Issues in PostmarkTransport.php (master) - Issues in master - coconutcraig/laravel-postmark - Measure and Improve Code Quality continuously with Scrutinizer

Issues (1)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/PostmarkTransport.php (1 issue)

Labels

Documentation 1

Severity

Minor 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace Coconuts\Mail;

use Swift_MimePart;
use Swift_Attachment;
use Swift_Mime_SimpleMessage;
use GuzzleHttp\ClientInterface;
use Illuminate\Mail\Transport\Transport;
use Coconuts\Mail\Exceptions\PostmarkException;

class PostmarkTransport extends Transport
{
    /**
     * Guzzle client instance.
     *
     * @var \GuzzleHttp\ClientInterface
     */
    protected $client;

    /**
     * The Postmark API key.
     *
     * @var string
     */
    protected $key;

    /**
     * The Postmark API end-point.
     *
     * @var string
     */
    protected $url = 'https://api.postmarkapp.com/email';

    /**
     * Create a new Postmark transport instance.
     *
     * @param \GuzzleHttp\ClientInterface $client
     * @param string $key
     *
     * @return void
     * @throws \Coconuts\Mail\Exceptions\PostmarkException
     */
    public function __construct(ClientInterface $client, $key)
    {
        if (empty(trim($key))) {
            throw new PostmarkException(
                'The Postmark secret is not set. Make sure that the `postmark.secret` config key is set.'
            );
        }

        $this->key = $key;
        $this->client = $client;
    }

    /**
     * {@inheritdoc}
     */
    public function send(Swift_Mime_SimpleMessage $message, &$failedRecipients = null)
    {
        $this->beforeSendPerformed($message);

        $response = $this->client->post($this->url, $this->payload($message));

        $message->getHeaders()->addTextHeader(
            'X-PM-Message-Id',
            $this->getMessageId($response)
        );

        $this->sendPerformed($message);

        return $this->numberOfRecipients($message);
    }

    /**
     * Get all attachments for the given message.
     *
     * @param \Swift_Mime_SimpleMessage $message
     *
     * @return array
     */
    protected function getAttachments(Swift_Mime_SimpleMessage $message)
    {
        return collect($message->getChildren())
            ->filter(function ($child) {
                return $child instanceof Swift_Attachment;
            })
            ->map(function ($child) {
                return [
                    'Name' => $child->getHeaders()->get('content-type')->getParameter('name'),
                    'Content' => base64_encode($child->getBody()),
                    'ContentType' => $child->getContentType(),
                ];
            })
            ->values()
            ->toArray();
    }

    /**
     * Format the display name.
     *
     * @param  string
     * @return string
     */
    protected function getDisplayname($value)
    {
        if (strpos($value, ',') !== false) {
            return '"'.$value.'"';
        }

        return $value;
    }

    /**
     * Format the contacts for the API request.
     *
     * @param string|array $contacts
     *
     * @return string
     */
    protected function getContacts($contacts)
    {
        return collect($contacts)
            ->map(function ($display, $address) {
                return $display ? $this->getDisplayname($display)." <{$address}>" : $address;
            })
            ->values()
            ->implode(',');
    }

    /**
     * Get the message ID from the response.
     *
     * @param \GuzzleHttp\Psr7\Response $response
     *
     * @return string
     */
    protected function getMessageId($response)
    {
        return object_get(
            json_decode($response->getBody()->getContents()),
            'MessageID'
        );
    }

    /**
     * Get the body for the given message.
     *
     * @param \Swift_Mime_SimpleMessage $message
     *
     * @return string
     */
    protected function getBody(Swift_Mime_SimpleMessage $message)
    {
        return $message->getBody() ?: '';
    }

