Issues in Acl.php (master) - Issues in master - kot13/bootstrapi - Measure and Improve Code Quality continuously with Scrutinizer

Issues (68)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

app/src/Common/Acl.php (6 issues)

Labels

Severity

Minor 6

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
namespace App\Common;

use Zend\Permissions\Acl\Acl as ZendAcl;
use Zend\Permissions\Acl\Role\GenericRole as GenericRole;
use Zend\Permissions\Acl\Resource\GenericResource as GenericResource;

final class Acl extends ZendAcl
{
    /**
     * @var string privilege to make POST request to the specified resource
     */
    const PRIVILEGE_POST = 'post';

    /**
     * @var string privilege to mekt GET request to the specified resource
     */
    const PRIVILEGE_GET = 'get';

    /**
     * @var string guard can be applied to resources
     */
    const GUARD_TYPE_RESOURCE = 'resources';

    /**
     * @var string guard can be applied to routes
     */
    const GUARD_TYPE_ROUTE = 'routes';

    /**
     * @var string guard can be applied to callables
     */
    const GUARD_TYPE_CALLABLE = 'callables';

    /**
     * Acl constructor.
     *
     * @param array $configuration ACL configuration - see app settings ACL section
     * @throws \Exception
     */
    public function __construct($configuration)
    {
        // setup roles
        foreach ($configuration['roles'] as $role => $parents) {
            $this->addRole(new GenericRole($role), $parents);
        }

        // setup resources
        if (array_key_exists('resources', $configuration)) {
            foreach ($configuration['resources'] as $resource => $parent) {
                // create resource
                $this->addResource(new GenericResource($resource), $parent);
            }
        }

        // setup guards
        foreach ($configuration['guards'] as $guardType => $guardRules) {
            foreach ($guardRules as $rule) {
                // parse rule into parts
                list($resource, $roles, $privileges) = $this->parseRule($guardType, $rule);

                if ($guardType != static::GUARD_TYPE_RESOURCE) {
                    // resources were already build earlier
                    $resource = static::buildResourceName($guardType, $resource);
                    $this->addResource(new GenericResource($resource));
                }

                // allow access to this resource
                $this->allow($roles, $resource, $privileges);
            }
        }
    }

    /**
     * Verify guard rule correctness
     *
     * @param $guardType
     * @param array $rule
     * @return bool
     * @throws \Exception
     */
    protected function verifyRule($guardType, array $rule)
    {
        switch ($guardType) {
            case static::GUARD_TYPE_RESOURCE:
                // resources guards must have 2 parts

            case static::GUARD_TYPE_CALLABLE:
                // callables guards must have 2 parts
                // 'callables' => [

                //    // resource, roles, privileges
                //    ['App\Controller\CrudController',              ['user']],

                //    ['App\Controller\CrudController:actionIndex',  ['user']],

                if (count($rule) == 2) {
                    // all OK
                    return true;
                }
                break;

            case static::GUARD_TYPE_ROUTE:
                // routes guards must have 3 parts
                // 'routes' => [

                // // resource, roles, privileges
                // ['/api/token', ['guest'], ['post']],

                // ['/api/user',  ['user'],  ['get']],

                if (count($rule) == 3) {
                    // all OK
                    return true;
                }
                break;
        }

        // unknown guard type or incorrect rule structure
        throw new \Exception('Error Processing Request');
    }

    /**
     * Parse rule description into separate parts
     *
     * @param $guardType
     * @param $rule
     * @return array
     * @throws \Exception
     */
    protected function parseRule($guardType, $rule)
    {
        $this->verifyRule($guardType, $rule);

        // resource name is located in $rule[0]
        // roles array is located in $rule[1]
        // privileges are located in $rule[2]
        // return lower-cased array of privileges

        $resource   = $rule[0];
        $roles      = $rule[1];
        $privileges = count($rule) == 3 ? array_map('strtolower', $rule[2]) : null;

        return [$resource, $roles, $privileges];
    }

    /**
     * Build name of the resource based on guard type
     *
     * @param string $guardType guard type
     * @param string $base base part of the resource name to be built
     * @return string ready resource name
     * @throws \Exception
     */
    public static function buildResourceName($guardType, $base)
    {
        switch ($guardType) {
            case static::GUARD_TYPE_CALLABLE:
                return sprintf('callable//%s', $base);

            case static::GUARD_TYPE_ROUTE:
                return sprintf('route//%s', $base);
        }

        // unknown guard type
        throw new \Exception('Error Processing Request');
    }

