Issues in RpcRequest.php (master) - Issues in master - comodojo/rpcclient - Measure and Improve Code Quality continuously with Scrutinizer

Issues (6)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Comodojo/RpcClient/RpcRequest.php (1 issue)

Labels

Severity

Minor 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php namespace Comodojo\RpcClient;

use \Comodojo\Foundation\Utils\UniqueId;
use \InvalidArgumentException;
use \Exception;

/**
 * @package     Comodojo Spare Parts
 * @author      Marco Giovinazzi <[email protected]>
 * @license     MIT
 *
 * LICENSE:
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 * THE SOFTWARE.
 */

class RpcRequest {

    /**
     * @var string
     */
    private $method;

    /**
     * @var array
     */
    private $parameters = [];

    /**
     * @var array
     */
    private $special_types = [];

    private static $supported_special_types = [
        "base64",
        "datetime",
        "cdata"
    ];

    /**
     * Request's id
     *
     * @var boolean|integer
     */
    private $id = true;

    /**
     * @var string
     */
    private $uid;

    public function __construct() {

        $this->uid = UniqueId::generate(32);

    }

    /**
     * Get request's unique id
     *
     * @return string
     */
    public function getUniqueId() {

        return $this->uid;

    }

    /**
     * Get rpc method
     *
     * @return string|null
     */
    public function getMethod() {

        return $this->method;

    }

    /**
     * Set rpc method
     *
     * @param string $method
     * @return self
     * @throws InvalidArgumentException
     */
    public function setMethod($method) {

        if ( empty($method) || !is_string($method) ) throw new InvalidArgumentException("Invalid RPC method");

        $this->method = $method;

        return $this;

    }

    /**
     * Get parameters
     *
     * @return array
     */
    public function getParameters() {

        return $this->parameters;

    }

    /**
     * Set parameters
     *
     * @param array $params
     * @return self
     */
    public function setParameters(array $params = []) {

        $this->parameters = $params;

        return $this;

    }

    /**
     * Get values marked as special type
     *
     * @return array
     */
    public function getSpecialTypes() {

        return $this->special_types;

    }

    /**
     * Set values as special type
     *
     * @param string $value
     * @param string $type
     * @return self
     * @throws InvalidArgumentException
     */
    public function setSpecialType(&$value, $type) {

        $type = strtolower($type);

        if ( empty($value) || !in_array($type, self::$supported_special_types) ) {
            throw new InvalidArgumentException("Invalid value type");
        }

        $this->special_types[$value] = $type;

        return $this;

    }

    /**
     * Get request's id
     *
     * @return int|bool|null
     */
    public function getId() {

        return $this->id;

    }

    /**
     * Set request's id
     *
     * @param int|bool|null $id
     * @return self
     * @throws InvalidArgumentException
     */
    public function setId($id = null) {

        if (
            $id === null ||
            is_bool($id) ||
            ( is_int($id) && $id > 0 ) ||
            ( is_string($id) && !empty($id) )
        ) {

            $this->id = $id;
class Id
{
    public $id;

    public function __construct($id)
    {
        $this->id = $id;
    }

}

class Account
{
    /** @var  Id $id */
    public $id;
}

$account_id = false;

if (starsAreRight()) {
    $account_id = new Id(42);
}

$account = new Account();
if ($account instanceof Id)
{
    $account->id = $account_id;
}

        } else {

            throw new InvalidArgumentException("Invalid RPC id");

        }

        return $this;

    }

    /**
     * Export request as an array
     *
     * @return array
     */
    public function toArray() {

        return [
            'uid' => $this->uid,
            'method' => $this->method,
            'parameters' => $this->parameters,
            'special_types' => $this->special_types,
            'id' => $this->id
        ];

    }

    /**
     * Static constructor
     *
     * @param string $method
     * @param array $parameters
     * @param int|bool|null $id
     * @return RpcRequest
     * @throws Exception
     */
    public static function create($method, array $parameters = [], $id = true) {

        $request = new RpcRequest();

        try {

            $request->setMethod($method)
                ->setParameters($parameters)
                ->setId($id);

        } catch (Exception $e) {

            throw $e;

        }

        return $request;

