Issues in User.php (master) - Issues in master - charlesportwoodii/yii2-api-rest-components - Measure and Improve Code Quality continuously with Scrutinizer

Issues (102)

Security Analysis not enabled

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

Header Injection

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

models/User.php (3 issues)

Labels

Severity

Major 3

<?php

namespace yrc\models;

use Base32\Base32;
use OTPHP\TOTP;

use yii\behaviors\TimestampBehavior;
use yii\db\ActiveRecord;
use yii\filters\RateLimitInterface;
use yii\web\IdentityInterface;
use Yii;

/**
 * This is the model class for table "user".
 *
 * @property integer $id
 * @property string $email
 * @property string $username
 * @property string $password
 * @property string $activation_token
 * @property string $reset_token
 * @property integer $verified
 * @property string $otp_secret
 * @property string $otp_enabled
 * @property integer $created_at
 * @property integer $updated_at
 */
abstract class User extends ActiveRecord implements IdentityInterface, RateLimitInterface
{
    const TOKEN_CLASS = '\yrc\models\redis\Token';
    
    /**
     * password_hash Algorithm
     * @var integer
     */
    private $passwordHashAlgorithm = PASSWORD_BCRYPT;
    
    /**
     * The rate limit
     * @var integer
     */
    private $rateLimit = 150;

    /**
     * The rate limit window
     * @var integer
     */
    private $rateLimitWindow = 900;
    
    /**
     * password_hash options
     * @var array
     */
    private $passwordHashOptions = [
        'cost' => 13,
        'memory_cost' => 1<<12,
        'time_cost' => 3,
        'threads' => 1
    ];
    
    /**
     * The token used to authenticate the user
     * @var app\models\Token
filter:
    dependency_paths: ["lib/*"]
     */
    protected $token;

    /**
     * Sets the token used to authenticate the user
     * @return app\models\Token
     */
    public function getToken()
    {
        return $this->token;
    }

    /**
     * Sets the token that was used to authenticate the user
     */
    public function setToken($token)
    {
        if ($this->token !== null) {
            throw new \yii\base\Exception(Yii::t('yrc', 'The user has already been authenticated.'));
        }

        $this->token = $token;
    }

    /**
     * Overrides init
     */
    public function init()
    {
        // self init
        parent::init();

        // Prefer Argon2 if it is available, but fall back to BCRYPT if it isn't
        if (defined('PASSWORD_ARGON2ID')) {
            $this->passwordHashAlgorithm = PASSWORD_ARGON2ID;
        } elseif (defined('PASSWORD_ARGON2I')) {
            $this->passwordHashAlgorithm = PASSWORD_ARGON2I;
        }

        // Lower the bcrypt cost when running tests
        if (YII_DEBUG && $this->passwordHashAlgorithm === PASSWORD_BCRYPT) {
            $this->passwordHashOptions['cost'] = 10;
        }
    }

    /**
     * @inheritdoc
     */
    public function behaviors()
    {
        return [
            TimestampBehavior::class,
        ];
    }

    /**
     * @inheritdoc
     */
    public function getRateLimit($request, $action)
    {
        return [
            $this->rateLimit,
            $this->rateLimitWindow
        ];
    }

    /**
     * @inheritdoc
     */
    public function loadAllowance($request, $action)
    {
        $hash = Yii::$app->user->id . $request->getUrl() . $action->id;
        $allowance = Yii::$app->cache->get($hash);

        if ($allowance === false) {
            return [
                $this->rateLimit,
                time()
            ];
        }

        return $allowance;
    }

    /**
     * @inheritdoc
     */
    public function saveAllowance($request, $action, $allowance, $timestamp)
    {
        $hash = Yii::$app->user->id . $request->getUrl() . $action->id;
        $allowance = [
            $allowance,
            $timestamp
        ];

        Yii::$app->cache->set($hash, $allowance, $this->rateLimitWindow);
    }
    
    /**
     * @inheritdoc
     */
    public static function tableName()
    {
        return 'user';
    }

