Issues in JwtSession.php (master) - Issues in master - byjg/jwt-session - Measure and Improve Code Quality continuously with Scrutinizer

Issues (3)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/JwtSession.php (1 issue)

Labels

Bug 1

Severity

Minor 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace ByJG\Session;

use ByJG\Util\JwtWrapper;
use SessionHandlerInterface;

class JwtSession implements SessionHandlerInterface
{
    const COOKIE_PREFIX = "AUTH_BEARER_";

    /**
     * @var SessionConfig
     */
    protected $sessionConfig;

    /**
     * JwtSession constructor.
     *
     * @param $sessionConfig
     * @throws JwtSessionException
     */
    public function __construct($sessionConfig)
    {
        ini_set("session.use_cookies", 0);

        if (!($sessionConfig instanceof SessionConfig)) {
            throw new JwtSessionException('Required SessionConfig instance');
        }

        $this->sessionConfig = $sessionConfig;

        if ($this->sessionConfig->isReplaceSession()) {
            $this->replaceSessionHandler();
        }
    }

    /**
     * @param bool $startSession
/**
 * @param array $germany
 * @param array $island
 * @param array $italy
 */
function finale($germany, $island) {
    return "2:1";
}
     * @throws JwtSessionException
     */
    protected function replaceSessionHandler()
    {
        if (session_status() != PHP_SESSION_NONE) {
            throw new JwtSessionException('Session already started!');
        }

        session_set_save_handler($this, true);

        if ($this->sessionConfig->isStartSession()) {
            ob_start();
            session_start();
        }
    }

    /**
     * Close the session
     *
     * @link http://php.net/manual/en/sessionhandlerinterface.close.php
     * @return bool <p>
     * The return value (usually TRUE on success, FALSE on failure).
     * Note this value is returned internally to PHP for processing.
     * </p>
     * @since 5.4.0
     */
    public function close()
    {
        return true;
    }

    /**
     * Destroy a session
     *
     * @link http://php.net/manual/en/sessionhandlerinterface.destroy.php
     * @param string $session_id The session ID being destroyed.
     * @return bool <p>
     * The return value (usually TRUE on success, FALSE on failure).
     * Note this value is returned internally to PHP for processing.
     * </p>
     * @since 5.4.0
     */
    public function destroy($session_id)
    {
        if (!headers_sent()) {
            setcookie(
                self::COOKIE_PREFIX . $this->sessionConfig->getSessionContext(),
                null,
                (time()-3000),
                $this->sessionConfig->getCookiePath(),
                $this->sessionConfig->getCookieDomain()
            );
        }

        return true;
    }

    /**
     * Cleanup old sessions
     *
     * @link http://php.net/manual/en/sessionhandlerinterface.gc.php
     * @param int $maxlifetime <p>
     * Sessions that have not updated for
     * the last maxlifetime seconds will be removed.
     * </p>
     * @return bool <p>
     * The return value (usually TRUE on success, FALSE on failure).
     * Note this value is returned internally to PHP for processing.
     * </p>
     * @since 5.4.0
     */
    public function gc($maxlifetime)
    {
        return true;
    }

    /**
     * Initialize session
     *
     * @link http://php.net/manual/en/sessionhandlerinterface.open.php
     * @param string $save_path The path where to store/retrieve the session.
     * @param string $name The session name.
     * @return bool <p>
     * The return value (usually TRUE on success, FALSE on failure).
     * Note this value is returned internally to PHP for processing.
     * </p>
     * @since 5.4.0
     */
    public function open($save_path, $name)
    {
        return true;
    }

    /**
     * Read session data
     *
     * @link http://php.net/manual/en/sessionhandlerinterface.read.php
     * @param string $session_id The session id to read data for.
     * @return string <p>
     * Returns an encoded string of the read data.
     * If nothing was read, it must return an empty string.
     * Note this value is returned internally to PHP for processing.
     * </p>
     * @since 5.4.0
     */
    public function read($session_id)
    {
        try {
            if (isset($_COOKIE[self::COOKIE_PREFIX . $this->sessionConfig->getSessionContext()])) {
                $jwt = new JwtWrapper(
                    $this->sessionConfig->getServerName(),
                    $this->sessionConfig->getKey()
                );
                $data = $jwt->extractData($_COOKIE[self::COOKIE_PREFIX . $this->sessionConfig->getSessionContext()]);

                if (empty($data->data)) {
                    return '';
                }

                return $data->data;
            }
            return '';
        } catch (\Exception $ex) {
            return '';
        }
    }

