Issues in Session.php (master) - Issues in master - nabble/ajde - Measure and Improve Code Quality continuously with Scrutinizer

Issues (1919)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

lib/Ajde/Session.php (2 issues)

Labels

Severity

Minor 2

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

class Ajde_Session extends Ajde_Object_Standard
{
    protected $_namespace = null;

    public function __bootstrap()
    {
        // Session name
        $sessionName = config('app.id').'_session';
        session_name($sessionName);

        // Session lifetime
        $lifetime = config('session.lifetime');

        // Security garbage collector
        ini_set('session.gc_maxlifetime',
            ($lifetime == 0 ? 180 * 60 : $lifetime * 60)); // PHP session garbage collection timeout in minutes
        ini_set('session.gc_divisor', 100);        // Set divisor and probability for cronjob Ubuntu/Debian
        //		ini_set('session.gc_probability', 1);	// @see http://www.php.net/manual/en/function.session-save-path.php#98106

        // Set session save path
        if (config('session.savepath')) {
            ini_set('session.save_path', str_replace('~', LOCAL_ROOT, config('session.savepath')));
        }

        // Set sessions to use cookies
        ini_set('session.use_cookies', 1);
        ini_set('session.use_only_cookies',
            1); // @see http://www.php.net/manual/en/session.configuration.php#ini.session.use-only-cookies

        // Session cookie parameter
        $path = config('app.path');
        $domain = config('security.cookie.domain');
        $secure = config('security.cookie.secure');
        $httponly = config('security.cookie.httponly');

        // Set cookie lifetime
        session_set_cookie_params($lifetime * 60, $path, $domain, $secure, $httponly);
        session_cache_limiter('private_no_expire');

        // Start the session!
        session_start();

        // Strengthen session security with REMOTE_ADDR and HTTP_USER_AGENT
        // @see http://shiflett.org/articles/session-hijacking

        // Removed REMOTE_ADDR, use HTTP_X_FORWARDED_FOR if available
        $remoteIp = Ajde_Http_Request::getClientIP();

        // Ignore Google Chrome frame as it has a split personality
        // @todo TODO: security issue!!
        // @see http://www.chromium.org/developers/how-tos/chrome-frame-getting-started/understanding-chrome-frame-user-agent
        if (
            isset($_SERVER['HTTP_USER_AGENT']) &&
            substr_count($_SERVER['HTTP_USER_AGENT'], 'chromeframe/') === 0 &&
            isset($_SESSION['client']) &&
            $_SESSION['client'] !== md5($remoteIp.$_SERVER['HTTP_USER_AGENT'].config('security.secret'))
        ) {

            // TODO: overhead to call session_regenerate_id? is it not required??
            //session_regenerate_id();

            // thoroughly destroy the current session
            session_destroy();
            unset($_SESSION);
            setcookie(session_name(), session_id(), time() - 3600, $path, $domain, $secure, $httponly);

            // TODO:
            $exception = new Ajde_Core_Exception_Security('Possible session hijacking detected. Bailing out.');
            if (config('app.debug') === true) {
                throw $exception;
            } else {
                // don't redirect/log for resource items, as they should have no side effect
                // this makes it possible for i.e. web crawlers/error pages to view resources
                $request = Ajde_Http_Request::fromGlobal();
                $route = $request->initRoute();
                Ajde::app()->setRequest($request);
class ParentClass {
    private $data = array();

    public function __call($method, array $args) {
        if (0 === strpos($method, 'get')) {
            return $this->data[strtolower(substr($method, 3))];
        }

        throw new \LogicException(sprintf('Unsupported method: %s', $method));
    }
}

/**
 * If this class knows which fields exist, you can specify the methods here:
 *
 * @method string getName()
 */
class SomeClass extends ParentClass { }
                if (!in_array($route->getFormat(), ['css', 'js'])) {
                    Ajde_Exception_Log::logException($exception);
function acceptsInteger($int) { }

$x = '123'; // string "123"

// Instead of
acceptsInteger($x);

// we recommend to use
acceptsInteger((integer) $x);
                    Ajde_Cache::getInstance()->disable();
                    // Just destroying the session should be enough
                    //					Ajde_Http_Response::dieOnCode(Ajde_Http_Response::RESPONSE_TYPE_FORBIDDEN);
                }
            }
        } else {
            $_SESSION['client'] = md5($remoteIp.issetor($_SERVER['HTTP_USER_AGENT']).config('security.secret'));

            if ($lifetime > 0) {
                // Force send new cookie with updated lifetime (forcing keep-alive)
                // @see http://www.php.net/manual/en/function.session-set-cookie-params.php#100672
                //session_regenerate_id();

                // Set cookie manually if session_start didn't just sent a cookie
                // @see http://www.php.net/manual/en/function.session-set-cookie-params.php#100657
                if (isset($_COOKIE[$sessionName])) {
                    setcookie(session_name(), session_id(), time() + ($lifetime * 60), $path, $domain, $secure,
                        $httponly);
                }
            }
        }

        // remove cache headers invoked by session_start();
        if (version_compare(PHP_VERSION, '5.3.0') >= 0) {
            header_remove('X-Powered-By');
        }

        return true;
    }

    public function __construct($namespace = 'default')
    {
        $this->_namespace = $namespace;
    }

    public function destroy($key = null)
    {
        if (isset($key)) {
            if ($this->has($key)) {
                $_SESSION[$this->_namespace][$key] = null;
                $this->remove($key);
            }
        } else {
            $_SESSION[$this->_namespace] = null;
            $this->reset();
        }
        Ajde_Cache::getInstance()->updateHash($this->hash());
    }

    public function setModel($name, $object)
    {
        $this->set($name, serialize($object));
    }

    public function getModel($name)
    {
        // If during the session class definitions has changed, this will throw an exception.
        try {
            return unserialize($this->get($name));
        } catch (Exception $e) {
            Ajde_Dump::warn('Model definition changed during session');

            return false;
        }
    }

    public function has($key)
    {
        if (!isset($this->_data[$key]) && isset($_SESSION[$this->_namespace][$key])) {
            $this->set($key, $_SESSION[$this->_namespace][$key]);
        }

        return parent::has($key);
    }

    public function set($key, $value)
    {
        parent::set($key, $value);
        if ($value instanceof Ajde_Model) {
            // TODO:
            throw new Ajde_Exception('It is not allowed to store a Model directly in the session, use Ajde_Session::setModel() instead.');
        }
        $_SESSION[$this->_namespace][$key] = $value;
        Ajde_Cache::getInstance()->updateHash($this->hash());
    }

    public function hash()
    {
        return serialize($_SESSION[$this->_namespace]);
    }

    public function getOnce($key)
    {
        $return = $this->get($key);
        $this->set($key, null);

