Issues in Request.php (master) - Issues in master - gjerokrsteski/pimf-framework - Measure and Improve Code Quality continuously with Scrutinizer

Issues (27)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

core/Pimf/Request.php (1 issue)

Labels

Bug 1

Severity

Minor 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * Pimf
 *
 * @copyright Copyright (c)  Gjero Krsteski (http://krsteski.de)
 * @license   http://opensource.org/licenses/MIT MIT
 */
namespace Pimf;

/**
 * Request Manager - for controlled access to the global state of the world.
 *
 * @package Pimf
 * @author  Gjero Krsteski <[email protected]>
 */
class Request
{
    /**
     * @var Param
     */
    public static $postData;

    /**
     * @var Param
     */
    public static $getData;

    /**
     * @var Param
     */
    public static $cookieData;

    /**
     * @var Param
     */
    public static $cliData;

    /**
     * @var Util\Uploaded
     */
    public static $filesData;

    /**
     * @var Environment
     */
    public $env;

    /**
     * The request HTTP method send by the client-browser.
     *
     * @var null|string
     */
    protected $method = null;

    /**
     * @param array             $getData
     * @param array             $postData
     * @param array             $cookieData
     * @param array             $cliData
     * @param array             $filesData
     * @param \Pimf\Environment $env
     */
    public function __construct(
        array $getData,
        array $postData = array(),
        array $cookieData = array(),
        array $cliData = array(),
        array $filesData = array(),
        \Pimf\Environment $env
    ) {

        static::$getData = new Param($getData);
        static::$postData = new Param($postData);
        static::$cookieData = new Param($cookieData);
        static::$cliData = new Param($cliData);
        static::$filesData = Util\Uploaded\Factory::get($filesData);

        $this->env    = $env;
        $this->method = '' . strtoupper($env->REQUEST_METHOD);
    }

    /**
     * For fetching body/params sent via PUT|DELETE|PATCH Http method.
     *
     * @param bool $asResource
     *
     * @return Param|resource|boolean
     */
    public function streamInput($asResource = false)
    {
        if (0 === strpos($this->env->getRequestHeader('CONTENT_TYPE'), 'application/x-www-form-urlencoded')
            && in_array($this->env->data()->get('REQUEST_METHOD', 'GET'), array('PUT', 'DELETE', 'PATCH'))
        ) {

            if ($asResource === true) {
                return $this->getContent($asResource);
            }

            $body = array();
            parse_str($this->getContent(), $body);

            return new Param($body);
/**
 * @return array|string
 */
function returnsDifferentValues($x) {
    if ($x) {
        return 'foo';
    }

    return array();
}

$x = returnsDifferentValues($y);
if (is_array($x)) {
    // $x is an array.
}
        }

        return false;
    }

    /**
     * HTTP GET variables.
     *
     * @return Param
     */
    public function fromGet()
    {
        return static::$getData;
    }

    /**
     * CLI arguments passed to script.
     *
     * @return Param
     */
    public function fromCli()
    {
        return static::$cliData;
    }

    /**
     * HTTP POST variables.
     *
     * @return Param
     */
    public function fromPost()
    {
        return static::$postData;
    }

    /**
     * HTTP Cookies.
     *
     * @return Param
     */
    public function fromCookie()
    {
        return static::$cookieData;
    }

    /**
     * Strip slashes from string or array
     *
     * @param $rawData
     *
     * @return array|string
     */
    public static function stripSlashes($rawData)
    {
        return is_array($rawData)
            ? array_map(
                function ($value) {
                    return \Pimf\Request::stripSlashes($value);
                },
                $rawData
            )
            : stripslashes($rawData);
    }

    /**
     * @param bool $asResource
     *
     * @return resource|string
     * @throws \LogicException When using the resource twice times.
     */
    public function getContent($asResource = false)
    {
        static $content;

        if (false === $content || (true === $asResource && null !== $content)) {
            throw new \LogicException('resource can only be returned once');
        }

        if (true === $asResource) {
            $content = false;

            return fopen('php://input', 'rb');
        }

        if (null === $content) {
            $content = file_get_contents('php://input');
        }

        return $content;
    }

    /**
     * The request method send by the client-browser.
     *
     * @return null|string
     */
    public function getMethod()
    {
        return $this->method;
    }
}


GitHub Access Token became invalid

Issues (27)

