Issues in SoapContext.php (master) - Issues in master - asgorobets/SoapExtension - Measure and Improve Code Quality continuously with Scrutinizer

Issues (1)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Context/SoapContext.php (1 issue)

Labels

Bug 1

Severity

Minor 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * @author Alexei Gorobet, <[email protected]>
 */
namespace Behat\SoapExtension\Context;

use Symfony\Component\Yaml\Yaml;
use PHPUnit_Framework_Assert as Assertions;
// Argument processors.
use Behat\Gherkin\Node\TableNode;
use Behat\Gherkin\Node\PyStringNode;
// Utils.
use Behat\SoapExtension\Utils\SoapFaultProcessor;
// Scopes.
use Behat\Behat\Hook\Scope\BeforeStepScope;

/**
 * Class SoapContext.
 *
 * @package Behat\SoapExtension\Context
 *
 * @todo Rename methods.
 * @todo Document methods.
 * @todo Make steps more flexible with regex.
 */
class SoapContext extends RawSoapContext
{
    /**
     * @var mixed
     */
    private $value;
    private $fault;

    /**
     * Sets the WSDL for the next SOAP request.
     *
     * @param string $wsdl
     *   Publicly accessible URL to wsdl
     *
     * @Given I am working with SOAP service WSDL :wsdl
     */
    public function iAmWorkingWithSoapServiceWSDL($wsdl)
    {
        $this->setWSDL($wsdl);
    }

    /**
     * Sets the WSDL for the next SOAP request to NULL.
     *
     * @Given I am working with SOAP service in non-WSDL mode
     */
    public function iAmWorkingWithSoapServiceNoWSDL()
    {
        $this->setWSDL(null);
    }

    /**
     * @Given I am working with SOAP service with options list:
     */
    public function iAmWorkingWithSoapServiceWithOptions(TableNode $options)
    {
        foreach ($options->getRowsHash() as $option => $value) {
            $this->setOption($option, $value);
        }
    }

    /**
     * @Given I am working with SOAP service with options as YAML:
     */
    public function iAmWorkingWithSoapServiceWithOptionsYaml(PyStringNode $options)
    {
        foreach (Yaml::parse($options->getRaw()) as $option => $value) {
$collection = json_decode($data, true);
if ( ! is_array($collection)) {
    throw new \RuntimeException('$collection must be an array.');
}

foreach ($collection as $item) { /** ... */ }
            $this->setOption($option, $value);
        }
    }

    /**
     * Send SOAP request with params list.
     *
     * @Given I call SOAP function :function with params list:
     */
    public function iSendRequestWithParams($function, TableNode $params)
    {
        $this->sendRequest($function, [$params->getRowsHash()]);
    }

    /**
     * Send SOAP request with raw body.
     *
     * @Given I call SOAP with raw body:
     */
    public function iSendRequestBody(PyStringNode $body)
    {
        // Tell SOAP we want to send the body as XML, if not otherwise specified.
        $this->setOption('use', SOAP_LITERAL);
        $this->setOption('style', SOAP_DOCUMENT);
        $this->sendRequest('MethodNameIsIgnored', [new \SoapVar($body->getRaw(), XSD_ANYXML)]);
    }

    /**
     * Send SOAP request with function arguments array as YAML.
     *
     * @Given I call SOAP function :function with arguments array as YAML:
     */
    public function iSendRequestYAML($function, PyStringNode $arguments)
    {
        $arguments = Yaml::parse($arguments->getRaw());
        $this->sendRequest($function, $arguments);
    }

    /**
     * @Given I register the following XPATH namespaces:
     */
    public function iRegisterXpathNamespaces(TableNode $namespaces)
    {
        foreach ($namespaces->getRowsHash() as $prefix => $uri) {
            $this->setNamespace($prefix, $uri);
        }
    }

    /**
     * @Given /^I expect no SOAP exception$/
     */
    public function expectNoException()
    {
        // Exit with an error because we're not expecting an exception and got one.
        if (null !== $this->fault) {
            throw new \RuntimeException('Unexpected \SoapFault exception was thrown!');
        }
    }

    /**
     * @Then /^(?:|I )expect SOAP exception(?:| with code "(\d+)")(?:|( and| or)? with message "(.+?)")$/
     */
    public function expectException($code = null, $condition = null, $message = null)
    {
        // Exit with an error because we're expected an exception and got nothing.
        if (null === $this->fault) {
            throw new \RuntimeException('Expected \SoapFault exception was not thrown!');
        }

        new SoapFaultProcessor($this->fault, $code, $message, $condition);

        // If processor didn't throw an exception, then we shouldn't too.
        $this->fault = null;
    }