    /**
     * @inheritdoc
     */
    public function rules()
    {
        return [
            [['password', 'email', 'username'], 'required'],
            [['email'], 'email'],
            [['password'], 'string', 'length' => [8, 100]],
            [['username'], 'string', 'length' => [1, 100]],
            [['created_at', 'updated_at', 'otp_enabled', 'verified'], 'integer'],
            [['password', 'email'], 'string', 'max' => 255],
            [['email'], 'unique'],
            [['username'], 'unique'],
        ];
    }

    /**
     * @inheritdoc
     */
    public function attributeLabels()
    {
        return [
            'id'                => 'ID',
            'email'             => 'Email Address',
            'username'          => 'Username',
            'password'          => 'Password',
            'activation_token'  => 'Activation Token',
            'otp_secret'        => 'One Time Password Secret Value',
            'otp_enabled'       => 'Is Two Factor Authentication Enabled?',
            'verified'          => 'Is the account email verified?',
            'created_at'        => 'Created At',
            'updated_at'        => 'Last Updated At'
        ];
    }

    public function beforeValidate()
    {
        if (parent::beforeValidate()) {
            $this->username = \strtolower($this->username);
            return true;
        }

        return false;
    }

    /**
     * Before save occurs
     * @return bool
     */
    public function beforeSave($insert)
    {
        if (parent::beforeSave($insert)) {
            if ($this->isNewRecord || $this->password !== $this->oldAttributes['password']) {
                $this->password = password_hash($this->password, $this->passwordHashAlgorithm, $this->passwordHashOptions);
            }
            
            return true;
        }
        
        return false;
    }
    
    /**
     * Validates the user's password
     * @param string $password
     * return bool
     */
    public function validatePassword($password)
    {
        if (password_verify($password, $this->password)) {
            if (password_needs_rehash($this->password, $this->passwordHashAlgorithm, $this->passwordHashOptions)) {
                $this->password = password_hash($password, $this->passwordHashAlgorithm, $this->passwordHashOptions);
                
                // Allow authentication to continue if we weren't able to update the password, but log the message
                if (!$this->save()) {
                    Yii::warning('Unable to save newly hashed password for user: ' . $this->id);
                }
            }

            return true;
        }
        
        return false;
    }

    /**
     * Returns true of OTP is enabled
     * @return boolean
     */
    public function isOTPEnabled()
    {
        return (bool)$this->otp_enabled;
    }
    
    /**
     * Provisions TOTP for the account
     * @return boolean|string
     */
    public function provisionOTP()
    {
        if ($this->isOTPEnabled() === true) {
            return false;
        }

        $secret = \random_bytes(256);
        $encodedSecret = Base32::encode($secret);
        $totp = TOTP::create(
            $encodedSecret,
            30,             // 30 second window
            'sha256',       // SHA256 for the hashing algorithm
            6               // 6 digits
        );
        $totp->setLabel($this->username);

        $this->otp_secret = $encodedSecret;

        if ($this->save()) {
            return $totp->getProvisioningUri();
        }

        return false;
    }

    /**
     * Enables OTP
     * @return boolean
     */
    public function enableOTP()
    {
        if ($this->isOTPEnabled() === true) {
            return true;
        }

        if ($this->otp_secret == "") {
            return false;
        }
        
        $this->otp_enabled = 1;

        return $this->save();
    }

    /**
     * Disables OTP
     * @return boolean
     */
    public function disableOTP()
    {
        $this->otp_secret = "";
        $this->otp_enabled = 0;

        return $this->save();
    }

    /**
     * Verifies the OTP code
     * @param integer $code
     * @return boolean
     */
    public function verifyOTP($code)
    {
        $totp = TOTP::create(
            $this->otp_secret,
            30,             // 30 second window
            'sha256',       // SHA256 for the hashing algorithm
            6               // 6 digits
        );

        $totp->setLabel($this->username);

        return $totp->verify($code);
    }

    /**
     * Activates the user
     * @return boolean
     */
    public function activate()
    {
        $this->verified = 1;
        return $this->save();
    }

    /**
     * Whether or not a user is activated or not
     * @return boolean
     */
    public function isActivated()
    {
        return (bool)$this->verified;
    }

