Issues in Cbs.php (master) - Issues in master - infinitypaul/laravel-cbs - Measure and Improve Code Quality continuously with Scrutinizer

Issues (4)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Cbs.php (1 issue)

Labels

Bug 1

Severity

Major 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/*
 * This file is part of the Laravel Cbs package.
 *
 * (c) Edward Paul <[email protected]>
 *
 * For the full copyright and license information, please view the LICENSE
 * file that was distributed with this source code.
 */

namespace Infinitypaul\Cbs;

use GuzzleHttp\Client;
use Illuminate\Support\Facades\Config;
use Infinitypaul\Cbs\Exceptions\InvalidPostException;
use Infinitypaul\Cbs\Exceptions\NotSetException;

class Cbs
{
    /**
     * Issue Secret Key from CBS.
     * @var string
     */
    protected $secretKey;

    /**
     * Issue Client ID from CBS.
     * @var string
     */
    protected $clientId;

    /**
     * Issue URL from CBS.
     * @var string
     */
    protected $baseUrl;

    /**
     * Issue Revenue Head from CBS.
     * @var int
     */
    protected $revenueHeads;

    /**
     * Issue Category ID from CBS Admin.
     * @var int
     */
    protected $categoryId;

    /**
     *  Response from requests made to CBS.
     * @var mixed
     */
    protected $response;

    /**
     *  Hashed Key.
     * @var mixed
     */
    protected $signature;

    /**
     * Payment Url - CBS payment page.
     * @var string
     */
    protected $url;

    /**
     *  Response from CBS.
     * @var mixed
     */
    protected $invoice = [];

    /**
     * Instance of Client.
     * @var Client
     */
    protected $client;

    public function __construct()
    {
        $this->setUrl();
        $this->setConstant();
        $this->checkConstant();
    }

    public function setUrl()
    {
        $this->baseUrl = Config::get('mode') === 'test' ? Config::get('cbs.testUrl') : Config::get('cbs.liveURL');
    }

    /**
     * Get secret key from CBS config file.
     */
    public function setConstant()
    {
        $this->secretKey = Config::get('cbs.secret');
        $this->clientId = Config::get('cbs.clientId');
        $this->revenueHeads = Config::get('cbs.revenueHead');
        $this->categoryId = Config::get('cbs.categoryId');
    }

    protected function checkConstant()
    {
        if (! $this->revenueHeads) {
            throw new NotSetException('Set Your Revenue Head');
        }
        if (! $this->clientId) {
            throw new NotSetException('Set Your Client Id');
        }
        if (! $this->secretKey) {
            throw new NotSetException('Set Your Secret Id');
        }
        if (! $this->categoryId) {
            throw new NotSetException('Set Your Category Id');
        }
        if (! $this->baseUrl) {
            throw new NotSetException('Set Your Test and Live Base Url');
        }
    }

    protected function setSignature($amount, $callback)
    {
        $amount = number_format((float) $amount, 2, '.', '');
        $string = $this->revenueHeads.$amount.$callback.$this->clientId;
        //dd($string);
        $this->signature = base64_encode(hash_hmac('sha256', $string, $this->secretKey, true));
        $this->setRequestOptions();
    }

    /**
     * Set options for making the Client request.
     */
    private function setRequestOptions()
    {
        $this->client = new Client([
            'base_uri' => $this->baseUrl,
            'headers' => [
                'Content-Type' => 'application/json',
                'Accept' => 'application/json',
                'CLIENTID' => $this->clientId,
                'Signature' => $this->signature,
            ],
        ]);
    }

    /**
     * @param $relativeUri
     * @param string $method
     * @param array $body
     *
     * @return \Infinitypaul\Cbs\Cbs
     * @throws \Infinitypaul\Cbs\Exceptions\NotSetException
     */
    private function setHttpResponse($relativeUri, $method, $body = [])
    {
        if (is_null($method)) {
            throw new NotSetException('Empty Method Not Allowed');
        }
        $this->response = $this->client->{strtolower($method)}(
            $this->baseUrl.$relativeUri,
            ['body' => json_encode($body)]
        );

        return $this;
    }

    private function getResponse()
    {
        return json_decode($this->response->getBody(), true);
    }

    protected function setUser($data)
    {
        if (isset($data['payerID'])) {
            $user = ['PayerId' => $data['payerID']];
        } else {
            $user = [
                'Recipient' => $data['full_name'],
                'Email' => $data['email'],
                'Address' => $data['address'],
                'PhoneNumber' => $data['mobile_number'],
                'TaxPayerIdentificationNumber' => isset($data['tin']) ? $data['tin'] : '',
            ];
        }

        return [
            'TaxEntity' => $user,
            'Amount' => intval($data['amount']),
            'InvoiceDescription' => $data['description'],
            'CategoryId' => $this->categoryId,
        ];
    }

