Issues in Authentication.php (master) - Issues in master - doctrine/DoctrineModule - Measure and Improve Code Quality continuously with Scrutinizer

Issues (89)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/DoctrineModule/Options/Authentication.php (3 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

declare(strict_types=1);

namespace DoctrineModule\Options;

use Doctrine\Persistence\Mapping\ClassMetadata;
use Doctrine\Persistence\ObjectManager;
use Doctrine\Persistence\ObjectRepository;
use Laminas\Authentication\Adapter\Exception;
use Laminas\Authentication\Storage\StorageInterface;
use Laminas\Stdlib\AbstractOptions;
use function gettype;
use function interface_exists;
use function is_callable;
use function is_string;
use function sprintf;

/**
 * This options class can be consumed by five different classes:
 *
 * DoctrineModule\Authentication\Adapter\ObjectRepository
 * DoctrineModule\Service\Authentication\AdapterFactory
 * DoctrineModule\Authentication\Storage\ObjectRepository
 * DoctrineModule\Service\Authentication\ServiceFactory
 * DoctrineModule\Service\Authentication\AuthenticationServiceFactory
 *
 * When using with DoctrineModule\Authentication\Adapter\ObjectRepository the following
 * options are required:
 *
 * $identityProperty
 * $credentialProperty
 *
 * In addition either $objectRepository or $objectManager and $identityClass must be set.
 * If $objectRepository is set, it takes precedence over $objectManager and $identityClass.
 * If $objectManager is used, it must be an instance of ObjectManager.
 *
 * All remains the same using with DoctrineModule\Service\AuthenticationAdapterFactory,
 * however, a string may be passed to $objectManager. This string must be a valid key to
 * retrieve an ObjectManager instance from the ServiceManager.
 *
 * When using with DoctrineModule\Authentication\Service\Object repository the following
 * options are required:
 *
 * Either $objectManager, or $classMetadata and $objectRepository.
 *
 * All remains the same using with DoctrineModule\Service\AuthenticationStorageFactory,
 * however, a string may be passed to $objectManager. This string must be a valid key to
 * retrieve an ObjectManager instance from the ServiceManager.
 *
 * @link    http://www.doctrine-project.org/
 */
class Authentication extends AbstractOptions
{
    /**
     * A valid object implementing ObjectManager interface
     *
     * @var string | ObjectManager
     */
    protected $objectManager;

    /**
     * A valid object implementing ObjectRepository interface (or ObjectManager/identityClass)
     *
     * @var ObjectRepository
     */
    protected $objectRepository;

    /**
     * Entity's class name
     *
     * @var string
     */
    protected $identityClass;

    /**
     * Property to use for the identity
     *
     * @var string
     */
    protected $identityProperty;

    /**
     * Property to use for the credential
     *
     * @var string
     */
    protected $credentialProperty;

    /**
     * Callable function to check if a credential is valid
     *
     * @var mixed
     */
    protected $credentialCallable;

    /**
     * If an objectManager is not supplied, this metadata will be used
     * by DoctrineModule/Authentication/Storage/ObjectRepository
     *
     * @var ClassMetadata
     */
    protected $classMetadata;

    /**
     * When using this options class to create a DoctrineModule/Authentication/Storage/ObjectRepository
     * this is the storage instance that the object key will be stored in.
     *
     * When using this options class to create an AuthenticationService with and
     * the option storeOnlyKeys == false, this is the storage instance that the whole
     * object will be stored in.
     *
     * @var StorageInterface|string;
     */
    protected $storage = 'DoctrineModule\Authentication\Storage\Session';

    /**
     * @param  string | ObjectManager $objectManager
     */
    public function setObjectManager($objectManager) : Authentication
    {
        $this->objectManager = $objectManager;

        return $this;
    }

    /**
     * Causes issue with unit test StorageFactoryTest::testCanInstantiateStorageFromServiceLocator
     * when return type is specified
     * : ObjectManager
     *
     * @return mixed
     */
    public function getObjectManager()
    {
        return $this->objectManager;
    }

    public function setObjectRepository(ObjectRepository $objectRepository) : Authentication
    {
        $this->objectRepository = $objectRepository;

        return $this;
    }

    public function getObjectRepository() : ObjectRepository
    {
        if ($this->objectRepository) {
            return $this->objectRepository;
        }

        return $this->objectManager->getRepository($this->identityClass);

