Issues (51)

Security Analysis: not enabled

This project does not seem to handle request data directly; as such, no vulnerable execution paths were found.

  Cross-Site Scripting
Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.
  File Exposure
File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.
  File Manipulation
File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.
  Object Injection
Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.
  Code Injection
Code Injection enables an attacker to execute arbitrary code on the server.
  Response Splitting
Response Splitting can be used to send arbitrary responses.
  File Inclusion
File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.
  Command Injection
Command Injection enables an attacker to inject a shell command that is executed with the privileges of the web server. This can be used to expose sensitive data or to gain access to your server.
  SQL Injection
SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.
  XPath Injection
XPath Injection enables an attacker to modify which parts of an XML document are read. If that XML document is used for authentication, for example, this can lead to further vulnerabilities similar to SQL Injection.
  LDAP Injection
LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.
  Header Injection
  Other Vulnerability
This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.
  Regex Injection
Regex Injection enables an attacker to execute arbitrary code in your PHP process.
  XML Injection
XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.
  Variable Injection
Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.
Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

util/idplist.php (2 issues)

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis; consider migrating to our new PHP analysis engine instead.

<?php

set_include_path(
    '/var/www/html' . PATH_SEPARATOR .
    '/var/www/html/vendor/pear/pear-core-minimal/src' . PATH_SEPARATOR .
    '/var/www/html/vendor/pear/pear_exception' . PATH_SEPARATOR .
    '/var/www/html/vendor/pear/log' . PATH_SEPARATOR .
    '/var/www/html/vendor/pear/db' . PATH_SEPARATOR .
    '/var/www/html/vendor/pear/net_ldap2' . PATH_SEPARATOR .
    '/var/www/html/vendor/cilogon/service-lib/src/Service' . PATH_SEPARATOR .
    '.'
);

require_once 'config.php';
include_once 'config.secrets.php';
require_once 'DBService.php';
require_once 'Util.php';
require_once 'IdpList.php';

use CILogon\Service\IdpList;

if (($argc >= 2) && ($argc <= 4)) {
    $idpfile = $argv[1];
    $filetype = 'json';
    if ($argc >= 3) {
        $filetype = strtolower($argv[2]);
    }
    $checkfornew = 0;
    if ($argc >= 4) {
        $checkfornew = 1;
    }

    // Initialized here so the later !empty() check always has a defined
    // variable to test, even when CHECK was not requested.
    $oldEntityIDList = array();

    // If checkfornew, attempt to read in the already existing
    // /var/www/html/include/idplist.{json,xml} file so we can use
    // that as the list of current IdPs. This will allow us to find
    // out if any new IdPs have been added to the InCommon metadata.
    if ($checkfornew) {
        // First, try reading /var/www/html/include/idplist.json
        $oldidplist = new IdpList(DEFAULT_IDP_JSON, '', false, 'json');
        $oldEntityIDList = $oldidplist->getEntityIDs();
        if (empty($oldEntityIDList)) {
            // Next, try /var/www/html/include/idplist.xml
            $filename = preg_replace(
                '/\.json$/',
                '.xml',
                DEFAULT_IDP_JSON
            );
            $oldidplist = new IdpList($filename, '', false, 'xml');
            $oldEntityIDList = $oldidplist->getEntityIDs();
        }
        // If we couldn't read in an existing idplist, print warning message.
        if (empty($oldEntityIDList)) {
            // The two lines are concatenated into one string: fwrite()'s
            // third parameter is a byte length, not additional text.
            fwrite(
                STDERR,
                "Warning: Unable to read an existing idplist file,\n" .
                "         so unable to check for new InCommon IdPs.\n"
            );
        }
    }

    // Now, create a new idplist from the InCommon Metadata
    $idplist = new IdpList(
        $idpfile,
        DEFAULT_INCOMMON_XML,
        false,
        $filetype
    );
    $idplist->create();
    if (!$idplist->write($filetype)) {
        fwrite(
            STDERR,
            "Error! There was a problem writing to the file '" .
            $idpfile . "'\n"
        );
        exit(1);
    }

