Issues in Consumer.php (2.x) - Issues in 2.x - fusonic/opengraph - Measure and Improve Code Quality continuously with Scrutinizer

Issues (7)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Consumer.php (1 issue)

Labels

Bug 1

Severity

Critical 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace Fusonic\OpenGraph;

use DOMElement;
use Fusonic\Linq\Linq;
use Fusonic\OpenGraph\Objects\ObjectBase;
use Fusonic\OpenGraph\Objects\Website;
use LogicException;
use Psr\Http\Client\ClientExceptionInterface;
use Psr\Http\Client\ClientInterface;
use Psr\Http\Message\RequestFactoryInterface;
use Symfony\Component\DomCrawler\Crawler;

/**
 * Consumer that extracts Open Graph data from either a URL or a HTML string.
 */
class Consumer
{
    private ?ClientInterface $client;

    private ?RequestFactoryInterface $requestFactory;

    /**
     * When enabled, crawler will read content of title and meta description if no
     * Open Graph data is provided by target page.
     */
    public bool $useFallbackMode = false;

    /**
     * When enabled, crawler will throw exceptions for some crawling errors like unexpected
     * Open Graph elements.
     */
    public bool $debug = false;

    /**
     * @param ClientInterface|null         $client         A PSR-18 ClientInterface implementation.
     * @param RequestFactoryInterface|null $requestFactory A PSR-17 RequestFactoryInterface implementation.
     */
    public function __construct(?ClientInterface $client = null, ?RequestFactoryInterface $requestFactory = null)
    {
        $this->client = $client;
        $this->requestFactory = $requestFactory;
    }

    /**
     * Fetches HTML content from the given URL and then crawls it for Open Graph data.
     *
     * @param string $url URL to be crawled.
     *
     * @return ObjectBase
     *
     * @throws ClientExceptionInterface
     */
    public function loadUrl(string $url): ObjectBase
    {
        if ($this->client === null) {
            throw new LogicException(
                "To use loadUrl() you must provide \$client and \$requestFactory when instantiating the consumer."
            );
        }

        $request = $this->requestFactory->createRequest("GET", $url);
        $response = $this->client->sendRequest($request);

        return $this->loadHtml($response->getBody()->getContents(), $url);
    }

    /**
     * Crawls the given HTML string for OpenGraph data.
     *
     * @param string $html        HTML string, usually whole content of crawled web resource.
     * @param string $fallbackUrl URL to use when fallback mode is enabled.
     *
     * @return  ObjectBase
     */
    public function loadHtml(string $html, string $fallbackUrl = null): ObjectBase
    {
        // Extract all data that can be found
        $page = $this->extractOpenGraphData($html);

        // Use the user's URL as fallback
        if ($this->useFallbackMode && $page->url === null) {
            $page->url = $fallbackUrl;
        }

        // Return result
        return $page;
    }

    private function extractOpenGraphData(string $content): ObjectBase
    {
        $crawler = new Crawler;
        $crawler->addHTMLContent($content, 'UTF-8');

        $properties = [];
        foreach(['name', 'property'] as $t)
        {
            // Get all meta-tags starting with "og:"
            $ogMetaTags = $crawler->filter("meta[{$t}^='og:']");
            // Create clean property array
            $props = Linq::from($ogMetaTags)
                ->select(
                    function (DOMElement $tag) use ($t) {
                        $name = strtolower(trim($tag->getAttribute($t)));
                        $value = trim($tag->getAttribute("content"));
                        return new Property($name, $value);
                    }
                )
                ->toArray();
            $properties = array_merge($properties, $props);
          
        }
            
        // Create new object of the correct type
        $typeProperty = Linq::from($properties)
            ->firstOrNull(
                function (Property $property) {
                    return $property->key === Property::TYPE;
                }
            );
        switch ($typeProperty !== null ? $typeProperty->value : null) {
            default:
                $object = new Website();
                break;
        }

        // Assign all properties to the object
        $object->assignProperties($properties, $this->debug);

        // Fallback for url
        if ($this->useFallbackMode && !$object->url) {
            $urlElement = $crawler->filter("link[rel='canonical']")->first();
            if ($urlElement->count() > 0) {
                $object->url = trim($urlElement->attr("href"));
            }
        }

        // Fallback for title
        if ($this->useFallbackMode && !$object->title) {
            $titleElement = $crawler->filter("title")->first();
            if ($titleElement->count() > 0) {
                $object->title = trim($titleElement->text());
            }
        }

