Issues in Api.php (master) - Issues in master - jamesryanbell/cloudflare - Measure and Improve Code Quality continuously with Scrutinizer

Issues (86)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/CloudFlare/Api.php (2 issues)

Labels

Duplication 2

Severity

Informational 2

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace Cloudflare;

use Cloudflare\Exception\AuthenticationException;
use Cloudflare\Exception\UnauthorizedException;

/**
 * CloudFlare API wrapper
 *
 * A work in progress library for the Cloudflare API. The documentation for the API can be found at https://www.cloudflare.com/docs/.
 *
 * @author James Bell <[email protected]>
 *
 * @version 1
 */
class Api
{
    /**
     * Holds the provided email address for API authentication
     *
     * @var string
     */
    public $email;

    /**
     * Holds the provided auth_key for API authentication
     *
     * @var string
     */
    public $auth_key;

    /**
     * Holds the curl options
     *
     * @var array
     */
    public $curl_options;

    /**
     * Make a new instance of the API client
     * This can be done via providing the email address and api key as seperate parameters
     * or by passing in an already instantiated object from which the details will be extracted
     */
    public function __construct()
    {
        $num_args = func_num_args();
        if ($num_args === 1) {
            $parameters = func_get_args();
            $client = $parameters[0];
            $this->email = $client->email;
            $this->auth_key = $client->auth_key;
            $this->curl_options = $client->curl_options;
        } elseif ($num_args === 2) {
            $parameters = func_get_args();
            $this->email = $parameters[0];
            $this->auth_key = $parameters[1];
        }
    }

    /**
     * Setter to allow the setting of the email address
     *
     * @param string $email The email address associated with the Cloudflare account
     */
    public function setEmail($email)
    {
        $this->email = $email;
    }

    /**
     * Setter to allow the setting of the Authentication Key
     *
     * @param string $token Authentication key, this can be retrieve from the 'My Account' section of the Cloudflare account
     */
    public function setAuthKey($token)
    {
        $this->auth_key = $token;
    }

    /**
     * Setter to allow the adding / changing of the Curl options that will be used within the HTTP requests
     *
     * @param int   $key   The CURLOPT_XXX option to set e.g. CURLOPT_TIMEOUT
     * @param mixed $value The value to be set on option e.g. 10
     */
    public function setCurlOption($key, $value)
    {
        $this->curl_options[$key] = $value;
    }

    /**
     * API call method for sending requests using GET
     *
     * @param string $path Path of the endpoint
     * @param array  $data Data to be sent along with the request
     *
     * @return mixed
     */
    public function get($path, array $data = [])
    {
        return $this->request($path, $data, 'get');
    }

    /**
     * API call method for sending requests using POST
     *
     * @param string $path Path of the endpoint
     * @param array  $data Data to be sent along with the request
     *
     * @return mixed
     */
    public function post($path, array $data = [])
    {
        return $this->request($path, $data, 'post');
    }

    /**
     * API call method for sending requests using PUT
     *
     * @param string $path Path of the endpoint
     * @param array  $data Data to be sent along with the request
     *
     * @return mixed
     */
    public function put($path, array $data = [])
    {
        return $this->request($path, $data, 'put');
    }

    /**
     * API call method for sending requests using DELETE
     *
     * @param string $path Path of the endpoint
     * @param array  $data Data to be sent along with the request
     *
     * @return mixed
     */
    public function delete($path, array $data = [])
    {
        return $this->request($path, $data, 'delete');
    }

    /**
     * API call method for sending requests using PATCH
     *
     * @param string $path Path of the endpoint
     * @param array  $data Data to be sent along with the request
     *
     * @return mixed
     */
    public function patch($path, array $data = [])
    {
        return $this->request($path, $data, 'patch');
    }

    /**
     * @codeCoverageIgnore
     *
     * API call method for sending requests using GET, POST, PUT, DELETE OR PATCH
     *
     * @param string $path   Path of the endpoint
     * @param array  $data   Data to be sent along with the request
     * @param string $method Type of method that should be used ('GET', 'POST', 'PUT', 'DELETE', 'PATCH')
     *
     * @return mixed
     */
    protected function request($path, array $data = [], $method = 'get')
    {
        if (!isset($this->email, $this->auth_key) || false === filter_var($this->email, FILTER_VALIDATE_EMAIL)) {
            throw new AuthenticationException('Authentication information must be provided');
        }

        //Removes null entries
        $data = array_filter($data, function ($val) {
            return !is_null($val);
        });

        $url = 'https://api.cloudflare.com/client/v4/'.$path;

        $default_curl_options = [
            CURLOPT_VERBOSE        => false,
            CURLOPT_FORBID_REUSE   => true,
            CURLOPT_RETURNTRANSFER => 1,
            CURLOPT_HEADER         => false,
            CURLOPT_TIMEOUT        => 30,
            CURLOPT_SSL_VERIFYPEER => true,
        ];

