Issues (158)

Security Analysis: no request data

This project does not seem to handle request data directly, so no vulnerable execution paths were found.


js/src/app/backends/xmpp.js (4 issues)


Issues flagged in this file (4):

- `$XMPP.con.addHandler($XMPP.onPresence, null, "presence")` in onConnect: There should be a semicolon. (Requirement of semicolons is purely a coding-style issue, since JavaScript has specific rules about semicolons which are followed by all browsers.)
- `authorize.name = null;;` in onPresence: this semicolon seems to be unnecessary.
- `contacts.markOffline(contact.id)` in onPresence: There should be a semicolon.
- `&& $XMPP.con !== null` in configChanged: there seems to be a bad line break before `&&`.

```javascript
angular.module('chat').factory('xmpp', ['convs', 'contacts', 'initvar', 'session', 'authorize', 'time', function(convs, contacts, initvar, $session, authorize, Time) {
	var $XMPP = {
		jid: initvar.backends.xmpp.config.jid,
		password: initvar.backends.xmpp.config.password,
		bosh_url: initvar.backends.xmpp.config.bosh_url,
		con : null, // Strophe.Connection, created in init(); every method below reads $XMPP.con
		/**
		 * Called when we receive a new message
		 * This function adds the message to the correct conversation if it exists, otherwise it will create a new conversation first
		 * @param msg XMLDocument
		 * @returns true
		 * */
		onMessage : function(msg){
			var to = msg.getAttribute('to');
			var from = msg.getAttribute('from');
			var type = msg.getAttribute('type');
			var elems = msg.getElementsByTagName('body');

			if (type == "chat" && elems.length > 0) {
				var body = elems[0];
				var convId = Strophe.getBareJidFromJid(from);
				if (!convs.exists(convId)) {
					// Sender is not a known contact yet: create a temporary one keyed by its bare JID
					var contact = contacts.generateTempContact(convId, false, convId,
						[{"id": "xmpp", "displayname": "XMPP", "protocol": "xmpp", "namespace": "xmpp", "value": convId}]);
					contacts.contacts[convId] = contact;
					convs.addConv(convId, [contact, contacts.self()], 'xmpp', [], []);
				}
				convs.addChatMsg(
					convId,
					contacts.findByBackendValue('xmpp', convId),
					Strophe.getText(body),
					Time.now(),
					'xmpp'
				);
			}
			return true;
		},
		/**
		 * This function is called when we are connected and authorized to the XMPP server
		 * This function requests the XMPP roster
		 * This function will call the generateConvs function to initialize the Conversation list
		 * @param status
		 */
		onConnect : function(status){
			if (status == Strophe.Status.CONNECTED) {
				initvar.backends.xmpp.connected = true;

				$XMPP.con.addHandler($XMPP.onMessage, null, 'message', null, null, null);

				// Get roster information
				var iq = $iq({type: "get"}).c('query', {xmlns: "jabber:iq:roster"});
				$XMPP.con.addHandler($XMPP.processRoster, 'jabber:iq:roster', 'iq');
				$XMPP.con.send(iq);
				$XMPP.con.addHandler($XMPP.onPresence, null, "presence")
				$XMPP.con.send($pres());
				$XMPP.generateConvs();

			} else if (status == Strophe.Status.AUTHFAIL){
				// TODO
				alert('auth fail');
			}
		},
		/**
		 * This function processes the roster when it's fetched from the XMPP server.
		 * This can happen multiple times during a session. E.g. when a contact
		 * was removed or added to the roster.
		 * Each item in the roster which isn't in the Contacts app will be added
		 * to the Contacts app/DB. It will also subscribe to the presence of
		 * that contact.
		 * @param iq XMLDocument
		 * @returns true
		 */
		processRoster : function (iq) {
			var contactsToAdd = [];
			var contactsToRemove = []; // declared but never filled: items with subscription="remove" are only skipped
			$(iq).find('item').each(function () {
				// for each contact in the roster

				var jid = $(this).attr('jid');
				var bareJid = Strophe.getBareJidFromJid(jid);
				var name = $(this).attr('name') || jid;
				var subscription = $(this).attr('subscription');
				if ($XMPP.roster.indexOf(bareJid) === -1 && subscription !== 'remove') {
					$XMPP.roster.push(bareJid);
				}
				// Check if the contact is known
				var contact = contacts.findByBackendValue('xmpp', bareJid);
				if (!contact && subscription !== 'remove') {
					// add contact
					var oContact = {
						"FN": name,
						"IMPP": bareJid
					};
					if(contactsToAdd.indexOf(oContact) === -1){
						contactsToAdd.push(oContact);
					}
				}
			});

			if (contactsToAdd.length > 0) {
				// add the contacts from the roster to the contacts
				contacts.addContacts(contactsToAdd, function () {
					$XMPP.generateConvs();
				});
			}
			return true; // Keep this handler
		},
		/**
		 * This function fetches all contacts which support XMPP from the contacts app.
		 * And it creates conversations with all these contacts.
		 */
		generateConvs : function () {
			var XMPPContacts = contacts.findByBackend('xmpp');
			for (var key in XMPPContacts) {
				var XMPPContact = XMPPContacts[key];
				for (var backendKey in XMPPContact.backends) {
