Issues in HttpDeathByCaptchaAbstract.php (master) - Issues in master - juniorb2ss/deathbycaptcha-php-sdk - Measure and Improve Code Quality continuously with Scrutinizer

Issues (30)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Abstracts/HttpDeathByCaptchaAbstract.php (6 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace juniorb2ss\DeathByCaptcha\Abstracts;

use Psr\Http\Message\ResponseInterface;
use GuzzleHttp\Exception\GuzzleException;
use juniorb2ss\DeathByCaptcha\DeathByCaptcha;
use juniorb2ss\DeathByCaptcha\Exceptions\ClientException;
use juniorb2ss\DeathByCaptcha\Interfaces\ClientInterface;
use juniorb2ss\DeathByCaptcha\Abstracts\HttpHandlerResponseAbstract;

abstract class HttpDeathByCaptchaAbstract extends HttpHandlerResponseAbstract implements ClientInterface
{
    /**
     * Headers por padrão para requisição HTTP
     * @var array
     */
    protected $defaultHeaders = [
        'Accept' => 'application/json',
        'Expect' => '',
        'User-Agent' => DeathByCaptcha::API_VERSION
    ];

    /**
     * Create and send an HTTP request.
     *
     * Use an absolute path to override the base path of the client, or a
     * relative path to append to the base path of the client. The URL can
     * contain the query string as well.
     *
     * @param string              $method  HTTP method.
     * @param string|UriInterface $uri     URI object or string.
     * @param array               $options Request options to apply.
     *
     * @return ResponseInterface
     * @throws GuzzleException
     */
    protected function request($method, $uri, array $options = []): ResponseInterface
    {
        // Handler request to client
        $this->response = $this->client->request($method, $uri, $options);
class MyClass { }

$x = new MyClass();
$x->foo = true;

        // Handler response to check HTTP code erros
        // and content-type and content body
        // Make sure everything is correct before proceeding.
        $this->handlerHttpResponseIsOk();

        // all is ok!
        return $this->response;
    }

    /**
     * Efetua requisição GET no client
     * @param  string $path
     * @param  array  $query
     * @param  array  $headers
     * @return ResponseInterface
     */
    protected function get(string $path, array $query = [], array $headers = []): ResponseInterface

    {
        $query = $this->getQueryForClientRequest($query);
        $headers = $this->getHeadersForClientRequest($headers);

        $options = array_merge(['query' => $query], $this->getClientOptions($headers));

        $response = $this->request('GET', static::API_URL . $path, $options);

        return $response;
    }

    /**
     * Efetua requisição POST no client
     * @param  string $path
     * @param  array  $query
     * @param  array  $headers
     * @return ResponseInterface
     */
    protected function post(string $path, array $query = [], array $headers = []): ResponseInterface

    {
        $query = $this->getQueryForClientRequest($query);
        $headers = $this->getHeadersForClientRequest($headers);

        $options = array_merge(['form_params' => $query], $this->getClientOptions($headers));
        $response = $this->request('POST', static::API_URL . $path, $options);

        return $response;
    }

    /**
     * Retorna os headers que serão utilizados
     * nas requisições no cliente
     * @param  array  $headers
     * @return array  $headers
     */
    protected function getHeadersForClientRequest(array $headers = []): array
    {
        $headers = array_merge($headers, $this->defaultHeaders);

        return $headers;
    }

    /**
     * Retorna array de dados que serão utilizados
     * nas requisições no cliente
     * @param  array  $query
     * @return array  $query
     */
    protected function getQueryForClientRequest(array $query = []): array
    {
        $auth = $this->getAuthData();
        $query = array_merge($query, $auth);

        return $query;
    }

    /**
     * Retorna dados de autenticação
     * para as requisições
     * @return array
     */
    protected function getAuthData()
    {
        return [
            'username' => $this->username,
class MyClass { }

$x = new MyClass();
$x->foo = true;
            'password' => $this->password
class MyClass { }