    /**
     * Initiate a payment request to Cbs
     * Included the option to pass the payload to this method for situations
     * when the payload is built on the fly (not passed to the controller from a view).
     *
     * @param array $data
     *
     * @return \Infinitypaul\Cbs\Cbs
     * @throws \Infinitypaul\Cbs\Exceptions\NotSetException
     */
    public function generateInvoice($data)
    {
        if (empty($data)) {
            $TaxEntityInvoice = $this->setUser(request()->toArray());
            $callback = request()->callback;
            $quantity = request()->quantity;
            $ExternalRefNumber = request()->has('externalRefNumber') ? request()->externalRefNumber : null;
        } else {
            $TaxEntityInvoice = $this->setUser($data);
            $callback = $data['callback'];
            $quantity = $data['quantity'];
            $ExternalRefNumber = isset($data['externalRefNumber']) ? $data['externalRefNumber'] : null;
        }

        $data = [
            'RevenueHeadId' => $this->revenueHeads,
            'TaxEntityInvoice' => $TaxEntityInvoice,
            'CallBackURL' => $callback,
            'RequestReference' => ReferenceNumber::getHashedToken(),
            'Quantity' => $quantity,
            'ExternalRefNumber' => $ExternalRefNumber,

        ];

        $this->setSignature($TaxEntityInvoice['Amount'], $callback);
        array_filter($data);

        $this->setHttpResponse('/api/v1/invoice/create', 'POST', $data);

        return $this;
    }

    /**
     * Set the invoice data from the callback response.
     *
     * @param array $data
     *
     * @return \Infinitypaul\Cbs\Cbs
     * @throws \Infinitypaul\Cbs\Exceptions\NotSetException
     */
    public function setInvoice($data = [])
    {
        $this->generateInvoice($data);
        $this->invoice = $this->getResponse();

        return $this;
    }

    /**
     * Get the invoice data from the callback response.
     */
    public function getData()
    {
        return $this->invoice;
    }

    /**
     * Get the invoice payment url from the callback response.
     */
    public function redirectNow()
    {
        return redirect($this->invoice['ResponseObject']['PaymentURL']);
    }

    /**
     * Compute Mac Address.
     *
     * @param $invoiceNumber
     * @param $paymentRef
     * @param $amount
     *
     *
     * @param $RequestReference
     *
     * @return string
     */
    protected function computeMac($invoiceNumber, $paymentRef, $amount, $RequestReference)
    {
        $amount = number_format((float) $amount, 2, '.', '');
        $string = $invoiceNumber.$paymentRef.$amount.$RequestReference;

        return base64_encode(hash_hmac('sha256', $string, $this->secretKey, true));
    }

    /**
     * Get Payment details if the transaction was verified successfully.
     *
     * @throws \Infinitypaul\Cbs\Exceptions\InvalidPostException
     */
    public function getPaymentData()
    {
        $mac = $this->computeMac(request()->InvoiceNumber, request()->PaymentRef, request()->AmountPaid, request()->RequestReference);
        if ($mac != request()->Mac) {
            throw new InvalidPostException('Invalid Call');
        } else {
            return response()->json(request()->toArray());
class A
{
    public function foo() { }
}

class B extends A
{
    public function bar() { }
}

/**
 * @param A|B $x
 */
function someFunction($x)
{
    $x->foo(); // This call is fine as the method exists in A and B.
    $x->bar(); // This method only exists in B and might cause an error.
}
        }
    }
}


Issues (4)

