Issues in Carrier.php (master) - Issues in master - meanbee/magento2-royalmail - Measure and Improve Code Quality continuously with Scrutinizer

Issues (11)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Model/Carrier.php (2 issues)

Labels

Bug 2

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace Meanbee\MagentoRoyalmail\Model;

use Magento\Framework\App\Config\ScopeConfigInterface;
use Magento\Framework\DataObject;
use Magento\Shipping\Model\Carrier\AbstractCarrier;
use Magento\Shipping\Model\Carrier\CarrierInterface;
use Magento\Shipping\Model\Rate\ResultFactory;
use Magento\Quote\Model\Quote\Address\RateResult\ErrorFactory;
use Magento\Quote\Model\Quote\Address\RateResult\Method;
.
|-- OtherDir
|   |-- Bar.php
|   `-- Foo.php
`-- SomeDir
    `-- Foo.php
use Magento\Quote\Model\Quote\Address\RateResult\MethodFactory;
use Magento\Quote\Model\Quote\Address\RateRequest;
use Meanbee\Royalmail\Carrier as LibCarrier;
use Psr\Log\LoggerInterface;

/**
 * Class Carrier Royal Mail shipping model
 */
class Carrier extends AbstractCarrier implements CarrierInterface
{
    /**
     * Carrier's code
     *
     * @var string
     */
    protected $_code = 'rm';

    /**
     * Whether this carrier has fixed rates calculation
     *
     * @var bool
     */
    protected $_isFixed = true;

    /**
     * @var ResultFactory
     */
    protected $rateResultFactory;

    /**
     * @var MethodFactory
     */
    protected $rateMethodFactory;

    /**
     * @var LibCarrier
     */
    protected $carrier;

    /**
     * @var Rounder
     */
    protected $rounder;

    /**
     * @param ScopeConfigInterface $scopeConfig
     * @param ErrorFactory $rateErrorFactory
     * @param LoggerInterface $logger
     * @param ResultFactory $rateResultFactory
     * @param MethodFactory $rateMethodFactory
     * @param Rounder $rounder
     * @param array $data
     */
    public function __construct(
        ScopeConfigInterface $scopeConfig,
        ErrorFactory $rateErrorFactory,
        LoggerInterface $logger,
        ResultFactory $rateResultFactory,
        MethodFactory $rateMethodFactory,
        Rounder $rounder,
        array $data = []
    ) {
        $this->rateResultFactory = $rateResultFactory;
        $this->rateMethodFactory = $rateMethodFactory;
        $this->rounder = $rounder;
        parent::__construct($scopeConfig, $rateErrorFactory, $logger, $data);
    }

    /**
     * Collect and get rates for storefront
     *
     * @SuppressWarnings(PHPMD.UnusedFormalParameter)
     * @param RateRequest $request
     * @return DataObject|bool|null
     * @api
     */
    public function collectRates(RateRequest $request)
    {
        /**
         * Make sure that Shipping method is enabled
         */
        if (!$this->isActive()) {
            return false;
        }

        $unit = $this->_scopeConfig->getValue(
            \Magento\Directory\Helper\Data::XML_PATH_WEIGHT_UNIT,
            \Magento\Store\Model\ScopeInterface::SCOPE_STORE
        );

        $weight = $this->getPackageWeightInKg($request->getPackageWeight(), $unit);

        $methods = $this->getCarrier()->getRates(
            $request->getDestCountryId(),
            $request->getPackageValue(),
            $weight
        );

        $methods = $this->removeUnusedParcelSizes($methods, $weight);

        $result = $this->rateResultFactory->create();

        $allowedMethods = $this->getAllowedMethods();

        if (empty($allowedMethods)) {
            return $result;
        }

        /** @var \Meanbee\RoyalMail\Method $method */
        foreach ($methods as $libMethod) {
            $method = new \Meanbee\MagentoRoyalmail\Model\Method(
                $libMethod->getId(),
                $libMethod->getCode(),
                $libMethod->getName(),
                $libMethod->getCountryCode(),
                $libMethod->getPrice(),
                $libMethod->getInsuranceValue(),
                $libMethod->getMinimumWeight(),
                $libMethod->getMaximumWeight(),
                $libMethod->getSize()
            );

            if (!array_key_exists($method->getCode(), $allowedMethods)) {
                continue;
            }

            /** @var Method $rate */
            $rate = $this->rateMethodFactory->create();
            $rate->setData('carrier', $this->getCarrierCode());
            $rate->setData('carrier_title', $this->getConfigData('title'));
            $rate->setData('method_title', $method->getName());
            $rate->setData('method', $method->getCode());
            $rate->setPrice(
                $this->rounder->round(
                    $this->getConfigData('rounding_rule'),