					var backend = XMPPContact.backends[backendKey];
					if (backend.id === 'xmpp') {
						convs.addConv(backend.value, [XMPPContact, contacts.self()], 'xmpp', [], []);
					}
				}
			}
		},
		onRaw : function (data) {
		},
		/**
		 * This function handles three things
		 * 1. a contact asks to subscribe: we ask the user if he wants to approve or deny this request
		 * 2. a contact's presence has changed to online
		 * 3. a contact's presence has changed to offline
		 * @param iq XMLDocument
		 * @returns true
		 */
		onPresence : function (iq) {
			var presenceType = $(iq).attr('type');
			var from = $(iq).attr('from');
			var bareJid =  Strophe.getBareJidFromJid(from);
			// false when the sender is not a known contact (see the check below)
			var contact = contacts.findByBackendValue('xmpp', bareJid);
			var user =  Strophe.getNodeFromJid(from);

			if (contact === false && user === $session.user.id){
				// TODO
				return true;
			}

			if (presenceType === 'subscribe') {
				authorize.jid = bareJid;
				authorize.name = contact.displayname;
				authorize.approve = function () {
					$XMPP.con.send($pres({to: authorize.jid, "type": "subscribed"}));
					$XMPP.con.send($pres({to: authorize.jid, "type": "subscribe"}));
					authorize.show = false;
					authorize.jid = null;
					authorize.name = null;
				};
				authorize.deny = function () {
					$XMPP.con.send($pres({to: authorize.jid, "type": "unsubscribed"}));
					authorize.show = false;
					authorize.jid = null;
					authorize.name = null;;
				};
				authorize.show = true;

			} else if (presenceType !== 'error') {
				if (presenceType === 'unavailable') {
					contacts.markOffline(contact.id)
				} else {
					var show = $(iq).find("show").text();
					if (show === "" || show === "chat") {
						contacts.markOnline(contact.id);
					} else {
						contacts.markOffline(contact.id);
					}
				}
			}
			return true;
		},
		roster : []
	};

	return {
		init : function(){
			//Create connection
			initvar.backends.xmpp.configErrors = []; // Reset all errors
			if (
				$XMPP.jid !== null &&
				$XMPP.jid !== '' &&
				typeof $XMPP.jid !== 'undefined' &&
				$XMPP.password !== null &&
				$XMPP.password !== '' &&
				typeof $XMPP.password !== 'undefined' &&
				$XMPP.bosh_url !== null &&
				$XMPP.bosh_url !== '' &&
				typeof $XMPP.bosh_url !== 'undefined'
			) {
				try {
					// Connect to XMPP server
					$XMPP.con = new Strophe.Connection($XMPP.bosh_url);
					$XMPP.con.connect($XMPP.jid, $XMPP.password, $XMPP.onConnect);
					$XMPP.con.rawInput = $XMPP.onRaw;
					$XMPP.con.rawOutput = $XMPP.onRaw;
				} catch (e) {
					if (e.name === 'TypeError' && e.message === 'service is undefined') {
						initvar.backends.xmpp.configErrors.push('Service is undefined');
					}
				}
			} else {
				initvar.backends.xmpp.configErrors.push('Fill in all the fields');
			}
		},
		quit : function(){
		},
		sendChatMsg : function(convId, msg){
			var reply = $msg({to: convId, from: $XMPP.jid, type: 'chat'}).c('body', null, msg);
			$XMPP.con.send(reply.tree());
		},
		invite : function(convId, userToInvite, groupConv, callback){
		},
		newConv : function(userToInvite, success){
			// add temp contact to the contacts
			var bareJid = Strophe.getBareJidFromJid(userToInvite);
			var contact = contacts.generateTempContact(bareJid, false, bareJid,
				[{"id": "xmpp", "displayname": "XMPP", "protocol": "xmpp", "namespace": "xmpp", "value": bareJid}]);
			contacts.contacts[bareJid] = contact;
			convs.addConv(bareJid, [contact, contacts.self()], 'xmpp', [], []);

		},
		attachFile : function(convId, paths, user){
		},
		removeFile : function(convId, path){
		},
		configChanged : function(){
			$XMPP.jid = initvar.backends.xmpp.config.jid;
			$XMPP.password = initvar.backends.xmpp.config.password;
			$XMPP.bosh_url = initvar.backends.xmpp.config.bosh_url;
			if(
				typeof $XMPP.con !== 'undefined'
				&& $XMPP.con !== null
			) {
				$XMPP.con.disconnect();
			}
			this.init();
		},
		addContactToRoster : function (backendValue) {
			var bareJid = Strophe.getBareJidFromJid(backendValue);
			var contact = contacts.findByBackendValue('xmpp', bareJid);
			var name = contact.displayname;
			// add contact to roster
			var iq = $iq({type: "set"}).c("query", {xmlns: "jabber:iq:roster"})
				.c("item", {jid: bareJid, name: name});
			$XMPP.con.sendIQ(iq);

			var subscribe = $pres({to: bareJid, "type": "subscribe"});
			$XMPP.con.send(subscribe);
			// set subscription for presence
		},
		removeContactFromRoster : function (backendValue) {
			var iq = $iq({type: "set"}).c("query", {xmlns: Strophe.NS.ROSTER}).c("item", {jid: backendValue, subscription: "remove"});
			$XMPP.con.sendIQ(iq);
			// Remove contact from roster
			// note: delete on an array leaves an undefined slot instead of shrinking the array
			var index = $XMPP.roster.indexOf(backendValue);
			delete $XMPP.roster[index];
		},
		contactInRoster : function (id) {
			if ($XMPP.roster.indexOf(id) === -1){
				return false;
			} else {
				return true;
			}
		}
	};
}]);
```