        return $return;
    }
}


1			<?php
2
3			class Ajde_Session extends Ajde_Object_Standard
4			{
5			protected $_namespace = null;
6
7			public function __bootstrap()
8			{
9			// Session name
10			$sessionName = config('app.id').'_session';
11			session_name($sessionName);
12
13			// Session lifetime
14			$lifetime = config('session.lifetime');
15
16			// Security garbage collector
17			ini_set('session.gc_maxlifetime',
18			($lifetime == 0 ? 180 * 60 : $lifetime * 60)); // PHP session garbage collection timeout in minutes
19			ini_set('session.gc_divisor', 100); // Set divisor and probability for cronjob Ubuntu/Debian
20			// ini_set('session.gc_probability', 1); // @see http://www.php.net/manual/en/function.session-save-path.php#98106
21
22			// Set session save path
23			if (config('session.savepath')) {
24			ini_set('session.save_path', str_replace('~', LOCAL_ROOT, config('session.savepath')));
25			}
26
27			// Set sessions to use cookies
28			ini_set('session.use_cookies', 1);
29			ini_set('session.use_only_cookies',
30			1); // @see http://www.php.net/manual/en/session.configuration.php#ini.session.use-only-cookies
31
32			// Session cookie parameter
33			$path = config('app.path');
34			$domain = config('security.cookie.domain');
35			$secure = config('security.cookie.secure');
36			$httponly = config('security.cookie.httponly');
37
38			// Set cookie lifetime
39			session_set_cookie_params($lifetime * 60, $path, $domain, $secure, $httponly);
40			session_cache_limiter('private_no_expire');
41
42			// Start the session!
43			session_start();
44
45			// Strengthen session security with REMOTE_ADDR and HTTP_USER_AGENT
46			// @see http://shiflett.org/articles/session-hijacking
47
48			// Removed REMOTE_ADDR, use HTTP_X_FORWARDED_FOR if available
49			$remoteIp = Ajde_Http_Request::getClientIP();
50
51			// Ignore Google Chrome frame as it has a split personality
52			// @todo TODO: security issue!!
53			// @see http://www.chromium.org/developers/how-tos/chrome-frame-getting-started/understanding-chrome-frame-user-agent
54			if (
55			isset($_SERVER['HTTP_USER_AGENT']) &&
56			substr_count($_SERVER['HTTP_USER_AGENT'], 'chromeframe/') === 0 &&
57			isset($_SESSION['client']) &&
58			$_SESSION['client'] !== md5($remoteIp.$_SERVER['HTTP_USER_AGENT'].config('security.secret'))
59			) {
60
61			// TODO: overhead to call session_regenerate_id? is it not required??
62			//session_regenerate_id();
63
64			// thoroughly destroy the current session
65			session_destroy();
66			unset($_SESSION);
67			setcookie(session_name(), session_id(), time() - 3600, $path, $domain, $secure, $httponly);
68
69			// TODO:
70			$exception = new Ajde_Core_Exception_Security('Possible session hijacking detected. Bailing out.');
71			if (config('app.debug') === true) {
72			throw $exception;
73			} else {
74			// don't redirect/log for resource items, as they should have no side effect
75			// this makes it possible for i.e. web crawlers/error pages to view resources
76			$request = Ajde_Http_Request::fromGlobal();
77			$route = $request->initRoute();
78			Ajde::app()->setRequest($request);
			0 ignored issues – show Documentation Bug introduced 2015-12-10 15:15 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `setRequest` does not exist on `object<Ajde_Application>`? Since you implemented `__call`, maybe consider adding a @method annotation. If you implement `__call` and you know which methods are available, you can improve IDE auto-completion and static analysis by adding a @method annotation to the class. This is often the case, when `__call` is implemented by a parent class and only the child class knows which methods exist: class ParentClass { private $data = array(); public function __call($method, array $args) { if (0 === strpos($method, 'get')) { return $this->data[strtolower(substr($method, 3))]; } throw new \LogicException(sprintf('Unsupported method: %s', $method)); } } /** * If this class knows which fields exist, you can specify the methods here: * * @method string getName() */ class SomeClass extends ParentClass { } Loading history...
79			if (!in_array($route->getFormat(), ['css', 'js'])) {
80			Ajde_Exception_Log::logException($exception);
			0 ignored issues – show Documentation introduced 2016-09-18 20:01 UTC by Report Bug Copy Issue Report Show Similar Issues like this `$exception` is of type `object<Ajde_Core_Exception_Security>`, but the function expects a `object<Throwable>`. It seems like the type of the argument is not accepted by the function/method which you are calling. In some cases, in particular if PHP’s automatic type-juggling kicks in this might be fine. In other cases, however this might be a bug. We suggest to add an explicit type cast like in the following example: function acceptsInteger($int) { } $x = '123'; // string "123" // Instead of acceptsInteger($x); // we recommend to use acceptsInteger((integer) $x); Loading history...
81			Ajde_Cache::getInstance()->disable();
82			// Just destroying the session should be enough
83			// Ajde_Http_Response::dieOnCode(Ajde_Http_Response::RESPONSE_TYPE_FORBIDDEN);
84			}
85			}
86			} else {
87			$_SESSION['client'] = md5($remoteIp.issetor($_SERVER['HTTP_USER_AGENT']).config('security.secret'));
88
89			if ($lifetime > 0) {
90			// Force send new cookie with updated lifetime (forcing keep-alive)
91			// @see http://www.php.net/manual/en/function.session-set-cookie-params.php#100672
92			//session_regenerate_id();
93
94			// Set cookie manually if session_start didn't just sent a cookie
95			// @see http://www.php.net/manual/en/function.session-set-cookie-params.php#100657
96			if (isset($_COOKIE[$sessionName])) {
97			setcookie(session_name(), session_id(), time() + ($lifetime * 60), $path, $domain, $secure,
98			$httponly);
99			}
100			}
101			}
102
103			// remove cache headers invoked by session_start();
104			if (version_compare(PHP_VERSION, '5.3.0') >= 0) {
105			header_remove('X-Powered-By');
106			}
107
108			return true;
109			}
110
111			public function __construct($namespace = 'default')
112			{
113			$this->_namespace = $namespace;
114			}
115
116			public function destroy($key = null)
117			{
118			if (isset($key)) {
119			if ($this->has($key)) {
120			$_SESSION[$this->_namespace][$key] = null;
121			$this->remove($key);
122			}
123			} else {
124			$_SESSION[$this->_namespace] = null;
125			$this->reset();
126			}
127			Ajde_Cache::getInstance()->updateHash($this->hash());
128			}
129
130			public function setModel($name, $object)
131			{
132			$this->set($name, serialize($object));
133			}
134
135			public function getModel($name)
136			{
137			// If during the session class definitions has changed, this will throw an exception.
138			try {
139			return unserialize($this->get($name));
140			} catch (Exception $e) {
141			Ajde_Dump::warn('Model definition changed during session');
142
143			return false;
144			}
145			}
146
147			public function has($key)
148			{
149			if (!isset($this->_data[$key]) && isset($_SESSION[$this->_namespace][$key])) {
150			$this->set($key, $_SESSION[$this->_namespace][$key]);
151			}
152
153			return parent::has($key);
154			}
155
156			public function set($key, $value)
157			{
158			parent::set($key, $value);
159			if ($value instanceof Ajde_Model) {
160			// TODO:
161			throw new Ajde_Exception('It is not allowed to store a Model directly in the session, use Ajde_Session::setModel() instead.');
162			}
163			$_SESSION[$this->_namespace][$key] = $value;
164			Ajde_Cache::getInstance()->updateHash($this->hash());
165			}
166
167			public function hash()
168			{
169			return serialize($_SESSION[$this->_namespace]);
170			}
171
172			public function getOnce($key)
173			{
174			$return = $this->get($key);
175			$this->set($key, null);
176
177			return $return;
178			}
179			}
180

nabble / ajde

Issues (1919)

Security Analysis not enabled

lib/Ajde/Session.php (2 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like