                    $this->getFinalPriceWithHandlingFee($method->getPrice())
                )
            );
            $result->append($rate);
        }

        return $result;
    }


    /**
     * Gets the methods selected in the admin area of the extension
     * to ensure that not allowed methods can be removed in the collect
     * rates method
     *
     * @return array
     */
    public function getAllowedMethods()
    {
        $configMethods = explode(',', $this->getConfigData('allowed_methods'));
        $allMethods = $this->getMethods();

        return array_intersect_key($allMethods, array_flip($configMethods));
    }
    /**
     * Gets the clean method names from the royal mail library data
     * class. These names link directly to method names, but are used
     * to ensure that duplicates are not created as similar names
     * exists for multiple methods.
     *
     * @return array
     */
    public function getMethods()
    {
        $libraryMethods = $this->getCarrier()->getAllMethods();

        $methods = array();
        foreach ($libraryMethods as $libMethodCode => $libMethodLabel) {
            $method = new \Meanbee\MagentoRoyalmail\Model\Method(
                $libMethodCode,
                $libMethodCode,
                $libMethodLabel
            );

            $methods[$method->getCode()] = $method->getName();
        }

        return $methods;
    }

    /**
     * @return LibCarrier
     */
    public function getCarrier()
    {
        /**
         * Bug in Magento, when production mode is enabled
         * if you're trying to inject an external library, magento won't discover
         * the correct dependencies. Even if it is clearly defined in di.xml.
         * This odd behaviour results in an instance of ObjectManager being injected.
         * Solution is to skip DI, and instantiate yourself.
         *
         * @TODO Once issue is resolved, we can use the constructor instantiated $carrier object.
         * @link https://github.com/magento/magento2/issues/6739
         */
        if (!$this->carrier) {
            $this->carrier = new LibCarrier();
        }

        return $this->carrier;
    }

    /**
     * @deprecated
     * @param $libCarrier
     * @return $this
     */
    public function setCarrier($libCarrier)
    {
        $this->carrier = $libCarrier;
        return $this;
    }

    /**
     * Get package weight in Kilograms converting from lbs if necessary.
     *
     * @param $weight
     * @param $unit
     * @return mixed
     */
    protected function getPackageWeightInKg($weight, $unit)
    {
        if ($unit == 'lbs') {
            $weight = $weight * 0.453592;
        }

        return $weight;
    }

    /**
     * Both small and medium sized parcels can serve up to 2KG.
     * Configuration option determines which size we show to customer.
     *
     * @param \Meanbee\RoyalMail\Method[] $methods
     * @param int $weight
     * @return \Meanbee\RoyalMail\Method[]
     */
    protected function removeUnusedParcelSizes($methods, $weight)
    {
        $parcelSize = $this->getConfigData('parcel_size');
        if ($weight <= 2 && $parcelSize) {
            foreach ($methods as $key => $method) {
                if ($method->getSize() && $method->getSize() != $parcelSize) {
                    unset($methods[$key]);
                }
            }
        }

        return $methods;
    }
}


1		<?php
2
3		namespace Meanbee\MagentoRoyalmail\Model;
4
5		use Magento\Framework\App\Config\ScopeConfigInterface;
6		use Magento\Framework\DataObject;
7		use Magento\Shipping\Model\Carrier\AbstractCarrier;
8		use Magento\Shipping\Model\Carrier\CarrierInterface;
9		use Magento\Shipping\Model\Rate\ResultFactory;
10		use Magento\Quote\Model\Quote\Address\RateResult\ErrorFactory;
11		use Magento\Quote\Model\Quote\Address\RateResult\Method;
		0 ignored issues – show Bug introduced 2017-05-23 10:58 UTC by Report Bug Copy Issue Report Show Similar Issues like this This use statement conflicts with another class in this namespace, `Meanbee\MagentoRoyalmail\Model\Method`. Let’s assume that you have a directory layout like this: . \|-- OtherDir \| \|-- Bar.php \| `-- Foo.php `-- SomeDir `-- Foo.php and let’s assume the following content of `Bar.php`: // Bar.php namespace OtherDir; use SomeDir\Foo; // This now conflicts the class OtherDir\Foo If both files `OtherDir/Foo.php` and `SomeDir/Foo.php` are loaded in the same runtime, you will see a PHP error such as the following: PHP Fatal error: Cannot use SomeDir\Foo as Foo because the name is already in use in OtherDir/Foo.php However, as `OtherDir/Foo.php` does not necessarily have to be loaded and the error is only triggered if it is loaded before `OtherDir/Bar.php`, this problem might go unnoticed for a while. In order to prevent this error from surfacing, you must import the namespace with a different alias: // Bar.php namespace OtherDir; use SomeDir\Foo as SomeDirFoo; // There is no conflict anymore. Loading history...
12		use Magento\Quote\Model\Quote\Address\RateResult\MethodFactory;
13		use Magento\Quote\Model\Quote\Address\RateRequest;
14		use Meanbee\Royalmail\Carrier as LibCarrier;
15		use Psr\Log\LoggerInterface;
16
17		/**
18		* Class Carrier Royal Mail shipping model
19		*/
20		class Carrier extends AbstractCarrier implements CarrierInterface
21		{
22		/**
23		* Carrier's code
24		*
25		* @var string
26		*/
27		protected $_code = 'rm';
28
29		/**
30		* Whether this carrier has fixed rates calculation
31		*
32		* @var bool
33		*/
34		protected $_isFixed = true;
35
36		/**
37		* @var ResultFactory
38		*/
39		protected $rateResultFactory;
40
41		/**
42		* @var MethodFactory
43		*/
44		protected $rateMethodFactory;
45
46		/**
47		* @var LibCarrier
48		*/
49		protected $carrier;
50
51		/**
52		* @var Rounder
53		*/
54		protected $rounder;
55
56		/**
57		* @param ScopeConfigInterface $scopeConfig
58		* @param ErrorFactory $rateErrorFactory
59		* @param LoggerInterface $logger
60		* @param ResultFactory $rateResultFactory
61		* @param MethodFactory $rateMethodFactory
62		* @param Rounder $rounder
63		* @param array $data
64		*/
65		public function __construct(
66		ScopeConfigInterface $scopeConfig,
67		ErrorFactory $rateErrorFactory,
68	8	LoggerInterface $logger,
69		ResultFactory $rateResultFactory,
70		MethodFactory $rateMethodFactory,
71		Rounder $rounder,
72		array $data = []
73		) {
74		$this->rateResultFactory = $rateResultFactory;
75		$this->rateMethodFactory = $rateMethodFactory;
76		$this->rounder = $rounder;
77	8	parent::__construct($scopeConfig, $rateErrorFactory, $logger, $data);
78	8	}
79	8
80	8	/**
81	8	* Collect and get rates for storefront
82		*
83		* @SuppressWarnings(PHPMD.UnusedFormalParameter)
84		* @param RateRequest $request
85		* @return DataObject\|bool\|null
86		* @api
87		*/
88		public function collectRates(RateRequest $request)
89		{
90		/**
91	6	* Make sure that Shipping method is enabled
92		*/
93		if (!$this->isActive()) {
94		return false;
95		}
96	6
97	1	$unit = $this->_scopeConfig->getValue(
98		\Magento\Directory\Helper\Data::XML_PATH_WEIGHT_UNIT,
99		\Magento\Store\Model\ScopeInterface::SCOPE_STORE
100	5	);
101	5
102		$weight = $this->getPackageWeightInKg($request->getPackageWeight(), $unit);
103	5
104		$methods = $this->getCarrier()->getRates(
105	5	$request->getDestCountryId(),
106		$request->getPackageValue(),
107	5	$weight
108	5	);
109	5
110		$methods = $this->removeUnusedParcelSizes($methods, $weight);
111	5
112		$result = $this->rateResultFactory->create();
113	5
114		$allowedMethods = $this->getAllowedMethods();
115	5
116		if (empty($allowedMethods)) {
117	5	return $result;
118		}
119	5
120	1	/** @var \Meanbee\RoyalMail\Method $method */
121		foreach ($methods as $libMethod) {
122		$method = new \Meanbee\MagentoRoyalmail\Model\Method(
123		$libMethod->getId(),
124	4	$libMethod->getCode(),
125	2	$libMethod->getName(),
126	1	$libMethod->getCountryCode(),
127		$libMethod->getPrice(),
128		$libMethod->getInsuranceValue(),
129		$libMethod->getMinimumWeight(),