    }

}


1		<?php namespace Comodojo\RpcClient;
2
3		use \Comodojo\Foundation\Utils\UniqueId;
4		use \InvalidArgumentException;
5		use \Exception;
6
7		/**
8		* @package Comodojo Spare Parts
9		* @author Marco Giovinazzi <[email protected]>
10		* @license MIT
11		*
12		* LICENSE:
13		*
14		* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
15		* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16		* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
17		* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
18		* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
19		* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
20		* THE SOFTWARE.
21		*/
22
23		class RpcRequest {
24
25		/**
26		* @var string
27		*/
28		private $method;
29
30		/**
31		* @var array
32		*/
33		private $parameters = [];
34
35		/**
36		* @var array
37		*/
38		private $special_types = [];
39
40		private static $supported_special_types = [
41		"base64",
42		"datetime",
43		"cdata"
44		];
45
46		/**
47		* Request's id
48		*
49		* @var boolean\|integer
50		*/
51		private $id = true;
52
53		/**
54		* @var string
55		*/
56		private $uid;
57
58	63	public function __construct() {
59
60	63	$this->uid = UniqueId::generate(32);
61
62	63	}
63
64		/**
65		* Get request's unique id
66		*
67		* @return string
68		*/
69	12	public function getUniqueId() {
70
71	12	return $this->uid;
72
73		}
74
75		/**
76		* Get rpc method
77		*
78		* @return string\|null
79		*/
80	63	public function getMethod() {
81
82	63	return $this->method;
83
84		}
85
86		/**
87		* Set rpc method
88		*
89		* @param string $method
90		* @return self
91		* @throws InvalidArgumentException
92		*/
93	63	public function setMethod($method) {
94
95	63	if ( empty($method) \|\| !is_string($method) ) throw new InvalidArgumentException("Invalid RPC method");
96
97	63	$this->method = $method;
98
99	63	return $this;
100
101		}
102
103		/**
104		* Get parameters
105		*
106		* @return array
107		*/
108	63	public function getParameters() {
109
110	63	return $this->parameters;
111
112		}
113
114		/**
115		* Set parameters
116		*
117		* @param array $params
118		* @return self
119		*/
120	63	public function setParameters(array $params = []) {
121
122	63	$this->parameters = $params;
123
124	63	return $this;
125
126		}
127
128		/**
129		* Get values marked as special type
130		*
131		* @return array
132		*/
133	39	public function getSpecialTypes() {
134
135	39	return $this->special_types;
136
137		}
138
139		/**
140		* Set values as special type
141		*
142		* @param string $value
143		* @param string $type
144		* @return self
145		* @throws InvalidArgumentException
146		*/
147	9	public function setSpecialType(&$value, $type) {
148
149	9	$type = strtolower($type);
150
151	9	if ( empty($value) \|\| !in_array($type, self::$supported_special_types) ) {
152		throw new InvalidArgumentException("Invalid value type");
153		}
154
155	9	$this->special_types[$value] = $type;
156
157	9	return $this;
158
159		}
160
161		/**
162		* Get request's id
163		*
164		* @return int\|bool\|null
165		*/
166	24	public function getId() {
167
168	24	return $this->id;
169
170		}
171
172		/**
173		* Set request's id
174		*
175		* @param int\|bool\|null $id
176		* @return self
177		* @throws InvalidArgumentException
178		*/
179	63	public function setId($id = null) {
180
181		if (
182	63	$id === null \|\|
183	60	is_bool($id) \|\|
184	9	( is_int($id) && $id > 0 ) \|\|
185	44	( is_string($id) && !empty($id) )
186	21	) {
187
188	63	$this->id = $id;
		0 ignored issues – show Documentation Bug introduced 2018-07-31 23:06 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `$id` can also be of type `string`. However, the property `$id` is declared as type `boolean\|integer`. Maybe add an additional type check? Our type inference engine has found a suspicous assignment of a value to a property. This check raises an issue when a value that can be of a mixed type is assigned to a property that is type hinted more strictly. For example, imagine you have a variable `$accountId` that can either hold an Id object or false (if there is no account id yet). Your code now assigns that value to the `id` property of an instance of the `Account` class. This class holds a proper account, so the id value must no longer be false. Either this assignment is in error or a type check should be added for that assignment. class Id { public $id; public function __construct($id) { $this->id = $id; } } class Account { /** @var Id $id */ public $id; } $account_id = false; if (starsAreRight()) { $account_id = new Id(42); } $account = new Account(); if ($account instanceof Id) { $account->id = $account_id; } Loading history...
189
190	21	} else {
191
192		throw new InvalidArgumentException("Invalid RPC id");
193
194		}
195
196	63	return $this;
197
198		}
199
200		/**
201		* Export request as an array
202		*
203		* @return array
204		*/
205	36	public function toArray() {
206
207		return [
208	36	'uid' => $this->uid,
209	36	'method' => $this->method,
210	36	'parameters' => $this->parameters,
211	36	'special_types' => $this->special_types,
212	36	'id' => $this->id
213	12	];
214
215		}
216
217		/**
218		* Static constructor
219		*
220		* @param string $method
221		* @param array $parameters
222		* @param int\|bool\|null $id
223		* @return RpcRequest
224		* @throws Exception
225		*/
226	63	public static function create($method, array $parameters = [], $id = true) {
227
228	63	$request = new RpcRequest();
229
230		try {
231
232	63	$request->setMethod($method)
233	63	->setParameters($parameters)
234	63	->setId($id);
235
236	21	} catch (Exception $e) {
237
238		throw $e;
239
240		}
241
242	63	return $request;
243
244		}
245
246		}
247

comodojo / rpcclient

Issues (6)

Security Analysis no request data

src/Comodojo/RpcClient/RpcRequest.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like