    }

    public function setIdentityClass(string $identityClass) : Authentication
    {
        $this->identityClass = $identityClass;

        return $this;
    }

    public function getIdentityClass() : string
    {
        return $this->identityClass;
    }

    /**
     * @throws Exception\InvalidArgumentException
     */
    public function setIdentityProperty(string $identityProperty) : Authentication
    {
        if (! is_string($identityProperty) || $identityProperty === '') {
            throw new Exception\InvalidArgumentException(
                sprintf('Provided $identityProperty is invalid, %s given', gettype($identityProperty))
            );
        }

        $this->identityProperty = $identityProperty;

        return $this;
    }

    public function getIdentityProperty() : string
    {
        return $this->identityProperty;
    }

    /**
     * @throws Exception\InvalidArgumentException
     */
    public function setCredentialProperty(string $credentialProperty) : Authentication
    {
        if (! is_string($credentialProperty) || $credentialProperty === '') {
            throw new Exception\InvalidArgumentException(
                sprintf('Provided $credentialProperty is invalid, %s given', gettype($credentialProperty))
            );
        }

        $this->credentialProperty = $credentialProperty;

        return $this;
    }

    public function getCredentialProperty() : string
    {
        return $this->credentialProperty;
    }

    /**
     * @param  mixed $credentialCallable
     *
     * @throws Exception\InvalidArgumentException
     */
    public function setCredentialCallable($credentialCallable) : Authentication
    {
        if (! is_callable($credentialCallable)) {
            throw new Exception\InvalidArgumentException(
                sprintf(
                    '"%s" is not a callable',
                    is_string($credentialCallable) ? $credentialCallable : gettype($credentialCallable)
                )
            );
        }

        $this->credentialCallable = $credentialCallable;

        return $this;
    }

    /**
     * @return mixed
     */
    public function getCredentialCallable()
    {
        return $this->credentialCallable;
    }

    public function getClassMetadata() : ClassMetadata
    {
        if ($this->classMetadata) {
            return $this->classMetadata;
        }

        return $this->objectManager->getClassMetadata($this->identityClass);

    }

    public function setClassMetadata(ClassMetadata $classMetadata) : void
    {
        $this->classMetadata = $classMetadata;
    }

    /**
     * @return StorageInterface|string
     */
    public function getStorage()
    {
        return $this->storage;
    }

    /**
     * @param StorageInterface|string $storage
     */
    public function setStorage($storage) : void
    {
        $this->storage = $storage;
class Id
{
    public $id;

    public function __construct($id)
    {
        $this->id = $id;
    }

}

class Account
{
    /** @var  Id $id */
    public $id;
}

$account_id = false;

if (starsAreRight()) {
    $account_id = new Id(42);
}

$account = new Account();
if ($account instanceof Id)
{
    $account->id = $account_id;
}
    }
}

interface_exists(ClassMetadata::class);
interface_exists(ObjectRepository::class);