$x = new MyClass();
$x->foo = true;
        ];
    }

    /**
     * Retorna as opções da requisição para
     * o cliente
     * @param  array   $headers
     * @param  boolean $referer
     * @return array
     */
    protected function getClientOptions(array $headers, $referer = false): array
    {
        return [
            'allow_redirects' => [
                'referer' => $referer
            ],
            'http_errors' => false,
            'timeout' => DeathByCaptcha::DEFAULT_TIMEOUT,
            'connect_timeout' => (DeathByCaptcha::DEFAULT_TIMEOUT / 4),
            'headers' => $headers
        ];
    }

    /**
     * Efetua requisição no cliente
     * retornando informações da conta no serviço
     * @return ResponseInterface
     */
    public function accountRequest(): ResponseInterface
    {
        $response = $this->get('user');

        return $response;
    }

    /**
     * Efetua requisição no cliente
     * retornando informações do status do serviço
     * @return ResponseInterface
     */
    public function statusRequest(): ResponseInterface
    {
        $response = $this->get('status');

        return $response;
    }

    /**
     * Informa pro serviço que o captcha recuperado
     * é inválido
     * @param  int    $id
     * @return ResponseInterface
     */
    public function captchAsIncorrect(int $id): ResponseInterface
    {
        $response = $this->post("captcha/{$id}/report");

        return $response;
    }

    /**
     * Recupera o resultado de um captcha através
     * do ID recentemente retornado pelo método
     * upload.
     * @param  int    $id
     * @return ResponseInterface
     */
    public function retrieveCaptcha(int $id): ResponseInterface
    {
        $response = $this->get("captcha/{$id}");

        return $response;
    }

    /**
     * Envia o captcha para o serviço
     * @param  string $imageBase64
     * @return ResponseInterface
     */
    public function uploadCaptcha($imageBase64): ResponseInterface
    {
        $response = $this->post('captcha', [
            'captchafile' => $imageBase64
        ]);

        return $response;
    }

    /**
     * Envia o captcha para o serviço
     * @param  string $googlekey
     * @param  $url
     * @return ResponseInterface
     */
    public function sendReCaptchaV2($googlekey, $url)
    {
        $response = $this->post('captcha', [
            'type' => 4,
            'token_params' => json_encode([
                'proxytype' => 'HTTP',
                'googlekey' => $googlekey,
                'pageurl' => $url,
            ])
        ]);

        return $response;
    }
}


GitHub Access Token became invalid

Issues (30)

Security Analysis no request data

src/Abstracts/HttpDeathByCaptchaAbstract.php (6 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

