Issues in Request.php (master) - Issues in master - dirkgroenen/pinterest-api-php - Measure and Improve Code Quality continuously with Scrutinizer

Issues (21)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Pinterest/Transport/Request.php (4 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * Copyright 2015 Dirk Groenen
 *
 * (c) Dirk Groenen <[email protected]>
 *
 * For the full copyright and license information, please view the LICENSE
 * file that was distributed with this source code.
 */

namespace DirkGroenen\Pinterest\Transport;

use DirkGroenen\Pinterest\Utils\CurlBuilder;
use DirkGroenen\Pinterest\Exceptions\PinterestException;
use DirkGroenen\Pinterest\Exceptions\CurlException;

class Request {

    /**
     * Host to make the calls to
     *
     * @var string
     */
    private $host = "https://api.pinterest.com/v1/";

    /**
     * Access token
     *
     * @var string
     */
    protected $access_token = null;

    /**
     * Instance of the CurlBuilder class
     *
     * @var CurlBuilder
     */
    private $curlbuilder;

    /**
     * Array with the headers from the last request
     *
     * @var array
     */
    private $headers;

    /**
     * Constructor
     *
     * @param  CurlBuilder   $curlbuilder
     */
    public function __construct(CurlBuilder $curlbuilder)
    {
        $this->curlbuilder = $curlbuilder;
    }

    /**
     * Set the access token
     *
     * @access public
     * @param  string   $token
     * @return void
     */
    public function setAccessToken($token)
    {
        $this->access_token = $token;
    }

    /**
     * Make a get request to the given endpoint
     *
     * @access public
     * @param  string   $endpoint
     * @param  array    $parameters
     * @return Response
     */
    public function get($endpoint, array $parameters = array())

    {
        if (!empty($parameters)) {
            $path = sprintf("%s?%s", $endpoint, http_build_query($parameters));
        } else {
            $path = $endpoint;
        }

        return $this->execute("GET", sprintf("%s%s", $this->host, $path));
    }

    /**
     * Make a post request to the given endpoint
     *
     * @access public
     * @param  string   $endpoint
     * @param  array    $parameters
     * @return Response
     */
    public function post($endpoint, array $parameters = array())
    {
        return $this->execute("POST", sprintf("%s%s", $this->host, $endpoint), $parameters);
    }

    /**
     * Make a put request to the given endpoint
     *
     * @access public
     * @param  string   $endpoint
     * @param  array    $parameters
     * @return Response
     */
    public function put($endpoint, array $parameters = array())
    {
        return $this->execute("PUT", sprintf("%s%s", $this->host, $endpoint), $parameters);
    }

    /**
     * Make a delete request to the given endpoint
     *
     * @access public
     * @param  string   $endpoint
     * @param  array    $parameters
     * @return Response
     */
    public function delete($endpoint, array $parameters = array())
    {
        return $this->execute("DELETE", sprintf("%s%s", $this->host, $endpoint) . "/", $parameters);
    }

    /**
     * Make an update request to the given endpoint
     *
     * @access public
     * @param  string   $endpoint
     * @param  array    $parameters
     * @param  array    $queryparameters
     * @return Response
     */
    public function update($endpoint, array $parameters = array(), array $queryparameters = array())

    {
        if (!empty($queryparameters)) {
            $path = sprintf("%s?%s", $endpoint, http_build_query($queryparameters));
        } else {
            $path = $endpoint;
        }

        return $this->execute("PATCH", sprintf("%s%s", $this->host, $path), $parameters);
    }

    /**
     * Return the headers from the last request
     *
     * @return array
     */
    public function getHeaders()
    {
        return $this->headers;
    }

    /**
     * Execute the http request
     *
     * @access public
     * @param  string $method
     * @param  string $apiCall
     * @param  array $parameters
     * @param  array $headers
     * @return Response
     * @throws CurlException
     * @throws PinterestException
     */
    public function execute($method, $apiCall, array $parameters = array(), $headers = array())
    {
        // Check if the access token needs to be added
        if ($this->access_token != null) {
            $headers = array_merge($headers, array(
                "Authorization: Bearer " . $this->access_token,
            ));
        }