    /**
     * Write session data
     *
     * @link http://php.net/manual/en/sessionhandlerinterface.write.php
     * @param string $session_id The session id.
     * @param string $session_data <p>
     * The encoded session data. This data is the
     * result of the PHP internally encoding
     * the $_SESSION superglobal to a serialized
     * string and passing it as this parameter.
     * Please note sessions use an alternative serialization method.
     * </p>
     * @return bool <p>
     * The return value (usually TRUE on success, FALSE on failure).
     * Note this value is returned internally to PHP for processing.
     * </p>
     * @throws \ByJG\Util\JwtWrapperException
     * @since 5.4.0
     */
    public function write($session_id, $session_data)
    {
        $jwt = new JwtWrapper(
            $this->sessionConfig->getServerName(),
            $this->sessionConfig->getKey()
        );
        $data = $jwt->createJwtData($session_data, $this->sessionConfig->getTimeoutMinutes() * 60);
        $token = $jwt->generateToken($data);

        if (!headers_sent()) {
            setcookie(
                self::COOKIE_PREFIX . $this->sessionConfig->getSessionContext(),
                $token,
                (time()+$this->sessionConfig->getTimeoutMinutes()*60) ,
                $this->sessionConfig->getCookiePath(),
                $this->sessionConfig->getCookieDomain(),
                false,
                true
            );
            if (defined("SETCOOKIE_FORTEST")) {
                $_COOKIE[self::COOKIE_PREFIX . $this->sessionConfig->getSessionContext()] = $token;
            }
        }

        return true;
    }

    public function serializeSessionData($array)
    {
        $result = '';
        foreach ($array as $key => $value) {
            $result .= $key . "|" . serialize($value);
        }

        return $result;
    }

    /**
     * @param $session_data
     * @return array
     * @throws JwtSessionException
     */
    public function unSerializeSessionData($session_data)
    {
        $return_data = array();
        $offset = 0;
        while ($offset < strlen($session_data)) {
            if (!strstr(substr($session_data, $offset), "|")) {
                throw new JwtSessionException("invalid data, remaining: " . substr($session_data, $offset));
            }
            $pos = strpos($session_data, "|", $offset);
            $num = $pos - $offset;
            $varname = substr($session_data, $offset, $num);
            $offset += $num + 1;
            $data = unserialize(substr($session_data, $offset));
            $return_data[$varname] = $data;
            $offset += strlen(serialize($data));
        }

