Issues in GoogleAuthenticator.php (master) - Issues in master - delboy1978uk/google-auth - Measure and Improve Code Quality continuously with Scrutinizer

Issues (3)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/GoogleAuthenticator.php (3 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace Del\Auth;

use Exception;

class GoogleAuthenticator
{
    protected $_codeLength = 6;

    /**
     * Create new secret.
     * 16 characters, randomly chosen from the allowed base32 characters.
     *
     * @param int $secretLength
     *
     * @return string
     */
    public function createSecret($secretLength = 16)
    {
        $validChars = $this->_getBase32LookupTable();

        // Valid secret lengths are 80 to 640 bits
        if ($secretLength < 16 || $secretLength > 128) {
            throw new Exception('Bad secret length');
        }
        $secret = '';
        $rnd = false;
        if (function_exists('random_bytes')) {
            $rnd = random_bytes($secretLength);
        } elseif (function_exists('mcrypt_create_iv')) {
            $rnd = mcrypt_create_iv($secretLength, MCRYPT_DEV_URANDOM);
        } elseif (function_exists('openssl_random_pseudo_bytes')) {
            $rnd = openssl_random_pseudo_bytes($secretLength, $cryptoStrong);
            if (!$cryptoStrong) {
$a = canBeFalseAndNull();

// Instead of
if ( ! $a) { }

// Better use one of the explicit versions:
if ($a !== null) { }
if ($a !== false) { }
if ($a !== null && $a !== false) { }
                $rnd = false;
            }
        }
        if ($rnd !== false) {
            for ($i = 0; $i < $secretLength; ++$i) {
                $secret .= $validChars[ord($rnd[$i]) & 31];
            }
        } else {
            throw new Exception('No source of secure random');
        }

        return $secret;
    }

    /**
     * Calculate the code, with given secret and point in time.
     *
     * @param string   $secret
     * @param int|null $timeSlice
     *
     * @return string
     */
    public function getCode($secret, $timeSlice = null)
    {
        if ($timeSlice === null) {
            $timeSlice = floor(time() / 30);
        }

        $secretkey = $this->_base32Decode($secret);

        // Pack time into binary string
        $time = chr(0).chr(0).chr(0).chr(0).pack('N*', $timeSlice);
        // Hash it with users secret key
        $hm = hash_hmac('SHA1', $time, $secretkey, true);
        // Use last nipple of result as index/offset
        $offset = ord(substr($hm, -1)) & 0x0F;
        // grab 4 bytes of the result
        $hashpart = substr($hm, $offset, 4);

        // Unpak binary value
        $value = unpack('N', $hashpart);
        $value = $value[1];
        // Only 32 bits
        $value = $value & 0x7FFFFFFF;

        $modulo = pow(10, $this->_codeLength);

        return str_pad($value % $modulo, $this->_codeLength, '0', STR_PAD_LEFT);
    }

    /**
     * Get QR-Code URL for image, from google charts.
     *
     * @param string $name
     * @param string $secret
     * @param string $title
     * @param array  $params
     *
     * @return string
     */
    public function getQRCodeGoogleUrl($name, $secret, $title = null, $params = array())
    {
        $width = !empty($params['width']) && (int) $params['width'] > 0 ? (int) $params['width'] : 200;
        $height = !empty($params['height']) && (int) $params['height'] > 0 ? (int) $params['height'] : 200;
        $level = !empty($params['level']) && array_search($params['level'], array('L', 'M', 'Q', 'H')) !== false ? $params['level'] : 'M';

        $urlencoded = urlencode('otpauth://totp/'.$name.'?secret='.$secret.'');
        if (isset($title)) {
            $urlencoded .= urlencode('&issuer='.urlencode($title));
        }

        return 'https://chart.googleapis.com/chart?chs='.$width.'x'.$height.'&chld='.$level.'|0&cht=qr&chl='.$urlencoded.'';
    }

