Issues in Card.php (master) - Issues in master - laravel-validation-rules/credit-card - Measure and Improve Code Quality continuously with Scrutinizer

Issues (6)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Cards/Card.php (1 issue)

Labels

Severity

Major 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace LVR\CreditCard\Cards;

use LVR\CreditCard\Exceptions\CreditCardCharactersException;
use LVR\CreditCard\Exceptions\CreditCardChecksumException;
use LVR\CreditCard\Exceptions\CreditCardCvcException;
use LVR\CreditCard\Exceptions\CreditCardException;
use LVR\CreditCard\Exceptions\CreditCardLengthException;
use LVR\CreditCard\Exceptions\CreditCardNameException;
use LVR\CreditCard\Exceptions\CreditCardPatternException;
use LVR\CreditCard\Exceptions\CreditCardTypeException;

abstract class Card
{
    /**
     * Regular expression for card number recognition.
     *
     * @var string
     */
    public static $pattern;

    /**
     * Credit card type: "debit", "credit".
     *
     * @var string
     */
    protected $type;

    /**
     * Credit card name.
     *
     * @var string
     */
    protected $name;

    /**
     * Brand name.
     *
     * @var string
     */
    protected $brand;

    /**
     * Card number length's.
     *
     * @var array
     */
    protected $number_length;

    /**
     * CVC code length's.
     *
     * @var array
     */
    protected $cvc_length;

    /**
     * Test cvc code checksum against Luhn algorithm.
     *
     * @var bool
     */
    protected $checksum_test;

    /**
     * @var string|null
     */
    private $card_number;

    /**
     * Card constructor.
     *
     * @param string $card_number
     *
     * @throws \LVR\CreditCard\Exceptions\CreditCardException
     */
    public function __construct(string $card_number = '')
    {
        $this->checkImplementation();

        if ($card_number) {
            $this->setCardNumber($card_number);
        }
    }

    /**
     * @param string $card_number
     *
     * @return $this
     * @throws \LVR\CreditCard\Exceptions\CreditCardPatternException
     */
    public function setCardNumber(string $card_number)
    {
        $this->card_number = preg_replace('/\s+/', '', $card_number);

        $this->isValidCardNumber();

        if (! $this->validPattern()) {
            throw new CreditCardPatternException(
                sprintf('Wrong "%s" card pattern', $this->card_number)
            );
        }

        return $this;
    }

    /**
     * @return bool
     * @throws \LVR\CreditCard\Exceptions\CreditCardChecksumException
     * @throws \LVR\CreditCard\Exceptions\CreditCardCharactersException
     * @throws \LVR\CreditCard\Exceptions\CreditCardException
     * @throws \LVR\CreditCard\Exceptions\CreditCardLengthException
     */
    public function isValidCardNumber()
    {
        if (! $this->card_number) {
''   == false // true
''   == null  // true
'ab' == false // false
'ab' == null  // false

// It is often better to use strict comparison
'' === false // false
'' === null  // false
            throw new CreditCardException('Card number is not set');
        }

        if (! is_numeric(preg_replace('/\s+/', '', $this->card_number))) {
            throw new CreditCardCharactersException(
                sprintf('Card number "%s" contains invalid characters', $this->card_number)
            );
        }

        if (! $this->validLength()) {
            throw new CreditCardLengthException(
                sprintf('Incorrect "%s" card length', $this->card_number)
            );
        }

        if (! $this->validChecksum()) {
            throw new CreditCardChecksumException(
                sprintf('Invalid card number: "%s". Checksum is wrong', $this->card_number)
            );
        }

        return true;
    }

    /**
     * @return string
     */
    public function type()
    {
        return $this->type;
    }

    /**
     * @return string
     */
    public function name()
    {
        return $this->name;
    }

    /**
     * @return string
     */
    public function brand()
    {
        return $this->brand;
    }

    /**
     * @param $cvc
     *
     * @return bool
     */
    public function isValidCvc($cvc)
    {
        return is_numeric($cvc)
            && self::isValidCvcLength($cvc, $this->cvc_length);
    }

    /**
     * Check CVS length against possible lengths.
     *
     * @param string|int $cvc
     *
     * @param array $available_lengths
     *
     * @return bool
     */
    public static function isValidCvcLength($cvc, array $available_lengths = [3, 4])
    {
        return
            is_numeric($cvc)
            && in_array(strlen($cvc), $available_lengths, true);
    }

