Issues in Module.php (master) - Issues in master - hiqdev/yii2-merchant - Measure and Improve Code Quality continuously with Scrutinizer

Issues (8)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Module.php (1 issue)

Labels

Bug 1

Severity

Critical 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * Yii2 extension for payment processing with Omnipay, Payum and more later.
 *
 * @link      https://github.com/hiqdev/yii2-merchant
 * @package   yii2-merchant
 * @license   BSD-3-Clause
 * @copyright Copyright (c) 2015-2017, HiQDev (http://hiqdev.com/)
 */

namespace hiqdev\yii2\merchant;

use hiqdev\yii2\merchant\models\DepositForm;
use hiqdev\yii2\merchant\controllers\PayController;
use hiqdev\yii2\merchant\models\DepositRequest;
use hiqdev\yii2\merchant\models\PurchaseRequest;
use hiqdev\yii2\merchant\transactions\Transaction;
use hiqdev\yii2\merchant\transactions\TransactionException;
use hiqdev\yii2\merchant\transactions\TransactionRepositoryInterface;
use Yii;
use yii\base\InvalidConfigException;
use yii\helpers\Url;

/**
 * Merchant Module.
 *
 * Example application configuration:
 *
 * ```php
 * 'modules' => [
 *     'merchant' => [
 *         'class'         => 'hiqdev\yii2\merchant\Module',
 *         'notifyPage'    => '/my/notify/page',
 *         'collection'    => [
 *             'PayPal' => [
 *                 'purse'     => $params['paypal_purse'],
 *                 'secret'    => $params['paypal_secret'],   /// NEVER keep secret in source control
 *             ],
 *             'webmoney_usd' => [
 *                 'gateway'   => 'WebMoney',
 *                 'purse'     => $params['webmoney_purse'],
 *                 'secret'    => $params['webmoney_secret'], /// NEVER keep secret in source control
 *             ],
 *         ],
 *     ],
 * ],
 * ```
 *
 * @var string returns username for usage in merchant
 */
class Module extends \yii\base\Module
{
    /**
     * The URL prefix that will be used as a key to save current URL in the session.
     *
     * @see rememberUrl()
     * @see previousUrl()
     * @see \yii\helpers\BaseUrl::remember()
     * @see \yii\helpers\BaseUrl::previous()
     */
    const URL_PREFIX = 'merchant_url_';

    /**
     * @var string|class-string<Collection> merchant collection class name. Defaults to [[Collection]]
     */
    public $purchaseRequestCollectionClass = Collection::class;
    /**
     * @var string currencies collection class name. Defaults to [[Collection]]
     */
    public $currenciesCollectionClass;
    /**
     * @var string Deposit model class name. Defaults to [[DepositForm]]
     */
    public $depositFromClass = DepositForm::class;
    /**
     * @var bool Whether to use payment processing only through Cashew
     */
    public bool $cashewOnly = false;

    /**
     * @var TransactionRepositoryInterface
     */
    protected $transactionRepository;

    public function __construct($id, $parent = null, TransactionRepositoryInterface $transactionRepository, array $config = [])
    {
        parent::__construct($id, $parent, $config);

        $this->transactionRepository = $transactionRepository;
    }

    public function setCollection(array $collection)
    {
        $this->_collection = $collection;
    }

    /**
     * @param DepositRequest $depositRequest
     * @return Collection
     * @throws InvalidConfigException
     */
    public function getPurchaseRequestCollection($depositRequest = null)
    {
        return Yii::createObject([
            'class'  => $this->purchaseRequestCollectionClass,
            'module' => $this,
            'depositRequest' => $depositRequest,
        ]);
    }

    /**
     * @return Currencies
     * @throws InvalidConfigException
     */
    public function getAvailableCurrenciesCollection(): Currencies
    {
        return Yii::createObject([
            'class'  => $this->currenciesCollectionClass,
            'module' => $this,
        ]);
    }

    /**
     * @param string $merchant_name merchant id
     * @param DepositRequest $depositRequest
     * @return PurchaseRequest merchant instance
     */
    public function getPurchaseRequest($merchant_name, DepositRequest $depositRequest)
    {
        return $this->getPurchaseRequestCollection($depositRequest)->get($merchant_name);
    }

