Issues in ContextSession.php (master) - Issues in master - appserver-io/rmi - Measure and Improve Code Quality continuously with Scrutinizer

Issues (18)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

RemoteMethodInvocation/ContextSession.php (4 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

/**
 * AppserverIo\RemoteMethodInvocation\RemoteMethod
 *
 * NOTICE OF LICENSE
 *
 * This source file is subject to the Open Software License (OSL 3.0)
 * that is available through the world-wide-web at this URL:
 * http://opensource.org/licenses/osl-3.0.php
 *
 * PHP version 5
 *
 * @author    Tim Wagner <[email protected]>
 * @author    Bernhard Wick <[email protected]>
 * @copyright 2015 TechDivision GmbH <[email protected]>
 * @license   http://opensource.org/licenses/osl-3.0.php Open Software License (OSL 3.0)
 * @link      https://github.com/appserver-io/rmi
 * @link      http://www.appserver.io
 */

namespace AppserverIo\RemoteMethodInvocation;

use AppserverIo\Collections\HashMap;
use AppserverIo\Psr\Servlet\Http\HttpServletRequestInterface;

/**
 * The interface for the remote connection.
 *
 * @author    Tim Wagner <[email protected]>
 * @author    Bernhard Wick <[email protected]>
 * @copyright 2015 TechDivision GmbH <[email protected]>
 * @license   http://opensource.org/licenses/osl-3.0.php Open Software License (OSL 3.0)
 * @link      https://github.com/appserver-io/rmi
 * @link      http://www.appserver.io
 */
class ContextSession extends HashMap implements SessionInterface
{

    /**
     * The connection instances.
     *
     * @var array
     */
    protected $connections = null;

    /**
     * The session ID used for the connection.
     *
     * @var string
     */
    protected $sessionId = null;

    /**
     * The servlet request to load the session ID used for the connection.
     *
     * @var string
     */
    protected $servletRequest = null;

    /**
     * Initializes the session with the connection.
     *
     * @param \AppserverIo\RemoteMethodInvocation\ConnectionInterface $connection The connection for the session
     */
    public function __construct(ConnectionInterface $connection)
    {

        // parent constructor to ensure property preset
        parent::__construct(null);
function acceptsInteger($int) { }

$x = '123'; // string "123"

// Instead of
acceptsInteger($x);

// we recommend to use
acceptsInteger((integer) $x);

        // initialize the array for the collections
        $this->connections = array();

        // add the passed connection
        $this->addConnection($connection);
    }

    /**
     * Injects the servlet request to load the session ID, for the remote method call, from.
     *
     * @param \AppserverIo\Psr\Servlet\Http\HttpServletRequestInterface $servletRequest The servlet request instance to inject
     *
     * @return void
     */
    public function injectServletRequest(HttpServletRequestInterface $servletRequest)
    {
        $this->servletRequest = $servletRequest;

    }

    /**
     * Returns the servlet request instance to load the session ID from.
     *
     * @return \AppserverIo\Psr\Servlet\Http\HttpServletRequestInterface The servlet request instance
     */
    public function getServletRequest()
    {
        return $this->servletRequest;
    }

    /**
     * Add's the passed connection to the session's connection collection.
     *
     * @param \AppserverIo\RemoteMethodInvocation\ConnectionInterface $connection The connection instance to add
     *
     * @return void
     */
    public function addConnection(ConnectionInterface $connection)
    {
        $this->connections[] = $connection;
    }

    /**
     * Returns the collection with the session's connections.
     *
     * @return array The collection with the session's connections
     */
    public function getConnections()
    {
        return $this->connections;
    }

    /**
     * Returns the connection instance.
     *
     * @param integer $key The key of the connection to return
     *
     * @return \AppserverIo\RemoteMethodInvocation\ConnectionInterface The connection instance
     */
    public function getConnection($key = 0)
    {
        return $this->connections[$key];
    }

    /**
     * Returns the ID of the session to use for connecting to the SFSBs.
     *
     * @return string The session ID
     * @see \AppserverIo\RemoteMethodInvocation\SessionInterface::getSessionId()
     */
    public function getSessionId()
    {

        // this is necessary, because in most cases, the session will be started after the
        // SFSB has been injected, so we've to query for a session in method invocation

        // query whether we've a HTTP session ID in the servlet request.
        /** \AppserverIo\Psr\Servlet\Http\HttpSessionInterface $session */
        if ($this->getServletRequest() && $session = $this->getServletRequest()->getSession()) {

            return $session->getId();
        }

        // query whether we've a session ID that has been manually set
        if ($this->sessionId != null) {
            return $this->sessionId;
        }
    }

    /**
     * The session ID to use.
     *
     * @param string $sessionId The session ID to use
     *
     * @return void
     */
    public function setSessionId($sessionId)
    {
        $this->sessionId = $sessionId;
    }

