Issues in CurlLogger.php (master) - Issues in master - facebook/facebook-php-ads-sdk - Measure and Improve Code Quality continuously with Scrutinizer

Issues (45)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/FacebookAds/Logger/CurlLogger.php (2 issues)

Labels

Bug 2

Severity

Major 2

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * Copyright (c) 2014-present, Facebook, Inc. All rights reserved.
 *
 * You are hereby granted a non-exclusive, worldwide, royalty-free license to
 * use, copy, modify, and distribute this software in source code or binary
 * form for use in connection with the web services and APIs provided by
 * Facebook.
 *
 * As with any software that integrates with the Facebook platform, your use
 * of this software is subject to the Facebook Developer Principles and
 * Policies [http://developers.facebook.com/policy/]. This copyright notice
 * shall be included in all copies or substantial portions of the software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
 * DEALINGS IN THE SOFTWARE.
 *
 */

namespace FacebookAds\Logger;

use FacebookAds\Http\FileParameter;
use FacebookAds\Http\Parameters;
use FacebookAds\Http\RequestInterface;
use FacebookAds\Http\ResponseInterface;
use FacebookAds\Logger\CurlLogger\JsonAwareParameters;

class CurlLogger implements LoggerInterface {

  /**
   * @var string
   */
  const PARAM_DEFAULT_FLAG = 'd';

  /**
   * @var string
   */
  const PARAM_URLENCODE_FLAG = '-data-urlencode';

  /**
   * @var string
   */
  const PARAM_POST_FLAG = 'F';

  /**
   * @var string
   */
  const METHOD_DEFAULT_FLAG = '';

  /**
   * @var string
   */
  const METHOD_GET_FLAG = 'G';

  /**
   * @var string
   */
  const METHOD_PUT_FLAG = 'X PUT';

  /**
   * @var string
   */
  const METHOD_DELETE_FLAG = 'X DELETE';

  /**
   * @var resource
   */
  protected $handle;

  /**
   * @var bool
   */
  protected $jsonPrettyPrint = false;

  /**
   * @param resource $handle
   */
  public function __construct($handle = null) {
    if (!defined('STDOUT')) {
        define('STDOUT', fopen('php://stdout', 'w'));
    }
    $this->handle = is_resource($handle) ? $handle : STDOUT;
  }

  /**
   * @return bool
   */
  public function isJsonPrettyPrint() {
    return $this->jsonPrettyPrint;
  }

  /**
   * @param bool $json_pretty_print
   * @return $this
   */
  public function setJsonPrettyPrint($json_pretty_print) {
    $this->jsonPrettyPrint = $json_pretty_print;
    return $this;
  }

  /**
   * @param string $method
   * @return string
   */
  public static function getMethodFlag($method) {
    switch ($method) {
      case RequestInterface::METHOD_GET:
        return static::METHOD_GET_FLAG;
      case RequestInterface::METHOD_PUT:
        return static::METHOD_PUT_FLAG;
      case RequestInterface::METHOD_DELETE:
        return static::METHOD_DELETE_FLAG;
    }

    return static::METHOD_DEFAULT_FLAG;
  }

  /**
   * @param string $method
   * @param string $value
   * @return string
   */
  public static function getParamFlag($method, $value) {
    return $method === RequestInterface::METHOD_POST
      ? static::PARAM_POST_FLAG
      : (strstr($value, "\n")
        ? static::PARAM_URLENCODE_FLAG
        : static::PARAM_DEFAULT_FLAG);
  }

  /**
   * @param string $string
   * @param int $indent
   * @return string
   */
  protected function indent($string, $indent) {
    return str_replace("\n", " \n".str_repeat(' ', $indent), $string);
  }

