Issues in AmazonS3StorageEngine.php (master) - Issues in master - limit-zero/assets - Measure and Improve Code Quality continuously with Scrutinizer

Issues (18)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/StorageEngine/AmazonS3StorageEngine.php (1 issue)

Labels

Deprecated Code 1

Severity

Minor 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

/*
 * This file is part of the limit0/assets package.
 *
 * (c) Limit Zero, LLC <[email protected]>
 *
 * For the full copyright and license information, please view the LICENSE
 * file that was distributed with this source code.
 */

namespace Limit0\Assets\StorageEngine;

use Aws\S3\S3Client;
use Aws\S3\Exception\S3Exception;
use Limit0\Assets\Asset;
use Limit0\Assets\AssetFactory;
use Limit0\Assets\Exception\StorageException;
use Limit0\Assets\StorageEngineInterface;

/**
 * This class supports storing, retrieve, and deleting files to Amazon S3 storage.
 * At the moment, no additional storage parameters can be set -- it's best practice
 * to make these the defaults for your bucket to prevent objects being out of sync
 * with your AWS policies.
 *
 * Per AWS best practices, this passes through the authentication of requests to
 * the AWS SDK itself, for more info:
 * @see http://docs.aws.amazon.com/aws-sdk-php/v3/guide/guide/credentials.html#environment-credentials
 *
 * @see setBucket   The bucket must be set when configuring this storage engine.
 * @see setAcl      The default ACL is `private`.
 *
 * @author  Josh Worden <[email protected]>
 */
class AmazonS3StorageEngine implements StorageEngineInterface
{
    /**
     * @var     string
     */
    private $bucket;

    /**
     * @var     string
     */
    private $acl = 'private';

    /**
     * @var     S3Client
     */
    private $client;

    /**
     * @var     string
     */
    private $region = 'us-east-1';

    /**
     * @return  string
     */
    public function getAcl()
    {
        return $this->acl;
    }

    /**
     * @return  string
     */
    public function getBucket()
    {
        if (null === $this->bucket) {
            throw StorageException::invalidConfiguration('bucket');
        }
        return $this->bucket;
    }

    /**
     * Instantiates and returns an S3Client instance
     * @return  S3Client
     */
    public function getClient()
    {
        if (null === $this->client) {
            $this->client = S3Client::factory([

                'version'   => 'latest',
                'region'    => $this->getRegion()
            ]);
        }
        return $this->client;
    }

    /**
     * @return  string
     */
    public function getRegion()
    {
        return $this->region;
    }

    /**
     * {@inheritdoc}
     */
    public function remove($identifier)
    {
        try {
            $this->getClient()->deleteObject([
                'Bucket'    => $this->getBucket(),
                'Key'       => $identifier
            ]);
        } catch (S3Exception $e) {
            throw new StorageException($e->getMessage());
        }

        return true;
    }

    /**
     * {@inheritdoc}
     */
    public function retrieve($identifier)
    {
        $path = explode('/', $identifier);
        $fileName = array_pop($path);
        $localPath = sprintf('%s/%s', sys_get_temp_dir(), $fileName);

        try {
            $this->getClient()->getObject([
                'Bucket' => $this->getBucket(),
                'Key'    => $identifier,
                'SaveAs' => $localPath
            ]);

            $asset = AssetFactory::createFromPath($localPath);
            $asset->setFilename($fileName)->setFilepath(implode('/', $path));
            return $asset;

        } catch (S3Exception $e) {
            throw new StorageException($e->getMessage());
        }
    }

    /**
     * Sets the ACL the asset should be stored with.
     *
     * @param   string
     */
    public function setAcl($acl)
    {
        $this->acl = $acl;
        return $this;
    }

    /**
     * Sets the bucket the assets should be stored to.
     *
     * @param   string
     */
    public function setBucket($bucket)
    {
        $this->bucket = $bucket;
        return $this;
    }

    /**
     * Override the S3 region to connect to
     * @param   string
     */
    public function setRegion($region)
    {
        $this->region = $region;
        return $this;
    }

    /**
     * {@inheritdoc}
     */
    public function store(Asset $asset, $path = null, $filename = null)
    {
        $filename = (null === $filename) ? $asset->getBasename() : $filename;
        $key = sprintf('%s/%s', $path, $filename);

        try {
            $this->getClient()->putObject([
                'ACL'           => $this->getAcl(),
                'Bucket'        => $this->getBucket(),
                'Key'           => $key,
                'ContentType'   => $asset->getMimeType(),
                'Body'          => fopen($asset->getPathname(), 'r')
            ]);