    /**
     * @throws \LVR\CreditCard\Exceptions\CreditCardException
     */
    protected function checkImplementation()
    {
        if (! $this->type || ! is_string($this->type) || ! in_array($this->type, ['debit', 'credit'])) {
            throw new CreditCardTypeException('Credit card type is missing');
        }

        if (! $this->name || ! is_string($this->name)) {
            throw new CreditCardNameException('Credit card name is missing or is not a string');
        }

        if (! static::$pattern || ! is_string(static::$pattern)) {
            throw new CreditCardPatternException(
                'Credit card number recognition pattern is missing or is not a string'
            );
        }

        if (empty($this->number_length) || ! is_array($this->number_length)) {
            throw new CreditCardLengthException(
                'Credit card number length is missing or is not an array'
            );
        }

        if (empty($this->cvc_length) || ! is_array($this->cvc_length)) {
            throw new CreditCardCvcException(
                'Credit card cvc code length is missing or is not an array'
            );
        }

        if ($this->checksum_test === null || ! is_bool($this->checksum_test)) {
            throw new CreditCardChecksumException(
                'Credit card checksum test is missing or is not a boolean'
            );
        }
    }

    /**
     * @return bool
     */
    protected function validPattern()
    {
        return (bool) preg_match(static::$pattern, $this->card_number);
    }

    /**
     * @return bool
     */
    protected function validLength()
    {
        return in_array(strlen($this->card_number), $this->number_length, true);
    }

    /**
     * @return bool
     */
    protected function validChecksum()
    {
        return ! $this->checksum_test || $this->checksumTest();
    }

    /**
     * @return bool
     */
    protected function checksumTest()
    {
        $checksum = 0;
        $len = strlen($this->card_number);
        for ($i = 2 - ($len % 2); $i <= $len; $i += 2) {
            $checksum += $this->card_number[$i - 1];
        }
        // Analyze odd digits in even length strings or even digits in odd length strings.
        for ($i = $len % 2 + 1; $i < $len; $i += 2) {
            $digit = $this->card_number[$i - 1] * 2;
            if ($digit < 10) {
                $checksum += $digit;
            } else {
                $checksum += $digit - 9;
            }
        }