  /**
   * @param Parameters $params
   * @param string $method
   * @param bool $is_file
   * @return string
   */
  protected function processParams(Parameters $params, $method, $is_file) {
    $chunks = array();
    if ($this->isJsonPrettyPrint()) {
      $params = new JsonAwareParameters($params);
    }
    foreach ($params->export() as $name => $value) {
      if ($is_file && $params->offsetGet($name) instanceof FileParameter) {
        $value = "@" . $this->normalizeFileParam($params->offsetGet($name));
      } else {
        $value = addcslashes(
          strpos($value, "\n") !== false
            ? $this->indent($value, 2)
            : $value,
          '\'');
      }
      $chunks[$name] = sprintf(
        '-%s \'%s=%s\'',
        $this->getParamFlag($method, $value),
        $name,
        $value);
    }

    return $chunks;
  }

  /**
   * @param FileParameter $file_param
   * @return string
   */
  protected function normalizeFileParam(FileParameter $file_param) {
    return sprintf('%s%s%s%s%s',
      $file_param->getPath(),
      $file_param->getMimeType() != null ? ";type=" : "",

      $file_param->getMimeType(),
      $file_param->getName() != null ? ";name=" : "",

      $file_param->getName());
  }

  /**
   * @param RequestInterface $request
   * @return string
   */
  protected function processUrl(RequestInterface $request) {
    return $request->getProtocol().$request->getDomain()
      .'/v'.$request->getGraphVersion().$request->getPath();
  }

  /**
   * @param string $buffer
   */
  protected function flush($buffer) {
    fwrite($this->handle, $buffer.PHP_EOL.PHP_EOL);
  }

  /**
   * @param mixed $level
   * @param string $message
   * @param array $context
   */
  public function log($level, $message, array $context = array()) {
    // We only care about requests
  }

  /**
   * @param array $array
   * @param mixed $key
   * @return mixed
   */
  protected function removeArrayKey(array &$array, $key) {
    if (array_key_exists($key, $array)) {
      $value = $array[$key];
      unset($array[$key]);
      return $value;
    } else {
      return null;
    }
  }

  /**
   * @param array $params
   * @return array
   */
  protected function sortParams(array $params) {
    $access_token = $this->removeArrayKey($params, 'access_token');
    $appsecret_proof = $this->removeArrayKey($params, 'appsecret_proof');
    $access_token !== null && $params['access_token'] = $access_token;
    $appsecret_proof !== null && $params['appsecret_proof'] = $appsecret_proof;

    return $params;
  }

  /**
   * @param string $level
   * @param RequestInterface $request
   * @param array $context
   */
  public function logRequest(
    $level, RequestInterface $request, array $context = array()) {

    $new_line = ' \\'.PHP_EOL.'  ';
    $method = $request->getMethod();
    $method_flag = static::getMethodFlag($method);
    $params = $this->sortParams(array_merge(
      $this->processParams($request->getQueryParams(), $method, false),
      $this->processParams($request->getBodyParams(), $method, false),
      $this->processParams($request->getFileParams(), $method, true)));

    $buffer = 'curl'.($method_flag ? ' -'.$method_flag : '');
    foreach ($params as $param) {
      $buffer .= $new_line.$param;
    }
    $buffer .= $new_line.$this->processUrl($request);

    $this->flush($buffer);
  }

  /**
   * @param string $level
   * @param ResponseInterface $response
   * @param array $context
   */
  public function logResponse(
    $level, ResponseInterface $response, array $context = array()) {
    // We only care about requests
  }
}


