Issues in Blacklist.php (master) - Issues in master - framgia/laravel-jwt - Measure and Improve Code Quality continuously with Scrutinizer

Issues (5)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Blacklist.php (1 issue)

Labels

Bug 1

Severity

Major 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace Framgia\Jwt;

use Carbon\Carbon;
use Lcobucci\JWT\Token;
use Framgia\Jwt\Contracts\Storage;

class Blacklist
{
    /**
     * @var \Framgia\Jwt\Contracts\Storage
     */
    protected $storage;

    /**
     * The grace period when a token is blacklisted. In seconds.
     *
     * @var int
     */
    protected $gracePeriod = 0;

    /**
     * Number of minutes from issue date in which a JWT can be refreshed.
     *
     * @var int
     */
    protected $refreshTTL = 20160;

    /**
     * The unique key held within the blacklist.
     *
     * @var string
     */
    protected $key = 'jti';


    /**
     * @param \Framgia\Jwt\Contracts\Storage $storage
     */
    public function __construct(Storage $storage)
    {
        $this->storage = $storage;
    }


    /**
     * Add the token (jti claim) to the blacklist.
     *
     * @param  \Lcobucci\JWT\Token  $token
     *
     * @return bool
     */
    public function add(Token $token)
    {
        // if there is no exp claim then add the jwt to
        // the blacklist indefinitely
        if (! $token->hasClaim('exp')) {
            return $this->addForever($token);
        }

        $this->storage->add(
            $this->getKey($token),
            ['valid_until' => $this->getGraceTimestamp()],
            $this->getMinutesUntilExpired($token)
        );
        return true;
    }

    /**
     * Get the number of minutes until the token expiry.
     *
     * @param  \Lcobucci\JWT\Token  $token
     *
     * @return int
     */
    protected function getMinutesUntilExpired(Token $token)
    {
        $exp = Carbon::createFromTimestamp($token->getClaim('exp'));
        $iat = Carbon::createFromTimestamp($token->hasClaim('iat') ? $token->getClaim('iat') : 0);
        // get the latter of the two expiration dates and find
        // the number of minutes until the expiration date,
        // plus 1 minute to avoid overlap
        return $exp->max($iat->addMinutes($this->refreshTTL))->addMinute()->diffInMinutes();
    }

    /**
     * Add the token (jti claim) to the blacklist indefinitely.
     *
     * @param  \Lcobucci\JWT\Token  $token
     *
     * @return bool
     */
    public function addForever(Token $token)
    {
        $this->storage->forever($this->getKey($token), 'forever');
        return true;
    }

    /**
     * Determine whether the token has been blacklisted.
     *
     * @param  \Lcobucci\JWT\Token  $token
     *
     * @return bool
     */
    public function has(Token $token)
    {
        $val = $this->storage->get($this->getKey($token));


        // exit early if the token was blacklisted forever
        if ($val === 'forever') {
            return true;
        }

        // check whether the expiry + grace has past
        return $val !== null && ! Carbon::createFromTimestamp($val['valid_until'])->isFuture();
    }

    /**
     * Remove the token (jti claim) from the blacklist.
     *
     * @param  \Lcobucci\JWT\Token  $token
     *
     * @return bool
     */
    public function remove(Token $token)
    {
        return $this->storage->destroy($this->getKey($token));
    }

    /**
     * Remove all tokens from the blacklist.
     *
     * @return bool
     */
    public function clear()
    {
        $this->storage->flush();
        return true;
    }

    /**
     * Get the timestamp when the blacklist comes into effect
     * This defaults to immediate (0 seconds).
     *
     * @return int
     */
    protected function getGraceTimestamp()
    {
        return Carbon::now()->addSeconds($this->gracePeriod)->getTimestamp();
    }

    /**
     * Set the grace period.
     *
     * @param  int  $gracePeriod
     *
     * @return $this
     */
    public function setGracePeriod($gracePeriod)
    {
        $this->gracePeriod = (int) $gracePeriod;
        return $this;
    }

    /**
     * Get the unique key held within the blacklist.
     *
     * @param  \Lcobucci\JWT\Token  $token
     *
     * @return mixed
     */
    public function getKey(Token $token)
    {
        return $token->getClaim($this->key);
    }

    /**
     * Set the unique key held within the blacklist.
     *
     * @param  string  $key
     *
     * @return $this
     */
    public function setKey($key)
    {
        $this->key = value($key);
        return $this;
    }

    /**
     * Set the refresh time limit.
     *
     * @param  int  $ttl
     *
     * @return $this
     */
    public function setRefreshTTL($ttl)
    {
        $this->refreshTTL = (int) $ttl;
        return $this;
    }
}