        // Force cURL to not send Expect header to workaround bug with Akamai CDN not handling
        // this type of requests correctly
        $headers = array_merge($headers, array(
            "Expect:",
        ));

        // Setup CURL
        $ch = $this->curlbuilder->create();

        // Set default options
        $ch->setOptions(array(
            CURLOPT_URL             => $apiCall,
            CURLOPT_HTTPHEADER      => $headers,
            CURLOPT_CONNECTTIMEOUT  => 20,
            CURLOPT_TIMEOUT         => 90,
            CURLOPT_RETURNTRANSFER  => true,
            CURLOPT_SSL_VERIFYPEER  => false,
            CURLOPT_SSL_VERIFYHOST  => false,
            CURLOPT_HEADER          => false,
            CURLINFO_HEADER_OUT     => true
        ));

        switch ($method) {
            case 'POST':
                $ch->setOptions(array(
                    CURLOPT_CUSTOMREQUEST   => "POST",
                    CURLOPT_POST            => count($parameters),
                    CURLOPT_POSTFIELDS      => $parameters
                ));

                if (!class_exists('\CURLFile') && defined('CURLOPT_SAFE_UPLOAD')) {
                    $ch->setOption(CURLOPT_SAFE_UPLOAD, false);
                }
                elseif (class_exists('\CURLFile') && defined('CURLOPT_SAFE_UPLOAD')) {
                    $ch->setOption(CURLOPT_SAFE_UPLOAD, true);
function acceptsInteger($int) { }

$x = '123'; // string "123"

// Instead of
acceptsInteger($x);

// we recommend to use
acceptsInteger((integer) $x);
                }

                break;
            case 'DELETE':
                $ch->setOption(CURLOPT_CUSTOMREQUEST, "DELETE");
                break;
            case 'PATCH':
                $ch->setOptions(array(
                    CURLOPT_CUSTOMREQUEST   => "PATCH",
                    CURLOPT_POST            => count($parameters),
                    CURLOPT_POSTFIELDS      => $parameters
                ));
                break;
            default:
                $ch->setOption(CURLOPT_CUSTOMREQUEST, "GET");
                break;
        }

        // Execute request and catch response
        $response_data = $ch->execute();

        if ($response_data === false && !$ch->hasErrors()) {
            throw new CurlException("Error: Curl request failed");
        }
        else if($ch->hasErrors()) {
            throw new PinterestException('Error: execute() - cURL error: ' . $ch->getErrors(), $ch->getErrorNumber());
        }

        // Initiate the response
        $response = new Response($response_data, $ch);
<?php

function getDate($date)
{
    if ($date !== null) {
        return new DateTime($date);
    }

    return false;
}

        // Check the response code
        if ($response->getResponseCode() >= 400) {
            throw new PinterestException('Pinterest error (code: ' . $response->getResponseCode() . ') with message: ' . $response->getMessage(), $response->getResponseCode());
        }

        // Get headers from last request
        $this->headers = $ch->getHeaders();

        // Close curl resource
        $ch->close();

        // Return the response
        return $response;
    }

}


GitHub Access Token became invalid

Issues (21)

Security Analysis not enabled

src/Pinterest/Transport/Request.php (4 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