    /**
     * Check if the code is correct. This will accept codes starting from $discrepancy*30sec ago to $discrepancy*30sec from now.
     *
     * @param string   $secret
     * @param string   $code
     * @param int      $discrepancy      This is the allowed time drift in 30 second units (8 means 4 minutes before or after)
     * @param int|null $currentTimeSlice time slice if we want use other that time()
     *
     * @return bool
     */
    public function verifyCode($secret, $code, $discrepancy = 1, $currentTimeSlice = null)
    {
        if ($currentTimeSlice === null) {
            $currentTimeSlice = floor(time() / 30);
        }

        if (strlen($code) != 6) {
            return false;
        }

        for ($i = -$discrepancy; $i <= $discrepancy; ++$i) {
            $calculatedCode = $this->getCode($secret, $currentTimeSlice + $i);
            if ($this->timingSafeEquals($calculatedCode, $code)) {
                return true;
            }
        }

        return false;
    }

    /**
     * Set the code length, should be >=6.
     *
     * @param int $length
     *
     * @return PHPGangsta_GoogleAuthenticator
     */
    public function setCodeLength($length)
    {
        $this->_codeLength = $length;

        return $this;
    }

    /**
     * Helper class to decode base32.
     *
     * @param $secret
     *
     * @return bool|string
     */
    protected function _base32Decode($secret)
    {
        if (empty($secret)) {
            return '';
        }

        $base32chars = $this->_getBase32LookupTable();
        $base32charsFlipped = array_flip($base32chars);

        $paddingCharCount = substr_count($secret, $base32chars[32]);
        $allowedValues = array(6, 4, 3, 1, 0);
        if (!in_array($paddingCharCount, $allowedValues)) {
            return false;
        }
        for ($i = 0; $i < 4; ++$i) {
            if ($paddingCharCount == $allowedValues[$i] &&
                substr($secret, -($allowedValues[$i])) != str_repeat($base32chars[32], $allowedValues[$i])) {
                return false;
            }
        }
        $secret = str_replace('=', '', $secret);
        $secret = str_split($secret);
        $binaryString = '';
        for ($i = 0; $i < count($secret); $i = $i + 8) {
for ($i=0; $i<count($array); $i++) { // calls count() on each iteration
}

// Better
for ($i=0, $c=count($array); $i<$c; $i++) { // calls count() just once
}
            $x = '';
            if (!in_array($secret[$i], $base32chars)) {
                return false;
            }
            for ($j = 0; $j < 8; ++$j) {
                $x .= str_pad(base_convert(@$base32charsFlipped[@$secret[$i + $j]], 10, 2), 5, '0', STR_PAD_LEFT);
            }
            $eightBits = str_split($x, 8);
            for ($z = 0; $z < count($eightBits); ++$z) {
for ($i=0; $i<count($array); $i++) { // calls count() on each iteration
}

// Better
for ($i=0, $c=count($array); $i<$c; $i++) { // calls count() just once
}
                $binaryString .= (($y = chr(base_convert($eightBits[$z], 2, 10))) || ord($y) == 48) ? $y : '';
            }
        }

        return $binaryString;
    }

    /**
     * Get array with all 32 characters for decoding from/encoding to base32.
     *
     * @return array
     */
    protected function _getBase32LookupTable()
    {
        return array(
            'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', //  7
            'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', // 15
            'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', // 23
            'Y', 'Z', '2', '3', '4', '5', '6', '7', // 31
            '=',  // padding char
        );
    }

    /**
     * A timing safe equals comparison
     * more info here: http://blog.ircmaxell.com/2014/11/its-all-about-time.html.
     *
     * @param string $safeString The internal (safe) value to be checked
     * @param string $userString The user submitted (unsafe) value
     *
     * @return bool True if the two strings are identical
     */
    private function timingSafeEquals($safeString, $userString)
    {
        if (function_exists('hash_equals')) {
            return hash_equals($safeString, $userString);
        }
        $safeLen = strlen($safeString);
        $userLen = strlen($userString);

        if ($userLen != $safeLen) {
            return false;
        }

        $result = 0;

        for ($i = 0; $i < $userLen; ++$i) {
            $result |= (ord($safeString[$i]) ^ ord($userString[$i]));
        }

        // They are only identical strings if $result is exactly 0...
        return $result === 0;
    }
}


1			<?php
2
3			namespace Del\Auth;
4
5			use Exception;
6
7			class GoogleAuthenticator
8			{
9			protected $_codeLength = 6;
10
11			/**
12			* Create new secret.
13			* 16 characters, randomly chosen from the allowed base32 characters.
14			*
15			* @param int $secretLength
16			*
17			* @return string
18			*/
19			public function createSecret($secretLength = 16)
20			{
21			$validChars = $this->_getBase32LookupTable();
22
23			// Valid secret lengths are 80 to 640 bits
24			if ($secretLength < 16 \|\| $secretLength > 128) {
25			throw new Exception('Bad secret length');
26			}
27			$secret = '';
28			$rnd = false;
29			if (function_exists('random_bytes')) {
30			$rnd = random_bytes($secretLength);
31			} elseif (function_exists('mcrypt_create_iv')) {
32			$rnd = mcrypt_create_iv($secretLength, MCRYPT_DEV_URANDOM);
33			} elseif (function_exists('openssl_random_pseudo_bytes')) {
34			$rnd = openssl_random_pseudo_bytes($secretLength, $cryptoStrong);
35			if (!$cryptoStrong) {
			0 ignored issues – show Bug Best Practice introduced 2017-11-23 12:05 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `$cryptoStrong` of type `boolean\|null` is loosely compared to `false`; this is ambiguous if the boolean can be false. You might want to explicitly use `!== null` instead. If an expression can have both `false`, and `null` as possible values. It is generally a good practice to always use strict comparison to clearly distinguish between those two values. $a = canBeFalseAndNull(); // Instead of if ( ! $a) { } // Better use one of the explicit versions: if ($a !== null) { } if ($a !== false) { } if ($a !== null && $a !== false) { } Loading history...
36			$rnd = false;
37			}
38			}
39			if ($rnd !== false) {
40			for ($i = 0; $i < $secretLength; ++$i) {
41			$secret .= $validChars[ord($rnd[$i]) & 31];
42			}
43			} else {
44			throw new Exception('No source of secure random');
45			}
46
47			return $secret;
48			}
49
50			/**
51			* Calculate the code, with given secret and point in time.
52			*
53			* @param string $secret
54			* @param int\|null $timeSlice
55			*
56			* @return string
57			*/
58			public function getCode($secret, $timeSlice = null)
59			{
60			if ($timeSlice === null) {
61			$timeSlice = floor(time() / 30);
62			}
63
64			$secretkey = $this->_base32Decode($secret);
65
66			// Pack time into binary string
67			$time = chr(0).chr(0).chr(0).chr(0).pack('N*', $timeSlice);
68			// Hash it with users secret key
69			$hm = hash_hmac('SHA1', $time, $secretkey, true);
70			// Use last nipple of result as index/offset
71			$offset = ord(substr($hm, -1)) & 0x0F;
72			// grab 4 bytes of the result
73			$hashpart = substr($hm, $offset, 4);
74
75			// Unpak binary value
76			$value = unpack('N', $hashpart);
77			$value = $value[1];
78			// Only 32 bits
79			$value = $value & 0x7FFFFFFF;
80
81			$modulo = pow(10, $this->_codeLength);
82
83			return str_pad($value % $modulo, $this->_codeLength, '0', STR_PAD_LEFT);
84			}
85
86			/**
87			* Get QR-Code URL for image, from google charts.
88			*
89			* @param string $name
90			* @param string $secret
91			* @param string $title
92			* @param array $params
93			*
94			* @return string
95			*/
96			public function getQRCodeGoogleUrl($name, $secret, $title = null, $params = array())
97			{
98			$width = !empty($params['width']) && (int) $params['width'] > 0 ? (int) $params['width'] : 200;
99			$height = !empty($params['height']) && (int) $params['height'] > 0 ? (int) $params['height'] : 200;
100			$level = !empty($params['level']) && array_search($params['level'], array('L', 'M', 'Q', 'H')) !== false ? $params['level'] : 'M';
101
102			$urlencoded = urlencode('otpauth://totp/'.$name.'?secret='.$secret.'');
103			if (isset($title)) {
104			$urlencoded .= urlencode('&issuer='.urlencode($title));
105			}
106
107			return 'https://chart.googleapis.com/chart?chs='.$width.'x'.$height.'&chld='.$level.'\|0&cht=qr&chl='.$urlencoded.'';
108			}
109
110			/**
111			* Check if the code is correct. This will accept codes starting from $discrepancy30sec ago to $discrepancy30sec from now.
112			*
113			* @param string $secret
114			* @param string $code
115			* @param int $discrepancy This is the allowed time drift in 30 second units (8 means 4 minutes before or after)
116			* @param int\|null $currentTimeSlice time slice if we want use other that time()
117			*
118			* @return bool
119			*/
120			public function verifyCode($secret, $code, $discrepancy = 1, $currentTimeSlice = null)
121			{
122			if ($currentTimeSlice === null) {
123			$currentTimeSlice = floor(time() / 30);
124			}
125
126			if (strlen($code) != 6) {
127			return false;
128			}
129
130			for ($i = -$discrepancy; $i <= $discrepancy; ++$i) {