    // If we successfully read in a 'good' idplist.{json,xml} file from
    // /var/www/html/include, use that as the list of currently
    // 'greenlit' IdPs and check to see if any new IdPs were added to
    // the InCommon metadata.
    $newIdPList = array();
    if (!empty($oldEntityIDList)) {
        $entityIDList = $idplist->getEntityIDs();
        foreach ($entityIDList as $value) {
            if (!in_array($value, $oldEntityIDList)) {
                $newIdPList[$value] = 1;
            }
        }
    }

    // Found some new InCommon metadata entries. Print them to STDOUT.
    if (!empty($newIdPList)) {
        $plural = (count($newIdPList) > 1);
        echo($plural ? 'New' : 'A new') , ' Identity Provider',
             ($plural ? 's were' : ' was') , ' found in metadata ',
             "and added to the \nlist of available IdPs.\n",
             '--------------------------------------------------------------',
             "\n\n";
        foreach ($newIdPList as $entityID => $value) {
            echo "EntityId               = $entityID\n";
            echo "Organization Name      = " .
                $idplist->getOrganizationName($entityID) . "\n";
            echo "Display Name           = " .
                $idplist->getDisplayName($entityID) . "\n";
            if ($idplist->isRegisteredByInCommon($entityID)) {
                echo "Registered by InCommon = Yes\n";
            }
            if ($idplist->isInCommonRandS($entityID)) {
                echo "InCommon R & S         = Yes\n";
            }
            if ($idplist->isREFEDSRandS($entityID)) {
                echo "REFEDS R & S           = Yes\n";
            }
            if ($idplist->isSIRTFI($entityID)) {
                echo "SIRTFI                 = Yes\n";
            }
            echo "\n";
        }
    }
} else {
    printUsage();
}

function printUsage()
{
    echo "Usage: idplist.php IDPFILE {FILETYPE} <CHECK>\n";
    echo "     IDPFILE  is the full path name of the idplist file.\n";
    echo "     FILETYPE is either 'xml' or 'json'. Defaults to 'json'.\n";
    echo "     CHECK    means see if new IdPs were added to InCommon metadata.\n";
    echo "This function reads the InCommon metadata and writes out the\n";
    echo "IDPFILE, which contains the list of all IdPs along with\n";
    echo "their attributes needed by the CILogon Service.\n";
    echo "If CHECK (optional) is specified, it attempts to read in an\n";
    echo "existing /var/www/html/include/idplist.{json,xml} file as the 'current'\n";
    echo "list of IdPs so it can check if any new IdPs have been added\n";
    echo "to InCommon metadata. If so, the new IdPs are printed to STDOUT.\n";
}

Issue 1 (Bug, Best Practice), reported on the line `if (!$idplist->write($filetype)) {`:

The expression $idplist->write($filetype) of type boolean|null is loosely compared to false; this is ambiguous if the boolean can be false. You might want to explicitly use !== null instead.

If an expression can have both false and null as possible values, it is generally good practice to always use strict comparison to clearly distinguish between those two values.

$a = canBeFalseAndNull();

// Instead of
if ( ! $a) { }

// Better use one of the explicit versions:
if ($a !== null) { }
if ($a !== false) { }
if ($a !== null && $a !== false) { }

Issue 2, reported on the line `function printUsage()`:

The function printUsage() has been defined more than once; this definition is ignored, only the first definition in util/convertidplist.php (L54-63) is considered.

This check looks for functions that have already been defined in other files.

Some codebases, like WordPress, make a practice of defining functions multiple times. This may lead to problems with the detection of function parameters and types. If you really need to do this, you can mark the duplicate definition with the @ignore annotation.

/**
 * @ignore
 */
function getUser() {

}

function getUser($id, $realm) {

}

See also the PhpDoc documentation for @ignore.