1			<?php
2			/**
3			* Copyright 2015 Dirk Groenen
4			*
5			* (c) Dirk Groenen <[email protected]>
6			*
7			* For the full copyright and license information, please view the LICENSE
8			* file that was distributed with this source code.
9			*/
10
11			namespace DirkGroenen\Pinterest\Transport;
12
13			use DirkGroenen\Pinterest\Utils\CurlBuilder;
14			use DirkGroenen\Pinterest\Exceptions\PinterestException;
15			use DirkGroenen\Pinterest\Exceptions\CurlException;
16
17			class Request {
18
19			/**
20			* Host to make the calls to
21			*
22			* @var string
23			*/
24			private $host = "https://api.pinterest.com/v1/";
25
26			/**
27			* Access token
28			*
29			* @var string
30			*/
31			protected $access_token = null;
32
33			/**
34			* Instance of the CurlBuilder class
35			*
36			* @var CurlBuilder
37			*/
38			private $curlbuilder;
39
40			/**
41			* Array with the headers from the last request
42			*
43			* @var array
44			*/
45			private $headers;
46
47			/**
48			* Constructor
49			*
50			* @param CurlBuilder $curlbuilder
51			*/
52	43		public function __construct(CurlBuilder $curlbuilder)
53			{
54	43		$this->curlbuilder = $curlbuilder;
55	43		}
56
57			/**
58			* Set the access token
59			*
60			* @access public
61			* @param string $token
62			* @return void
63			*/
64	43		public function setAccessToken($token)
65			{
66	43		$this->access_token = $token;
67	43		}
68
69			/**
70			* Make a get request to the given endpoint
71			*
72			* @access public
73			* @param string $endpoint
74			* @param array $parameters
75			* @return Response
76			*/
77	27	View Code Duplication	public function get($endpoint, array $parameters = array())
			0 ignored issues – show Duplication introduced 2017-09-14 09:21 UTC by Report Bug Copy Issue Report Show Similar Issues like this This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
78			{
79	27		if (!empty($parameters)) {
80	5		$path = sprintf("%s?%s", $endpoint, http_build_query($parameters));
81			} else {
82	22		$path = $endpoint;
83			}
84
85	27		return $this->execute("GET", sprintf("%s%s", $this->host, $path));
86			}
87
88			/**
89			* Make a post request to the given endpoint
90			*
91			* @access public
92			* @param string $endpoint
93			* @param array $parameters
94			* @return Response
95			*/
96	3		public function post($endpoint, array $parameters = array())
97			{
98	3		return $this->execute("POST", sprintf("%s%s", $this->host, $endpoint), $parameters);
99			}
100
101			/**
102			* Make a put request to the given endpoint
103			*
104			* @access public
105			* @param string $endpoint
106			* @param array $parameters
107			* @return Response
108			*/
109	1		public function put($endpoint, array $parameters = array())
110			{
111	1		return $this->execute("PUT", sprintf("%s%s", $this->host, $endpoint), $parameters);
112			}
113
114			/**
115			* Make a delete request to the given endpoint
116			*
117			* @access public
118			* @param string $endpoint
119			* @param array $parameters
120			* @return Response
121			*/
122	6		public function delete($endpoint, array $parameters = array())
123			{
124	6		return $this->execute("DELETE", sprintf("%s%s", $this->host, $endpoint) . "/", $parameters);
125			}
126
127			/**
128			* Make an update request to the given endpoint
129			*
130			* @access public
131			* @param string $endpoint
132			* @param array $parameters
133			* @param array $queryparameters
134			* @return Response
135			*/
136	2	View Code Duplication	public function update($endpoint, array $parameters = array(), array $queryparameters = array())
			0 ignored issues – show Duplication introduced 2017-09-14 09:21 UTC by Report Bug Copy Issue Report Show Similar Issues like this This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
137			{
138	2		if (!empty($queryparameters)) {
139			$path = sprintf("%s?%s", $endpoint, http_build_query($queryparameters));
140			} else {
141	2		$path = $endpoint;
142			}
143
144	2		return $this->execute("PATCH", sprintf("%s%s", $this->host, $path), $parameters);
145			}
146
147			/**
148			* Return the headers from the last request
149			*
150			* @return array
151			*/
152	2		public function getHeaders()
153			{
154	2		return $this->headers;
155			}
156
157			/**
158			* Execute the http request
159			*
160			* @access public
161			* @param string $method
162			* @param string $apiCall
163			* @param array $parameters
164			* @param array $headers
165			* @return Response
166			* @throws CurlException
167			* @throws PinterestException
168			*/
169	39		public function execute($method, $apiCall, array $parameters = array(), $headers = array())
170			{