131			$calculatedCode = $this->getCode($secret, $currentTimeSlice + $i);
132			if ($this->timingSafeEquals($calculatedCode, $code)) {
133			return true;
134			}
135			}
136
137			return false;
138			}
139
140			/**
141			* Set the code length, should be >=6.
142			*
143			* @param int $length
144			*
145			* @return PHPGangsta_GoogleAuthenticator
146			*/
147			public function setCodeLength($length)
148			{
149			$this->_codeLength = $length;
150
151			return $this;
152			}
153
154			/**
155			* Helper class to decode base32.
156			*
157			* @param $secret
158			*
159			* @return bool\|string
160			*/
161			protected function _base32Decode($secret)
162			{
163			if (empty($secret)) {
164			return '';
165			}
166
167			$base32chars = $this->_getBase32LookupTable();
168			$base32charsFlipped = array_flip($base32chars);
169
170			$paddingCharCount = substr_count($secret, $base32chars[32]);
171			$allowedValues = array(6, 4, 3, 1, 0);
172			if (!in_array($paddingCharCount, $allowedValues)) {
173			return false;
174			}
175			for ($i = 0; $i < 4; ++$i) {
176			if ($paddingCharCount == $allowedValues[$i] &&
177			substr($secret, -($allowedValues[$i])) != str_repeat($base32chars[32], $allowedValues[$i])) {
178			return false;
179			}
180			}
181			$secret = str_replace('=', '', $secret);
182			$secret = str_split($secret);
183			$binaryString = '';
184			for ($i = 0; $i < count($secret); $i = $i + 8) {
			0 ignored issues – show Performance Best Practice introduced 2017-11-23 12:05 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like you are calling the size function `count()` as part of the test condition. You might want to compute the size beforehand, and not on each iteration. If the size of the collection does not change during the iteration, it is generally a good practice to compute it beforehand, and not on each iteration: for ($i=0; $i<count($array); $i++) { // calls count() on each iteration } // Better for ($i=0, $c=count($array); $i<$c; $i++) { // calls count() just once } Loading history...
185			$x = '';
186			if (!in_array($secret[$i], $base32chars)) {
187			return false;
188			}
189			for ($j = 0; $j < 8; ++$j) {
190			$x .= str_pad(base_convert(@$base32charsFlipped[@$secret[$i + $j]], 10, 2), 5, '0', STR_PAD_LEFT);
191			}
192			$eightBits = str_split($x, 8);
193			for ($z = 0; $z < count($eightBits); ++$z) {
			0 ignored issues – show Performance Best Practice introduced 2017-11-23 12:05 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like you are calling the size function `count()` as part of the test condition. You might want to compute the size beforehand, and not on each iteration. If the size of the collection does not change during the iteration, it is generally a good practice to compute it beforehand, and not on each iteration: for ($i=0; $i<count($array); $i++) { // calls count() on each iteration } // Better for ($i=0, $c=count($array); $i<$c; $i++) { // calls count() just once } Loading history...
194			$binaryString .= (($y = chr(base_convert($eightBits[$z], 2, 10))) \|\| ord($y) == 48) ? $y : '';
195			}
196			}
197
198			return $binaryString;
199			}
200
201			/**
202			* Get array with all 32 characters for decoding from/encoding to base32.
203			*
204			* @return array
205			*/
206			protected function _getBase32LookupTable()
207			{
208			return array(
209			'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', // 7
210			'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', // 15
211			'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', // 23
212			'Y', 'Z', '2', '3', '4', '5', '6', '7', // 31
213			'=', // padding char
214			);
215			}
216
217			/**
218			* A timing safe equals comparison
219			* more info here: http://blog.ircmaxell.com/2014/11/its-all-about-time.html.
220			*
221			* @param string $safeString The internal (safe) value to be checked
222			* @param string $userString The user submitted (unsafe) value
223			*
224			* @return bool True if the two strings are identical
225			*/
226			private function timingSafeEquals($safeString, $userString)
227			{
228			if (function_exists('hash_equals')) {
229			return hash_equals($safeString, $userString);
230			}
231			$safeLen = strlen($safeString);
232			$userLen = strlen($userString);
233
234			if ($userLen != $safeLen) {
235			return false;
236			}
237
238			$result = 0;
239
240			for ($i = 0; $i < $userLen; ++$i) {
241			$result \|= (ord($safeString[$i]) ^ ord($userString[$i]));
242			}
243
244			// They are only identical strings if $result is exactly 0...
245			return $result === 0;
246			}
247			}
248

delboy1978uk / google-auth

Issues (3)

Security Analysis no request data

src/GoogleAuthenticator.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like