This project does not seem to handle request data directly; as such, no vulnerable execution paths were found.
1 | <?php |
||
2 | |||
3 | |||
4 | namespace Mvdstam\Oauth2ServerLaravel\Providers; |
||
5 | |||
6 | |||
use DateInterval;
use Illuminate\Support\ServiceProvider;
use InvalidArgumentException;
use League\OAuth2\Server\AuthorizationServer;
use League\OAuth2\Server\CryptKey;
use League\OAuth2\Server\Entities\AccessTokenEntityInterface;
use League\OAuth2\Server\Entities\AuthCodeEntityInterface;
use League\OAuth2\Server\Entities\ClientEntityInterface;
use League\OAuth2\Server\Entities\RefreshTokenEntityInterface;
use League\OAuth2\Server\Entities\ScopeEntityInterface;
use League\OAuth2\Server\Entities\UserEntityInterface;
use League\OAuth2\Server\Grant\AuthCodeGrant;
use League\OAuth2\Server\Grant\GrantTypeInterface;
use League\OAuth2\Server\Grant\ImplicitGrant;
use League\OAuth2\Server\Repositories\AccessTokenRepositoryInterface;
use League\OAuth2\Server\Repositories\AuthCodeRepositoryInterface;
use League\OAuth2\Server\Repositories\ClientRepositoryInterface;
use League\OAuth2\Server\Repositories\RefreshTokenRepositoryInterface;
use League\OAuth2\Server\Repositories\ScopeRepositoryInterface;
use League\OAuth2\Server\Repositories\UserRepositoryInterface;
use League\OAuth2\Server\ResourceServer;
use Mvdstam\Oauth2ServerLaravel\Commands\CreateClientCommand;
use Mvdstam\Oauth2ServerLaravel\Commands\CreateScopeCommand;
use Mvdstam\Oauth2ServerLaravel\Commands\CreateUserCommand;
use Mvdstam\Oauth2ServerLaravel\Commands\GenerateKeyPairCommand;
use Mvdstam\Oauth2ServerLaravel\Contracts\JWTFactoryInterface;
use Mvdstam\Oauth2ServerLaravel\Entities\AccessToken;
use Mvdstam\Oauth2ServerLaravel\Entities\AuthCode;
use Mvdstam\Oauth2ServerLaravel\Entities\Client;
use Mvdstam\Oauth2ServerLaravel\Entities\RefreshToken;
use Mvdstam\Oauth2ServerLaravel\Entities\Scope;
use Mvdstam\Oauth2ServerLaravel\Entities\User;
use Mvdstam\Oauth2ServerLaravel\Factories\JWTFactory;
use Mvdstam\Oauth2ServerLaravel\Repositories\AccessTokenRepository;
use Mvdstam\Oauth2ServerLaravel\Repositories\AuthCodeRepository;
use Mvdstam\Oauth2ServerLaravel\Repositories\ClientRepository;
use Mvdstam\Oauth2ServerLaravel\Repositories\RefreshTokenRepository;
use Mvdstam\Oauth2ServerLaravel\Repositories\ScopeRepository;
use Mvdstam\Oauth2ServerLaravel\Repositories\UserRepository;
||
45 | |||
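class Oauth2ServerServiceProvider extends ServiceProvider
{
    /**
     * Boot the package: publish its config and migrations, load the package
     * routes and register the artisan commands.
     *
     * @return void
     */
    public function boot()
    {
        $this
            ->publishConfig()
            ->loadRoutes()
            ->loadMigrations()
            ->registerCommands();
    }

    /**
     * Register the container bindings: the merged package config, the entity
     * and repository interfaces, the JWT factory, the resource and
     * authorization servers, the grant types and the RSA key pair used to
     * sign JWTs.
     *
     * @return void
     */
    public function register()
    {
        $this->mergeConfigFrom(
            dirname(__DIR__).'/config/oauth2-server.php', 'oauth2-server'
        );

        $this->bindEntities();
        $this->bindRepositories();

        $this->app->bind(JWTFactoryInterface::class, JWTFactory::class);

        $this->registerServers();
        $this->registerGrants();
        $this->registerKeys();
    }

    /**
     * Bind the league entity interfaces to the package's entity classes.
     *
     * @return void
     */
    protected function bindEntities()
    {
        $entities = [
            AccessTokenEntityInterface::class  => AccessToken::class,
            AuthCodeEntityInterface::class     => AuthCode::class,
            ClientEntityInterface::class       => Client::class,
            RefreshTokenEntityInterface::class => RefreshToken::class,
            ScopeEntityInterface::class        => Scope::class,
            UserEntityInterface::class         => User::class,
        ];

        foreach ($entities as $abstract => $concrete) {
            $this->app->bind($abstract, $concrete);
        }
    }

    /**
     * Bind the league repository interfaces to the package's repositories.
     *
     * @return void
     */
    protected function bindRepositories()
    {
        $repositories = [
            AccessTokenRepositoryInterface::class  => AccessTokenRepository::class,
            AuthCodeRepositoryInterface::class     => AuthCodeRepository::class,
            ClientRepositoryInterface::class       => ClientRepository::class,
            RefreshTokenRepositoryInterface::class => RefreshTokenRepository::class,
            ScopeRepositoryInterface::class        => ScopeRepository::class,
            UserRepositoryInterface::class         => UserRepository::class,
        ];

        foreach ($repositories as $abstract => $concrete) {
            $this->app->bind($abstract, $concrete);
        }
    }

    /**
     * Register the OAuth2 resource server and authorization server as
     * singletons.
     *
     * @return void
     */
    protected function registerServers()
    {
        $this->app->singleton(ResourceServer::class, function () {
            return new ResourceServer(
                app(AccessTokenRepositoryInterface::class),
                app('oauth2-server.key.public')
            );
        });

        $this->app->singleton(AuthorizationServer::class, function () {
            $authServer = new AuthorizationServer(
                app(ClientRepositoryInterface::class),
                app(AccessTokenRepositoryInterface::class),
                app(ScopeRepositoryInterface::class),
                app('oauth2-server.key.private'),
                app('oauth2-server.key.public')
            );

            // Newer league/oauth2-server releases encrypt auth codes and refresh
            // tokens with a symmetric key set via setEncryptionKey(); older
            // releases have no such method, hence the guard.
            if (method_exists($authServer, 'setEncryptionKey')) {
                // Read the key through config('app.key') instead of env('APP_KEY'):
                // once the configuration is cached (artisan config:cache) env()
                // returns null, which would silently leave the server with an
                // empty encryption key. env() is kept only as a fallback.
                // NOTE(review): this reuses the Laravel application key as the
                // token encryption key; a dedicated secret in the package config
                // would keep the two independent.
                $authServer->setEncryptionKey(config('app.key', env('APP_KEY')));
            }

            return $authServer;
        });
    }

    /**
     * Enable the configured grant types on the authorization server and
     * register the grant type singletons that need constructor arguments.
     *
     * @return void
     */
    protected function registerGrants()
    {
        $this->app->resolving(AuthorizationServer::class, function (AuthorizationServer $authorizationServer) {
            // Grant definitions live in config/oauth2-server.php under "grants",
            // keyed by grant name (e.g. authorization_code, implicit). Each entry
            // has enabled, class, access_token_ttl and (non-implicit) refresh_token_ttl.
            foreach ((array) config('oauth2-server.grants', []) as $name => $grantConfig) {
                if (empty($grantConfig['enabled'])) {
                    continue;
                }

                /** @var GrantTypeInterface $grant */
                $grant = app($grantConfig['class']);

                // The class name is taken from the package config file, not from
                // the request (the static analyzer flags it because config() is
                // resolved through the container). Still fail loudly on a
                // misconfigured entry rather than letting enableGrantType()
                // fail with a less specific error.
                if (!$grant instanceof GrantTypeInterface) {
                    throw new InvalidArgumentException(sprintf(
                        'OAuth2 grant "%s" must resolve to a %s, got %s.',
                        $name,
                        GrantTypeInterface::class,
                        is_object($grant) ? get_class($grant) : gettype($grant)
                    ));
                }

                // The implicit grant issues no refresh tokens, so it has no
                // refresh token TTL to configure.
                if ($grant->getIdentifier() !== 'implicit') {
                    $grant->setRefreshTokenTTL(new DateInterval($grantConfig['refresh_token_ttl']));
                }

                $authorizationServer->enableGrantType(
                    $grant,
                    new DateInterval($grantConfig['access_token_ttl'])
                );
            }
        });

        $this->app->singleton(AuthCodeGrant::class, function () {
            // NOTE(review): the third constructor argument is the authorization
            // code lifetime; it is currently fed the access token TTL from config.
            // Confirm this is intended (a short, dedicated auth code TTL is usual).
            return new AuthCodeGrant(
                app(AuthCodeRepositoryInterface::class),
                app(RefreshTokenRepositoryInterface::class),
                new DateInterval(config('oauth2-server.grants.authorization_code.access_token_ttl'))
            );
        });

        $this->app->singleton(ImplicitGrant::class, function () {
            return new ImplicitGrant(
                new DateInterval(config('oauth2-server.grants.implicit.access_token_ttl'))
            );
        });
    }

    /**
     * Register the RSA key pair used for JWT signing.
     *
     * Both values come from config/oauth2-server.php ("key.public",
     * "key.private", "key.passphrase"); CryptKey treats them as key locations,
     * which is why the static analyzer reports a file-manipulation context.
     * The private key file must not be reachable from the web root.
     *
     * @return void
     */
    protected function registerKeys()
    {
        $this->app->singleton('oauth2-server.key.public', function () {
            return new CryptKey(config('oauth2-server.key.public'));
        });

        $this->app->singleton('oauth2-server.key.private', function () {
            return new CryptKey(config('oauth2-server.key.private'), config('oauth2-server.key.passphrase'));
        });
    }

    /**
     * Load the package routes unless the application's route cache is active.
     * The required path is fixed to the package directory.
     *
     * @return $this
     */
    protected function loadRoutes()
    {
        if (!$this->app->routesAreCached()) {
            require dirname(__DIR__) . '/Http/routes.php';
        }

        return $this;
    }

    /**
     * Make the package migrations publishable under the "migrations" tag.
     * (Despite the name, nothing is loaded here; the files are only published.)
     *
     * @return $this
     */
    protected function loadMigrations()
    {
        $this->publishes([
            dirname(__DIR__) . '/migrations' => database_path('migrations'),
        ], 'migrations');

        return $this;
    }

    /**
     * Make the package config publishable under the "config" tag, matching the
     * tagged migrations publish above.
     *
     * @return $this
     */
    protected function publishConfig()
    {
        $this->publishes([
            dirname(__DIR__) . '/config/oauth2-server.php' => config_path('oauth2-server.php'),
        ], 'config');

        return $this;
    }

    /**
     * Register the artisan commands when running in the console.
     *
     * @return $this
     */
    protected function registerCommands()
    {
        if ($this->app->runningInConsole()) {
            $this->commands([
                CreateScopeCommand::class,
                CreateClientCommand::class,
                CreateUserCommand::class,
                GenerateKeyPairCommand::class,
            ]);
        }

        return $this;
    }
}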
$grantConfig['class']
can contain request data and is used in a code execution context, leading to a potential security vulnerability. 1 path for user data to reach this point
$_SERVER
in vendor/src/Illuminate/Foundation/Bootstrap/SetRequestForConsole.php on line 20
in vendor/Request.php on line 324
in vendor/Request.php on line 1936
\Illuminate\Http\Request::create($url, 'GET', array(), array(), array(), $_SERVER)
is passed to Container::instance() in vendor/src/Illuminate/Foundation/Bootstrap/SetRequestForConsole.php on line 20
in vendor/src/Illuminate/Container/Container.php on line 346
in vendor/src/Illuminate/Container/Container.php on line 635
in vendor/src/Illuminate/Foundation/helpers.php on line 106
in vendor/src/Illuminate/Foundation/helpers.php on line 257
$grantConfig
is assigned in src/Providers/Oauth2ServerServiceProvider.php on line 123
Used in code-execution context
in vendor/src/Illuminate/Foundation/helpers.php on line 106
in vendor/src/Illuminate/Container/Container.php on line 644
in vendor/src/Illuminate/Container/Container.php on line 746
General Strategies to prevent injection
In general, it is advisable to prevent any user-data to reach this point. This can be done by white-listing certain values:
For numeric data, we recommend to explicitly cast the data: