Issues in ChronopostFtpAdapter.php (master) - Issues in master - lwiesel/delivery-tracking - Measure and Improve Code Quality continuously with Scrutinizer

Issues (1)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Adapter/ChronopostFtpAdapter.php (1 issue)

Labels

Severity

Major 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace LWI\DeliveryTracking\Adapter;

use LWI\DeliveryTracking\Behavior\ChronopostCodesTransformer;
use LWI\DeliveryTracking\Behavior\ExceptionThrower;
use LWI\DeliveryTracking\DeliveryEvent;
use LWI\DeliveryTracking\DeliveryServiceInterface;
use LWI\DeliveryTracking\DeliveryStatus;
use LWI\DeliveryTracking\Exception\DataNotFoundException;
use LWI\DeliveryTracking\Parser\FixedWidthColumnsParser;
use \DateTime;
use \DateTimeZone;

/**
 * Class ChronopostFtpAdapter
 */
class ChronopostFtpAdapter extends AbstractFtpAdapter implements DeliveryServiceInterface
{
    use ExceptionThrower, ChronopostCodesTransformer;

    /**
     * @var array
     */
    protected $fileStructure = [
        'accountNumber' => 8,
        'subAccountNumber' => 3,
        'date' => 8,
        'expeditionRef' => 35,
        'target' => 35,
        'chronopostNumber' => 13,
        'chronopostBarcode' => 45,
        'status' => 3,
        'statusReason' => 3,
        'statusDate' => 8,
        'statusTime' => 4,
        'zipcode' => 9,
        'receiver' => 35,
    ];

    /**
     * File pattern to retrieve, will be validated by preg_match
     *
     * @var string
     */
    protected $filePattern = '/CHRARCONSEIL_EDP02_40478001_/';

    /**
     * @var FixedWidthColumnsParser
     */
    protected $fixedWidthParser;


    /**
     * Paths of the already downloaded files
     *
     * @var array
     */
    protected $downloadedFiles = [];

    /**
     * Parsed events locally and temporary stored
     *
     * @var array | DeliveryEvent[]
     */
    protected $events = [];

    /**
     * Parsed events locally and temporary stored, indexed by internal number
     *
     * @var array | DeliveryEvent[]
     */
    protected $eventsByInternalNumber = [];

    /**
     * Number of file parsed while searching for a delivery before it throws a DataNotFoundException
     *
     * @var int
     */
    protected $depth = 168;// 1 week

    /**
     * ChronopostFtpAdapter constructor.
     * @param array $config
     */
    public function __construct(array $config)
    {
        $this->filePattern = isset($config['filePattern']) ? $config['filePattern'] : $this->filePattern;

        $this->fixedWidthParser = new FixedWidthColumnsParser($this->fileStructure);

        parent::__construct($config);
    }

    /**
     * @param string $trackingNumber
     *
     * @return DeliveryStatus
     */
    public function getDeliveryStatus($trackingNumber)
    {
        return $this->getLastEvent($trackingNumber)->getStatus();
    }

    /**
     * @param array $trackingNumbers
     *
     * @return array | DeliveryStatus[]
     */
    public function getDeliveryStatuses($trackingNumbers)
    {
        $statuses = [];

        foreach ($trackingNumbers as $trackingNumber) {
            $statuses[$trackingNumber] = $this->getDeliveryStatus($trackingNumber);
        }

        return $statuses;
    }


    /**
     * @param $trackingNumber
     *
     * @return DeliveryEvent
     *
     * @throws DataNotFoundException
     */
    public function getLastEvent($trackingNumber)
    {
        $try = 0;
        while ($try < $this->depth && !isset($this->events[$trackingNumber])) {
            $this->retrieveOneMoreFile();
            $try ++;
        }

        if ($try >= $this->depth && !isset($this->events[$trackingNumber])) {
            $this->throwDataNotFoundException();
        }

        return $this->events[$trackingNumber];
    }

    /**
     * @param array $trackingNumbers
     *
     * @return array | DeliveryEvent[]
     */
    public function getLastEventForMultipleDeliveries($trackingNumbers)
    {
        $events = [];

        foreach ($trackingNumbers as $trackingNumber) {
            $events[$trackingNumber] = $this->getLastEvent($trackingNumber);
        }

        return $events;
    }

    /**
     * @param string $reference
     *
     * @return string
     */
    public function getTrackingNumberByInternalReference($reference)
    {
        $try = 0;
        while ($try < $this->depth && !isset($this->eventsByInternalNumber[$reference])) {
            $this->retrieveOneMoreFile();
            $try ++;
        }

        if ($try >= $this->depth && !isset($this->eventsByInternalNumber[$reference])) {
            $this->throwDataNotFoundException();
        }

        return $this->eventsByInternalNumber[$reference]->getTrackingNumber();
    }

    /**
     * @param array $references
     *
     * @return void
     */
    public function getTrackingNumbersByInternalReferences($references)
    {
        // TODO
    }