    /**
     * @Given I should see SOAP response property :property equals to :text
     */
    public function iShouldSeeSoapResponsePropertyEquals($text, $property)
    {
        Assertions::assertEquals($text, $this->extractResponseProperty($property));
    }

    /**
     * @Given I should see SOAP response property :property is not :text
     */
    public function iShouldSeeSoapResponsePropertyNotEquals($text, $property)
    {
        Assertions::assertNotEquals($text, $this->extractResponseProperty($property));
    }

    /**
     * @Given I should see SOAP response property :property contains :text
     */
    public function iShouldSeeSoapResponsePropertyContains($text, $property)
    {
        Assertions::assertContains($text, $this->extractResponseProperty($property));
    }

    /**
     * @Given I should see SOAP response property :property doesn't contain :text
     */
    public function iShouldSeeSoapResponsePropertyNotContains($text, $property)
    {
        Assertions::assertNotContains($text, $this->extractResponseProperty($property));
    }

    /**
     * @Then I should see SOAP response property :property matching pattern :pattern
     */
    public function iShouldSeeSoapResponsePropertyMatches($pattern, $property)
    {
        Assertions::assertRegExp($pattern, $this->extractResponseProperty($property));
    }

    /**
     * @Then I should see that SOAP Response matches XPATH :xpath
     */
    public function iShouldSeeThatSOAPResponseMatchesXpath($xpath)
    {
        Assertions::assertTrue(
            $this->extractResponseValueMatchingXPATH($xpath) !== false,
            "Couldn't find node matching provided XPATH: "
        );
    }

    /**
     * @Given I am working with SOAP response property :property
     */
    public function iWorkWithResponseProperty($property)
    {
        $this->value = $this->extractResponseProperty($property);
    }

    /**
     * @Given I am working with SOAP element matching XPATH :xpath
     */
    public function iWorkWithElementTextMatchingXPATH($xpath)
    {
        $this->value = $this->extractResponseValueMatchingXPATH($xpath);
    }

    /**
     * @Then saved SOAP value equals to :text
     */
    public function savedValueEquals($text)
    {
        Assertions::assertEquals($text, $this->value);
    }

    /**
     * @Then saved SOAP value is not equal to :text
     */
    public function savedValueNotEquals($text)
    {
        Assertions::assertNotEquals($text, $this->value);
    }

    /**
     * @Then saved SOAP value contains :text
     */
    public function savedValueContains($text)
    {
        Assertions::assertContains($text, $this->value);
    }

    /**
     * @Then saved SOAP value doesn't contain :text
     */
    public function savedValueNotContains($text)
    {
        Assertions::assertNotContains($text, $this->value);
    }

    /**
     * @Then saved SOAP value matches :pattern
     */
    public function savedValueMatchesRegExp($pattern)
    {
        Assertions::assertRegExp($pattern, $this->value);
    }

    /**
     * @Then saved SOAP value doesn't match :pattern
     */
    public function savedValueNotMatchesRegExp($pattern)
    {
        Assertions::assertNotRegExp($pattern, $this->value);
    }

    /**
     * @BeforeStep
     */
    public function beforeStepCheckForException(BeforeStepScope $scope)
    {
        // Check for SOAP exception from previously executed step.
        $this->fault = $this->getException();

        // @todo Is it really a better way to do this?
        if (null !== $this->fault && strpos($scope->getStep()->getText(), 'SOAP exception') === false) {
            throw $this->fault;
        }
    }

    /**
     * @Given I register the following SOAP headers:
     */
    public function iRegisterHeaders(TableNode $headers)
    {
        $soapHeaders = array();

        foreach ($headers->getColumnsHash() as $header) {
            $soapHeaders[] = new \SoapHeader($header['namespace'], $header['key'], $header['value']);
        }

        $this->setHeaders($soapHeaders);
    }
}


GitHub Access Token became invalid

Issues (1)