1		<?php
2		/**
3		* Copyright (c) 2014-present, Facebook, Inc. All rights reserved.
4		*
5		* You are hereby granted a non-exclusive, worldwide, royalty-free license to
6		* use, copy, modify, and distribute this software in source code or binary
7		* form for use in connection with the web services and APIs provided by
8		* Facebook.
9		*
10		* As with any software that integrates with the Facebook platform, your use
11		* of this software is subject to the Facebook Developer Principles and
12		* Policies [http://developers.facebook.com/policy/]. This copyright notice
13		* shall be included in all copies or substantial portions of the software.
14		*
15		* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16		* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17		* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
18		* THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19		* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
20		* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
21		* DEALINGS IN THE SOFTWARE.
22		*
23		*/
24
25		namespace FacebookAds\Logger;
26
27		use FacebookAds\Http\FileParameter;
28		use FacebookAds\Http\Parameters;
29		use FacebookAds\Http\RequestInterface;
30		use FacebookAds\Http\ResponseInterface;
31		use FacebookAds\Logger\CurlLogger\JsonAwareParameters;
32
33		class CurlLogger implements LoggerInterface {
34
35		/**
36		* @var string
37		*/
38		const PARAM_DEFAULT_FLAG = 'd';
39
40		/**
41		* @var string
42		*/
43		const PARAM_URLENCODE_FLAG = '-data-urlencode';
44
45		/**
46		* @var string
47		*/
48		const PARAM_POST_FLAG = 'F';
49
50		/**
51		* @var string
52		*/
53		const METHOD_DEFAULT_FLAG = '';
54
55		/**
56		* @var string
57		*/
58		const METHOD_GET_FLAG = 'G';
59
60		/**
61		* @var string
62		*/
63		const METHOD_PUT_FLAG = 'X PUT';
64
65		/**
66		* @var string
67		*/
68		const METHOD_DELETE_FLAG = 'X DELETE';
69
70		/**
71		* @var resource
72		*/
73		protected $handle;
74
75		/**
76		* @var bool
77		*/
78		protected $jsonPrettyPrint = false;
79
80		/**
81		* @param resource $handle
82		*/
83	7	public function __construct($handle = null) {
84	7	if (!defined('STDOUT')) {
85		define('STDOUT', fopen('php://stdout', 'w'));
86		}
87	7	$this->handle = is_resource($handle) ? $handle : STDOUT;
88	7	}
89
90		/**
91		* @return bool
92		*/
93	5	public function isJsonPrettyPrint() {
94	5	return $this->jsonPrettyPrint;
95		}
96
97		/**
98		* @param bool $json_pretty_print
99		* @return $this
100		*/
101	1	public function setJsonPrettyPrint($json_pretty_print) {
102	1	$this->jsonPrettyPrint = $json_pretty_print;
103	1	return $this;
104		}
105
106		/**
107		* @param string $method
108		* @return string
109		*/
110	5	public static function getMethodFlag($method) {
111		switch ($method) {
112	5	case RequestInterface::METHOD_GET:
113	1	return static::METHOD_GET_FLAG;
114	4	case RequestInterface::METHOD_PUT:
115	1	return static::METHOD_PUT_FLAG;
116	3	case RequestInterface::METHOD_DELETE:
117	1	return static::METHOD_DELETE_FLAG;
118		}
119
120	2	return static::METHOD_DEFAULT_FLAG;
121		}
122
123		/**
124		* @param string $method
125		* @param string $value
126		* @return string
127		*/
128	5	public static function getParamFlag($method, $value) {
129		return $method === RequestInterface::METHOD_POST
130	5	? static::PARAM_POST_FLAG
131	5	: (strstr($value, "\n")
132	4	? static::PARAM_URLENCODE_FLAG
133	5	: static::PARAM_DEFAULT_FLAG);
134		}
135
136		/**
137		* @param string $string
138		* @param int $indent
139		* @return string
140		*/
141	1	protected function indent($string, $indent) {
142	1	return str_replace("\n", " \n".str_repeat(' ', $indent), $string);
143		}
144
145		/**
146		* @param Parameters $params
147		* @param string $method
148		* @param bool $is_file
149		* @return string
150		*/
151	5	protected function processParams(Parameters $params, $method, $is_file) {
152	5	$chunks = array();
153	5	if ($this->isJsonPrettyPrint()) {
154	1	$params = new JsonAwareParameters($params);
155	1	}
156	5	foreach ($params->export() as $name => $value) {
157	5	if ($is_file && $params->offsetGet($name) instanceof FileParameter) {