        } catch (S3Exception $e) {
            throw new StorageException($e->getMessage());
        }

        return true;
    }
}


1			<?php
2
3			/*
4			* This file is part of the limit0/assets package.
5			*
6			* (c) Limit Zero, LLC <[email protected]>
7			*
8			* For the full copyright and license information, please view the LICENSE
9			* file that was distributed with this source code.
10			*/
11
12			namespace Limit0\Assets\StorageEngine;
13
14			use Aws\S3\S3Client;
15			use Aws\S3\Exception\S3Exception;
16			use Limit0\Assets\Asset;
17			use Limit0\Assets\AssetFactory;
18			use Limit0\Assets\Exception\StorageException;
19			use Limit0\Assets\StorageEngineInterface;
20
21			/**
22			* This class supports storing, retrieve, and deleting files to Amazon S3 storage.
23			* At the moment, no additional storage parameters can be set -- it's best practice
24			* to make these the defaults for your bucket to prevent objects being out of sync
25			* with your AWS policies.
26			*
27			* Per AWS best practices, this passes through the authentication of requests to
28			* the AWS SDK itself, for more info:
29			* @see http://docs.aws.amazon.com/aws-sdk-php/v3/guide/guide/credentials.html#environment-credentials
30			*
31			* @see setBucket The bucket must be set when configuring this storage engine.
32			* @see setAcl The default ACL is `private`.
33			*
34			* @author Josh Worden <[email protected]>
35			*/
36			class AmazonS3StorageEngine implements StorageEngineInterface
37			{
38			/**
39			* @var string
40			*/
41			private $bucket;
42
43			/**
44			* @var string
45			*/
46			private $acl = 'private';
47
48			/**
49			* @var S3Client
50			*/
51			private $client;
52
53			/**
54			* @var string
55			*/
56			private $region = 'us-east-1';
57
58			/**
59			* @return string
60			*/
61			public function getAcl()
62			{
63			return $this->acl;
64			}
65
66			/**
67			* @return string
68			*/
69			public function getBucket()
70			{
71			if (null === $this->bucket) {
72			throw StorageException::invalidConfiguration('bucket');
73			}
74			return $this->bucket;
75			}
76
77			/**
78			* Instantiates and returns an S3Client instance
79			* @return S3Client
80			*/
81			public function getClient()
82			{
83			if (null === $this->client) {
84			$this->client = S3Client::factory([
			0 ignored issues – show Deprecated Code introduced 2017-01-28 01:26 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `Aws\AwsClient::factory()` has been deprecated. This method has been deprecated. Loading history...
85			'version' => 'latest',
86			'region' => $this->getRegion()
87			]);
88			}
89			return $this->client;
90			}
91
92			/**
93			* @return string
94			*/
95			public function getRegion()
96			{
97			return $this->region;
98			}
99
100			/**
101			* {@inheritdoc}
102			*/
103			public function remove($identifier)
104			{
105			try {
106			$this->getClient()->deleteObject([
107			'Bucket' => $this->getBucket(),
108			'Key' => $identifier
109			]);
110			} catch (S3Exception $e) {
111			throw new StorageException($e->getMessage());
112			}
113
114			return true;
115			}
116
117			/**
118			* {@inheritdoc}
119			*/
120			public function retrieve($identifier)
121			{
122			$path = explode('/', $identifier);
123			$fileName = array_pop($path);
124			$localPath = sprintf('%s/%s', sys_get_temp_dir(), $fileName);
125
126			try {
127			$this->getClient()->getObject([
128			'Bucket' => $this->getBucket(),
129			'Key' => $identifier,
130			'SaveAs' => $localPath
131			]);
132
133			$asset = AssetFactory::createFromPath($localPath);
134			$asset->setFilename($fileName)->setFilepath(implode('/', $path));
135			return $asset;
136
137			} catch (S3Exception $e) {
138			throw new StorageException($e->getMessage());
139			}
140			}
141
142			/**
143			* Sets the ACL the asset should be stored with.
144			*
145			* @param string
146			*/
147			public function setAcl($acl)
148			{
149			$this->acl = $acl;
150			return $this;
151			}
152
153			/**
154			* Sets the bucket the assets should be stored to.
155			*
156			* @param string
157			*/
158			public function setBucket($bucket)
159			{
160			$this->bucket = $bucket;
161			return $this;
162			}
163
164			/**
165			* Override the S3 region to connect to
166			* @param string
167			*/
168			public function setRegion($region)
169			{
170			$this->region = $region;
171			return $this;
172			}
173
174			/**
175			* {@inheritdoc}
176			*/
177			public function store(Asset $asset, $path = null, $filename = null)
178			{
179			$filename = (null === $filename) ? $asset->getBasename() : $filename;
180			$key = sprintf('%s/%s', $path, $filename);
181
182			try {
183			$this->getClient()->putObject([
184			'ACL' => $this->getAcl(),
185			'Bucket' => $this->getBucket(),
186			'Key' => $key,
187			'ContentType' => $asset->getMimeType(),
188			'Body' => fopen($asset->getPathname(), 'r')
189			]);
190
191			} catch (S3Exception $e) {
192			throw new StorageException($e->getMessage());
193			}
194
195			return true;
196			}
197			}
198

limit-zero / assets

Issues (18)

Security Analysis not enabled

src/StorageEngine/AmazonS3StorageEngine.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like