    /**
     * Get the text and html fields for the given message.
     *
     * @param \Swift_Mime_SimpleMessage $message
     *
     * @return array
     */
    protected function getHtmlAndTextBody(Swift_Mime_SimpleMessage $message)
    {
        $key = collect([
            'text/html' => 'HtmlBody',
            'multipart/mixed' => 'HtmlBody',
            'multipart/related' => 'HtmlBody',
            'multipart/alternative' => 'HtmlBody',
        ])
        ->get($message->getContentType(), 'TextBody');

        return collect([
            $key => $this->getBody($message),
        ])->when($this->getMimePart($message, 'text/plain'), function ($collection, $value) {
function acceptsInteger($int) { }

$x = '123'; // string "123"

// Instead of
acceptsInteger($x);

// we recommend to use
acceptsInteger((integer) $x);
            return $collection->put('TextBody', $value->getBody());
        })->when($this->getMimePart($message, 'text/html'), function ($collection, $value) {
            return $collection->put('HtmlBody', $value->getBody());
        })->all();
    }

    /**
     * Get a mime part from the given message.
     *
     * @param \Swift_Mime_SimpleMessage $message
     * @param string $mimeType
     *
     * @return \Swift_MimePart|null
     */
    protected function getMimePart(Swift_Mime_SimpleMessage $message, $mimeType)
    {
        return collect($message->getChildren())
            ->filter(function ($child) {
                return $child instanceof Swift_MimePart;
            })
            ->filter(function ($child) use ($mimeType) {
                return strpos($child->getContentType(), $mimeType) === 0;
            })
            ->first();
    }

    /**
     * Get the subject for the given message.
     *
     * @param \Swift_Mime_SimpleMessage $message
     *
     * @return string
     */
    protected function getSubject(Swift_Mime_SimpleMessage $message)
    {
        return $message->getSubject() ?: '';
    }

    /**
     * Get the tag for the given message.
     *
     * @param \Swift_Mime_SimpleMessage $message
     *
     * @return string
     */
    protected function getTag(Swift_Mime_SimpleMessage $message)
    {
        return optional(
            collect($message->getHeaders()->getAll('tag'))
            ->last()
        )
        ->getFieldBody() ?: '';
    }

    /**
     * Get the HTTP payload for sending the Postmark message.
     *
     * @param \Swift_Mime_SimpleMessage $message
     *
     * @return array
     */
    protected function payload(Swift_Mime_SimpleMessage $message)
    {
        return collect([
            'headers' => [
                'Accept' => 'application/json',
                'Content-Type' => 'application/json',
                'X-Postmark-Server-Token' => $this->key,
            ],
        ])
        ->merge([
            'json' => collect([
                'Cc' => $this->getContacts($message->getCc()),
                'Bcc' => $this->getContacts($message->getBcc()),
                'Tag' => $this->getTag($message),
                'Subject' => $this->getSubject($message),
                'ReplyTo' => $this->getContacts($message->getReplyTo()),
                'Attachments' => $this->getAttachments($message),
            ])
            ->reject(function ($item) {
                return empty($item);
            })
            ->put('From', $this->getContacts($message->getFrom()))
            ->put('To', $this->getContacts($message->getTo()))
            ->merge($this->getHtmlAndTextBody($message)),
        ])
        ->toArray();
    }
}