        return $return_data;
    }
}


1			<?php
2
3			namespace ByJG\Session;
4
5			use ByJG\Util\JwtWrapper;
6			use SessionHandlerInterface;
7
8			class JwtSession implements SessionHandlerInterface
9			{
10			const COOKIE_PREFIX = "AUTH_BEARER_";
11
12			/**
13			* @var SessionConfig
14			*/
15			protected $sessionConfig;
16
17			/**
18			* JwtSession constructor.
19			*
20			* @param $sessionConfig
21			* @throws JwtSessionException
22			*/
23			public function __construct($sessionConfig)
24			{
25			ini_set("session.use_cookies", 0);
26
27			if (!($sessionConfig instanceof SessionConfig)) {
28			throw new JwtSessionException('Required SessionConfig instance');
29			}
30
31			$this->sessionConfig = $sessionConfig;
32
33			if ($this->sessionConfig->isReplaceSession()) {
34			$this->replaceSessionHandler();
35			}
36			}
37
38			/**
39			* @param bool $startSession
			0 ignored issues – show Bug introduced 2019-01-03 03:50 UTC by Report Bug Copy Issue Report Show Similar Issues like this There is no parameter named `$startSession`. Was it maybe removed? This check looks for PHPDoc comments describing methods or function parameters that do not exist on the corresponding method or function. Consider the following example. The parameter `$italy` is not defined by the method `finale(...)`. /** * @param array $germany * @param array $island * @param array $italy */ function finale($germany, $island) { return "2:1"; } The most likely cause is that the parameter was removed, but the annotation was not. Loading history...
40			* @throws JwtSessionException
41			*/
42			protected function replaceSessionHandler()
43			{
44			if (session_status() != PHP_SESSION_NONE) {
45			throw new JwtSessionException('Session already started!');
46			}
47
48			session_set_save_handler($this, true);
49
50			if ($this->sessionConfig->isStartSession()) {
51			ob_start();
52			session_start();
53			}
54			}
55
56			/**
57			* Close the session
58			*
59			* @link http://php.net/manual/en/sessionhandlerinterface.close.php
60			* @return bool <p>
61			* The return value (usually TRUE on success, FALSE on failure).
62			* Note this value is returned internally to PHP for processing.
63			* </p>
64			* @since 5.4.0
65			*/
66			public function close()
67			{
68			return true;
69			}
70
71			/**
72			* Destroy a session
73			*
74			* @link http://php.net/manual/en/sessionhandlerinterface.destroy.php
75			* @param string $session_id The session ID being destroyed.
76			* @return bool <p>
77			* The return value (usually TRUE on success, FALSE on failure).
78			* Note this value is returned internally to PHP for processing.
79			* </p>
80			* @since 5.4.0
81			*/
82			public function destroy($session_id)
83			{
84			if (!headers_sent()) {
85			setcookie(
86			self::COOKIE_PREFIX . $this->sessionConfig->getSessionContext(),
87			null,
88			(time()-3000),
89			$this->sessionConfig->getCookiePath(),
90			$this->sessionConfig->getCookieDomain()
91			);
92			}
93
94			return true;
95			}
96
97			/**
98			* Cleanup old sessions
99			*
100			* @link http://php.net/manual/en/sessionhandlerinterface.gc.php
101			* @param int $maxlifetime <p>
102			* Sessions that have not updated for
103			* the last maxlifetime seconds will be removed.
104			* </p>
105			* @return bool <p>
106			* The return value (usually TRUE on success, FALSE on failure).
107			* Note this value is returned internally to PHP for processing.
108			* </p>
109			* @since 5.4.0
110			*/
111			public function gc($maxlifetime)
112			{
113			return true;
114			}
115
116			/**
117			* Initialize session
118			*
119			* @link http://php.net/manual/en/sessionhandlerinterface.open.php
120			* @param string $save_path The path where to store/retrieve the session.
121			* @param string $name The session name.
122			* @return bool <p>
123			* The return value (usually TRUE on success, FALSE on failure).
124			* Note this value is returned internally to PHP for processing.
125			* </p>
126			* @since 5.4.0
127			*/
128			public function open($save_path, $name)
129			{
130			return true;
131			}
132
133			/**
134			* Read session data
135			*
136			* @link http://php.net/manual/en/sessionhandlerinterface.read.php
137			* @param string $session_id The session id to read data for.
138			* @return string <p>
139			* Returns an encoded string of the read data.
140			* If nothing was read, it must return an empty string.
141			* Note this value is returned internally to PHP for processing.
142			* </p>
143			* @since 5.4.0
144			*/
145			public function read($session_id)
146			{
147			try {
148			if (isset($_COOKIE[self::COOKIE_PREFIX . $this->sessionConfig->getSessionContext()])) {
149			$jwt = new JwtWrapper(
150			$this->sessionConfig->getServerName(),
151			$this->sessionConfig->getKey()
152			);
153			$data = $jwt->extractData($_COOKIE[self::COOKIE_PREFIX . $this->sessionConfig->getSessionContext()]);
154
155			if (empty($data->data)) {
156			return '';
157			}
158
159			return $data->data;
160			}
161			return '';
162			} catch (\Exception $ex) {
163			return '';
164			}
165			}
166
167			/**
168			* Write session data
169			*
170			* @link http://php.net/manual/en/sessionhandlerinterface.write.php
171			* @param string $session_id The session id.
172			* @param string $session_data <p>
173			* The encoded session data. This data is the
174			* result of the PHP internally encoding
175			* the $_SESSION superglobal to a serialized
176			* string and passing it as this parameter.
177			* Please note sessions use an alternative serialization method.
178			* </p>
179			* @return bool <p>
180			* The return value (usually TRUE on success, FALSE on failure).
181			* Note this value is returned internally to PHP for processing.
182			* </p>
183			* @throws \ByJG\Util\JwtWrapperException
184			* @since 5.4.0
185			*/
186			public function write($session_id, $session_data)
187			{
188			$jwt = new JwtWrapper(
189			$this->sessionConfig->getServerName(),
190			$this->sessionConfig->getKey()
191			);
192			$data = $jwt->createJwtData($session_data, $this->sessionConfig->getTimeoutMinutes() * 60);
193			$token = $jwt->generateToken($data);
194
195			if (!headers_sent()) {
196			setcookie(
197			self::COOKIE_PREFIX . $this->sessionConfig->getSessionContext(),
198			$token,
199			(time()+$this->sessionConfig->getTimeoutMinutes()*60) ,
200			$this->sessionConfig->getCookiePath(),
201			$this->sessionConfig->getCookieDomain(),
202			false,
203			true
204			);
205			if (defined("SETCOOKIE_FORTEST")) {
206			$_COOKIE[self::COOKIE_PREFIX . $this->sessionConfig->getSessionContext()] = $token;
207			}
208			}
209
210			return true;
211			}
212
213			public function serializeSessionData($array)
214			{
215			$result = '';
216			foreach ($array as $key => $value) {
217			$result .= $key . "\|" . serialize($value);
218			}
219
220			return $result;
221			}
222
223			/**
224			* @param $session_data
225			* @return array
226			* @throws JwtSessionException
227			*/
228			public function unSerializeSessionData($session_data)
229			{
230			$return_data = array();
231			$offset = 0;
232			while ($offset < strlen($session_data)) {
233			if (!strstr(substr($session_data, $offset), "\|")) {
234			throw new JwtSessionException("invalid data, remaining: " . substr($session_data, $offset));
235			}
236			$pos = strpos($session_data, "\|", $offset);
237			$num = $pos - $offset;
238			$varname = substr($session_data, $offset, $num);
239			$offset += $num + 1;
240			$data = unserialize(substr($session_data, $offset));
241			$return_data[$varname] = $data;
242			$offset += strlen(serialize($data));
243			}
244
245			return $return_data;
246			}
247			}
248

byjg / jwt-session

Issues (3)

Security Analysis not enabled

src/JwtSession.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like