    /**
     * @inheritdoc
     */
    public static function findIdentity($id)
    {
        return static::findOne($id);
interface HasName {
    /** @return string */
    public function getName();
}

class Name {
    public $name;
}

class User implements HasName {
    /** @return string|Name */
    public function getName() {
        return new Name('foo'); // This is a violation of the ``HasName`` interface
                                // which only allows a string value to be returned.
    }
}
    }
    
    /**
     * @inheritdoc
     */
    public static function findIdentityByAccessToken($token, $type = null)
    {
        // Checking of the Token is performed in app\components\filters\auth\HMACSignatureAuth
        if ($token === null) {
            return null;
        }
        
        return static::find()->where(['id' => $token->user_id])->one();

    }

    /**
     * @inheritdoc
     */
    public function getAuthKey()
    {
    }

    /**
     * @inheritdoc
     */
    public function validateAuthKey($authKey)
    {
        return true;
    }

    /**
     * @inheritdoc
     */
    public function getId()
    {
        return $this->id;
    }
}


1			<?php
2
3			namespace yrc\models;
4
5			use Base32\Base32;
6			use OTPHP\TOTP;
7
8			use yii\behaviors\TimestampBehavior;
9			use yii\db\ActiveRecord;
10			use yii\filters\RateLimitInterface;
11			use yii\web\IdentityInterface;
12			use Yii;
13
14			/**
15			* This is the model class for table "user".
16			*
17			* @property integer $id
18			* @property string $email
19			* @property string $username
20			* @property string $password
21			* @property string $activation_token
22			* @property string $reset_token
23			* @property integer $verified
24			* @property string $otp_secret
25			* @property string $otp_enabled
26			* @property integer $created_at
27			* @property integer $updated_at
28			*/
29			abstract class User extends ActiveRecord implements IdentityInterface, RateLimitInterface
30			{
31			const TOKEN_CLASS = '\yrc\models\redis\Token';
32
33			/**
34			* password_hash Algorithm
35			* @var integer
36			*/
37			private $passwordHashAlgorithm = PASSWORD_BCRYPT;
38
39			/**
40			* The rate limit
41			* @var integer
42			*/
43			private $rateLimit = 150;
44
45			/**
46			* The rate limit window
47			* @var integer
48			*/
49			private $rateLimitWindow = 900;
50
51			/**
52			* password_hash options
53			* @var array
54			*/
55			private $passwordHashOptions = [
56			'cost' => 13,
57			'memory_cost' => 1<<12,
58			'time_cost' => 3,
59			'threads' => 1
60			];
61
62			/**
63			* The token used to authenticate the user
64			* @var app\models\Token
			0 ignored issues – show Bug introduced 2018-04-19 20:10 UTC by Report Bug Copy Issue Report Show Similar Issues like this The type `yrc\models\app\models\Token` was not found. Maybe you did not declare it correctly or list all dependencies? The issue could also be caused by a filter entry in the build configuration. If the path has been excluded in your configuration, e.g. `excluded_paths: ["lib/"]`, you can move it to the dependency path list as follows: filter: dependency_paths: ["lib/"] For further information see https://scrutinizer-ci.com/docs/tools/php/php-scrutinizer/#list-dependency-paths Loading history...
65			*/
66			protected $token;
67
68			/**
69			* Sets the token used to authenticate the user
70			* @return app\models\Token
71			*/
72			public function getToken()
73			{
74			return $this->token;
75			}
76
77			/**
78			* Sets the token that was used to authenticate the user
79			*/
80			public function setToken($token)
81			{
82			if ($this->token !== null) {
83			throw new \yii\base\Exception(Yii::t('yrc', 'The user has already been authenticated.'));
84			}
85
86			$this->token = $token;
87			}
88
89			/**
90			* Overrides init
91			*/
92			public function init()
93			{
94			// self init
95			parent::init();
96
97			// Prefer Argon2 if it is available, but fall back to BCRYPT if it isn't
98			if (defined('PASSWORD_ARGON2ID')) {
99			$this->passwordHashAlgorithm = PASSWORD_ARGON2ID;
100			} elseif (defined('PASSWORD_ARGON2I')) {
