Issues (89)

Security Analysis    not enabled

This project does not seem to handle request data directly as such no vulnerable execution paths were found.

  Cross-Site Scripting
Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.
  File Exposure
File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.
  File Manipulation
File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.
  Object Injection
Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.
  Code Injection
Code Injection enables an attacker to execute arbitrary code on the server.
  Response Splitting
Response Splitting can be used to send arbitrary responses.
  File Inclusion
File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.
  Command Injection
Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.
  SQL Injection
SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.
  XPath Injection
XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.
  LDAP Injection
LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.
  Header Injection
  Other Vulnerability
This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.
  Regex Injection
Regex Injection enables an attacker to execute arbitrary code in your PHP process.
  XML Injection
XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.
  Variable Injection
Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.
Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Message/MessageFactory.php (4 issues)

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

1
<?php
2
3
/*
4
 * This file is part of the Ivory Http Adapter package.
5
 *
6
 * (c) Eric GELOEN <[email protected]>
7
 *
8
 * For the full copyright and license information, please read the LICENSE
9
 * file that was distributed with this source code.
10
 */
11
12
namespace Ivory\HttpAdapter\Message;
13
14
use Ivory\HttpAdapter\Normalizer\HeadersNormalizer;
15
use Psr\Http\Message\StreamInterface;
16
use Zend\Diactoros\Stream;
17
use Zend\Diactoros\Uri;
18
19
/**
20
 * @author GeLo <[email protected]>
21
 */
22
class MessageFactory implements MessageFactoryInterface
23
{
24
    /**
25
     * @var Uri|null
26
     */
27
    private $baseUri;
28
29
    /**
30
     * @param string $baseUri
31
     */
32 16340
    public function __construct($baseUri = null)
33
    {
34 16340
        $this->setBaseUri($baseUri);
35 16340
    }
36
37
    /**
38
     * {@inheritdoc}
39
     */
40 15471
    public function hasBaseUri()
41 4
    {
42 15471
        return $this->baseUri !== null;
43
    }
44
45
    /**
46
     * {@inheritdoc}
47
     */
48 36
    public function getBaseUri()
49
    {
50 36
        return $this->baseUri;
51
    }
52
53
    /**
54
     * {@inheritdoc}
55
     */
56 16340
    public function setBaseUri($baseUri = null)
57
    {
58 16340
        if (is_string($baseUri)) {
59 36
            $baseUri = new Uri($baseUri);
60 28
        }
61
62 16340
        $this->baseUri = $baseUri;
63 16340
    }
64
65
    /**
66
     * {@inheritdoc}
67
     */
68 4236
    public function createRequest(
69
        $uri,
70
        $method = RequestInterface::METHOD_GET,
71
        $protocolVersion = RequestInterface::PROTOCOL_VERSION_1_1,
72
        array $headers = [],
73
        $body = null,
74
        array $parameters = []
75
    ) {
76 4236
        return (new Request(
77 4236
            $this->createUri($uri),
0 ignored issues
show
It seems like $uri defined by parameter $uri on line 69 can also be of type object; however, Ivory\HttpAdapter\Messag...ageFactory::createUri() does only seem to accept string, maybe add an additional type check?

This check looks at variables that have been passed in as parameters and are passed out again to other methods.

If the outgoing method call has stricter type requirements than the method itself, an issue is raised.

An additional type check may prevent trouble.

Loading history...
78 3264
            $method,
79 4236
            $this->createStream($body),
0 ignored issues
show
It seems like $body defined by parameter $body on line 73 can also be of type object<Guzzle\Stream\StreamInterface>; however, Ivory\HttpAdapter\Messag...Factory::createStream() does only seem to accept resource|string|object<P...e\StreamInterface>|null, maybe add an additional type check?

This check looks at variables that have been passed in as parameters and are passed out again to other methods.

If the outgoing method call has stricter type requirements than the method itself, an issue is raised.

An additional type check may prevent trouble.

Loading history...
80 4236
            HeadersNormalizer::normalize($headers),
81
            $parameters
82 4236
        ))->withProtocolVersion($protocolVersion);
83
    }
84
85
    /**
86
     * {@inheritdoc}
87
     */
88 15408
    public function createInternalRequest(
89
        $uri,
90
        $method = RequestInterface::METHOD_GET,
91
        $protocolVersion = RequestInterface::PROTOCOL_VERSION_1_1,
92
        array $headers = [],
93
        $datas = [],
94
        array $files = [],
95
        array $parameters = []
96
    ) {
97 15408
        $body = null;
98
99 15408
        if (!is_array($datas)) {
100 4227
            $body = $this->createStream($datas);
101 4227
            $datas = $files = [];
102 3257
        }
103
104 15408
        return (new InternalRequest(
105 15408
            $this->createUri($uri),
0 ignored issues
show
It seems like $uri defined by parameter $uri on line 89 can also be of type object; however, Ivory\HttpAdapter\Messag...ageFactory::createUri() does only seem to accept string, maybe add an additional type check?

This check looks at variables that have been passed in as parameters and are passed out again to other methods.

If the outgoing method call has stricter type requirements than the method itself, an issue is raised.

An additional type check may prevent trouble.

Loading history...
106 11872
            $method,
107 15408
            $body !== null ? $body : 'php://memory',
108 11872
            $datas,
109 11872
            $files,
110 15408
            HeadersNormalizer::normalize($headers),
111
            $parameters
112 15408
        ))->withProtocolVersion($protocolVersion);
113
    }
114
115
    /**
116
     * {@inheritdoc}
117
     */
118 14841
    public function createResponse(
119
        $statusCode = 200,
120
        $protocolVersion = RequestInterface::PROTOCOL_VERSION_1_1,
121
        array $headers = [],
122
        $body = null,
123
        array $parameters = []
124
    ) {
125 14841
        return (new Response(
126 14841
            $this->createStream($body),
0 ignored issues
show
It seems like $body defined by parameter $body on line 122 can also be of type object<Guzzle\Stream\StreamInterface>; however, Ivory\HttpAdapter\Messag...Factory::createStream() does only seem to accept resource|string|object<P...e\StreamInterface>|null, maybe add an additional type check?

This check looks at variables that have been passed in as parameters and are passed out again to other methods.

If the outgoing method call has stricter type requirements than the method itself, an issue is raised.

An additional type check may prevent trouble.

Loading history...
127 11435
            $statusCode,
128 14841
            HeadersNormalizer::normalize($headers),
129
            $parameters
130 14841
        ))->withProtocolVersion($protocolVersion);
131
    }
132
133
    /**
134
     * @param string $uri
135
     *
136
     * @return string
137
     */
138 15435
    private function createUri($uri)
139
    {
140 15435
        if ($this->hasBaseUri() && (stripos($uri, $baseUri = (string) $this->getBaseUri()) === false)) {
141 18
            return $baseUri.$uri;
142
        }
143
144 15417
        return $uri;
145
    }
146
147
    /**
148
     * @param resource|string|StreamInterface|null $body
149
     *
150
     * @return StreamInterface
151
     */
152 14886
    private function createStream($body)
153
    {
154 14886
        if ($body instanceof StreamInterface) {
155 14259
            $body->rewind();
156
157 14259
            return $body;
158
        }
159
160 14868
        if (is_resource($body)) {
161 3426
            return $this->createStream(new Stream($body));
162
        }
163
164 12401
        $stream = new Stream('php://memory', 'rw');
165
166 12401
        if ($body === null) {
167 1227
            return $stream;
168
        }
169
170 11774
        $stream->write((string) $body);
171
172 11774
        return $this->createStream($stream);
173
    }
174
}
175