        $curl_options = $default_curl_options;
        if (isset($this->curl_options) && is_array($this->curl_options)) {
            $curl_options = array_replace($default_curl_options, $this->curl_options);
        }

        $user_agent = __FILE__;
        $headers = [
            "X-Auth-Email: {$this->email}",
            "X-Auth-Key: {$this->auth_key}",
            "User-Agent: {$user_agent}",
            'Content-type: application/json',
        ];

        $ch = curl_init();
        curl_setopt_array($ch, $curl_options);

        $json_data = json_encode($data);

        if ($method === 'post') {
            curl_setopt($ch, CURLOPT_POST, true);
            curl_setopt($ch, CURLOPT_POSTFIELDS, $json_data);
        } elseif ($method === 'put') {

            curl_setopt($ch, CURLOPT_POSTFIELDS, $json_data);
            curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'PUT');
        } elseif ($method === 'delete') {
            curl_setopt($ch, CURLOPT_POSTFIELDS, $json_data);
            curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'DELETE');
        } elseif ($method === 'patch') {

            curl_setopt($ch, CURLOPT_POSTFIELDS, $json_data);
            curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'PATCH');
        } else {
            $url .= '?'.http_build_query($data);
        }

        curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
        curl_setopt($ch, CURLOPT_URL, $url);

        $http_result = curl_exec($ch);
        $error = curl_error($ch);
        $information = curl_getinfo($ch);
        $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

        if (in_array($http_code, [401, 403])) {
            throw new UnauthorizedException('You do not have permission to perform this request');
        }

        $response = json_decode($http_result);
        if (!$response) {
            $response = new \stdClass();
            $response->success = false;
        }

        curl_close($ch);
        if ($response->success !== true) {
            $response->error = $error;
            $response->http_code = $http_code;
            $response->method = $method;
            $response->information = $information;
        }

        return $response;
    }
}


GitHub Access Token became invalid

Issues (86)