    /**
     * Invokes the remote method over the connection.
     *
     * @param \AppserverIo\RemoteMethodInvocation\RemoteMethodInterface $remoteMethod The remote method call to invoke
     *
     * @return mixed the method return value
     * @see \AppserverIo\RemoteMethodInvocation\SessionInterface::send()
     * @todo Refactor to replace check for 'setSession' method, e. g. check for an interface

     */
    public function send(RemoteMethodInterface $remoteMethod)
    {

        // create an array to store connection response temporarily
        $responses = array();

        // iterate over all connections and invoke the remote method call
        foreach ($this->getConnections() as $key => $connection) {
            // invoke the remote method on the connection
            $responses[$key] = $connection->send($remoteMethod);

            // check if a proxy has been returned
            if (method_exists($responses[$key], 'setSession')) {
                $responses[$key]->setSession($this);
            }
        }

        // return the response of the first connection
        return reset($responses);
    }

    /**
     * Creates a remote initial context instance.
     *
     * @return \AppserverIo\RemoteMethodInvocation\RemoteObjectInterface The proxy for the initial context
     * @see \AppserverIo\RemoteMethodInvocation\SessionInterface::createInitialContext()
     */
    public function createInitialContext()
    {
        $initialContext = new InitialContextProxy();
        $initialContext->__setSession($this);
        return $initialContext;
    }
}