1			<?php
2
3			namespace Framgia\Jwt;
4
5			use Carbon\Carbon;
6			use Lcobucci\JWT\Token;
7			use Framgia\Jwt\Contracts\Storage;
8
9			class Blacklist
10			{
11			/**
12			* @var \Framgia\Jwt\Contracts\Storage
13			*/
14			protected $storage;
15
16			/**
17			* The grace period when a token is blacklisted. In seconds.
18			*
19			* @var int
20			*/
21			protected $gracePeriod = 0;
22
23			/**
24			* Number of minutes from issue date in which a JWT can be refreshed.
25			*
26			* @var int
27			*/
28			protected $refreshTTL = 20160;
29
30			/**
31			* The unique key held within the blacklist.
32			*
33			* @var string
34			*/
35			protected $key = 'jti';
36
37
38			/**
39			* @param \Framgia\Jwt\Contracts\Storage $storage
40			*/
41			public function __construct(Storage $storage)
42			{
43			$this->storage = $storage;
44			}
45
46
47			/**
48			* Add the token (jti claim) to the blacklist.
49			*
50			* @param \Lcobucci\JWT\Token $token
51			*
52			* @return bool
53			*/
54			public function add(Token $token)
55			{
56			// if there is no exp claim then add the jwt to
57			// the blacklist indefinitely
58			if (! $token->hasClaim('exp')) {
59			return $this->addForever($token);
60			}
61
62			$this->storage->add(
63			$this->getKey($token),
64			['valid_until' => $this->getGraceTimestamp()],
65			$this->getMinutesUntilExpired($token)
66			);
67			return true;
68			}
69
70			/**
71			* Get the number of minutes until the token expiry.
72			*
73			* @param \Lcobucci\JWT\Token $token
74			*
75			* @return int
76			*/
77			protected function getMinutesUntilExpired(Token $token)
78			{
79			$exp = Carbon::createFromTimestamp($token->getClaim('exp'));
80			$iat = Carbon::createFromTimestamp($token->hasClaim('iat') ? $token->getClaim('iat') : 0);
81			// get the latter of the two expiration dates and find
82			// the number of minutes until the expiration date,
83			// plus 1 minute to avoid overlap
84			return $exp->max($iat->addMinutes($this->refreshTTL))->addMinute()->diffInMinutes();
85			}
86
87			/**
88			* Add the token (jti claim) to the blacklist indefinitely.
89			*
90			* @param \Lcobucci\JWT\Token $token
91			*
92			* @return bool
93			*/
94			public function addForever(Token $token)
95			{
96			$this->storage->forever($this->getKey($token), 'forever');
97			return true;
98			}
99
100			/**
101			* Determine whether the token has been blacklisted.
102			*
103			* @param \Lcobucci\JWT\Token $token
104			*
105			* @return bool
106			*/
107			public function has(Token $token)
108			{
109			$val = $this->storage->get($this->getKey($token));
			0 ignored issues – show Bug introduced 2016-05-18 07:12 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `get()` does not seem to exist on `object<Framgia\Jwt\Contracts\Storage>`. This check looks for calls to methods that do not seem to exist on a given type. It looks for the method on the type itself as well as in inherited classes or implemented interfaces. This is most likely a typographical error or the method has been renamed. Loading history...
110
111			// exit early if the token was blacklisted forever
112			if ($val === 'forever') {
113			return true;
114			}
115
116			// check whether the expiry + grace has past
117			return $val !== null && ! Carbon::createFromTimestamp($val['valid_until'])->isFuture();
118			}
119
120			/**
121			* Remove the token (jti claim) from the blacklist.
122			*
123			* @param \Lcobucci\JWT\Token $token
124			*
125			* @return bool
126			*/
127			public function remove(Token $token)
128			{
129			return $this->storage->destroy($this->getKey($token));
130			}
131
132			/**
133			* Remove all tokens from the blacklist.
134			*
135			* @return bool
136			*/
137			public function clear()
138			{
139			$this->storage->flush();
140			return true;
141			}
142
143			/**
144			* Get the timestamp when the blacklist comes into effect
145			* This defaults to immediate (0 seconds).
146			*
147			* @return int
148			*/
149			protected function getGraceTimestamp()
150			{
151			return Carbon::now()->addSeconds($this->gracePeriod)->getTimestamp();
152			}
153
154			/**
155			* Set the grace period.
156			*
157			* @param int $gracePeriod
158			*
159			* @return $this
160			*/
161			public function setGracePeriod($gracePeriod)
162			{
163			$this->gracePeriod = (int) $gracePeriod;
164			return $this;
165			}
166
167			/**
168			* Get the unique key held within the blacklist.
169			*
170			* @param \Lcobucci\JWT\Token $token
171			*
172			* @return mixed
173			*/
174			public function getKey(Token $token)
175			{
176			return $token->getClaim($this->key);
177			}
178
179			/**
180			* Set the unique key held within the blacklist.
181			*
182			* @param string $key
183			*
184			* @return $this
185			*/
186			public function setKey($key)
187			{
188			$this->key = value($key);
189			return $this;
190			}
191
192			/**
193			* Set the refresh time limit.
194			*
195			* @param int $ttl
196			*
197			* @return $this
198			*/
199			public function setRefreshTTL($ttl)
200			{
201			$this->refreshTTL = (int) $ttl;
202			return $this;
203			}
204			}
205

framgia / laravel-jwt

Issues (5)

Security Analysis no request data

src/Blacklist.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like