101			$this->passwordHashAlgorithm = PASSWORD_ARGON2I;
102			}
103
104			// Lower the bcrypt cost when running tests
105			if (YII_DEBUG && $this->passwordHashAlgorithm === PASSWORD_BCRYPT) {
106			$this->passwordHashOptions['cost'] = 10;
107			}
108			}
109
110			/**
111			* @inheritdoc
112			*/
113			public function behaviors()
114			{
115			return [
116			TimestampBehavior::class,
117			];
118			}
119
120			/**
121			* @inheritdoc
122			*/
123			public function getRateLimit($request, $action)
124			{
125			return [
126			$this->rateLimit,
127			$this->rateLimitWindow
128			];
129			}
130
131			/**
132			* @inheritdoc
133			*/
134			public function loadAllowance($request, $action)
135			{
136			$hash = Yii::$app->user->id . $request->getUrl() . $action->id;
137			$allowance = Yii::$app->cache->get($hash);
138
139			if ($allowance === false) {
140			return [
141			$this->rateLimit,
142			time()
143			];
144			}
145
146			return $allowance;
147			}
148
149			/**
150			* @inheritdoc
151			*/
152			public function saveAllowance($request, $action, $allowance, $timestamp)
153			{
154			$hash = Yii::$app->user->id . $request->getUrl() . $action->id;
155			$allowance = [
156			$allowance,
157			$timestamp
158			];
159
160			Yii::$app->cache->set($hash, $allowance, $this->rateLimitWindow);
161			}
162
163			/**
164			* @inheritdoc
165			*/
166			public static function tableName()
167			{
168			return 'user';
169			}
170
171			/**
172			* @inheritdoc
173			*/
174			public function rules()
175			{
176			return [
177			[['password', 'email', 'username'], 'required'],
178			[['email'], 'email'],
179			[['password'], 'string', 'length' => [8, 100]],
180			[['username'], 'string', 'length' => [1, 100]],
181			[['created_at', 'updated_at', 'otp_enabled', 'verified'], 'integer'],
182			[['password', 'email'], 'string', 'max' => 255],
183			[['email'], 'unique'],
184			[['username'], 'unique'],
185			];
186			}
187
188			/**
189			* @inheritdoc
190			*/
191			public function attributeLabels()
192			{
193			return [
194			'id' => 'ID',
195			'email' => 'Email Address',
196			'username' => 'Username',
197			'password' => 'Password',
198			'activation_token' => 'Activation Token',
199			'otp_secret' => 'One Time Password Secret Value',
200			'otp_enabled' => 'Is Two Factor Authentication Enabled?',
201			'verified' => 'Is the account email verified?',
202			'created_at' => 'Created At',
203			'updated_at' => 'Last Updated At'
204			];
205			}
206
207			public function beforeValidate()
208			{
209			if (parent::beforeValidate()) {
210			$this->username = \strtolower($this->username);
211			return true;
212			}
213
214			return false;
215			}
216
217			/**
218			* Before save occurs
219			* @return bool
220			*/
221			public function beforeSave($insert)
222			{
223			if (parent::beforeSave($insert)) {
224			if ($this->isNewRecord \|\| $this->password !== $this->oldAttributes['password']) {
225			$this->password = password_hash($this->password, $this->passwordHashAlgorithm, $this->passwordHashOptions);
226			}
227
228			return true;
229			}
230
231			return false;
232			}
233
234			/**
235			* Validates the user's password
236			* @param string $password
237			* return bool
238			*/
239			public function validatePassword($password)
240			{
241			if (password_verify($password, $this->password)) {
242			if (password_needs_rehash($this->password, $this->passwordHashAlgorithm, $this->passwordHashOptions)) {
243			$this->password = password_hash($password, $this->passwordHashAlgorithm, $this->passwordHashOptions);
244
245			// Allow authentication to continue if we weren't able to update the password, but log the message
246			if (!$this->save()) {
247			Yii::warning('Unable to save newly hashed password for user: ' . $this->id);
248			}
249			}
250
251			return true;
252			}
253
254			return false;
255			}
256
257			/**
258			* Returns true of OTP is enabled
259			* @return boolean
260			*/
261			public function isOTPEnabled()
262			{
263			return (bool)$this->otp_enabled;
264			}
265
266			/**
267			* Provisions TOTP for the account
268			* @return boolean\|string