    /**
     *  Retrieve one more file and save the events it in the local store if the are more recent
     */
    protected function retrieveOneMoreFile()
    {
        $lastUnreadFilePath = $this->getLastUnreadFilePath();

        $events = $this->retrieveFileEvents($lastUnreadFilePath);

        foreach ($events as $event) {
            if (isset($this->events[$event->getTrackingNumber()])) {
                if ($event->getEventDate() > $this->events[$event->getTrackingNumber()]->getEventDate()) {
                    $this->events[$event->getTrackingNumber()] = $event;
                }
            } else {
                $this->events[$event->getTrackingNumber()] = $event;

                if ($event->getInternalNumber()) {
                    $this->eventsByInternalNumber[$event->getInternalNumber()] = $event;
                }
            }
        }
    }

    /**
     * Retrieve the path of the more recent unread file
     * so if a new file is remotely created before this method is called, its path will be returned
     *
     * @return string
     */
    protected function getLastUnreadFilePath()
    {
        $lastUnreadFile = null;
        $chronopostFiles = $this->listDirectoryContents('OUT');

        $filteredFiles = [];
        foreach ($chronopostFiles as $file) {
            if (preg_match($this->filePattern, $file['path'])) {
                $filteredFiles[] = $file;
            }
        }
        $chronopostFiles = $filteredFiles;

        usort($chronopostFiles, function ($fileA, $fileB) {
            return ($fileA['date'] > $fileB['date']) ? -1 : 1;
        });

        foreach ($chronopostFiles as $file) {
            if (!in_array($file['path'], $this->downloadedFiles)) {
                $lastUnreadFile = $file['path'];
                break;
            }
        }

        if ($lastUnreadFile === null) {
            $this->throwDataNotFoundException();
        }

        return $lastUnreadFile;
    }

    /**
     * @param $path
     *
     * @return array | DeliveryEvent[]
     */
    protected function retrieveFileEvents($path)
    {
        $lastFileContent = $this->read($path)['contents'];

        $eventsRawData = $this->fixedWidthParser->parseMultiLine($lastFileContent);

        $events = [];
        foreach ($eventsRawData as $singleEventRawData) {
            $eventDate = DateTime::createFromFormat(
                'Ymd-Hi',
                $singleEventRawData['statusDate'].'-'.$singleEventRawData['statusTime'],
                new DateTimeZone('Europe/Paris')
            );

            $eventCode = isset($singleEventRawData['status']) ? $singleEventRawData['status'] : '';
            $internalNumber = !empty($singleEventRawData['expeditionRef']) ? $singleEventRawData['expeditionRef'] : '';

            $events[] = new DeliveryEvent(
                $singleEventRawData['chronopostNumber'],
                $eventDate,
<?php

function getDate($date)
{
    if ($date !== null) {
        return new DateTime($date);
    }

    return false;
}
                $this->getStateFromCode($eventCode),
                $internalNumber
            );
        }

        $this->downloadedFiles[] = $path;

        return $events;
    }
}


1			<?php
2
3			namespace LWI\DeliveryTracking\Adapter;
4
5			use LWI\DeliveryTracking\Behavior\ChronopostCodesTransformer;
6			use LWI\DeliveryTracking\Behavior\ExceptionThrower;
7			use LWI\DeliveryTracking\DeliveryEvent;
8			use LWI\DeliveryTracking\DeliveryServiceInterface;
9			use LWI\DeliveryTracking\DeliveryStatus;
10			use LWI\DeliveryTracking\Exception\DataNotFoundException;
11			use LWI\DeliveryTracking\Parser\FixedWidthColumnsParser;
12			use \DateTime;
13			use \DateTimeZone;
14
15			/**
16			* Class ChronopostFtpAdapter
17			*/
18			class ChronopostFtpAdapter extends AbstractFtpAdapter implements DeliveryServiceInterface
19			{
20			use ExceptionThrower, ChronopostCodesTransformer;
21
22			/**
23			* @var array
24			*/
25			protected $fileStructure = [
26			'accountNumber' => 8,
27			'subAccountNumber' => 3,
28			'date' => 8,
29			'expeditionRef' => 35,
30			'target' => 35,
31			'chronopostNumber' => 13,
32			'chronopostBarcode' => 45,
33			'status' => 3,
34			'statusReason' => 3,
35			'statusDate' => 8,
36			'statusTime' => 4,
37			'zipcode' => 9,
38			'receiver' => 35,
39			];
40
41			/**
42			* File pattern to retrieve, will be validated by preg_match
43			*
44			* @var string
45			*/
46			protected $filePattern = '/CHRARCONSEIL_EDP02_40478001_/';
47
48			/**
49			* @var FixedWidthColumnsParser
50			*/
51			protected $fixedWidthParser;
52
53
54			/**
55			* Paths of the already downloaded files
56			*
57			* @var array
58			*/
59			protected $downloadedFiles = [];
60
61			/**
62			* Parsed events locally and temporary stored
63			*
64			* @var array \| DeliveryEvent[]
65			*/
66			protected $events = [];
67
68			/**
69			* Parsed events locally and temporary stored, indexed by internal number
70			*
71			* @var array \| DeliveryEvent[]
72			*/
73			protected $eventsByInternalNumber = [];
74
75			/**
76			* Number of file parsed while searching for a delivery before it throws a DataNotFoundException
77			*
78			* @var int
79			*/
80			protected $depth = 168;// 1 week
81
82			/**
83			* ChronopostFtpAdapter constructor.
84			* @param array $config
85			*/
86			public function __construct(array $config)
87			{
88			$this->filePattern = isset($config['filePattern']) ? $config['filePattern'] : $this->filePattern;
89
90			$this->fixedWidthParser = new FixedWidthColumnsParser($this->fileStructure);
91
92			parent::__construct($config);
93			}
94
95			/**
96			* @param string $trackingNumber
97			*
98			* @return DeliveryStatus
99			*/
100			public function getDeliveryStatus($trackingNumber)
101			{
102			return $this->getLastEvent($trackingNumber)->getStatus();
103			}
104
105			/**
106			* @param array $trackingNumbers
107			*
108			* @return array \| DeliveryStatus[]
109			*/
110			public function getDeliveryStatuses($trackingNumbers)
111			{
112			$statuses = [];
113
114			foreach ($trackingNumbers as $trackingNumber) {
115			$statuses[$trackingNumber] = $this->getDeliveryStatus($trackingNumber);
116			}
117
118			return $statuses;
119			}
120
121
122			/**
123			* @param $trackingNumber
124			*
125			* @return DeliveryEvent
126			*
127			* @throws DataNotFoundException
128			*/
129			public function getLastEvent($trackingNumber)
130			{
131			$try = 0;
132			while ($try < $this->depth && !isset($this->events[$trackingNumber])) {
133			$this->retrieveOneMoreFile();
134			$try ++;
135			}
136
137			if ($try >= $this->depth && !isset($this->events[$trackingNumber])) {
138			$this->throwDataNotFoundException();
139			}
140
141			return $this->events[$trackingNumber];
142			}
143
144			/**
145			* @param array $trackingNumbers
146			*
147			* @return array \| DeliveryEvent[]
148			*/
149			public function getLastEventForMultipleDeliveries($trackingNumbers)
150			{
151			$events = [];
152
153			foreach ($trackingNumbers as $trackingNumber) {
154			$events[$trackingNumber] = $this->getLastEvent($trackingNumber);
155			}
156
157			return $events;
158			}
159
160			/**
161			* @param string $reference
162			*
163			* @return string
164			*/
165			public function getTrackingNumberByInternalReference($reference)
166			{
167			$try = 0;
168			while ($try < $this->depth && !isset($this->eventsByInternalNumber[$reference])) {
169			$this->retrieveOneMoreFile();
170			$try ++;
171			}
172
173			if ($try >= $this->depth && !isset($this->eventsByInternalNumber[$reference])) {