1		<?php
2
3		/**
4		* AppserverIo\RemoteMethodInvocation\RemoteMethod
5		*
6		* NOTICE OF LICENSE
7		*
8		* This source file is subject to the Open Software License (OSL 3.0)
9		* that is available through the world-wide-web at this URL:
10		* http://opensource.org/licenses/osl-3.0.php
11		*
12		* PHP version 5
13		*
14		* @author Tim Wagner <[email protected]>
15		* @author Bernhard Wick <[email protected]>
16		* @copyright 2015 TechDivision GmbH <[email protected]>
17		* @license http://opensource.org/licenses/osl-3.0.php Open Software License (OSL 3.0)
18		* @link https://github.com/appserver-io/rmi
19		* @link http://www.appserver.io
20		*/
21
22		namespace AppserverIo\RemoteMethodInvocation;
23
24		use AppserverIo\Collections\HashMap;
25		use AppserverIo\Psr\Servlet\Http\HttpServletRequestInterface;
26
27		/**
28		* The interface for the remote connection.
29		*
30		* @author Tim Wagner <[email protected]>
31		* @author Bernhard Wick <[email protected]>
32		* @copyright 2015 TechDivision GmbH <[email protected]>
33		* @license http://opensource.org/licenses/osl-3.0.php Open Software License (OSL 3.0)
34		* @link https://github.com/appserver-io/rmi
35		* @link http://www.appserver.io
36		*/
37		class ContextSession extends HashMap implements SessionInterface
38		{
39
40		/**
41		* The connection instances.
42		*
43		* @var array
44		*/
45		protected $connections = null;
46
47		/**
48		* The session ID used for the connection.
49		*
50		* @var string
51		*/
52		protected $sessionId = null;
53
54		/**
55		* The servlet request to load the session ID used for the connection.
56		*
57		* @var string
58		*/
59		protected $servletRequest = null;
60
61		/**
62		* Initializes the session with the connection.
63		*
64		* @param \AppserverIo\RemoteMethodInvocation\ConnectionInterface $connection The connection for the session
65		*/
66	1	public function __construct(ConnectionInterface $connection)
67		{
68
69		// parent constructor to ensure property preset
70	1	parent::__construct(null);
		0 ignored issues – show Documentation introduced 2015-12-21 13:46 UTC by Report Bug Copy Issue Report Show Similar Issues like this `null` is of type `null`, but the function expects a `array`. It seems like the type of the argument is not accepted by the function/method which you are calling. In some cases, in particular if PHP’s automatic type-juggling kicks in this might be fine. In other cases, however this might be a bug. We suggest to add an explicit type cast like in the following example: function acceptsInteger($int) { } $x = '123'; // string "123" // Instead of acceptsInteger($x); // we recommend to use acceptsInteger((integer) $x); Loading history...
71
72		// initialize the array for the collections
73	1	$this->connections = array();
74
75		// add the passed connection
76	1	$this->addConnection($connection);
77	1	}
78
79		/**
80		* Injects the servlet request to load the session ID, for the remote method call, from.
81		*
82		* @param \AppserverIo\Psr\Servlet\Http\HttpServletRequestInterface $servletRequest The servlet request instance to inject
83		*
84		* @return void
85		*/
86		public function injectServletRequest(HttpServletRequestInterface $servletRequest)
87		{
88		$this->servletRequest = $servletRequest;
		0 ignored issues – show Documentation Bug introduced 2015-12-21 13:46 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `$servletRequest` of type `object<AppserverIo\Psr\S...ervletRequestInterface>` is incompatible with the declared type `string` of property `$servletRequest`. Our type inference engine has found an assignment to a property that is incompatible with the declared type of that property. Either this assignment is in error or the assigned type should be added to the documentation/type hint for that property.. Loading history...
89		}
90
91		/**
92		* Returns the servlet request instance to load the session ID from.
93		*
94		* @return \AppserverIo\Psr\Servlet\Http\HttpServletRequestInterface The servlet request instance
95		*/
96		public function getServletRequest()
97		{
98		return $this->servletRequest;
99		}
100
101		/**
102		* Add's the passed connection to the session's connection collection.
103		*
104		* @param \AppserverIo\RemoteMethodInvocation\ConnectionInterface $connection The connection instance to add
105		*
106		* @return void
107		*/
108	1	public function addConnection(ConnectionInterface $connection)
109		{
110	1	$this->connections[] = $connection;
111	1	}
112
113		/**
114		* Returns the collection with the session's connections.
115		*
116		* @return array The collection with the session's connections
117		*/
118		public function getConnections()
119		{
120		return $this->connections;
121		}
122
123		/**
124		* Returns the connection instance.
125		*
126		* @param integer $key The key of the connection to return
127		*
128		* @return \AppserverIo\RemoteMethodInvocation\ConnectionInterface The connection instance
129		*/
130		public function getConnection($key = 0)
131		{
132		return $this->connections[$key];
133		}
134
135		/**
136		* Returns the ID of the session to use for connecting to the SFSBs.
137		*
138		* @return string The session ID
139		* @see \AppserverIo\RemoteMethodInvocation\SessionInterface::getSessionId()
140		*/
141		public function getSessionId()
142		{
143
144		// this is necessary, because in most cases, the session will be started after the
145		// SFSB has been injected, so we've to query for a session in method invocation
146
147		// query whether we've a HTTP session ID in the servlet request.
148		/** \AppserverIo\Psr\Servlet\Http\HttpSessionInterface $session */
149		if ($this->getServletRequest() && $session = $this->getServletRequest()->getSession()) {
		0 ignored issues – show Bug introduced 2015-12-21 13:46 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `getSession` cannot be called on `$this->getServletRequest()` (of type `string`). Methods can only be called on objects. This check looks for methods being called on variables that have been inferred to never be objects. Loading history...
150		return $session->getId();
151		}
152
153		// query whether we've a session ID that has been manually set
154		if ($this->sessionId != null) {
155		return $this->sessionId;
156		}
157		}
158
159		/**
160		* The session ID to use.
161		*
162		* @param string $sessionId The session ID to use
163		*
164		* @return void
165		*/
166		public function setSessionId($sessionId)
167		{
168		$this->sessionId = $sessionId;
169		}
170
171		/**
172		* Invokes the remote method over the connection.
173		*
174		* @param \AppserverIo\RemoteMethodInvocation\RemoteMethodInterface $remoteMethod The remote method call to invoke
175		*
176		* @return mixed the method return value
177		* @see \AppserverIo\RemoteMethodInvocation\SessionInterface::send()
178		* @todo Refactor to replace check for 'setSession' method, e. g. check for an interface
		0 ignored issues – show Coding Style introduced 2015-12-21 13:46 UTC by Report Bug Copy Issue Report Show Similar Issues like this Comment refers to a TODO task This check looks `TODO` comments that have been left in the code. ``TODO``s show that something is left unfinished and should be attended to. Loading history...
179		*/
180		public function send(RemoteMethodInterface $remoteMethod)
181		{
182
183		// create an array to store connection response temporarily
184		$responses = array();
185
186		// iterate over all connections and invoke the remote method call
187		foreach ($this->getConnections() as $key => $connection) {
188		// invoke the remote method on the connection
189		$responses[$key] = $connection->send($remoteMethod);
190
191		// check if a proxy has been returned
192		if (method_exists($responses[$key], 'setSession')) {
193		$responses[$key]->setSession($this);
194		}
195		}
196
197		// return the response of the first connection
198		return reset($responses);
199		}
200
201		/**
202		* Creates a remote initial context instance.
203		*
204		* @return \AppserverIo\RemoteMethodInvocation\RemoteObjectInterface The proxy for the initial context
205		* @see \AppserverIo\RemoteMethodInvocation\SessionInterface::createInitialContext()
206		*/
207		public function createInitialContext()
208		{
209		$initialContext = new InitialContextProxy();
210		$initialContext->__setSession($this);
211		return $initialContext;
212		}
213		}
214

appserver-io / rmi

Issues (18)

Security Analysis no request data

RemoteMethodInvocation/ContextSession.php (4 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like