1		<?php
2
3		declare(strict_types=1);
4
5		namespace DoctrineModule\Options;
6
7		use Doctrine\Persistence\Mapping\ClassMetadata;
8		use Doctrine\Persistence\ObjectManager;
9		use Doctrine\Persistence\ObjectRepository;
10		use Laminas\Authentication\Adapter\Exception;
11		use Laminas\Authentication\Storage\StorageInterface;
12		use Laminas\Stdlib\AbstractOptions;
13		use function gettype;
14		use function interface_exists;
15		use function is_callable;
16		use function is_string;
17		use function sprintf;
18
19		/**
20		* This options class can be consumed by five different classes:
21		*
22		* DoctrineModule\Authentication\Adapter\ObjectRepository
23		* DoctrineModule\Service\Authentication\AdapterFactory
24		* DoctrineModule\Authentication\Storage\ObjectRepository
25		* DoctrineModule\Service\Authentication\ServiceFactory
26		* DoctrineModule\Service\Authentication\AuthenticationServiceFactory
27		*
28		* When using with DoctrineModule\Authentication\Adapter\ObjectRepository the following
29		* options are required:
30		*
31		* $identityProperty
32		* $credentialProperty
33		*
34		* In addition either $objectRepository or $objectManager and $identityClass must be set.
35		* If $objectRepository is set, it takes precedence over $objectManager and $identityClass.
36		* If $objectManager is used, it must be an instance of ObjectManager.
37		*
38		* All remains the same using with DoctrineModule\Service\AuthenticationAdapterFactory,
39		* however, a string may be passed to $objectManager. This string must be a valid key to
40		* retrieve an ObjectManager instance from the ServiceManager.
41		*
42		* When using with DoctrineModule\Authentication\Service\Object repository the following
43		* options are required:
44		*
45		* Either $objectManager, or $classMetadata and $objectRepository.
46		*
47		* All remains the same using with DoctrineModule\Service\AuthenticationStorageFactory,
48		* however, a string may be passed to $objectManager. This string must be a valid key to
49		* retrieve an ObjectManager instance from the ServiceManager.
50		*
51		* @link http://www.doctrine-project.org/
52		*/
53		class Authentication extends AbstractOptions
54		{
55		/**
56		* A valid object implementing ObjectManager interface
57		*
58		* @var string \| ObjectManager
59		*/
60		protected $objectManager;
61
62		/**
63		* A valid object implementing ObjectRepository interface (or ObjectManager/identityClass)
64		*
65		* @var ObjectRepository
66		*/
67		protected $objectRepository;
68
69		/**
70		* Entity's class name
71		*
72		* @var string
73		*/
74		protected $identityClass;
75
76		/**
77		* Property to use for the identity
78		*
79		* @var string
80		*/
81		protected $identityProperty;
82
83		/**
84		* Property to use for the credential
85		*
86		* @var string
87		*/
88		protected $credentialProperty;
89
90		/**
91		* Callable function to check if a credential is valid
92		*
93		* @var mixed
94		*/
95		protected $credentialCallable;
96
97		/**
98		* If an objectManager is not supplied, this metadata will be used
99		* by DoctrineModule/Authentication/Storage/ObjectRepository
100		*
101		* @var ClassMetadata
102		*/
103		protected $classMetadata;
104
105		/**
106		* When using this options class to create a DoctrineModule/Authentication/Storage/ObjectRepository
107		* this is the storage instance that the object key will be stored in.
108		*
109		* When using this options class to create an AuthenticationService with and
110		* the option storeOnlyKeys == false, this is the storage instance that the whole
111		* object will be stored in.
112		*
113		* @var StorageInterface\|string;
114		*/
115		protected $storage = 'DoctrineModule\Authentication\Storage\Session';
116
117		/**
118		* @param string \| ObjectManager $objectManager
119		*/
120	7	public function setObjectManager($objectManager) : Authentication
121		{
122	7	$this->objectManager = $objectManager;
123
124	7	return $this;
125		}
126
127		/**
128		* Causes issue with unit test StorageFactoryTest::testCanInstantiateStorageFromServiceLocator
129		* when return type is specified
130		* : ObjectManager
131		*
132		* @return mixed
133		*/
134	4	public function getObjectManager()
135		{
136	4	return $this->objectManager;
137		}
138
139	6	public function setObjectRepository(ObjectRepository $objectRepository) : Authentication
140		{
141	6	$this->objectRepository = $objectRepository;
142
143	6	return $this;
144		}
145
146	7	public function getObjectRepository() : ObjectRepository
147		{
148	7	if ($this->objectRepository) {
149	6	return $this->objectRepository;
150		}
151
152	1	return $this->objectManager->getRepository($this->identityClass);
		0 ignored issues – show Bug introduced 2020-04-07 21:38 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `getRepository` cannot be called on `$this->objectManager` (of type `string`). Methods can only be called on objects. This check looks for methods being called on variables that have been inferred to never be objects. Loading history...