    /**
     * Checks if merchant exists in the hub.
     *
     * @param string $id merchant id
     * @return bool whether merchant exist
     */
    public function hasPurchaseRequest($id)
    {
        return $this->getPurchaseRequestCollection()->has($id);
    }

    /**
     * Method builds data for merchant request.
     *
     * @param DepositRequest $depositRequest
     */
    public function prepareRequestData($depositRequest): void
    {
        $depositRequest->username = $this->getUsername();
        $depositRequest->notifyUrl = $this->buildUrl('notify', $depositRequest);
        $depositRequest->returnUrl = $this->buildUrl('return', $depositRequest);
        $depositRequest->cancelUrl = $this->buildUrl('cancel', $depositRequest);
        $depositRequest->finishUrl = $this->buildUrl('finish', $depositRequest);
    }

    /**
     * @var string client login
     */
    protected $_username;

    /**
     * Sets [[_username]].
     *
     * @param $username
     */
    public function setUsername($username)
    {
        $this->_username = $username;
    }

    /**
     * Gets [[_username]] when defined, otherwise - `Yii::$app->user->identity->username`,
     * otherwise `Yii::$app->user->identity->getId()`.
     * @throws InvalidConfigException
     * @return string
     */
    public function getUsername()
    {
        if (isset($this->_username)) {
            return $this->_username;
        } elseif (($identity = Yii::$app->user->identity) !== null) {
            if ($identity->hasProperty('username')) {
                $this->_username = $identity->username;
            } else {
                $this->_username = $identity->getId();
            }

            return $this->_username;
        }
        throw new InvalidConfigException('Unable to determine username');
    }

    /**
     * @var string|array the URL that will be used for payment system notifications. Will be passed through [[Url::to()]]
     */
    public $notifyPage = 'notify';
    /**
     * @var string|array the URL that will be used to redirect client from the merchant after the success payment.
     * Will be passed through [[Url::to()]]
     */
    public $returnPage = 'return';
    /**
     * @var string|array the URL that will be used to redirect client from the merchant after the failed payment.
     * Will be passed through [[Url::to()]]
     */
    public $cancelPage = 'cancel';
    /**
     * @var string|array the URL that might be used to redirect used from the success or error page to the finish page.
     * Will be passed through [[Url::to()]]
     */
    public $finishPage = 'finish';

    /**
     * Builds URLs that will be passed in the request to the merchant.
     *
     * @param string $destination `notify`, `return`, `cancel`
     * @param DepositRequest $depositRequest
     * @return string URL
     */
    public function buildUrl($destination, DepositRequest $depositRequest)
    {
        $page = [
            $this->getPage($destination, $depositRequest),
            'username'      => $depositRequest->username,
            'merchant'      => $depositRequest->merchant,
            'transactionId' => $depositRequest->id,
        ];

        if (is_array($page)) {
            $page[0] = $this->localizePage($page[0]);
        } else {
            $page = $this->localizePage($page);
        }

        return Url::to($page, true);
    }

    /**
     * Builds url to `this_module/pay/$page` if page is not /full/page.
     * @param mixed $page
     * @return mixed
     */
    public function localizePage($page)
    {
        return is_string($page) && $page[0] !== '/' ? ('/' . $this->id . '/pay/' . $page) : $page;
    }

    public function getPage($destination, DepositRequest $depositRequest)
    {
        $property = $destination . 'Url';
        if ($depositRequest->$property) {
            return $depositRequest->$property;
        }

        $name = $destination . 'Page';

        return $this->hasProperty($name) ? $this->{$name} : $destination;
    }

    /**
     * Saves the $url to session with [[URL_PREFIX]] key, trailed with $name.
     *
     * @param array|string $url
     * @param string $name the trailing part for the URL save key. Defaults to `back`
     * @void
     */
    public function rememberUrl($url, $name = 'back')
    {
        Url::remember($url, static::URL_PREFIX . $name);
    }

