151
152		/**
153		* Send a PUT request
154		*
155		* @param array $postArray The data that will be sent to DaPulse
156		* @param null\|int $flags Available flags: BODY_AS_JSON
157		*
158		* @since 0.1.0
159		*
160		* @return mixed An associative array matching the returned JSON result
161		*/
162	11	public function sendPut ($postArray, $flags = null)
163		{
164	11	$this->setPostFields($postArray, $flags);
		0 ignored issues – show Documentation introduced 2015-11-24 07:30 UTC by Report Bug Copy Issue Report Show Similar Issues like this `$postArray` is of type `array`, but the function expects a `string`. It seems like the type of the argument is not accepted by the function/method which you are calling. In some cases, in particular if PHP’s automatic type-juggling kicks in this might be fine. In other cases, however this might be a bug. We suggest to add an explicit type cast like in the following example: function acceptsInteger($int) { } $x = '123'; // string "123" // Instead of acceptsInteger($x); // we recommend to use acceptsInteger((integer) $x); Loading history...
165
166	11	curl_setopt($this->cURL, CURLOPT_CUSTOMREQUEST, "PUT");
167
168	11	return $this->handleQuery();
169		}
170
171		/**
172		* Send a DELETE request
173		*
174		* @since 0.1.0
175		*
176		* @return mixed An associative array matching the returned JSON result
177		*/
178	6	public function sendDelete ()
179		{
180	6	curl_setopt($this->cURL, CURLOPT_CUSTOMREQUEST, "DELETE");
181
182	6	return $this->handleQuery();
183		}
184
185		/**
186		* Set the POST fields that will be submitted in the cURL request
187		*
188		* @param string $postArray The POST fields that will be sent to DaPulse
189		* @param null\|int $flags Available flags: BODY_AS_JSON
190		*
191		* @since 0.1.0
192		*/
193	20	private function setPostFields ($postArray, $flags)
194		{
195	20	if ($flags & self::BODY_AS_JSON)
196		{
197		$postData = json_encode($postArray);
198		}
199		else
200		{
201	20	$postData = self::formatParameters($postArray);
		0 ignored issues – show Documentation introduced 2015-11-24 07:30 UTC by Report Bug Copy Issue Report Show Similar Issues like this `$postArray` is of type `string`, but the function expects a `array`. It seems like the type of the argument is not accepted by the function/method which you are calling. In some cases, in particular if PHP’s automatic type-juggling kicks in this might be fine. In other cases, however this might be a bug. We suggest to add an explicit type cast like in the following example: function acceptsInteger($int) { } $x = '123'; // string "123" // Instead of acceptsInteger($x); // we recommend to use acceptsInteger((integer) $x); Loading history...
202		}
203
204	20	curl_setopt($this->cURL, CURLOPT_POSTFIELDS, $postData);
205	20	}
206
207		/**
208		* Handle the execution of the cURL request. This function will also save the returned HTTP headers and handle them
209		* appropriately.
210		*
211		* @since 0.1.0
212		*
213		* @throws CurlException If cURL is misconfigured or encounters an error
214		* @throws HttpException An HTTP status of something other 200 is returned
215		*
216		* @return mixed
217		*/
218	114	private function handleQuery ()
219		{
220	114	$result = $this->executeCurl();
221	114	$httpCode = curl_getinfo($this->cURL, CURLINFO_HTTP_CODE);
222
223	114	if ($httpCode != 200 && $httpCode != 201)
224		{
225	1	throw new HttpException($httpCode, $result);
226		}
227
228	114	return json_decode($result, true);
229		}
230
231		/**
232		* Configure the cURL instance and its credentials for Basic Authentication that this instance will be working with
233		*
234		* @since 0.1.0
235		*/
236	114	private function configureCurl ()
237		{
238	114	curl_setopt_array($this->cURL, [
239	114	CURLOPT_URL => $this->url,
240	114	CURLOPT_RETURNTRANSFER => true
241		]);
242	114	}
243
244		/**
245		* Execute the finalized cURL object that has already been configured
246		*
247		* @since 0.1.0
248		*
249		* @throws \allejo\DaPulse\Exceptions\CurlException If cURL is misconfigured or encounters an error
250		*
251		* @return mixed
252		*/
253	114	private function executeCurl ()
254		{
255	114	$result = curl_exec($this->cURL);
256
257	114	if (!$result)
258		{
259		throw new CurlException($this->cURL);
260		}
261
262	114	return $result;
263		}
264
265		/**
266		* Format an array into a URL encoded values to be submitted in cURL requests
267		*
268		* Input
269		*
270		* ```php
271		* array(
272		* "foo" => "bar",
273		* "param" => "value"
274		* )
275		* ```
276		*
277		* Output
278		*
279		* ```php
280		* array(
281		* "foo=bar",
282		* "param=value"
283		* )
284		* ```
285		*
286		* @param array $params An array containing parameter names as keys and parameter values as values in the array.
287		*
288		* @since 0.1.0
289		*
290		* @return string A URL encoded and combined array of GET or POST parameters to be sent
291		*/
292	114	private static function formatParameters ($params)
293		{
294	114	$parameters = [];
295
296	114	foreach ($params as $key => $value)
297		{
298	114	if (is_null($value))
299		{
300	1	continue;
301		}
302	114	else if (is_bool($value))
303		{
304	2	$value = StringUtilities::booleanLiteral($value);
305		}
306	114	else if (is_array($value))
307		{
308	2	$formattedArray = self::formatArray($key, $value);
309	2	$parameters[] = self::formatParameters($formattedArray);
310
311	2	continue;
312		}
313
314	114	$parameters[] = rawurlencode($key) . "=" . rawurlencode($value);
315		}
316
317	114	return implode("&", $parameters);
318		}
319
320		/**
321		* Convert an indexed array into an array that can be feed to `formatParameters()` to be formatted to an acceptable
322		* structure to be sent via a GET or POST request.
323		*
324		* Input
325		*
326		* ```php
327		* array(
328		* "first",
329		* "second",
330		* "third"
331		* )
332		* ```
333		*
334		* Output
335		*
336		* ```php
337		* array(
338		* "prefix[0]" => "first",
339		* "prefix[1]" => "second",
340		* "prefix[2]" => "third",
341		* )
342		* ```
343		*
344		* @param string $prefix The name of the
345		* @param string[] $array
346		*
347		* @see formatParameters()
348		*
349		* @since 0.1.0
350		*
351		* @return array
352		*/
353	2	private static function formatArray ($prefix, $array)
354		{
355	2	$parameters = [];
356
357	2	foreach ($array as $key => $value)
358		{
359	2	$arrayKey = sprintf("%s[%s]", $prefix, $key);
360	2	$parameters[$arrayKey] = $value;
361		}
362
363	2	return $parameters;
364		}
365		}
366

allejo / PhpPulse

Issues (40)

Security Analysis no request data

src/Utilities/UrlQuery.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like