158		$value = "@" . $this->normalizeFileParam($params->offsetGet($name));
159		} else {
160	5	$value = addcslashes(
161	5	strpos($value, "\n") !== false
162	5	? $this->indent($value, 2)
163	5	: $value,
164	5	'\'');
165		}
166	5	$chunks[$name] = sprintf(
167	5	'-%s \'%s=%s\'',
168	5	$this->getParamFlag($method, $value),
169	5	$name,
170	5	$value);
171	5	}
172
173	5	return $chunks;
174		}
175
176		/**
177		* @param FileParameter $file_param
178		* @return string
179		*/
180		protected function normalizeFileParam(FileParameter $file_param) {
181		return sprintf('%s%s%s%s%s',
182		$file_param->getPath(),
183		$file_param->getMimeType() != null ? ";type=" : "",
		0 ignored issues – show Bug introduced 2017-11-08 10:38 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like you are loosely comparing `$file_param->getMimeType()` of type `string\|null` against `null`; this is ambiguous if the string can be empty. Consider using a strict comparison `!==` instead. Loading history...
184		$file_param->getMimeType(),
185		$file_param->getName() != null ? ";name=" : "",
		0 ignored issues – show Bug introduced 2017-11-08 10:38 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like you are loosely comparing `$file_param->getName()` of type `string\|null` against `null`; this is ambiguous if the string can be empty. Consider using a strict comparison `!==` instead. Loading history...
186		$file_param->getName());
187		}
188
189		/**
190		* @param RequestInterface $request
191		* @return string
192		*/
193	5	protected function processUrl(RequestInterface $request) {
194	5	return $request->getProtocol().$request->getDomain()
195	5	.'/v'.$request->getGraphVersion().$request->getPath();
196		}
197
198		/**
199		* @param string $buffer
200		*/
201	5	protected function flush($buffer) {
202	5	fwrite($this->handle, $buffer.PHP_EOL.PHP_EOL);
203	5	}
204
205		/**
206		* @param mixed $level
207		* @param string $message
208		* @param array $context
209		*/
210	1	public function log($level, $message, array $context = array()) {
211		// We only care about requests
212	1	}
213
214		/**
215		* @param array $array
216		* @param mixed $key
217		* @return mixed
218		*/
219	5	protected function removeArrayKey(array &$array, $key) {
220	5	if (array_key_exists($key, $array)) {
221	4	$value = $array[$key];
222	4	unset($array[$key]);
223	4	return $value;
224		} else {
225	1	return null;
226		}
227		}
228
229		/**
230		* @param array $params
231		* @return array
232		*/
233	5	protected function sortParams(array $params) {
234	5	$access_token = $this->removeArrayKey($params, 'access_token');
235	5	$appsecret_proof = $this->removeArrayKey($params, 'appsecret_proof');
236	5	$access_token !== null && $params['access_token'] = $access_token;
237	5	$appsecret_proof !== null && $params['appsecret_proof'] = $appsecret_proof;
238
239	5	return $params;
240		}
241
242		/**
243		* @param string $level
244		* @param RequestInterface $request
245		* @param array $context
246		*/
247	5	public function logRequest(
248		$level, RequestInterface $request, array $context = array()) {
249
250	5	$new_line = ' \\'.PHP_EOL.' ';
251	5	$method = $request->getMethod();
252	5	$method_flag = static::getMethodFlag($method);
253	5	$params = $this->sortParams(array_merge(
254	5	$this->processParams($request->getQueryParams(), $method, false),
255	5	$this->processParams($request->getBodyParams(), $method, false),
256	5	$this->processParams($request->getFileParams(), $method, true)));
257
258	5	$buffer = 'curl'.($method_flag ? ' -'.$method_flag : '');
259	5	foreach ($params as $param) {
260	5	$buffer .= $new_line.$param;
261	5	}
262	5	$buffer .= $new_line.$this->processUrl($request);
263
264	5	$this->flush($buffer);
265	5	}
266
267		/**
268		* @param string $level
269		* @param ResponseInterface $response
270		* @param array $context
271		*/
272	1	public function logResponse(
273		$level, ResponseInterface $response, array $context = array()) {
274		// We only care about requests
275	1	}
276		}
277

facebook / facebook-php-ads-sdk

Issues (45)

Security Analysis no request data

src/FacebookAds/Logger/CurlLogger.php (2 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like