153		}
154
155	7	public function setIdentityClass(string $identityClass) : Authentication
156		{
157	7	$this->identityClass = $identityClass;
158
159	7	return $this;
160		}
161
162		public function getIdentityClass() : string
163		{
164		return $this->identityClass;
165		}
166
167		/**
168		* @throws Exception\InvalidArgumentException
169		*/
170	10	public function setIdentityProperty(string $identityProperty) : Authentication
171		{
172	10	if (! is_string($identityProperty) \|\| $identityProperty === '') {
173	1	throw new Exception\InvalidArgumentException(
174	1	sprintf('Provided $identityProperty is invalid, %s given', gettype($identityProperty))
175		);
176		}
177
178	9	$this->identityProperty = $identityProperty;
179
180	9	return $this;
181		}
182
183	6	public function getIdentityProperty() : string
184		{
185	6	return $this->identityProperty;
186		}
187
188		/**
189		* @throws Exception\InvalidArgumentException
190		*/
191	10	public function setCredentialProperty(string $credentialProperty) : Authentication
192		{
193	10	if (! is_string($credentialProperty) \|\| $credentialProperty === '') {
194	1	throw new Exception\InvalidArgumentException(
195	1	sprintf('Provided $credentialProperty is invalid, %s given', gettype($credentialProperty))
196		);
197		}
198
199	9	$this->credentialProperty = $credentialProperty;
200
201	9	return $this;
202		}
203
204	6	public function getCredentialProperty() : string
205		{
206	6	return $this->credentialProperty;
207		}
208
209		/**
210		* @param mixed $credentialCallable
211		*
212		* @throws Exception\InvalidArgumentException
213		*/
214	2	public function setCredentialCallable($credentialCallable) : Authentication
215		{
216	2	if (! is_callable($credentialCallable)) {
217	1	throw new Exception\InvalidArgumentException(
218	1	sprintf(
219	1	'"%s" is not a callable',
220	1	is_string($credentialCallable) ? $credentialCallable : gettype($credentialCallable)
221		)
222		);
223		}
224
225	1	$this->credentialCallable = $credentialCallable;
226
227	1	return $this;
228		}
229
230		/**
231		* @return mixed
232		*/
233	4	public function getCredentialCallable()
234		{
235	4	return $this->credentialCallable;
236		}
237
238	1	public function getClassMetadata() : ClassMetadata
239		{
240	1	if ($this->classMetadata) {
241	1	return $this->classMetadata;
242		}
243
244		return $this->objectManager->getClassMetadata($this->identityClass);
		0 ignored issues – show Bug introduced 2020-04-07 21:38 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `getClassMetadata` cannot be called on `$this->objectManager` (of type `string`). Methods can only be called on objects. This check looks for methods being called on variables that have been inferred to never be objects. Loading history...
245		}
246
247	1	public function setClassMetadata(ClassMetadata $classMetadata) : void
248		{
249	1	$this->classMetadata = $classMetadata;
250	1	}
251
252		/**
253		* @return StorageInterface\|string
254		*/
255	4	public function getStorage()
256		{
257	4	return $this->storage;
258		}
259
260		/**
261		* @param StorageInterface\|string $storage
262		*/
263	4	public function setStorage($storage) : void
264		{
265	4	$this->storage = $storage;
		0 ignored issues – show Documentation Bug introduced 2020-04-08 18:49 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `$storage` can also be of type `object<Laminas\Authentic...orage\StorageInterface>`. However, the property `$storage` is declared as type `string`. Maybe add an additional type check? Our type inference engine has found a suspicous assignment of a value to a property. This check raises an issue when a value that can be of a mixed type is assigned to a property that is type hinted more strictly. For example, imagine you have a variable `$accountId` that can either hold an Id object or false (if there is no account id yet). Your code now assigns that value to the `id` property of an instance of the `Account` class. This class holds a proper account, so the id value must no longer be false. Either this assignment is in error or a type check should be added for that assignment. class Id { public $id; public function __construct($id) { $this->id = $id; } } class Account { /** @var Id $id */ public $id; } $account_id = false; if (starsAreRight()) { $account_id = new Id(42); } $account = new Account(); if ($account instanceof Id) { $account->id = $account_id; } Loading history...
266	4	}
267		}
268
269	1	interface_exists(ClassMetadata::class);
270		interface_exists(ObjectRepository::class);
271

doctrine / DoctrineModule

Issues (89)

Security Analysis no request data

src/DoctrineModule/Options/Authentication.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like