    /**
     * Extracts the URL from session storage, saved with [[URL_PREFIX]] key, trailed with $name.
     *
     * @param string $name the trailing part for the URL save key. Defaults to `back`
     * @return string
     */
    public function previousUrl($name = 'back')
    {
        return Url::previous(static::URL_PREFIX . $name);
    }

    /**
     * @var PayController The Payment controller
     */
    protected $_payController;

    /**
     * @throws InvalidConfigException
     *
     * @return PayController
     */
    public function getPayController()
    {
        if ($this->_payController === null) {
            $this->_payController = $this->createControllerById('pay');
        }

        return $this->_payController;
    }

    /**
     * Renders page, that contains list of payment systems, that might be choosen by user.
     * Should be implemented in `PayController`.
     *
     * @param DepositForm $form
     * @return \yii\web\Response
     */
    public function renderDeposit($form)
    {
        return $this->getPayController()->renderDeposit($form);
    }

    /**
     * @param Transaction $transaction
     * @return Transaction
     */
    public function saveTransaction($transaction)
    {
        return $this->transactionRepository->save($transaction);
    }

    public function insertTransaction($id, $merchant, $data)
    {
        $transaction = $this->transactionRepository->create($id, $merchant, $data);

        return $this->transactionRepository->insert($transaction);
    }

    /**
     * @param string $id transaction ID
     * @return Transaction|null
     */
    public function findTransaction($id)
    {
        try {
            return $this->transactionRepository->findById($id);
        } catch (TransactionException $e) {
            return null;
        }
    }
}