1		<?php
2
3		namespace Coconuts\Mail;
4
5		use Swift_MimePart;
6		use Swift_Attachment;
7		use Swift_Mime_SimpleMessage;
8		use GuzzleHttp\ClientInterface;
9		use Illuminate\Mail\Transport\Transport;
10		use Coconuts\Mail\Exceptions\PostmarkException;
11
12		class PostmarkTransport extends Transport
13		{
14		/**
15		* Guzzle client instance.
16		*
17		* @var \GuzzleHttp\ClientInterface
18		*/
19		protected $client;
20
21		/**
22		* The Postmark API key.
23		*
24		* @var string
25		*/
26		protected $key;
27
28		/**
29		* The Postmark API end-point.
30		*
31		* @var string
32		*/
33		protected $url = 'https://api.postmarkapp.com/email';
34
35		/**
36		* Create a new Postmark transport instance.
37		*
38		* @param \GuzzleHttp\ClientInterface $client
39		* @param string $key
40		*
41		* @return void
42		* @throws \Coconuts\Mail\Exceptions\PostmarkException
43		*/
44	30	public function __construct(ClientInterface $client, $key)
45		{
46	30	if (empty(trim($key))) {
47	1	throw new PostmarkException(
48	1	'The Postmark secret is not set. Make sure that the `postmark.secret` config key is set.'
49		);
50		}
51
52	30	$this->key = $key;
53	30	$this->client = $client;
54	30	}
55
56		/**
57		* {@inheritdoc}
58		*/
59	1	public function send(Swift_Mime_SimpleMessage $message, &$failedRecipients = null)
60		{
61	1	$this->beforeSendPerformed($message);
62
63	1	$response = $this->client->post($this->url, $this->payload($message));
64
65	1	$message->getHeaders()->addTextHeader(
66	1	'X-PM-Message-Id',
67	1	$this->getMessageId($response)
68		);
69
70	1	$this->sendPerformed($message);
71
72	1	return $this->numberOfRecipients($message);
73		}
74
75		/**
76		* Get all attachments for the given message.
77		*
78		* @param \Swift_Mime_SimpleMessage $message
79		*
80		* @return array
81		*/
82	19	protected function getAttachments(Swift_Mime_SimpleMessage $message)
83		{
84	19	return collect($message->getChildren())
85	19	->filter(function ($child) {
86	16	return $child instanceof Swift_Attachment;
87	19	})
88	19	->map(function ($child) {
89		return [
90	15	'Name' => $child->getHeaders()->get('content-type')->getParameter('name'),
91	15	'Content' => base64_encode($child->getBody()),
92	15	'ContentType' => $child->getContentType(),
93		];
94	19	})
95	19	->values()
96	19	->toArray();
97		}
98
99		/**
100		* Format the display name.
101		*
102		* @param string
103		* @return string
104		*/
105	7	protected function getDisplayname($value)
106		{
107	7	if (strpos($value, ',') !== false) {
108	1	return '"'.$value.'"';
109		}
110
111	6	return $value;
112		}
113
114		/**
115		* Format the contacts for the API request.
116		*
117		* @param string\|array $contacts
118		*
119		* @return string
120		*/
121	19	protected function getContacts($contacts)
122		{
123	19	return collect($contacts)
124	19	->map(function ($display, $address) {
125	14	return $display ? $this->getDisplayname($display)." <{$address}>" : $address;
126	19	})
127	19	->values()
128	19	->implode(',');
129		}
130
131		/**
132		* Get the message ID from the response.
133		*
134		* @param \GuzzleHttp\Psr7\Response $response
135		*
136		* @return string
137		*/
138	1	protected function getMessageId($response)
139		{
140	1	return object_get(
141	1	json_decode($response->getBody()->getContents()),
142	1	'MessageID'
143		);
144		}
145
146		/**
147		* Get the body for the given message.
148		*
149		* @param \Swift_Mime_SimpleMessage $message
150		*
151		* @return string
152		*/
153	20	protected function getBody(Swift_Mime_SimpleMessage $message)
154		{
155	20	return $message->getBody() ?: '';
156		}
157
158		/**
159		* Get the text and html fields for the given message.
160		*
161		* @param \Swift_Mime_SimpleMessage $message
162		*
163		* @return array
164		*/
165	18	protected function getHtmlAndTextBody(Swift_Mime_SimpleMessage $message)
166		{
167	18	$key = collect([