Security Analysis no request data

src/Context/SoapContext.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

1			<?php
2			/**
3			* @author Alexei Gorobet, <[email protected]>
4			*/
5			namespace Behat\SoapExtension\Context;
6
7			use Symfony\Component\Yaml\Yaml;
8			use PHPUnit_Framework_Assert as Assertions;
9			// Argument processors.
10			use Behat\Gherkin\Node\TableNode;
11			use Behat\Gherkin\Node\PyStringNode;
12			// Utils.
13			use Behat\SoapExtension\Utils\SoapFaultProcessor;
14			// Scopes.
15			use Behat\Behat\Hook\Scope\BeforeStepScope;
16
17			/**
18			* Class SoapContext.
19			*
20			* @package Behat\SoapExtension\Context
21			*
22			* @todo Rename methods.
23			* @todo Document methods.
24			* @todo Make steps more flexible with regex.
25			*/
26			class SoapContext extends RawSoapContext
27			{
28			/**
29			* @var mixed
30			*/
31			private $value;
32			private $fault;
33
34			/**
35			* Sets the WSDL for the next SOAP request.
36			*
37			* @param string $wsdl
38			* Publicly accessible URL to wsdl
39			*
40			* @Given I am working with SOAP service WSDL :wsdl
41			*/
42			public function iAmWorkingWithSoapServiceWSDL($wsdl)
43			{
44			$this->setWSDL($wsdl);
45			}
46
47			/**
48			* Sets the WSDL for the next SOAP request to NULL.
49			*
50			* @Given I am working with SOAP service in non-WSDL mode
51			*/
52			public function iAmWorkingWithSoapServiceNoWSDL()
53			{
54			$this->setWSDL(null);
55			}
56
57			/**
58			* @Given I am working with SOAP service with options list:
59			*/
60			public function iAmWorkingWithSoapServiceWithOptions(TableNode $options)
61			{
62			foreach ($options->getRowsHash() as $option => $value) {
63			$this->setOption($option, $value);
64			}
65			}
66
67			/**
68			* @Given I am working with SOAP service with options as YAML:
69			*/
70			public function iAmWorkingWithSoapServiceWithOptionsYaml(PyStringNode $options)
71			{
72			foreach (Yaml::parse($options->getRaw()) as $option => $value) {
			0 ignored issues – show Bug introduced 2016-03-30 18:23 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `\Symfony\Component\Yaml\...rse($options->getRaw())` of type `array\|string\|object<stdClass>` is not guaranteed to be traversable. How about adding an additional type check? There are different options of fixing this problem. If you want to be on the safe side, you can add an additional type-check: $collection = json_decode($data, true); if ( ! is_array($collection)) { throw new \RuntimeException('$collection must be an array.'); } foreach ($collection as $item) { /** ... / } If you are sure that the expression is traversable, you might want to add a doc comment cast* to improve IDE auto-completion and static analysis: /** @var array $collection / $collection = json_decode($data, true); foreach ($collection as $item) { /* .. / } Mark the issue as a false-positive*: Just hover the remove button, in the top-right corner of this issue for more options. Loading history...
73			$this->setOption($option, $value);
74			}
75			}
76
77			/**
78			* Send SOAP request with params list.
79			*
80			* @Given I call SOAP function :function with params list:
81			*/
82			public function iSendRequestWithParams($function, TableNode $params)
83			{
84			$this->sendRequest($function, [$params->getRowsHash()]);
85			}
86
87			/**
88			* Send SOAP request with raw body.
89			*
90			* @Given I call SOAP with raw body:
91			*/
92			public function iSendRequestBody(PyStringNode $body)
93			{
94			// Tell SOAP we want to send the body as XML, if not otherwise specified.
95			$this->setOption('use', SOAP_LITERAL);
96			$this->setOption('style', SOAP_DOCUMENT);
97			$this->sendRequest('MethodNameIsIgnored', [new \SoapVar($body->getRaw(), XSD_ANYXML)]);
98			}
99
100			/**
101			* Send SOAP request with function arguments array as YAML.
102			*
103			* @Given I call SOAP function :function with arguments array as YAML:
104			*/
105			public function iSendRequestYAML($function, PyStringNode $arguments)
106			{
107			$arguments = Yaml::parse($arguments->getRaw());
108			$this->sendRequest($function, $arguments);
109			}
110
111			/**
112			* @Given I register the following XPATH namespaces:
113			*/
114			public function iRegisterXpathNamespaces(TableNode $namespaces)
115			{
116			foreach ($namespaces->getRowsHash() as $prefix => $uri) {
117			$this->setNamespace($prefix, $uri);
118			}
119			}
120
121			/**
122			* @Given /^I expect no SOAP exception$/
123			*/
124			public function expectNoException()
125			{
126			// Exit with an error because we're not expecting an exception and got one.
127			if (null !== $this->fault) {
128			throw new \RuntimeException('Unexpected \SoapFault exception was thrown!');
129			}
130			}
131
132			/**
133			* @Then /^(?:\|I )expect SOAP exception(?:\| with code "(\d+)")(?:\|( and\| or)? with message "(.+?)")$/
134			*/