1			<?php
2			/**
3			* Yii2 extension for payment processing with Omnipay, Payum and more later.
4			*
5			* @link https://github.com/hiqdev/yii2-merchant
6			* @package yii2-merchant
7			* @license BSD-3-Clause
8			* @copyright Copyright (c) 2015-2017, HiQDev (http://hiqdev.com/)
9			*/
10
11			namespace hiqdev\yii2\merchant;
12
13			use hiqdev\yii2\merchant\models\DepositForm;
14			use hiqdev\yii2\merchant\controllers\PayController;
15			use hiqdev\yii2\merchant\models\DepositRequest;
16			use hiqdev\yii2\merchant\models\PurchaseRequest;
17			use hiqdev\yii2\merchant\transactions\Transaction;
18			use hiqdev\yii2\merchant\transactions\TransactionException;
19			use hiqdev\yii2\merchant\transactions\TransactionRepositoryInterface;
20			use Yii;
21			use yii\base\InvalidConfigException;
22			use yii\helpers\Url;
23
24			/**
25			* Merchant Module.
26			*
27			* Example application configuration:
28			*
29			* ```php
30			* 'modules' => [
31			* 'merchant' => [
32			* 'class' => 'hiqdev\yii2\merchant\Module',
33			* 'notifyPage' => '/my/notify/page',
34			* 'collection' => [
35			* 'PayPal' => [
36			* 'purse' => $params['paypal_purse'],
37			* 'secret' => $params['paypal_secret'], /// NEVER keep secret in source control
38			* ],
39			* 'webmoney_usd' => [
40			* 'gateway' => 'WebMoney',
41			* 'purse' => $params['webmoney_purse'],
42			* 'secret' => $params['webmoney_secret'], /// NEVER keep secret in source control
43			* ],
44			* ],
45			* ],
46			* ],
47			* ```
48			*
49			* @var string returns username for usage in merchant
50			*/
51			class Module extends \yii\base\Module
52			{
53			/**
54			* The URL prefix that will be used as a key to save current URL in the session.
55			*
56			* @see rememberUrl()
57			* @see previousUrl()
58			* @see \yii\helpers\BaseUrl::remember()
59			* @see \yii\helpers\BaseUrl::previous()
60			*/
61			const URL_PREFIX = 'merchant_url_';
62
63			/**
64			* @var string\|class-string<Collection> merchant collection class name. Defaults to [[Collection]]
65			*/
66			public $purchaseRequestCollectionClass = Collection::class;
67			/**
68			* @var string currencies collection class name. Defaults to [[Collection]]
69			*/
70			public $currenciesCollectionClass;
71			/**
72			* @var string Deposit model class name. Defaults to [[DepositForm]]
73			*/
74			public $depositFromClass = DepositForm::class;
75			/**
76			* @var bool Whether to use payment processing only through Cashew
77			*/
78			public bool $cashewOnly = false;
			0 ignored issues – show Bug introduced 2020-10-08 12:41 UTC by Report Bug Copy Issue Report Show Similar Issues like this This code did not parse for me. Apparently, there is an error somewhere around this line: Syntax error, unexpected T_STRING, expecting T_FUNCTION or T_CONST Loading history...
79			/**
80			* @var TransactionRepositoryInterface
81			*/
82			protected $transactionRepository;
83
84			public function __construct($id, $parent = null, TransactionRepositoryInterface $transactionRepository, array $config = [])
85			{
86			parent::__construct($id, $parent, $config);
87
88			$this->transactionRepository = $transactionRepository;
89			}
90
91			public function setCollection(array $collection)
92			{
93			$this->_collection = $collection;
94			}
95
96			/**
97			* @param DepositRequest $depositRequest
98			* @return Collection
99			* @throws InvalidConfigException
100			*/
101			public function getPurchaseRequestCollection($depositRequest = null)
102			{
103			return Yii::createObject([
104			'class' => $this->purchaseRequestCollectionClass,
105			'module' => $this,
106			'depositRequest' => $depositRequest,
107			]);
108			}
109
110			/**
111			* @return Currencies
112			* @throws InvalidConfigException
113			*/
114			public function getAvailableCurrenciesCollection(): Currencies
115			{
116			return Yii::createObject([
117			'class' => $this->currenciesCollectionClass,
118			'module' => $this,
119			]);
120			}
121
122			/**
123			* @param string $merchant_name merchant id
124			* @param DepositRequest $depositRequest
125			* @return PurchaseRequest merchant instance
126			*/
127			public function getPurchaseRequest($merchant_name, DepositRequest $depositRequest)
128			{
129			return $this->getPurchaseRequestCollection($depositRequest)->get($merchant_name);
130			}
131
132			/**
133			* Checks if merchant exists in the hub.
134			*
135			* @param string $id merchant id
136			* @return bool whether merchant exist
137			*/
138			public function hasPurchaseRequest($id)
139			{
140			return $this->getPurchaseRequestCollection()->has($id);
141			}
142
143			/**
144			* Method builds data for merchant request.
145			*
146			* @param DepositRequest $depositRequest
147			*/
148			public function prepareRequestData($depositRequest): void
149			{
150			$depositRequest->username = $this->getUsername();
151			$depositRequest->notifyUrl = $this->buildUrl('notify', $depositRequest);
152			$depositRequest->returnUrl = $this->buildUrl('return', $depositRequest);
153			$depositRequest->cancelUrl = $this->buildUrl('cancel', $depositRequest);
154			$depositRequest->finishUrl = $this->buildUrl('finish', $depositRequest);
155			}
156
157			/**
158			* @var string client login
159			*/
160			protected $_username;
161
162			/**
163			* Sets [[_username]].
164			*
165			* @param $username
166			*/
167			public function setUsername($username)