1			<?php
2
3			namespace juniorb2ss\DeathByCaptcha\Abstracts;
4
5			use Psr\Http\Message\ResponseInterface;
6			use GuzzleHttp\Exception\GuzzleException;
7			use juniorb2ss\DeathByCaptcha\DeathByCaptcha;
8			use juniorb2ss\DeathByCaptcha\Exceptions\ClientException;
9			use juniorb2ss\DeathByCaptcha\Interfaces\ClientInterface;
10			use juniorb2ss\DeathByCaptcha\Abstracts\HttpHandlerResponseAbstract;
11
12			abstract class HttpDeathByCaptchaAbstract extends HttpHandlerResponseAbstract implements ClientInterface
13			{
14			/**
15			* Headers por padrão para requisição HTTP
16			* @var array
17			*/
18			protected $defaultHeaders = [
19			'Accept' => 'application/json',
20			'Expect' => '',
21			'User-Agent' => DeathByCaptcha::API_VERSION
22			];
23
24			/**
25			* Create and send an HTTP request.
26			*
27			* Use an absolute path to override the base path of the client, or a
28			* relative path to append to the base path of the client. The URL can
29			* contain the query string as well.
30			*
31			* @param string $method HTTP method.
32			* @param string\|UriInterface $uri URI object or string.
33			* @param array $options Request options to apply.
34			*
35			* @return ResponseInterface
36			* @throws GuzzleException
37			*/
38	78		protected function request($method, $uri, array $options = []): ResponseInterface
39			{
40			// Handler request to client
41	78		$this->response = $this->client->request($method, $uri, $options);
			0 ignored issues – show Bug introduced 2017-08-09 19:58 UTC by Report Bug Copy Issue Report Show Similar Issues like this The property `response` does not exist. Did you maybe forget to declare it? In PHP it is possible to write to properties without declaring them. For example, the following is perfectly valid PHP code: class MyClass { } $x = new MyClass(); $x->foo = true; Generally, it is a good practice to explictly declare properties to avoid accidental typos and provide IDE auto-completion: class MyClass { public $foo; } $x = new MyClass(); $x->foo = true; Loading history... Bug introduced 2017-08-09 19:58 UTC by Report Bug Copy Issue Report Show Similar Issues like this The property `client` does not exist. Did you maybe forget to declare it? In PHP it is possible to write to properties without declaring them. For example, the following is perfectly valid PHP code: class MyClass { } $x = new MyClass(); $x->foo = true; Generally, it is a good practice to explictly declare properties to avoid accidental typos and provide IDE auto-completion: class MyClass { public $foo; } $x = new MyClass(); $x->foo = true; Loading history...
42
43			// Handler response to check HTTP code erros
44			// and content-type and content body
45			// Make sure everything is correct before proceeding.
46	78		$this->handlerHttpResponseIsOk();
47
48			// all is ok!
49	51		return $this->response;
50			}
51
52			/**
53			* Efetua requisição GET no client
54			* @param string $path
55			* @param array $query
56			* @param array $headers
57			* @return ResponseInterface
58			*/
59	63	View Code Duplication	protected function get(string $path, array $query = [], array $headers = []): ResponseInterface
			0 ignored issues – show Duplication introduced 2017-08-09 19:58 UTC by Report Bug Copy Issue Report Show Similar Issues like this This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
60			{
61	63		$query = $this->getQueryForClientRequest($query);
62	63		$headers = $this->getHeadersForClientRequest($headers);
63
64	63		$options = array_merge(['query' => $query], $this->getClientOptions($headers));
65
66	63		$response = $this->request('GET', static::API_URL . $path, $options);
67
68	45		return $response;
69			}
70
71			/**
72			* Efetua requisição POST no client
73			* @param string $path
74			* @param array $query
75			* @param array $headers
76			* @return ResponseInterface
77			*/
78	15	View Code Duplication	protected function post(string $path, array $query = [], array $headers = []): ResponseInterface
			0 ignored issues – show Duplication introduced 2017-08-09 19:58 UTC by Report Bug Copy Issue Report Show Similar Issues like this This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
79			{
80	15		$query = $this->getQueryForClientRequest($query);
81	15		$headers = $this->getHeadersForClientRequest($headers);
82
83	15		$options = array_merge(['form_params' => $query], $this->getClientOptions($headers));
84	15		$response = $this->request('POST', static::API_URL . $path, $options);
85
86	6		return $response;
87			}
88
89			/**
90			* Retorna os headers que serão utilizados
91			* nas requisições no cliente
92			* @param array $headers
93			* @return array $headers
94			*/
95	78		protected function getHeadersForClientRequest(array $headers = []): array
96			{
