Issues (51)

Security Analysis: not enabled

This project does not seem to handle request data directly; as such, no vulnerable execution paths were found.

  Cross-Site Scripting
Cross-Site Scripting enables an attacker to inject code into the response of a web request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.
  File Exposure
File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.
  File Manipulation
File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.
  Object Injection
Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.
  Code Injection
Code Injection enables an attacker to execute arbitrary code on the server.
  Response Splitting
Response Splitting can be used to send arbitrary responses.
  File Inclusion
File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.
  Command Injection
Command Injection enables an attacker to inject a shell command that is executed with the privileges of the web server. This can be used to expose sensitive data, or to gain access to your server.
  SQL Injection
SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.
  XPath Injection
XPath Injection enables an attacker to modify which parts of an XML document are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.
  LDAP Injection
LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.
  Header Injection
  Other Vulnerability
This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.
  Regex Injection
Regex Injection enables an attacker to execute arbitrary code in your PHP process.
  XML Injection
XML Injection enables an attacker to read files on your local filesystem, including configuration files, or can be abused to freeze your web server process.
  Variable Injection
Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

testidp/index-functions.php (3 issues)

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead.

<?php

/**
 * This file contains functions called by index.php. The index.php
 * file should include this file with the following statement at the top:
 *
 * require_once __DIR__ . '/index-functions.php';
 */

use CILogon\Service\Util;
use CILogon\Service\Content;

/**
 * printLogonPage
 *
 * This function prints out the HTML for the IdP Selector page.
 * Explanatory text is shown as well as a button to log in to an IdP
 * and get rerouted to the Shibboleth protected testidp script.
 *
 * @param bool $clearcookies True if the Shibboleth cookies and session
 *        variables should be cleared out before displaying the page.
 *        Defaults to false.
 */
function printLogonPage($clearcookies = false)
{
    Util::setSessionVar('cilogon_skin', 'orcidfirst');
    Util::getSkin();
    if ($clearcookies) {
        Util::removeShibCookies();
        Util::unsetAllUserSessionVars();
    }

    Content::printHeader('Test Your Identity Provider With CILogon');
    Content::printCollapseBegin('testidp', 'Test Your Identity Provider', false);

    echo '
        <div class="card-body px-5">
          <div class="card-text my-2">
            To test that your identity provider works with CILogon, please
            select it from the list below and Log On.
          </div> <!-- end card-text -->
        </div> <!-- end card-body -->
    ';

    Content::printCollapseEnd();
    Content::printWAYF(false);
    Content::printFooter();
}

/**
 * printMainPage
 *
 * This function prints the user attributes and IdP metadata after the user
 * has logged on.
 */
function printMainPage()
{
    // If the 'idp' PHP session variable isn't set, then force the user to
    // start over by logging in again.
    $idp = Util::getSessionVar('idp');
    if (empty($idp)) {
        printLogonPage(true);
        return; // No further processing necessary
    }

    // CIL-626 Allow browser 'reload page' by adding CSRF to the PHP session
    Util::setSessionVar('submit', 'Proceed');
    Util::getCsrf()->setTheSession();

    Content::printHeader('Test Identity Provider');

    Content::printCollapseBegin('showidp', 'Verify Attribute Release', false);

    echo '
        <div class="card-body px-5">
          <div class="card-text my-2">
            Thank you for your interest in the CILogon Service. This page
            enables you to verify that all necessary attributes have been
            released to the CILogon Service Provider
            (<abbr title="Service Provider">SP</abbr>) by your selected
            Identity Provider (<abbr title="Identity Provider">IdP</abbr>).
            Below you will see the various attributes required by the
            CILogon Service and their values as released by your IdP.
          </div> <!-- end card-text -->
    ';

    echo '
          <div class="row my-3">
            <div class="col-1 text-center">';

    if (
        ((strlen(Util::getSessionVar('remote_user')) > 0) ||
            (strlen(Util::getSessionVar('eppn')) > 0) ||
            (strlen(Util::getSessionVar('eptid')) > 0) ||
            (strlen(Util::getSessionVar('subject_id')) > 0) ||
            (strlen(Util::getSessionVar('pairwise_id')) > 0) ||
            (strlen(Util::getSessionVar('open_id')) > 0) ||
            (strlen(Util::getSessionVar('oidc')) > 0)) &&
        (strlen(Util::getSessionVar('idp')) > 0) &&
        (strlen(Util::getSessionVar('idp_display_name')) > 0)
    ) {
        echo '<large>' ,
            Content::getIcon('fa-check-square fa-2x', 'lime'), '</large>
            </div> <!-- end col-1 -->
            <div class="col">
              All required attributes have been released by your
              IdP. For details of the various attributes utilized
              by the CILogon Service and their current values,
              see the sections below.
            </div>
          </div> <!-- end row -->
          <div class="row align-items-center justify-content-center">
            <div class="col-auto">
              <a class="btn btn-primary" href="/">Proceed
              to the CILogon Service</a>
            </div> <!-- end col-auto -->
        ';
    } else {
        echo Content::getIcon(
            'fa-exclamation-circle fa-2x',
            'red',
            'Missing one or more attributes.'
        ), '
            </div> <!-- end col-1 -->
            <div class="col">
              One or more of the attributes required by the CILogon Service
              are not available. Please see the sections below for details.
              Contact <a href="mailto:', EMAIL_HELP, '">', EMAIL_HELP, '</a>
              for additional information and assistance.
            </div>
          </div> <!-- end row -->
          <div class="row align-items-center justify-content-center">
        ';
    }
    echo '
            <div class="col-auto">
               <a class="btn btn-primary" href="/logout">Logout</a>
            </div> <!-- end col-auto -->
          </div> <!-- end row align-items-center -->
        </div> <!-- end card-body --> ';

    Content::printCollapseEnd();

    Content::printUserAttributes();
    Content::printIdPMetadata();
    Content::printFooter();
}

Issues reported for this file

At the definition of printLogonPage(): The function printLogonPage() has been defined more than once; this definition is ignored, only the first definition in authorize/index-functions.php (L22-52) is considered.

This check looks for functions that have already been defined in other files.

Some codebases, like WordPress, make a practice of defining functions multiple times. This may lead to problems with the detection of function parameters and types. If you really need to do this, you can mark the duplicate definition with the @ignore annotation.

/**
 * @ignore
 */
function getUser() {

}

function getUser($id, $realm) {

}

See also the PhpDoc documentation for @ignore.

At the definition of printMainPage(): The function printMainPage() has been defined more than once; this definition is ignored, only the first definition in authorize/index-functions.php (L126-224) is considered. This is the same duplicate-definition check described above.

At the call printLogonPage(true) inside printMainPage(): The call to printLogonPage() has too many arguments starting with true.

This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue.

If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is WordPress.

In this case you can add the @ignore PhpDoc annotation to the duplicate definition and it will be ignored.