168			{
169			$this->_username = $username;
170			}
171
172			/**
173			* Gets [[_username]] when defined, otherwise - `Yii::$app->user->identity->username`,
174			* otherwise `Yii::$app->user->identity->getId()`.
175			* @throws InvalidConfigException
176			* @return string
177			*/
178			public function getUsername()
179			{
180			if (isset($this->_username)) {
181			return $this->_username;
182			} elseif (($identity = Yii::$app->user->identity) !== null) {
183			if ($identity->hasProperty('username')) {
184			$this->_username = $identity->username;
185			} else {
186			$this->_username = $identity->getId();
187			}
188
189			return $this->_username;
190			}
191			throw new InvalidConfigException('Unable to determine username');
192			}
193
194			/**
195			* @var string\|array the URL that will be used for payment system notifications. Will be passed through [[Url::to()]]
196			*/
197			public $notifyPage = 'notify';
198			/**
199			* @var string\|array the URL that will be used to redirect client from the merchant after the success payment.
200			* Will be passed through [[Url::to()]]
201			*/
202			public $returnPage = 'return';
203			/**
204			* @var string\|array the URL that will be used to redirect client from the merchant after the failed payment.
205			* Will be passed through [[Url::to()]]
206			*/
207			public $cancelPage = 'cancel';
208			/**
209			* @var string\|array the URL that might be used to redirect used from the success or error page to the finish page.
210			* Will be passed through [[Url::to()]]
211			*/
212			public $finishPage = 'finish';
213
214			/**
215			* Builds URLs that will be passed in the request to the merchant.
216			*
217			* @param string $destination `notify`, `return`, `cancel`
218			* @param DepositRequest $depositRequest
219			* @return string URL
220			*/
221			public function buildUrl($destination, DepositRequest $depositRequest)
222			{
223			$page = [
224			$this->getPage($destination, $depositRequest),
225			'username' => $depositRequest->username,
226			'merchant' => $depositRequest->merchant,
227			'transactionId' => $depositRequest->id,
228			];
229
230			if (is_array($page)) {
231			$page[0] = $this->localizePage($page[0]);
232			} else {
233			$page = $this->localizePage($page);
234			}
235
236			return Url::to($page, true);
237			}
238
239			/**
240			* Builds url to `this_module/pay/$page` if page is not /full/page.
241			* @param mixed $page
242			* @return mixed
243			*/
244			public function localizePage($page)
245			{
246			return is_string($page) && $page[0] !== '/' ? ('/' . $this->id . '/pay/' . $page) : $page;
247			}
248
249			public function getPage($destination, DepositRequest $depositRequest)
250			{
251			$property = $destination . 'Url';
252			if ($depositRequest->$property) {
253			return $depositRequest->$property;
254			}
255
256			$name = $destination . 'Page';
257
258			return $this->hasProperty($name) ? $this->{$name} : $destination;
259			}
260
261			/**
262			* Saves the $url to session with [[URL_PREFIX]] key, trailed with $name.
263			*
264			* @param array\|string $url
265			* @param string $name the trailing part for the URL save key. Defaults to `back`
266			* @void
267			*/
268			public function rememberUrl($url, $name = 'back')
269			{
270			Url::remember($url, static::URL_PREFIX . $name);
271			}
272
273			/**
274			* Extracts the URL from session storage, saved with [[URL_PREFIX]] key, trailed with $name.
275			*
276			* @param string $name the trailing part for the URL save key. Defaults to `back`
277			* @return string
278			*/
279			public function previousUrl($name = 'back')
280			{
281			return Url::previous(static::URL_PREFIX . $name);
282			}
283
284			/**
285			* @var PayController The Payment controller
286			*/
287			protected $_payController;
288
289			/**
290			* @throws InvalidConfigException
291			*
292			* @return PayController
293			*/
294			public function getPayController()
295			{
296			if ($this->_payController === null) {
297			$this->_payController = $this->createControllerById('pay');
298			}
299
300			return $this->_payController;
301			}
302
303			/**
304			* Renders page, that contains list of payment systems, that might be choosen by user.
305			* Should be implemented in `PayController`.
306			*
307			* @param DepositForm $form
308			* @return \yii\web\Response
309			*/
310			public function renderDeposit($form)
311			{
312			return $this->getPayController()->renderDeposit($form);
313			}
314
315			/**
316			* @param Transaction $transaction
317			* @return Transaction
318			*/
319			public function saveTransaction($transaction)
320			{
321			return $this->transactionRepository->save($transaction);
322			}
323
324			public function insertTransaction($id, $merchant, $data)
325			{
326			$transaction = $this->transactionRepository->create($id, $merchant, $data);
327
328			return $this->transactionRepository->insert($transaction);
329			}
330
331			/**
332			* @param string $id transaction ID
333			* @return Transaction\|null
334			*/
335			public function findTransaction($id)
336			{
337			try {
338			return $this->transactionRepository->findById($id);
339			} catch (TransactionException $e) {
340			return null;
341			}
342			}
343			}
344

hiqdev / yii2-merchant

Issues (8)

Security Analysis not enabled

src/Module.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like