130	1	$libMethod->getMaximumWeight(),
131	1	$libMethod->getSize()
132	1	);
133	1
134	2	if (!array_key_exists($method->getCode(), $allowedMethods)) {
135	1	continue;
136	1	}
137	1
138	1	/** @var Method $rate */
139	1	$rate = $this->rateMethodFactory->create();
140	1	$rate->setData('carrier', $this->getCarrierCode());
141	1	$rate->setData('carrier_title', $this->getConfigData('title'));
142	4	$rate->setData('method_title', $method->getName());
143		$rate->setData('method', $method->getCode());
144	4	$rate->setPrice(
145		$this->rounder->round(
146		$this->getConfigData('rounding_rule'),
		0 ignored issues – show Bug introduced 2016-07-11 09:03 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `$this->getConfigData('rounding_rule')` targeting `Magento\Shipping\Model\C...arrier::getConfigData()` can also be of type `false` or `null`; however, `Meanbee\MagentoRoyalmail\Model\Rounder::round()` does only seem to accept `string`, maybe add an additional type check? This check looks at variables that are passed out again to other methods. If the outgoing method call has stricter type requirements than the method itself, an issue is raised. An additional type check may prevent trouble. Loading history...
147		$this->getFinalPriceWithHandlingFee($method->getPrice())
148		)
149		);
150		$result->append($rate);
151		}
152
153		return $result;
154		}
155	6
156
157	6	/**
158	6	* Gets the methods selected in the admin area of the extension
159		* to ensure that not allowed methods can be removed in the collect
160	6	* rates method
161		*
162		* @return array
163		*/
164		public function getAllowedMethods()
165		{
166		$configMethods = explode(',', $this->getConfigData('allowed_methods'));
167		$allMethods = $this->getMethods();
168
169		return array_intersect_key($allMethods, array_flip($configMethods));
170	7	}
171		/**
172	7	* Gets the clean method names from the royal mail library data
173		* class. These names link directly to method names, but are used
174		* to ensure that duplicates are not created as similar names
175		* exists for multiple methods.
176		*
177		* @return array
178	7	*/
179		public function getMethods()
180		{
181		$libraryMethods = $this->getCarrier()->getAllMethods();
182
183		$methods = array();
184		foreach ($libraryMethods as $libMethodCode => $libMethodLabel) {
185		$method = new \Meanbee\MagentoRoyalmail\Model\Method(
186		$libMethodCode,
187		$libMethodCode,
188		$libMethodLabel
189		);
190	7
191		$methods[$method->getCode()] = $method->getName();
192		}
193
194	7	return $methods;
195		}
196
197		/**
198		* @return LibCarrier
199		*/
200		public function getCarrier()
201		{
202	8	/**
203		* Bug in Magento, when production mode is enabled
204	8	* if you're trying to inject an external library, magento won't discover
205	8	* the correct dependencies. Even if it is clearly defined in di.xml.
206		* This odd behaviour results in an instance of ObjectManager being injected.
207		* Solution is to skip DI, and instantiate yourself.
208		*
209		* @TODO Once issue is resolved, we can use the constructor instantiated $carrier object.
210		* @link https://github.com/magento/magento2/issues/6739
211		*/
212		if (!$this->carrier) {
213		$this->carrier = new LibCarrier();
214		}
215	5
216		return $this->carrier;
217	5	}
218	1
219	1	/**
220		* @deprecated
221	5	* @param $libCarrier
222		* @return $this
223		*/
224		public function setCarrier($libCarrier)
225		{
226		$this->carrier = $libCarrier;
227		return $this;
228		}
229
230		/**
231		* Get package weight in Kilograms converting from lbs if necessary.
232	5	*
233		* @param $weight
234	5	* @param $unit
235	5	* @return mixed
236	1	*/
237	1	protected function getPackageWeightInKg($weight, $unit)
238	1	{
239	1	if ($unit == 'lbs') {
240	1	$weight = $weight * 0.453592;
241	1	}
242
243	5	return $weight;
244		}
245
246		/**
247		* Both small and medium sized parcels can serve up to 2KG.
248		* Configuration option determines which size we show to customer.
249		*
250		* @param \Meanbee\RoyalMail\Method[] $methods
251		* @param int $weight
252		* @return \Meanbee\RoyalMail\Method[]
253		*/
254		protected function removeUnusedParcelSizes($methods, $weight)
255		{
256		$parcelSize = $this->getConfigData('parcel_size');
257		if ($weight <= 2 && $parcelSize) {
258		foreach ($methods as $key => $method) {
259		if ($method->getSize() && $method->getSize() != $parcelSize) {
260		unset($methods[$key]);
261		}
262		}
263		}
264
265		return $methods;
266		}
267		}
268

meanbee / magento2-royalmail

Issues (11)

Security Analysis no request data

src/Model/Carrier.php (2 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like