    /**
     * Get one of PRIVILEGE_XXX constants based on HTTP method - GET, POST, PUT, etc
     *
     * @param string $method HTTP method GET, POST, PUT, etc
     * @return null|string
     */
    public static function getPrivilegeByHTTPMethod($method)
    {
        switch (strtolower($method)) {
            case 'post':
                return static::PRIVILEGE_POST;

            case 'get':
                return static::PRIVILEGE_GET;
        }

        return null;
    }
}


1			<?php
2			namespace App\Common;
3
4			use Zend\Permissions\Acl\Acl as ZendAcl;
5			use Zend\Permissions\Acl\Role\GenericRole as GenericRole;
6			use Zend\Permissions\Acl\Resource\GenericResource as GenericResource;
7
8			final class Acl extends ZendAcl
9			{
10			/**
11			* @var string privilege to make POST request to the specified resource
12			*/
13			const PRIVILEGE_POST = 'post';
14
15			/**
16			* @var string privilege to mekt GET request to the specified resource
17			*/
18			const PRIVILEGE_GET = 'get';
19
20			/**
21			* @var string guard can be applied to resources
22			*/
23			const GUARD_TYPE_RESOURCE = 'resources';
24
25			/**
26			* @var string guard can be applied to routes
27			*/
28			const GUARD_TYPE_ROUTE = 'routes';
29
30			/**
31			* @var string guard can be applied to callables
32			*/
33			const GUARD_TYPE_CALLABLE = 'callables';
34
35			/**
36			* Acl constructor.
37			*
38			* @param array $configuration ACL configuration - see app settings ACL section
39			* @throws \Exception
40			*/
41			public function __construct($configuration)
42			{
43			// setup roles
44			foreach ($configuration['roles'] as $role => $parents) {
45			$this->addRole(new GenericRole($role), $parents);
46			}
47
48			// setup resources
49			if (array_key_exists('resources', $configuration)) {
50			foreach ($configuration['resources'] as $resource => $parent) {
51			// create resource
52			$this->addResource(new GenericResource($resource), $parent);
53			}
54			}
55
56			// setup guards
57			foreach ($configuration['guards'] as $guardType => $guardRules) {
58			foreach ($guardRules as $rule) {
59			// parse rule into parts
60			list($resource, $roles, $privileges) = $this->parseRule($guardType, $rule);
61
62			if ($guardType != static::GUARD_TYPE_RESOURCE) {
63			// resources were already build earlier
64			$resource = static::buildResourceName($guardType, $resource);
65			$this->addResource(new GenericResource($resource));
66			}
67
68			// allow access to this resource
69			$this->allow($roles, $resource, $privileges);
70			}
71			}
72			}
73
74			/**
75			* Verify guard rule correctness
76			*
77			* @param $guardType
78			* @param array $rule
79			* @return bool
80			* @throws \Exception
81			*/
82			protected function verifyRule($guardType, array $rule)
83			{
84			switch ($guardType) {
85			case static::GUARD_TYPE_RESOURCE:
86			// resources guards must have 2 parts
87
88			case static::GUARD_TYPE_CALLABLE:
89			// callables guards must have 2 parts
90			// 'callables' => [
			0 ignored issues – show Unused Code Comprehensibility introduced 2017-05-25 07:12 UTC by Report Bug Copy Issue Report Show Similar Issues like this `50%` of this comment could be valid code. Did you maybe forget this after debugging? Sometimes obsolete code just ends up commented out instead of removed. In this case it is better to remove the code once you have checked you do not need it. The code might also have been commented out for debugging purposes. In this case it is vital that someone uncomments it again or your project may behave in very unexpected ways in production. This check looks for comments that seem to be mostly valid code and reports them. Loading history...
91			// // resource, roles, privileges
92			// ['App\Controller\CrudController', ['user']],
			0 ignored issues – show Unused Code Comprehensibility introduced 2017-05-25 07:12 UTC by Report Bug Copy Issue Report Show Similar Issues like this `80%` of this comment could be valid code. Did you maybe forget this after debugging? Sometimes obsolete code just ends up commented out instead of removed. In this case it is better to remove the code once you have checked you do not need it. The code might also have been commented out for debugging purposes. In this case it is vital that someone uncomments it again or your project may behave in very unexpected ways in production. This check looks for comments that seem to be mostly valid code and reports them. Loading history...
93			// ['App\Controller\CrudController:actionIndex', ['user']],