97	78		$headers = array_merge($headers, $this->defaultHeaders);
98
99	78		return $headers;
100			}
101
102			/**
103			* Retorna array de dados que serão utilizados
104			* nas requisições no cliente
105			* @param array $query
106			* @return array $query
107			*/
108	78		protected function getQueryForClientRequest(array $query = []): array
109			{
110	78		$auth = $this->getAuthData();
111	78		$query = array_merge($query, $auth);
112
113	78		return $query;
114			}
115
116			/**
117			* Retorna dados de autenticação
118			* para as requisições
119			* @return array
120			*/
121	78		protected function getAuthData()
122			{
123			return [
124	78		'username' => $this->username,
			0 ignored issues – show Bug introduced 2017-08-09 19:58 UTC by Report Bug Copy Issue Report Show Similar Issues like this The property `username` does not exist. Did you maybe forget to declare it? In PHP it is possible to write to properties without declaring them. For example, the following is perfectly valid PHP code: class MyClass { } $x = new MyClass(); $x->foo = true; Generally, it is a good practice to explictly declare properties to avoid accidental typos and provide IDE auto-completion: class MyClass { public $foo; } $x = new MyClass(); $x->foo = true; Loading history...
125	78		'password' => $this->password
			0 ignored issues – show Bug introduced 2017-08-09 19:58 UTC by Report Bug Copy Issue Report Show Similar Issues like this The property `password` does not exist. Did you maybe forget to declare it? In PHP it is possible to write to properties without declaring them. For example, the following is perfectly valid PHP code: class MyClass { } $x = new MyClass(); $x->foo = true; Generally, it is a good practice to explictly declare properties to avoid accidental typos and provide IDE auto-completion: class MyClass { public $foo; } $x = new MyClass(); $x->foo = true; Loading history...
126			];
127			}
128
129			/**
130			* Retorna as opções da requisição para
131			* o cliente
132			* @param array $headers
133			* @param boolean $referer
134			* @return array
135			*/
136	78		protected function getClientOptions(array $headers, $referer = false): array
137			{
138			return [
139	78		'allow_redirects' => [
140	78		'referer' => $referer
141			],
142			'http_errors' => false,
143	78		'timeout' => DeathByCaptcha::DEFAULT_TIMEOUT,
144	78		'connect_timeout' => (DeathByCaptcha::DEFAULT_TIMEOUT / 4),
145	78		'headers' => $headers
146			];
147			}
148
149			/**
150			* Efetua requisição no cliente
151			* retornando informações da conta no serviço
152			* @return ResponseInterface
153			*/
154	39		public function accountRequest(): ResponseInterface
155			{
156	39		$response = $this->get('user');
157
158	24		return $response;
159			}
160
161			/**
162			* Efetua requisição no cliente
163			* retornando informações do status do serviço
164			* @return ResponseInterface
165			*/
166	18		public function statusRequest(): ResponseInterface
167			{
168	18		$response = $this->get('status');
169
170	18		return $response;
171			}
172
173			/**
174			* Informa pro serviço que o captcha recuperado
175			* é inválido
176			* @param int $id
177			* @return ResponseInterface
178			*/
179	3		public function captchAsIncorrect(int $id): ResponseInterface
180			{
181	3		$response = $this->post("captcha/{$id}/report");
182
183	3		return $response;
184			}
185
186			/**
187			* Recupera o resultado de um captcha através
188			* do ID recentemente retornado pelo método
189			* upload.
190			* @param int $id
191			* @return ResponseInterface
192			*/
193	6		public function retrieveCaptcha(int $id): ResponseInterface
194			{
195	6		$response = $this->get("captcha/{$id}");
196
197	3		return $response;
198			}
199
200			/**
201			* Envia o captcha para o serviço
202			* @param string $imageBase64
203			* @return ResponseInterface
204			*/
205	12		public function uploadCaptcha($imageBase64): ResponseInterface
206			{
207	12		$response = $this->post('captcha', [
208	12		'captchafile' => $imageBase64
209			]);
210
211	3		return $response;
212			}
213
214			/**
215			* Envia o captcha para o serviço
216			* @param string $googlekey
217			* @param $url
218			* @return ResponseInterface
219			*/
220			public function sendReCaptchaV2($googlekey, $url)
221			{
222			$response = $this->post('captcha', [
223			'type' => 4,
224			'token_params' => json_encode([
225			'proxytype' => 'HTTP',
226			'googlekey' => $googlekey,
227			'pageurl' => $url,
228			])
229			]);
230
231			return $response;
232			}
233			}
234

juniorb2ss / deathbycaptcha-php-sdk

GitHub Access Token became invalid

Issues (30)

Security Analysis no request data

src/Abstracts/HttpDeathByCaptchaAbstract.php (6 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like