Security Analysis not enabled

core/Pimf/Request.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

1			<?php
2			/**
3			* Pimf
4			*
5			* @copyright Copyright (c) Gjero Krsteski (http://krsteski.de)
6			* @license http://opensource.org/licenses/MIT MIT
7			*/
8			namespace Pimf;
9
10			/**
11			* Request Manager - for controlled access to the global state of the world.
12			*
13			* @package Pimf
14			* @author Gjero Krsteski <[email protected]>
15			*/
16			class Request
17			{
18			/**
19			* @var Param
20			*/
21			public static $postData;
22
23			/**
24			* @var Param
25			*/
26			public static $getData;
27
28			/**
29			* @var Param
30			*/
31			public static $cookieData;
32
33			/**
34			* @var Param
35			*/
36			public static $cliData;
37
38			/**
39			* @var Util\Uploaded
40			*/
41			public static $filesData;
42
43			/**
44			* @var Environment
45			*/
46			public $env;
47
48			/**
49			* The request HTTP method send by the client-browser.
50			*
51			* @var null\|string
52			*/
53			protected $method = null;
54
55			/**
56			* @param array $getData
57			* @param array $postData
58			* @param array $cookieData
59			* @param array $cliData
60			* @param array $filesData
61			* @param \Pimf\Environment $env
62			*/
63			public function __construct(
64			array $getData,
65			array $postData = array(),
66			array $cookieData = array(),
67			array $cliData = array(),
68			array $filesData = array(),
69			\Pimf\Environment $env
70			) {
71
72			static::$getData = new Param($getData);
73			static::$postData = new Param($postData);
74			static::$cookieData = new Param($cookieData);
75			static::$cliData = new Param($cliData);
76			static::$filesData = Util\Uploaded\Factory::get($filesData);
77
78			$this->env = $env;
79			$this->method = '' . strtoupper($env->REQUEST_METHOD);
80			}
81
82			/**
83			* For fetching body/params sent via PUT\|DELETE\|PATCH Http method.
84			*
85			* @param bool $asResource
86			*
87			* @return Param\|resource\|boolean
88			*/
89			public function streamInput($asResource = false)
90			{
91			if (0 === strpos($this->env->getRequestHeader('CONTENT_TYPE'), 'application/x-www-form-urlencoded')
92			&& in_array($this->env->data()->get('REQUEST_METHOD', 'GET'), array('PUT', 'DELETE', 'PATCH'))
93			) {
94
95			if ($asResource === true) {
96			return $this->getContent($asResource);
97			}
98
99			$body = array();
100			parse_str($this->getContent(), $body);
101
102			return new Param($body);
			0 ignored issues – show Bug introduced 2016-01-07 15:03 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `$body` can also be of type `null`; however, `Pimf\Param::__construct()` does only seem to accept `array`, maybe add an additional type check? If a method or function can return multiple different values and unless you are sure that you only can receive a single value in this context, we recommend to add an additional type check: /** * @return array\|string */ function returnsDifferentValues($x) { if ($x) { return 'foo'; } return array(); } $x = returnsDifferentValues($y); if (is_array($x)) { // $x is an array. } If this a common case that PHP Analyzer should handle natively, please let us know by opening an issue. Loading history...
103			}
104
105			return false;
106			}
107
108			/**
109			* HTTP GET variables.
110			*
111			* @return Param
112			*/
113			public function fromGet()
114			{
115			return static::$getData;
116			}
117
118			/**
119			* CLI arguments passed to script.
120			*
121			* @return Param
122			*/
123			public function fromCli()
124			{
125			return static::$cliData;
126			}
127
128			/**
129			* HTTP POST variables.
130			*
131			* @return Param
132			*/
133			public function fromPost()
134			{
135			return static::$postData;
136			}
137
138			/**
139			* HTTP Cookies.
140			*
141			* @return Param
142			*/
143			public function fromCookie()
144			{
145			return static::$cookieData;
146			}
147
148			/**
149			* Strip slashes from string or array
150			*
151			* @param $rawData
152			*
153			* @return array\|string
154			*/
155			public static function stripSlashes($rawData)
156			{
157			return is_array($rawData)
158			? array_map(
159			function ($value) {
160			return \Pimf\Request::stripSlashes($value);
161			},
162			$rawData
163			)
164			: stripslashes($rawData);
165			}
166
167			/**
168			* @param bool $asResource
169			*
170			* @return resource\|string
171			* @throws \LogicException When using the resource twice times.
172			*/
173			public function getContent($asResource = false)
174			{
175			static $content;
176
177			if (false === $content \|\| (true === $asResource && null !== $content)) {
178			throw new \LogicException('resource can only be returned once');
179			}
180
181			if (true === $asResource) {
182			$content = false;
183
184			return fopen('php://input', 'rb');
185			}
186
187			if (null === $content) {
188			$content = file_get_contents('php://input');
189			}
190
191			return $content;
192			}
193
194			/**
195			* The request method send by the client-browser.
196			*
197			* @return null\|string
198			*/
199			public function getMethod()
200			{
201			return $this->method;
202			}
203			}
204

gjerokrsteski / pimf-framework

GitHub Access Token became invalid

Issues (27)

Security Analysis not enabled

core/Pimf/Request.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like