Security Analysis not enabled

src/Cbs.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Available Fixes

1			<?php
2			/*
3			* This file is part of the Laravel Cbs package.
4			*
5			* (c) Edward Paul <[email protected]>
6			*
7			* For the full copyright and license information, please view the LICENSE
8			* file that was distributed with this source code.
9			*/
10
11			namespace Infinitypaul\Cbs;
12
13			use GuzzleHttp\Client;
14			use Illuminate\Support\Facades\Config;
15			use Infinitypaul\Cbs\Exceptions\InvalidPostException;
16			use Infinitypaul\Cbs\Exceptions\NotSetException;
17
18			class Cbs
19			{
20			/**
21			* Issue Secret Key from CBS.
22			* @var string
23			*/
24			protected $secretKey;
25
26			/**
27			* Issue Client ID from CBS.
28			* @var string
29			*/
30			protected $clientId;
31
32			/**
33			* Issue URL from CBS.
34			* @var string
35			*/
36			protected $baseUrl;
37
38			/**
39			* Issue Revenue Head from CBS.
40			* @var int
41			*/
42			protected $revenueHeads;
43
44			/**
45			* Issue Category ID from CBS Admin.
46			* @var int
47			*/
48			protected $categoryId;
49
50			/**
51			* Response from requests made to CBS.
52			* @var mixed
53			*/
54			protected $response;
55
56			/**
57			* Hashed Key.
58			* @var mixed
59			*/
60			protected $signature;
61
62			/**
63			* Payment Url - CBS payment page.
64			* @var string
65			*/
66			protected $url;
67
68			/**
69			* Response from CBS.
70			* @var mixed
71			*/
72			protected $invoice = [];
73
74			/**
75			* Instance of Client.
76			* @var Client
77			*/
78			protected $client;
79
80			public function __construct()
81			{
82			$this->setUrl();
83			$this->setConstant();
84			$this->checkConstant();
85			}
86
87			public function setUrl()
88			{
89			$this->baseUrl = Config::get('mode') === 'test' ? Config::get('cbs.testUrl') : Config::get('cbs.liveURL');
90			}
91
92			/**
93			* Get secret key from CBS config file.
94			*/
95			public function setConstant()
96			{
97			$this->secretKey = Config::get('cbs.secret');
98			$this->clientId = Config::get('cbs.clientId');
99			$this->revenueHeads = Config::get('cbs.revenueHead');
100			$this->categoryId = Config::get('cbs.categoryId');
101			}
102
103			protected function checkConstant()
104			{
105			if (! $this->revenueHeads) {
106			throw new NotSetException('Set Your Revenue Head');
107			}
108			if (! $this->clientId) {
109			throw new NotSetException('Set Your Client Id');
110			}
111			if (! $this->secretKey) {
112			throw new NotSetException('Set Your Secret Id');
113			}
114			if (! $this->categoryId) {
115			throw new NotSetException('Set Your Category Id');
116			}
117			if (! $this->baseUrl) {
118			throw new NotSetException('Set Your Test and Live Base Url');
119			}
120			}
121
122			protected function setSignature($amount, $callback)
123			{
124			$amount = number_format((float) $amount, 2, '.', '');
125			$string = $this->revenueHeads.$amount.$callback.$this->clientId;
126			//dd($string);
127			$this->signature = base64_encode(hash_hmac('sha256', $string, $this->secretKey, true));
128			$this->setRequestOptions();
129			}
130
131			/**
132			* Set options for making the Client request.
133			*/
134			private function setRequestOptions()
135			{
136			$this->client = new Client([
137			'base_uri' => $this->baseUrl,
138			'headers' => [
139			'Content-Type' => 'application/json',
140			'Accept' => 'application/json',
141			'CLIENTID' => $this->clientId,
142			'Signature' => $this->signature,
143			],
144			]);
145			}
146
147			/**
148			* @param $relativeUri
149			* @param string $method
150			* @param array $body
151			*
152			* @return \Infinitypaul\Cbs\Cbs
153			* @throws \Infinitypaul\Cbs\Exceptions\NotSetException
154			*/
155			private function setHttpResponse($relativeUri, $method, $body = [])
156			{
157			if (is_null($method)) {
158			throw new NotSetException('Empty Method Not Allowed');
159			}
160			$this->response = $this->client->{strtolower($method)}(
161			$this->baseUrl.$relativeUri,
162			['body' => json_encode($body)]
163			);
164
165			return $this;
166			}
167
168			private function getResponse()
169			{
170			return json_decode($this->response->getBody(), true);
171			}
172
173			protected function setUser($data)
174			{
175			if (isset($data['payerID'])) {
176			$user = ['PayerId' => $data['payerID']];
177			} else {
178			$user = [
179			'Recipient' => $data['full_name'],
180			'Email' => $data['email'],
181			'Address' => $data['address'],
182			'PhoneNumber' => $data['mobile_number'],
183			'TaxPayerIdentificationNumber' => isset($data['tin']) ? $data['tin'] : '',