168	18	'text/html' => 'HtmlBody',
169		'multipart/mixed' => 'HtmlBody',
170		'multipart/related' => 'HtmlBody',
171		'multipart/alternative' => 'HtmlBody',
172		])
173	18	->get($message->getContentType(), 'TextBody');
174
175	18	return collect([
176	18	$key => $this->getBody($message),
177	1	])->when($this->getMimePart($message, 'text/plain'), function ($collection, $value) {
		0 ignored issues – show Documentation introduced 2018-09-02 22:20 UTC by Report Bug Copy Issue Report Show Similar Issues like this `$this->getMimePart($message, 'text/plain')` is of type `object<Swift_MimePart>\|null`, but the function expects a `boolean`. It seems like the type of the argument is not accepted by the function/method which you are calling. In some cases, in particular if PHP’s automatic type-juggling kicks in this might be fine. In other cases, however this might be a bug. We suggest to add an explicit type cast like in the following example: function acceptsInteger($int) { } $x = '123'; // string "123" // Instead of acceptsInteger($x); // we recommend to use acceptsInteger((integer) $x); Loading history...
178	1	return $collection->put('TextBody', $value->getBody());
179		})->when($this->getMimePart($message, 'text/html'), function ($collection, $value) {
180	13	return $collection->put('HtmlBody', $value->getBody());
181	18	})->all();
182		}
183
184		/**
185		* Get a mime part from the given message.
186		*
187		* @param \Swift_Mime_SimpleMessage $message
188		* @param string $mimeType
189		*
190		* @return \Swift_MimePart\|null
191		*/
192	19	protected function getMimePart(Swift_Mime_SimpleMessage $message, $mimeType)
193		{
194	19	return collect($message->getChildren())
195	19	->filter(function ($child) {
196	16	return $child instanceof Swift_MimePart;
197	19	})
198	19	->filter(function ($child) use ($mimeType) {
199	15	return strpos($child->getContentType(), $mimeType) === 0;
200	19	})
201	19	->first();
202		}
203
204		/**
205		* Get the subject for the given message.
206		*
207		* @param \Swift_Mime_SimpleMessage $message
208		*
209		* @return string
210		*/
211	20	protected function getSubject(Swift_Mime_SimpleMessage $message)
212		{
213	20	return $message->getSubject() ?: '';
214		}
215
216		/**
217		* Get the tag for the given message.
218		*
219		* @param \Swift_Mime_SimpleMessage $message
220		*
221		* @return string
222		*/
223	21	protected function getTag(Swift_Mime_SimpleMessage $message)
224		{
225	21	return optional(
226	21	collect($message->getHeaders()->getAll('tag'))
227	21	->last()
228		)
229	21	->getFieldBody() ?: '';
230		}
231
232		/**
233		* Get the HTTP payload for sending the Postmark message.
234		*
235		* @param \Swift_Mime_SimpleMessage $message
236		*
237		* @return array
238		*/
239	18	protected function payload(Swift_Mime_SimpleMessage $message)
240		{
241	18	return collect([
242		'headers' => [
243	18	'Accept' => 'application/json',
244	18	'Content-Type' => 'application/json',
245	18	'X-Postmark-Server-Token' => $this->key,
246		],
247		])
248	18	->merge([
249	18	'json' => collect([
250	18	'Cc' => $this->getContacts($message->getCc()),
251	18	'Bcc' => $this->getContacts($message->getBcc()),
252	18	'Tag' => $this->getTag($message),
253	18	'Subject' => $this->getSubject($message),
254	18	'ReplyTo' => $this->getContacts($message->getReplyTo()),
255	18	'Attachments' => $this->getAttachments($message),
256		])
257	18	->reject(function ($item) {
258	18	return empty($item);
259	18	})
260	18	->put('From', $this->getContacts($message->getFrom()))
261	18	->put('To', $this->getContacts($message->getTo()))
262	18	->merge($this->getHtmlAndTextBody($message)),
263		])
264	18	->toArray();
265		}
266		}
267

coconutcraig / laravel-postmark

Issues (1)

Security Analysis not enabled

src/PostmarkTransport.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like