        // Fallback for description
        if ($this->useFallbackMode && !$object->description) {
            $descriptionElement = $crawler->filter("meta[property='description']")->first();
            if ($descriptionElement->count() > 0) {
                $object->description = trim($descriptionElement->attr("content"));
            }
        }

        return $object;
    }
}


1		<?php
2
3		namespace Fusonic\OpenGraph;
4
5		use DOMElement;
6		use Fusonic\Linq\Linq;
7		use Fusonic\OpenGraph\Objects\ObjectBase;
8		use Fusonic\OpenGraph\Objects\Website;
9		use LogicException;
10		use Psr\Http\Client\ClientExceptionInterface;
11		use Psr\Http\Client\ClientInterface;
12		use Psr\Http\Message\RequestFactoryInterface;
13		use Symfony\Component\DomCrawler\Crawler;
14
15		/**
16		* Consumer that extracts Open Graph data from either a URL or a HTML string.
17		*/
18		class Consumer
19		{
20		private ?ClientInterface $client;
		0 ignored issues – show Bug introduced 2020-05-13 12:23 UTC by Report Bug Copy Issue Report Show Similar Issues like this This code did not parse for me. Apparently, there is an error somewhere around this line: Syntax error, unexpected '?', expecting T_FUNCTION or T_CONST Loading history...
21		private ?RequestFactoryInterface $requestFactory;
22
23		/**
24		* When enabled, crawler will read content of title and meta description if no
25		* Open Graph data is provided by target page.
26		*/
27		public bool $useFallbackMode = false;
28
29		/**
30		* When enabled, crawler will throw exceptions for some crawling errors like unexpected
31		* Open Graph elements.
32		*/
33		public bool $debug = false;
34
35		/**
36		* @param ClientInterface\|null $client A PSR-18 ClientInterface implementation.
37		* @param RequestFactoryInterface\|null $requestFactory A PSR-17 RequestFactoryInterface implementation.
38		*/
39	16	public function __construct(?ClientInterface $client = null, ?RequestFactoryInterface $requestFactory = null)
40		{
41	16	$this->client = $client;
42	16	$this->requestFactory = $requestFactory;
43	16	}
44
45		/**
46		* Fetches HTML content from the given URL and then crawls it for Open Graph data.
47		*
48		* @param string $url URL to be crawled.
49		*
50		* @return ObjectBase
51		*
52		* @throws ClientExceptionInterface
53		*/
54		public function loadUrl(string $url): ObjectBase
55		{
56		if ($this->client === null) {
57		throw new LogicException(
58		"To use loadUrl() you must provide \$client and \$requestFactory when instantiating the consumer."
59		);
60		}
61
62		$request = $this->requestFactory->createRequest("GET", $url);
63		$response = $this->client->sendRequest($request);
64
65		return $this->loadHtml($response->getBody()->getContents(), $url);
66		}
67
68		/**
69		* Crawls the given HTML string for OpenGraph data.
70		*
71		* @param string $html HTML string, usually whole content of crawled web resource.
72		* @param string $fallbackUrl URL to use when fallback mode is enabled.
73		*
74		* @return ObjectBase
75		*/
76	16	public function loadHtml(string $html, string $fallbackUrl = null): ObjectBase
77		{
78		// Extract all data that can be found
79	16	$page = $this->extractOpenGraphData($html);
80
81		// Use the user's URL as fallback
82	13	if ($this->useFallbackMode && $page->url === null) {
83	1	$page->url = $fallbackUrl;
84		}
85
86		// Return result
87	13	return $page;
88		}
89
90	16	private function extractOpenGraphData(string $content): ObjectBase
91		{
92	16	$crawler = new Crawler;
93	16	$crawler->addHTMLContent($content, 'UTF-8');
94
95	16	$properties = [];
96	16	foreach(['name', 'property'] as $t)
97		{
98		// Get all meta-tags starting with "og:"
99	16	$ogMetaTags = $crawler->filter("meta[{$t}^='og:']");
100		// Create clean property array
101	16	$props = Linq::from($ogMetaTags)
102	16	->select(
103		function (DOMElement $tag) use ($t) {
104	13	$name = strtolower(trim($tag->getAttribute($t)));
105	13	$value = trim($tag->getAttribute("content"));
106	13	return new Property($name, $value);
107	16	}
108		)
109	16	->toArray();
110	16	$properties = array_merge($properties, $props);
111
112		}
113
114		// Create new object of the correct type
115	16	$typeProperty = Linq::from($properties)
116	16	->firstOrNull(
117		function (Property $property) {
118	13	return $property->key === Property::TYPE;
119	16	}
120		);
121	16	switch ($typeProperty !== null ? $typeProperty->value : null) {
122		default:
123	16	$object = new Website();
124	16	break;
125		}
126
127		// Assign all properties to the object
128	16	$object->assignProperties($properties, $this->debug);
129
130		// Fallback for url
131	13	if ($this->useFallbackMode && !$object->url) {
132	2	$urlElement = $crawler->filter("link[rel='canonical']")->first();
133	2	if ($urlElement->count() > 0) {
134	1	$object->url = trim($urlElement->attr("href"));
135		}
136		}
137
138		// Fallback for title
139	13	if ($this->useFallbackMode && !$object->title) {
140	2	$titleElement = $crawler->filter("title")->first();
141	2	if ($titleElement->count() > 0) {
142	2	$object->title = trim($titleElement->text());
143		}
144		}
145
146		// Fallback for description
147	13	if ($this->useFallbackMode && !$object->description) {
148	2	$descriptionElement = $crawler->filter("meta[property='description']")->first();
149	2	if ($descriptionElement->count() > 0) {
150	2	$object->description = trim($descriptionElement->attr("content"));
151		}
152		}
153
154	13	return $object;
155		}
156		}
157

fusonic / opengraph

Issues (7)

Security Analysis no request data

src/Consumer.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like