171			// Check if the access token needs to be added
172	39		if ($this->access_token != null) {
173	39		$headers = array_merge($headers, array(
174	39		"Authorization: Bearer " . $this->access_token,
175			));
176			}
177
178			// Force cURL to not send Expect header to workaround bug with Akamai CDN not handling
179			// this type of requests correctly
180	39		$headers = array_merge($headers, array(
181	39		"Expect:",
182			));
183
184			// Setup CURL
185	39		$ch = $this->curlbuilder->create();
186
187			// Set default options
188	39		$ch->setOptions(array(
189	39		CURLOPT_URL => $apiCall,
190	39		CURLOPT_HTTPHEADER => $headers,
191	39		CURLOPT_CONNECTTIMEOUT => 20,
192	39		CURLOPT_TIMEOUT => 90,
193	39		CURLOPT_RETURNTRANSFER => true,
194	39		CURLOPT_SSL_VERIFYPEER => false,
195	39		CURLOPT_SSL_VERIFYHOST => false,
196	39		CURLOPT_HEADER => false,
197	39		CURLINFO_HEADER_OUT => true
198			));
199
200			switch ($method) {
201	39		case 'POST':
202	3		$ch->setOptions(array(
203	3		CURLOPT_CUSTOMREQUEST => "POST",
204	3		CURLOPT_POST => count($parameters),
205	3		CURLOPT_POSTFIELDS => $parameters
206			));
207
208	3		if (!class_exists('\CURLFile') && defined('CURLOPT_SAFE_UPLOAD')) {
209			$ch->setOption(CURLOPT_SAFE_UPLOAD, false);
210			}
211	3		elseif (class_exists('\CURLFile') && defined('CURLOPT_SAFE_UPLOAD')) {
212	3		$ch->setOption(CURLOPT_SAFE_UPLOAD, true);
			0 ignored issues – show Documentation introduced 2016-05-06 10:30 UTC by Report Bug Copy Issue Report Show Similar Issues like this `true` is of type `boolean`, but the function expects a `false\|string`. It seems like the type of the argument is not accepted by the function/method which you are calling. In some cases, in particular if PHP’s automatic type-juggling kicks in this might be fine. In other cases, however this might be a bug. We suggest to add an explicit type cast like in the following example: function acceptsInteger($int) { } $x = '123'; // string "123" // Instead of acceptsInteger($x); // we recommend to use acceptsInteger((integer) $x); Loading history...
213			}
214
215	3		break;
216	36		case 'DELETE':
217	6		$ch->setOption(CURLOPT_CUSTOMREQUEST, "DELETE");
218	6		break;
219	30		case 'PATCH':
220	2		$ch->setOptions(array(
221	2		CURLOPT_CUSTOMREQUEST => "PATCH",
222	2		CURLOPT_POST => count($parameters),
223	2		CURLOPT_POSTFIELDS => $parameters
224			));
225	2		break;
226			default:
227	28		$ch->setOption(CURLOPT_CUSTOMREQUEST, "GET");
228	28		break;
229			}
230
231			// Execute request and catch response
232	39		$response_data = $ch->execute();
233
234	39		if ($response_data === false && !$ch->hasErrors()) {
235			throw new CurlException("Error: Curl request failed");
236			}
237	39		else if($ch->hasErrors()) {
238			throw new PinterestException('Error: execute() - cURL error: ' . $ch->getErrors(), $ch->getErrorNumber());
239			}
240
241			// Initiate the response
242	39		$response = new Response($response_data, $ch);
			0 ignored issues – show Security Bug introduced 2016-05-06 15:09 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `$response_data` defined by `$ch->execute()` on line `232` can also be of type `false`; however, `DirkGroenen\Pinterest\Tr...Response::__construct()` does only seem to accept `string`, did you maybe forget to handle an error condition? This check looks for type mismatches where the missing type is `false`. This is usually indicative of an error condtion. Consider the follow example <?php function getDate($date) { if ($date !== null) { return new DateTime($date); } return false; } This function either returns a new `DateTime` object or false, if there was an error. This is a typical pattern in PHP programming to show that an error has occurred without raising an exception. The calling code should check for this returned `false` before passing on the value to another function or method that may not be able to handle a `false`. Loading history...
243
244			// Check the response code
245	39		if ($response->getResponseCode() >= 400) {
246	1		throw new PinterestException('Pinterest error (code: ' . $response->getResponseCode() . ') with message: ' . $response->getMessage(), $response->getResponseCode());
247			}
248
249			// Get headers from last request
250	38		$this->headers = $ch->getHeaders();
251
252			// Close curl resource
253	38		$ch->close();
254
255			// Return the response
256	38		return $response;
257			}
258
259			}
260

dirkgroenen / pinterest-api-php

GitHub Access Token became invalid

Issues (21)

Security Analysis not enabled

src/Pinterest/Transport/Request.php (4 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like