184			];
185			}
186
187			return [
188			'TaxEntity' => $user,
189			'Amount' => intval($data['amount']),
190			'InvoiceDescription' => $data['description'],
191			'CategoryId' => $this->categoryId,
192			];
193			}
194
195			/**
196			* Initiate a payment request to Cbs
197			* Included the option to pass the payload to this method for situations
198			* when the payload is built on the fly (not passed to the controller from a view).
199			*
200			* @param array $data
201			*
202			* @return \Infinitypaul\Cbs\Cbs
203			* @throws \Infinitypaul\Cbs\Exceptions\NotSetException
204			*/
205			public function generateInvoice($data)
206			{
207			if (empty($data)) {
208			$TaxEntityInvoice = $this->setUser(request()->toArray());
209			$callback = request()->callback;
210			$quantity = request()->quantity;
211			$ExternalRefNumber = request()->has('externalRefNumber') ? request()->externalRefNumber : null;
212			} else {
213			$TaxEntityInvoice = $this->setUser($data);
214			$callback = $data['callback'];
215			$quantity = $data['quantity'];
216			$ExternalRefNumber = isset($data['externalRefNumber']) ? $data['externalRefNumber'] : null;
217			}
218
219			$data = [
220			'RevenueHeadId' => $this->revenueHeads,
221			'TaxEntityInvoice' => $TaxEntityInvoice,
222			'CallBackURL' => $callback,
223			'RequestReference' => ReferenceNumber::getHashedToken(),
224			'Quantity' => $quantity,
225			'ExternalRefNumber' => $ExternalRefNumber,
226
227			];
228
229			$this->setSignature($TaxEntityInvoice['Amount'], $callback);
230			array_filter($data);
231
232			$this->setHttpResponse('/api/v1/invoice/create', 'POST', $data);
233
234			return $this;
235			}
236
237			/**
238			* Set the invoice data from the callback response.
239			*
240			* @param array $data
241			*
242			* @return \Infinitypaul\Cbs\Cbs
243			* @throws \Infinitypaul\Cbs\Exceptions\NotSetException
244			*/
245			public function setInvoice($data = [])
246			{
247			$this->generateInvoice($data);
248			$this->invoice = $this->getResponse();
249
250			return $this;
251			}
252
253			/**
254			* Get the invoice data from the callback response.
255			*/
256			public function getData()
257			{
258			return $this->invoice;
259			}
260
261			/**
262			* Get the invoice payment url from the callback response.
263			*/
264			public function redirectNow()
265			{
266			return redirect($this->invoice['ResponseObject']['PaymentURL']);
267			}
268
269			/**
270			* Compute Mac Address.
271			*
272			* @param $invoiceNumber
273			* @param $paymentRef
274			* @param $amount
275			*
276			*
277			* @param $RequestReference
278			*
279			* @return string
280			*/
281			protected function computeMac($invoiceNumber, $paymentRef, $amount, $RequestReference)
282			{
283			$amount = number_format((float) $amount, 2, '.', '');
284			$string = $invoiceNumber.$paymentRef.$amount.$RequestReference;
285
286			return base64_encode(hash_hmac('sha256', $string, $this->secretKey, true));
287			}
288
289			/**
290			* Get Payment details if the transaction was verified successfully.
291			*
292			* @throws \Infinitypaul\Cbs\Exceptions\InvalidPostException
293			*/
294			public function getPaymentData()
295			{
296			$mac = $this->computeMac(request()->InvoiceNumber, request()->PaymentRef, request()->AmountPaid, request()->RequestReference);
297			if ($mac != request()->Mac) {
298			throw new InvalidPostException('Invalid Call');
299			} else {
300			return response()->json(request()->toArray());
			0 ignored issues – show Bug introduced 2020-04-25 15:01 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `json` does only exist in `Illuminate\Contracts\Routing\ResponseFactory`, but not in `Illuminate\Http\Response`. It seems like the method you are trying to call exists only in some of the possible types. Let’s take a look at an example: class A { public function foo() { } } class B extends A { public function bar() { } } /** * @param A\|B $x / function someFunction($x) { $x->foo(); // This call is fine as the method exists in A and B. $x->bar(); // This method only exists in B and might cause an error. } Available Fixes Add an additional type-check: /* * @param A\|B $x / function someFunction($x) { $x->foo(); if ($x instanceof B) { $x->bar(); } } Only allow a single type to be passed if the variable comes from a parameter: function someFunction(B $x) { /* ... */ } Loading history...
301			}
302			}
303			}
304

infinitypaul / laravel-cbs

Issues (4)

Security Analysis not enabled

src/Cbs.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Available Fixes

Duplication Side-by-Side

Filter issues like