			0 ignored issues – show Unused Code Comprehensibility introduced 2017-05-25 07:12 UTC by Report Bug Copy Issue Report Show Similar Issues like this `80%` of this comment could be valid code. Did you maybe forget this after debugging? Sometimes obsolete code just ends up commented out instead of removed. In this case it is better to remove the code once you have checked you do not need it. The code might also have been commented out for debugging purposes. In this case it is vital that someone uncomments it again or your project may behave in very unexpected ways in production. This check looks for comments that seem to be mostly valid code and reports them. Loading history...
94			if (count($rule) == 2) {
95			// all OK
96			return true;
97			}
98			break;
99
100			case static::GUARD_TYPE_ROUTE:
101			// routes guards must have 3 parts
102			// 'routes' => [
			0 ignored issues – show Unused Code Comprehensibility introduced 2017-05-25 07:12 UTC by Report Bug Copy Issue Report Show Similar Issues like this `50%` of this comment could be valid code. Did you maybe forget this after debugging? Sometimes obsolete code just ends up commented out instead of removed. In this case it is better to remove the code once you have checked you do not need it. The code might also have been commented out for debugging purposes. In this case it is vital that someone uncomments it again or your project may behave in very unexpected ways in production. This check looks for comments that seem to be mostly valid code and reports them. Loading history...
103			// // resource, roles, privileges
104			// ['/api/token', ['guest'], ['post']],
			0 ignored issues – show Unused Code Comprehensibility introduced 2017-05-25 07:12 UTC by Report Bug Copy Issue Report Show Similar Issues like this `80%` of this comment could be valid code. Did you maybe forget this after debugging? Sometimes obsolete code just ends up commented out instead of removed. In this case it is better to remove the code once you have checked you do not need it. The code might also have been commented out for debugging purposes. In this case it is vital that someone uncomments it again or your project may behave in very unexpected ways in production. This check looks for comments that seem to be mostly valid code and reports them. Loading history...
105			// ['/api/user', ['user'], ['get']],
			0 ignored issues – show Unused Code Comprehensibility introduced 2017-05-25 07:12 UTC by Report Bug Copy Issue Report Show Similar Issues like this `80%` of this comment could be valid code. Did you maybe forget this after debugging? Sometimes obsolete code just ends up commented out instead of removed. In this case it is better to remove the code once you have checked you do not need it. The code might also have been commented out for debugging purposes. In this case it is vital that someone uncomments it again or your project may behave in very unexpected ways in production. This check looks for comments that seem to be mostly valid code and reports them. Loading history...
106			if (count($rule) == 3) {
107			// all OK
108			return true;
109			}
110			break;
111			}
112
113			// unknown guard type or incorrect rule structure
114			throw new \Exception('Error Processing Request');
115			}
116
117			/**
118			* Parse rule description into separate parts
119			*
120			* @param $guardType
121			* @param $rule
122			* @return array
123			* @throws \Exception
124			*/
125			protected function parseRule($guardType, $rule)
126			{
127			$this->verifyRule($guardType, $rule);
128
129			// resource name is located in $rule[0]
130			// roles array is located in $rule[1]
131			// privileges are located in $rule[2]
132			// return lower-cased array of privileges
133
134			$resource = $rule[0];
135			$roles = $rule[1];
136			$privileges = count($rule) == 3 ? array_map('strtolower', $rule[2]) : null;
137
138			return [$resource, $roles, $privileges];
139			}
140
141			/**
142			* Build name of the resource based on guard type
143			*
144			* @param string $guardType guard type
145			* @param string $base base part of the resource name to be built
146			* @return string ready resource name
147			* @throws \Exception
148			*/
149			public static function buildResourceName($guardType, $base)
150			{
151			switch ($guardType) {
152			case static::GUARD_TYPE_CALLABLE:
153			return sprintf('callable//%s', $base);
154
155			case static::GUARD_TYPE_ROUTE:
156			return sprintf('route//%s', $base);
157			}
158
159			// unknown guard type
160			throw new \Exception('Error Processing Request');
161			}
162
163			/**
164			* Get one of PRIVILEGE_XXX constants based on HTTP method - GET, POST, PUT, etc
165			*
166			* @param string $method HTTP method GET, POST, PUT, etc
167			* @return null\|string
168			*/
169			public static function getPrivilegeByHTTPMethod($method)
170			{
171			switch (strtolower($method)) {
172			case 'post':
173			return static::PRIVILEGE_POST;
174
175			case 'get':
176			return static::PRIVILEGE_GET;
177			}
178
179			return null;
180			}
181			}
182

kot13 / bootstrapi

Issues (68)

Security Analysis not enabled

app/src/Common/Acl.php (6 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like