Issues in JujuQuery.php (master) - Issues in master - jobapis/jobs-juju - Measure and Improve Code Quality continuously with Scrutinizer

Issues (3)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Queries/JujuQuery.php (2 issues)

Labels

Coding Style 2

Severity

Minor 2

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php namespace JobApis\Jobs\Client\Queries;

class JujuQuery extends AbstractQuery
{
    /**
     * partnerid
     *
     * Your assigned Publisher ID. This is given to you when signing up.
     *
     * @var string
     */
    protected $partnerid;

    /**
     * ipaddress
     *
     * The IP Address of the end-user
     *
     * @var string
     */
    protected $ipaddress;

    /**
     * useragent
     *
     * The User-Agent of the end-user
     *
     * @var string
     */
    protected $useragent;

    /**
     * k
     *
     * The query. This is in the same format as a basic search.
     *
     * @var string
     */
    protected $k;

    /**
     * l
     *
     * The location. This can be a state, county, city, or zip code. Using multiple locations in one
     * query is not supported.
     *
     * @var string
     */
    protected $l;

    /**
     * c
     *
     * The category within which to limit results. To retrieve from any of several specified categories,
     * specify ','-joined category names. Full list here: http://www.juju.com/publisher/spec/#categories
     *
     * @var string
     */
    protected $c;

    /**
     * r
     *
     * The radius, in miles, around the search location. The default is 20 and the maximum is 100.
     *
     * @var integer
     */
    protected $r;

    /**
     * order
     *
     * The order in which to return results. Choices are: relevance, date, distance. The default is relevance.
     *
     * @var string
     */
    protected $order;

    /**
     * days
     *
     * The number of days back to search. Default is 90.
     *
     * @var integer
     */
    protected $days;

    /**
     * jpp
     *
     * The number of jobs per page to return with each request. The maximum is 20, which is also the default.
     *
     * @var integer
     */
    protected $jpp;

    /**
     * page
     *
     * The page of results to return. Page numbers start at 1, the default.
     *
     * @var integer
     */
    protected $page;

    /**
     * channel
     *
     * The channel name used to track performance for multiple sites.
     *
     * @var string
     */
    protected $channel;

    /**
     * highlight
     *
     * By default, results will be highlighted with HTML bolding. Set this flag to 0 to turn highlighting off.
     *
     * @var boolean
     */
    protected $highlight;

    /**
     * startindex
     *
     * If you are using API results as backfill on one page of results, use this flag to 'skip' jobs from the top
     * of further API results, because you've already shown them in backfill. The minimum (and default) is 1, which
     * indicates that results should start on the first job. Simple paging should be implemented with the page and
     * jpp parameters. If you are unsure, you probably want to use page and jpp.
     *
     * @var integer
     */
    protected $startindex;

    /**
     * session
     *
     * This parameter should be uniquely associated with a particular user. It can be an anonymized persistent or
     * session cookie for web requests, or an anonymized contact id for email. Juju currently uses this internally
     * for testing new algorithms. If you cannot or do not wish to provide this parameter, it's fine to omit it.
     *
     * @var string
     */
    protected $session;

    /**
     * Get baseUrl
     *
     * @return  string Value of the base url to this api
     */
    public function getBaseUrl()
    {
        return 'http://api.juju.com/jobs';
    }

    /**
     * Get keyword
     *
     * @return  string Attribute being used as the search keyword
     */
    public function getKeyword()
    {
        return $this->k;
    }

    /**
     * Default parameters
     *
     * @var array
     */
    protected function defaultAttributes()
    {
        return [
            'ipaddress' => $this->userIp(),
            'useragent' => $this->userAgent(),
        ];
    }

    /**
     * Required parameters
     *
     * @return array
     */
    protected function requiredAttributes()
    {
        return [
            'partnerid',
            'ipaddress',
            'useragent',
        ];
    }

    /**
     * Return the user agent from server
     *
     * @return  string
     */
    protected function userAgent()
// Bad
class Router
{
    public function generate($path)
    {
        return $_SERVER['HOST'].$path;
    }
}

// Better
class Router
{
    private $host;

    public function __construct($host)
    {
        $this->host = $host;
    }

    public function generate($path)
    {
        return $this->host.$path;
    }
}

class Controller
{
    public function myAction(Request $request)
    {
        // Instead of
        $page = isset($_GET['page']) ? intval($_GET['page']) : 1;

        // Better (assuming you use the Symfony2 request)
        $page = $request->query->get('page', 1);
    }
}
    {
        return isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : null;
    }

    /**
     * Return the IP address from server
     *
     * @return  string
     */
    protected function userIp()
// Bad
class Router
{
    public function generate($path)
    {
        return $_SERVER['HOST'].$path;
    }
}

// Better
class Router
{
    private $host;

    public function __construct($host)
    {
        $this->host = $host;
    }

    public function generate($path)
    {
        return $this->host.$path;
    }
}

class Controller
{
    public function myAction(Request $request)
    {
        // Instead of
        $page = isset($_GET['page']) ? intval($_GET['page']) : 1;

        // Better (assuming you use the Symfony2 request)
        $page = $request->query->get('page', 1);
    }
}
    {
        return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : null;
    }
}