135			public function expectException($code = null, $condition = null, $message = null)
136			{
137			// Exit with an error because we're expected an exception and got nothing.
138			if (null === $this->fault) {
139			throw new \RuntimeException('Expected \SoapFault exception was not thrown!');
140			}
141
142			new SoapFaultProcessor($this->fault, $code, $message, $condition);
143
144			// If processor didn't throw an exception, then we shouldn't too.
145			$this->fault = null;
146			}
147
148			/**
149			* @Given I should see SOAP response property :property equals to :text
150			*/
151			public function iShouldSeeSoapResponsePropertyEquals($text, $property)
152			{
153			Assertions::assertEquals($text, $this->extractResponseProperty($property));
154			}
155
156			/**
157			* @Given I should see SOAP response property :property is not :text
158			*/
159			public function iShouldSeeSoapResponsePropertyNotEquals($text, $property)
160			{
161			Assertions::assertNotEquals($text, $this->extractResponseProperty($property));
162			}
163
164			/**
165			* @Given I should see SOAP response property :property contains :text
166			*/
167			public function iShouldSeeSoapResponsePropertyContains($text, $property)
168			{
169			Assertions::assertContains($text, $this->extractResponseProperty($property));
170			}
171
172			/**
173			* @Given I should see SOAP response property :property doesn't contain :text
174			*/
175			public function iShouldSeeSoapResponsePropertyNotContains($text, $property)
176			{
177			Assertions::assertNotContains($text, $this->extractResponseProperty($property));
178			}
179
180			/**
181			* @Then I should see SOAP response property :property matching pattern :pattern
182			*/
183			public function iShouldSeeSoapResponsePropertyMatches($pattern, $property)
184			{
185			Assertions::assertRegExp($pattern, $this->extractResponseProperty($property));
186			}
187
188			/**
189			* @Then I should see that SOAP Response matches XPATH :xpath
190			*/
191			public function iShouldSeeThatSOAPResponseMatchesXpath($xpath)
192			{
193			Assertions::assertTrue(
194			$this->extractResponseValueMatchingXPATH($xpath) !== false,
195			"Couldn't find node matching provided XPATH: "
196			);
197			}
198
199			/**
200			* @Given I am working with SOAP response property :property
201			*/
202			public function iWorkWithResponseProperty($property)
203			{
204			$this->value = $this->extractResponseProperty($property);
205			}
206
207			/**
208			* @Given I am working with SOAP element matching XPATH :xpath
209			*/
210			public function iWorkWithElementTextMatchingXPATH($xpath)
211			{
212			$this->value = $this->extractResponseValueMatchingXPATH($xpath);
213			}
214
215			/**
216			* @Then saved SOAP value equals to :text
217			*/
218			public function savedValueEquals($text)
219			{
220			Assertions::assertEquals($text, $this->value);
221			}
222
223			/**
224			* @Then saved SOAP value is not equal to :text
225			*/
226			public function savedValueNotEquals($text)
227			{
228			Assertions::assertNotEquals($text, $this->value);
229			}
230
231			/**
232			* @Then saved SOAP value contains :text
233			*/
234			public function savedValueContains($text)
235			{
236			Assertions::assertContains($text, $this->value);
237			}
238
239			/**
240			* @Then saved SOAP value doesn't contain :text
241			*/
242			public function savedValueNotContains($text)
243			{
244			Assertions::assertNotContains($text, $this->value);
245			}
246
247			/**
248			* @Then saved SOAP value matches :pattern
249			*/
250			public function savedValueMatchesRegExp($pattern)
251			{
252			Assertions::assertRegExp($pattern, $this->value);
253			}
254
255			/**
256			* @Then saved SOAP value doesn't match :pattern
257			*/
258			public function savedValueNotMatchesRegExp($pattern)
259			{
260			Assertions::assertNotRegExp($pattern, $this->value);
261			}
262
263			/**
264			* @BeforeStep
265			*/
266			public function beforeStepCheckForException(BeforeStepScope $scope)
267			{
268			// Check for SOAP exception from previously executed step.
269			$this->fault = $this->getException();
270
271			// @todo Is it really a better way to do this?
272			if (null !== $this->fault && strpos($scope->getStep()->getText(), 'SOAP exception') === false) {
273			throw $this->fault;
274			}
275			}
276
277			/**
278			* @Given I register the following SOAP headers:
279			*/
280			public function iRegisterHeaders(TableNode $headers)
281			{
282			$soapHeaders = array();
283
284			foreach ($headers->getColumnsHash() as $header) {
285			$soapHeaders[] = new \SoapHeader($header['namespace'], $header['key'], $header['value']);
286			}
287
288			$this->setHeaders($soapHeaders);
289			}
290			}
291

asgorobets / SoapExtension

GitHub Access Token became invalid

Issues (1)

Security Analysis no request data

src/Context/SoapContext.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like