        return ($checksum % 10) === 0;
    }
}


1		<?php
2
3		namespace LVR\CreditCard\Cards;
4
5		use LVR\CreditCard\Exceptions\CreditCardCharactersException;
6		use LVR\CreditCard\Exceptions\CreditCardChecksumException;
7		use LVR\CreditCard\Exceptions\CreditCardCvcException;
8		use LVR\CreditCard\Exceptions\CreditCardException;
9		use LVR\CreditCard\Exceptions\CreditCardLengthException;
10		use LVR\CreditCard\Exceptions\CreditCardNameException;
11		use LVR\CreditCard\Exceptions\CreditCardPatternException;
12		use LVR\CreditCard\Exceptions\CreditCardTypeException;
13
14		abstract class Card
15		{
16		/**
17		* Regular expression for card number recognition.
18		*
19		* @var string
20		*/
21		public static $pattern;
22
23		/**
24		* Credit card type: "debit", "credit".
25		*
26		* @var string
27		*/
28		protected $type;
29
30		/**
31		* Credit card name.
32		*
33		* @var string
34		*/
35		protected $name;
36
37		/**
38		* Brand name.
39		*
40		* @var string
41		*/
42		protected $brand;
43
44		/**
45		* Card number length's.
46		*
47		* @var array
48		*/
49		protected $number_length;
50
51		/**
52		* CVC code length's.
53		*
54		* @var array
55		*/
56		protected $cvc_length;
57
58		/**
59		* Test cvc code checksum against Luhn algorithm.
60		*
61		* @var bool
62		*/
63		protected $checksum_test;
64
65		/**
66		* @var string\|null
67		*/
68		private $card_number;
69
70		/**
71		* Card constructor.
72		*
73		* @param string $card_number
74		*
75		* @throws \LVR\CreditCard\Exceptions\CreditCardException
76		*/
77	124	public function __construct(string $card_number = '')
78		{
79	124	$this->checkImplementation();
80
81	119	if ($card_number) {
82	48	$this->setCardNumber($card_number);
83		}
84	89	}
85
86		/**
87		* @param string $card_number
88		*
89		* @return $this
90		* @throws \LVR\CreditCard\Exceptions\CreditCardPatternException
91		*/
92	90	public function setCardNumber(string $card_number)
93		{
94	90	$this->card_number = preg_replace('/\s+/', '', $card_number);
95
96	90	$this->isValidCardNumber();
97
98	45	if (! $this->validPattern()) {
99	13	throw new CreditCardPatternException(
100	13	sprintf('Wrong "%s" card pattern', $this->card_number)
101		);
102		}
103
104	32	return $this;
105		}
106
107		/**
108		* @return bool
109		* @throws \LVR\CreditCard\Exceptions\CreditCardChecksumException
110		* @throws \LVR\CreditCard\Exceptions\CreditCardCharactersException
111		* @throws \LVR\CreditCard\Exceptions\CreditCardException
112		* @throws \LVR\CreditCard\Exceptions\CreditCardLengthException
113		*/
114	104	public function isValidCardNumber()
115		{
116	104	if (! $this->card_number) {
		0 ignored issues – show Bug Best Practice introduced 2021-01-27 11:44 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `$this->card_number` of type `string\|null` is loosely compared to `false`; this is ambiguous if the string can be empty. You might want to explicitly use `=== null` instead. In PHP, under loose comparison (like `==`, or `!=`, or `switch` conditions), values of different types might be equal. For `string` values, the empty string `''` is a special case, in particular the following results might be unexpected: '' == false // true '' == null // true 'ab' == false // false 'ab' == null // false // It is often better to use strict comparison '' === false // false '' === null // false Loading history...
117	14	throw new CreditCardException('Card number is not set');
118		}
119
120	90	if (! is_numeric(preg_replace('/\s+/', '', $this->card_number))) {
121	16	throw new CreditCardCharactersException(
122	16	sprintf('Card number "%s" contains invalid characters', $this->card_number)
123		);
124		}
125
126	74	if (! $this->validLength()) {
127	27	throw new CreditCardLengthException(
128	27	sprintf('Incorrect "%s" card length', $this->card_number)
129		);
130		}
131
132	59	if (! $this->validChecksum()) {
133	14	throw new CreditCardChecksumException(
134	14	sprintf('Invalid card number: "%s". Checksum is wrong', $this->card_number)
135		);
136		}
137
138	45	return true;
139		}
140
141		/**
142		* @return string
143		*/
144	14	public function type()
145		{
146	14	return $this->type;
147		}
148
149		/**
150		* @return string
151		*/
152	1	public function name()
153		{
154	1	return $this->name;
155		}
156
157		/**
158		* @return string
159		*/
160	1	public function brand()
161		{
162	1	return $this->brand;
163		}
164
165		/**
166		* @param $cvc
167		*
168		* @return bool
169		*/
170	1	public function isValidCvc($cvc)
171		{
172	1	return is_numeric($cvc)
173	1	&& self::isValidCvcLength($cvc, $this->cvc_length);
174		}
175
176		/**
177		* Check CVS length against possible lengths.
178		*
179		* @param string\|int $cvc
180		*
181		* @param array $available_lengths
182		*
183		* @return bool
184		*/
185	2	public static function isValidCvcLength($cvc, array $available_lengths = [3, 4])
186		{
187		return
188	2	is_numeric($cvc)
189	2	&& in_array(strlen($cvc), $available_lengths, true);
190		}
191
192		/**
193		* @throws \LVR\CreditCard\Exceptions\CreditCardException
194		*/
195	124	protected function checkImplementation()
196		{
197	124	if (! $this->type \|\| ! is_string($this->type) \|\| ! in_array($this->type, ['debit', 'credit'])) {
198	1	throw new CreditCardTypeException('Credit card type is missing');
199		}
200
201	124	if (! $this->name \|\| ! is_string($this->name)) {
202	2	throw new CreditCardNameException('Credit card name is missing or is not a string');
203		}
204
205	123	if (! static::$pattern \|\| ! is_string(static::$pattern)) {
206	2	throw new CreditCardPatternException(
207	2	'Credit card number recognition pattern is missing or is not a string'
208		);
209		}
210
211	122	if (empty($this->number_length) \|\| ! is_array($this->number_length)) {
212	2	throw new CreditCardLengthException(
213	2	'Credit card number length is missing or is not an array'
214		);
215		}
216
217	121	if (empty($this->cvc_length) \|\| ! is_array($this->cvc_length)) {
218	2	throw new CreditCardCvcException(
219	2	'Credit card cvc code length is missing or is not an array'
220		);
221		}
222
223	120	if ($this->checksum_test === null \|\| ! is_bool($this->checksum_test)) {
224	2	throw new CreditCardChecksumException(
225	2	'Credit card checksum test is missing or is not a boolean'
226		);
227		}
228	119	}
229
230		/**
231		* @return bool
232		*/
233	45	protected function validPattern()
234		{
235	45	return (bool) preg_match(static::$pattern, $this->card_number);
236		}
237
238		/**
239		* @return bool
240		*/
241	74	protected function validLength()
242		{
243	74	return in_array(strlen($this->card_number), $this->number_length, true);
244		}
245
246		/**
247		* @return bool
248		*/
249	59	protected function validChecksum()
250		{
251	59	return ! $this->checksum_test \|\| $this->checksumTest();
252		}
253
254		/**
255		* @return bool
256		*/
257	56	protected function checksumTest()
258		{
259	56	$checksum = 0;
260	56	$len = strlen($this->card_number);
261	56	for ($i = 2 - ($len % 2); $i <= $len; $i += 2) {
262	56	$checksum += $this->card_number[$i - 1];
263		}
264		// Analyze odd digits in even length strings or even digits in odd length strings.
265	56	for ($i = $len % 2 + 1; $i < $len; $i += 2) {
266	56	$digit = $this->card_number[$i - 1] * 2;
267	56	if ($digit < 10) {
268	56	$checksum += $digit;
269		} else {
270	50	$checksum += $digit - 9;
271		}
272		}
273
274	56	return ($checksum % 10) === 0;
275		}
276		}
277

laravel-validation-rules / credit-card

Issues (6)

Security Analysis no request data

src/Cards/Card.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like