269			*/
270			public function provisionOTP()
271			{
272			if ($this->isOTPEnabled() === true) {
273			return false;
274			}
275
276			$secret = \random_bytes(256);
277			$encodedSecret = Base32::encode($secret);
278			$totp = TOTP::create(
279			$encodedSecret,
280			30, // 30 second window
281			'sha256', // SHA256 for the hashing algorithm
282			6 // 6 digits
283			);
284			$totp->setLabel($this->username);
285
286			$this->otp_secret = $encodedSecret;
287
288			if ($this->save()) {
289			return $totp->getProvisioningUri();
290			}
291
292			return false;
293			}
294
295			/**
296			* Enables OTP
297			* @return boolean
298			*/
299			public function enableOTP()
300			{
301			if ($this->isOTPEnabled() === true) {
302			return true;
303			}
304
305			if ($this->otp_secret == "") {
306			return false;
307			}
308
309			$this->otp_enabled = 1;
310
311			return $this->save();
312			}
313
314			/**
315			* Disables OTP
316			* @return boolean
317			*/
318			public function disableOTP()
319			{
320			$this->otp_secret = "";
321			$this->otp_enabled = 0;
322
323			return $this->save();
324			}
325
326			/**
327			* Verifies the OTP code
328			* @param integer $code
329			* @return boolean
330			*/
331			public function verifyOTP($code)
332			{
333			$totp = TOTP::create(
334			$this->otp_secret,
335			30, // 30 second window
336			'sha256', // SHA256 for the hashing algorithm
337			6 // 6 digits
338			);
339
340			$totp->setLabel($this->username);
341
342			return $totp->verify($code);
343			}
344
345			/**
346			* Activates the user
347			* @return boolean
348			*/
349			public function activate()
350			{
351			$this->verified = 1;
352			return $this->save();
353			}
354
355			/**
356			* Whether or not a user is activated or not
357			* @return boolean
358			*/
359			public function isActivated()
360			{
361			return (bool)$this->verified;
362			}
363
364			/**
365			* @inheritdoc
366			*/
367			public static function findIdentity($id)
368			{
369			return static::findOne($id);
			0 ignored issues – show Bug Best Practice introduced 2019-01-14 22:43 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `return static::findOne($id)` returns the type `yii\db\ActiveRecord` which is incompatible with the return type mandated by `yii\web\IdentityInterface::findIdentity()` of `yii\web\IdentityInterface`. In the issue above, the returned value is violating the contract defined by the mentioned interface. Let's take a look at an example: interface HasName { /** @return string / public function getName(); } class Name { public $name; } class User implements HasName { /* @return string\|Name */ public function getName() { return new Name('foo'); // This is a violation of the ``HasName`` interface // which only allows a string value to be returned. } } Loading history...
370			}
371
372			/**
373			* @inheritdoc
374			*/
375			public static function findIdentityByAccessToken($token, $type = null)
376			{
377			// Checking of the Token is performed in app\components\filters\auth\HMACSignatureAuth
378			if ($token === null) {
379			return null;
380			}
381
382			return static::find()->where(['id' => $token->user_id])->one();
			0 ignored issues – show Bug Best Practice introduced 2019-01-14 22:43 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `return static::find()->w...token->user_id))->one()` also could return the type `array\|yii\db\ActiveRecord` which is incompatible with the return type mandated by `yii\web\IdentityInterfac...IdentityByAccessToken()` of `yii\web\IdentityInterface`. Loading history...
383			}
384
385			/**
386			* @inheritdoc
387			*/
388			public function getAuthKey()
389			{
390			}
391
392			/**
393			* @inheritdoc
394			*/
395			public function validateAuthKey($authKey)
396			{
397			return true;
398			}
399
400			/**
401			* @inheritdoc
402			*/
403			public function getId()
404			{
405			return $this->id;
406			}
407			}
408

charlesportwoodii / yii2-api-rest-components

Issues (102)

Security Analysis not enabled

models/User.php (3 issues)

Labels

Severity

Introduced By

Duplication Side-by-Side

Filter issues like