Security Analysis no request data

src/CloudFlare/Api.php (2 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

1			<?php
2
3			namespace Cloudflare;
4
5			use Cloudflare\Exception\AuthenticationException;
6			use Cloudflare\Exception\UnauthorizedException;
7
8			/**
9			* CloudFlare API wrapper
10			*
11			* A work in progress library for the Cloudflare API. The documentation for the API can be found at https://www.cloudflare.com/docs/.
12			*
13			* @author James Bell <[email protected]>
14			*
15			* @version 1
16			*/
17			class Api
18			{
19			/**
20			* Holds the provided email address for API authentication
21			*
22			* @var string
23			*/
24			public $email;
25
26			/**
27			* Holds the provided auth_key for API authentication
28			*
29			* @var string
30			*/
31			public $auth_key;
32
33			/**
34			* Holds the curl options
35			*
36			* @var array
37			*/
38			public $curl_options;
39
40			/**
41			* Make a new instance of the API client
42			* This can be done via providing the email address and api key as seperate parameters
43			* or by passing in an already instantiated object from which the details will be extracted
44			*/
45			public function __construct()
46			{
47			$num_args = func_num_args();
48			if ($num_args === 1) {
49			$parameters = func_get_args();
50			$client = $parameters[0];
51			$this->email = $client->email;
52			$this->auth_key = $client->auth_key;
53			$this->curl_options = $client->curl_options;
54			} elseif ($num_args === 2) {
55			$parameters = func_get_args();
56			$this->email = $parameters[0];
57			$this->auth_key = $parameters[1];
58			}
59			}
60
61			/**
62			* Setter to allow the setting of the email address
63			*
64			* @param string $email The email address associated with the Cloudflare account
65			*/
66			public function setEmail($email)
67			{
68			$this->email = $email;
69			}
70
71			/**
72			* Setter to allow the setting of the Authentication Key
73			*
74			* @param string $token Authentication key, this can be retrieve from the 'My Account' section of the Cloudflare account
75			*/
76			public function setAuthKey($token)
77			{
78			$this->auth_key = $token;
79			}
80
81			/**
82			* Setter to allow the adding / changing of the Curl options that will be used within the HTTP requests
83			*
84			* @param int $key The CURLOPT_XXX option to set e.g. CURLOPT_TIMEOUT
85			* @param mixed $value The value to be set on option e.g. 10
86			*/
87			public function setCurlOption($key, $value)
88			{
89			$this->curl_options[$key] = $value;
90			}
91
92			/**
93			* API call method for sending requests using GET
94			*
95			* @param string $path Path of the endpoint
96			* @param array $data Data to be sent along with the request
97			*
98			* @return mixed
99			*/
100			public function get($path, array $data = [])
101			{
102			return $this->request($path, $data, 'get');
103			}
104
105			/**
106			* API call method for sending requests using POST
107			*
108			* @param string $path Path of the endpoint
109			* @param array $data Data to be sent along with the request
110			*
111			* @return mixed
112			*/
113			public function post($path, array $data = [])
114			{
115			return $this->request($path, $data, 'post');
116			}
117
118			/**
119			* API call method for sending requests using PUT
120			*
121			* @param string $path Path of the endpoint
122			* @param array $data Data to be sent along with the request
123			*
124			* @return mixed
125			*/
126			public function put($path, array $data = [])
127			{
128			return $this->request($path, $data, 'put');
129			}
130
131			/**
132			* API call method for sending requests using DELETE
133			*
134			* @param string $path Path of the endpoint
135			* @param array $data Data to be sent along with the request
136			*
137			* @return mixed
138			*/
139			public function delete($path, array $data = [])
140			{
141			return $this->request($path, $data, 'delete');
142			}
143
144			/**
145			* API call method for sending requests using PATCH
146			*
147			* @param string $path Path of the endpoint
148			* @param array $data Data to be sent along with the request
149			*
150			* @return mixed
151			*/
152			public function patch($path, array $data = [])
153			{
154			return $this->request($path, $data, 'patch');
155			}
156
157			/**
158			* @codeCoverageIgnore
159			*
160			* API call method for sending requests using GET, POST, PUT, DELETE OR PATCH
161			*
162			* @param string $path Path of the endpoint
163			* @param array $data Data to be sent along with the request
164			* @param string $method Type of method that should be used ('GET', 'POST', 'PUT', 'DELETE', 'PATCH')
165			*
166			* @return mixed
167			*/
168			protected function request($path, array $data = [], $method = 'get')
169			{
170			if (!isset($this->email, $this->auth_key) \|\| false === filter_var($this->email, FILTER_VALIDATE_EMAIL)) {
171			throw new AuthenticationException('Authentication information must be provided');
172			}
173
174			//Removes null entries
175			$data = array_filter($data, function ($val) {
176			return !is_null($val);
177			});
178
179			$url = 'https://api.cloudflare.com/client/v4/'.$path;
180
181			$default_curl_options = [
182			CURLOPT_VERBOSE => false,
183			CURLOPT_FORBID_REUSE => true,
184			CURLOPT_RETURNTRANSFER => 1,
185			CURLOPT_HEADER => false,
186			CURLOPT_TIMEOUT => 30,
187			CURLOPT_SSL_VERIFYPEER => true,
188			];
189
190			$curl_options = $default_curl_options;
191			if (isset($this->curl_options) && is_array($this->curl_options)) {
192			$curl_options = array_replace($default_curl_options, $this->curl_options);
193			}
194
195			$user_agent = __FILE__;
196			$headers = [
197			"X-Auth-Email: {$this->email}",
198			"X-Auth-Key: {$this->auth_key}",
199			"User-Agent: {$user_agent}",
200			'Content-type: application/json',
201			];
202
203			$ch = curl_init();
204			curl_setopt_array($ch, $curl_options);
205
206			$json_data = json_encode($data);
207
208			if ($method === 'post') {
209			curl_setopt($ch, CURLOPT_POST, true);
210			curl_setopt($ch, CURLOPT_POSTFIELDS, $json_data);
211			} elseif ($method === 'put') {
			0 ignored issues – show Duplication introduced 2017-02-26 20:41 UTC by Report Bug Copy Issue Report Show Similar Issues like this This code seems to be duplicated across your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
212			curl_setopt($ch, CURLOPT_POSTFIELDS, $json_data);
213			curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'PUT');
214			} elseif ($method === 'delete') {
215			curl_setopt($ch, CURLOPT_POSTFIELDS, $json_data);
216			curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'DELETE');
217			} elseif ($method === 'patch') {
			0 ignored issues – show Duplication introduced 2016-07-20 08:16 UTC by Report Bug Copy Issue Report Show Similar Issues like this This code seems to be duplicated across your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
218			curl_setopt($ch, CURLOPT_POSTFIELDS, $json_data);
219			curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'PATCH');
220			} else {
221			$url .= '?'.http_build_query($data);
222			}
223
224			curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
225			curl_setopt($ch, CURLOPT_URL, $url);
226
227			$http_result = curl_exec($ch);
228			$error = curl_error($ch);
229			$information = curl_getinfo($ch);
230			$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
231
232			if (in_array($http_code, [401, 403])) {
233			throw new UnauthorizedException('You do not have permission to perform this request');
234			}
235
236			$response = json_decode($http_result);
237			if (!$response) {
238			$response = new \stdClass();
239			$response->success = false;
240			}
241
242			curl_close($ch);
243			if ($response->success !== true) {
244			$response->error = $error;
245			$response->http_code = $http_code;
246			$response->method = $method;
247			$response->information = $information;
248			}
249
250			return $response;
251			}
252			}
253

jamesryanbell / cloudflare

GitHub Access Token became invalid

Issues (86)

Security Analysis no request data

src/CloudFlare/Api.php (2 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like