174			$this->throwDataNotFoundException();
175			}
176
177			return $this->eventsByInternalNumber[$reference]->getTrackingNumber();
178			}
179
180			/**
181			* @param array $references
182			*
183			* @return void
184			*/
185			public function getTrackingNumbersByInternalReferences($references)
186			{
187			// TODO
188			}
189
190
191			/**
192			* Retrieve one more file and save the events it in the local store if the are more recent
193			*/
194			protected function retrieveOneMoreFile()
195			{
196			$lastUnreadFilePath = $this->getLastUnreadFilePath();
197
198			$events = $this->retrieveFileEvents($lastUnreadFilePath);
199
200			foreach ($events as $event) {
201			if (isset($this->events[$event->getTrackingNumber()])) {
202			if ($event->getEventDate() > $this->events[$event->getTrackingNumber()]->getEventDate()) {
203			$this->events[$event->getTrackingNumber()] = $event;
204			}
205			} else {
206			$this->events[$event->getTrackingNumber()] = $event;
207
208			if ($event->getInternalNumber()) {
209			$this->eventsByInternalNumber[$event->getInternalNumber()] = $event;
210			}
211			}
212			}
213			}
214
215			/**
216			* Retrieve the path of the more recent unread file
217			* so if a new file is remotely created before this method is called, its path will be returned
218			*
219			* @return string
220			*/
221			protected function getLastUnreadFilePath()
222			{
223			$lastUnreadFile = null;
224			$chronopostFiles = $this->listDirectoryContents('OUT');
225
226			$filteredFiles = [];
227			foreach ($chronopostFiles as $file) {
228			if (preg_match($this->filePattern, $file['path'])) {
229			$filteredFiles[] = $file;
230			}
231			}
232			$chronopostFiles = $filteredFiles;
233
234			usort($chronopostFiles, function ($fileA, $fileB) {
235			return ($fileA['date'] > $fileB['date']) ? -1 : 1;
236			});
237
238			foreach ($chronopostFiles as $file) {
239			if (!in_array($file['path'], $this->downloadedFiles)) {
240			$lastUnreadFile = $file['path'];
241			break;
242			}
243			}
244
245			if ($lastUnreadFile === null) {
246			$this->throwDataNotFoundException();
247			}
248
249			return $lastUnreadFile;
250			}
251
252			/**
253			* @param $path
254			*
255			* @return array \| DeliveryEvent[]
256			*/
257			protected function retrieveFileEvents($path)
258			{
259			$lastFileContent = $this->read($path)['contents'];
260
261			$eventsRawData = $this->fixedWidthParser->parseMultiLine($lastFileContent);
262
263			$events = [];
264			foreach ($eventsRawData as $singleEventRawData) {
265			$eventDate = DateTime::createFromFormat(
266			'Ymd-Hi',
267			$singleEventRawData['statusDate'].'-'.$singleEventRawData['statusTime'],
268			new DateTimeZone('Europe/Paris')
269			);
270
271			$eventCode = isset($singleEventRawData['status']) ? $singleEventRawData['status'] : '';
272			$internalNumber = !empty($singleEventRawData['expeditionRef']) ? $singleEventRawData['expeditionRef'] : '';
273
274			$events[] = new DeliveryEvent(
275			$singleEventRawData['chronopostNumber'],
276			$eventDate,
			0 ignored issues – show Security Bug introduced 2016-01-16 22:40 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `$eventDate` defined by `\DateTime::createFromFor...meZone('Europe/Paris'))` on line `265` can also be of type `false`; however, `LWI\DeliveryTracking\DeliveryEvent::__construct()` does only seem to accept `object<DateTime>`, did you maybe forget to handle an error condition? This check looks for type mismatches where the missing type is `false`. This is usually indicative of an error condtion. Consider the follow example <?php function getDate($date) { if ($date !== null) { return new DateTime($date); } return false; } This function either returns a new `DateTime` object or false, if there was an error. This is a typical pattern in PHP programming to show that an error has occurred without raising an exception. The calling code should check for this returned `false` before passing on the value to another function or method that may not be able to handle a `false`. Loading history...
277			$this->getStateFromCode($eventCode),
278			$internalNumber
279			);
280			}
281
282			$this->downloadedFiles[] = $path;
283
284			return $events;
285			}
286			}
287

lwiesel / delivery-tracking

Issues (1)

Security Analysis no request data

src/Adapter/ChronopostFtpAdapter.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like