1		<?php namespace JobApis\Jobs\Client\Queries;
2
3		class JujuQuery extends AbstractQuery
4		{
5		/**
6		* partnerid
7		*
8		* Your assigned Publisher ID. This is given to you when signing up.
9		*
10		* @var string
11		*/
12		protected $partnerid;
13
14		/**
15		* ipaddress
16		*
17		* The IP Address of the end-user
18		*
19		* @var string
20		*/
21		protected $ipaddress;
22
23		/**
24		* useragent
25		*
26		* The User-Agent of the end-user
27		*
28		* @var string
29		*/
30		protected $useragent;
31
32		/**
33		* k
34		*
35		* The query. This is in the same format as a basic search.
36		*
37		* @var string
38		*/
39		protected $k;
40
41		/**
42		* l
43		*
44		* The location. This can be a state, county, city, or zip code. Using multiple locations in one
45		* query is not supported.
46		*
47		* @var string
48		*/
49		protected $l;
50
51		/**
52		* c
53		*
54		* The category within which to limit results. To retrieve from any of several specified categories,
55		* specify ','-joined category names. Full list here: http://www.juju.com/publisher/spec/#categories
56		*
57		* @var string
58		*/
59		protected $c;
60
61		/**
62		* r
63		*
64		* The radius, in miles, around the search location. The default is 20 and the maximum is 100.
65		*
66		* @var integer
67		*/
68		protected $r;
69
70		/**
71		* order
72		*
73		* The order in which to return results. Choices are: relevance, date, distance. The default is relevance.
74		*
75		* @var string
76		*/
77		protected $order;
78
79		/**
80		* days
81		*
82		* The number of days back to search. Default is 90.
83		*
84		* @var integer
85		*/
86		protected $days;
87
88		/**
89		* jpp
90		*
91		* The number of jobs per page to return with each request. The maximum is 20, which is also the default.
92		*
93		* @var integer
94		*/
95		protected $jpp;
96
97		/**
98		* page
99		*
100		* The page of results to return. Page numbers start at 1, the default.
101		*
102		* @var integer
103		*/
104		protected $page;
105
106		/**
107		* channel
108		*
109		* The channel name used to track performance for multiple sites.
110		*
111		* @var string
112		*/
113		protected $channel;
114
115		/**
116		* highlight
117		*
118		* By default, results will be highlighted with HTML bolding. Set this flag to 0 to turn highlighting off.
119		*
120		* @var boolean
121		*/
122		protected $highlight;
123
124		/**
125		* startindex
126		*
127		* If you are using API results as backfill on one page of results, use this flag to 'skip' jobs from the top
128		* of further API results, because you've already shown them in backfill. The minimum (and default) is 1, which
129		* indicates that results should start on the first job. Simple paging should be implemented with the page and
130		* jpp parameters. If you are unsure, you probably want to use page and jpp.
131		*
132		* @var integer
133		*/
134		protected $startindex;
135
136		/**
137		* session
138		*
139		* This parameter should be uniquely associated with a particular user. It can be an anonymized persistent or
140		* session cookie for web requests, or an anonymized contact id for email. Juju currently uses this internally
141		* for testing new algorithms. If you cannot or do not wish to provide this parameter, it's fine to omit it.
142		*
143		* @var string
144		*/
145		protected $session;
146
147		/**
148		* Get baseUrl
149		*
150		* @return string Value of the base url to this api
151		*/
152	6	public function getBaseUrl()
153		{
154	6	return 'http://api.juju.com/jobs';
155		}
156
157		/**
158		* Get keyword
159		*
160		* @return string Attribute being used as the search keyword
161		*/
162	4	public function getKeyword()
163		{
164	4	return $this->k;
165		}
166
167		/**
168		* Default parameters
169		*
170		* @var array
171		*/
172	20	protected function defaultAttributes()
173		{
174		return [
175	20	'ipaddress' => $this->userIp(),
176	20	'useragent' => $this->userAgent(),
177	20	];
178		}
179
180		/**
181		* Required parameters
182		*
183		* @return array
184		*/
185	6	protected function requiredAttributes()
186		{
187		return [
188	6	'partnerid',
189	6	'ipaddress',
190	6	'useragent',
191	6	];
192		}
193
194		/**
195		* Return the user agent from server
196		*
197		* @return string
198		*/
199	20	protected function userAgent()
		0 ignored issues – show Coding Style introduced 2016-10-03 23:21 UTC by Report Bug Copy Issue Report Show Similar Issues like this `userAgent` uses the super-global variable `$_SERVER` which is generally not recommended. Instead of super-globals, we recommend to explicitly inject the dependencies of your class. This makes your code less dependent on global state and it becomes generally more testable: // Bad class Router { public function generate($path) { return $_SERVER['HOST'].$path; } } // Better class Router { private $host; public function __construct($host) { $this->host = $host; } public function generate($path) { return $this->host.$path; } } class Controller { public function myAction(Request $request) { // Instead of $page = isset($_GET['page']) ? intval($_GET['page']) : 1; // Better (assuming you use the Symfony2 request) $page = $request->query->get('page', 1); } } Loading history...
200		{
201	20	return isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : null;
202		}
203
204		/**
205		* Return the IP address from server
206		*
207		* @return string
208		*/
209	20	protected function userIp()
		0 ignored issues – show Coding Style introduced 2016-10-03 23:21 UTC by Report Bug Copy Issue Report Show Similar Issues like this `userIp` uses the super-global variable `$_SERVER` which is generally not recommended. Instead of super-globals, we recommend to explicitly inject the dependencies of your class. This makes your code less dependent on global state and it becomes generally more testable: // Bad class Router { public function generate($path) { return $_SERVER['HOST'].$path; } } // Better class Router { private $host; public function __construct($host) { $this->host = $host; } public function generate($path) { return $this->host.$path; } } class Controller { public function myAction(Request $request) { // Instead of $page = isset($_GET['page']) ? intval($_GET['page']) : 1; // Better (assuming you use the Symfony2 request) $page = $request->query->get('page', 1); } } Loading history...
210		{
211	20	return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : null;
212		}
213		}
214

jobapis / jobs-juju

Issues (3)

Security Analysis no request data

src/Queries/JujuQuery.php (2 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like