Issues (158)

Security Analysis    no request data  

This project does not seem to handle request data directly as such no vulnerable execution paths were found.

  Cross-Site Scripting
Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.
  File Exposure
File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.
  File Manipulation
File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.
  Object Injection
Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.
  Code Injection
Code Injection enables an attacker to execute arbitrary code on the server.
  Response Splitting
Response Splitting can be used to send arbitrary responses.
  File Inclusion
File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.
  Command Injection
Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.
  SQL Injection
SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.
  XPath Injection
XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.
  LDAP Injection
LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.
  Header Injection
  Other Vulnerability
This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.
  Regex Injection
Regex Injection enables an attacker to execute arbitrary code in your PHP process.
  XML Injection
XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.
  Variable Injection
Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.
Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

tests/unit/controller/ApiControllerTest.php (5 issues)

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

1
<?php
2
3
namespace OCA\Chat\Controller\OCH;
4
5
use \OCA\Chat\Utility\ControllerTestUtility;
6
use \OCA\Chat\App\Chat;
7
use \OCA\Chat\App\Container;
8
use \OCP\IRequest;
9
use \OCA\Chat\Controller\OCH\ApiController;
10
11
12
function time(){
13
	return '2324';
14
}
15
16
/**
17
 * Class UserMock
18
 * This class mocks \OC\User\User
19
 */
20
class UserMock {
21
22
	public function getUID(){
23
		return 'foo';
24
	}
25
26
}
27
28
class ApiControllerTest extends ControllerTestUtility {
0 ignored issues
show
Coding Style Compatibility introduced by
PSR1 recommends that each class should be in its own file to aid autoloaders.

Having each class in a dedicated file usually plays nice with PSR autoloaders and is therefore a well established practice. If you use other autoloaders, you might not want to follow this rule.

Loading history...
29
30
	/**
31
	 * @var string
32
	 */
33
	private $appName;
34
35
	/**
36
	 * @var \OCP\Irequest
37
	 */
38
	private $request;
39
40
	/**
41
	 * @var \OCA\Chat\Controller\OCH\ApiController
42
	 */
43
	private $controller;
44
45
	/**
46
	 * @var \OCA\Chat\App\Chat
47
	 */
48
	private $app;
0 ignored issues
show
The property $app is not used and could be removed.

This check marks private properties in classes that are never used. Those properties can be removed.

Loading history...
49
50
	public function setUp(){
51
		$this->appName = 'chat';
52
		$this->request =  $this->getMockBuilder('\OCP\IRequest')
53
			->disableOriginalConstructor()
54
			->getMock();
55
56
		$this->container = $this->getMockBuilder('\OCA\Chat\App\Container')
0 ignored issues
show
The property container does not exist. Did you maybe forget to declare it?

In PHP it is possible to write to properties without declaring them. For example, the following is perfectly valid PHP code:

class MyClass { }

$x = new MyClass();
$x->foo = true;

Generally, it is a good practice to explictly declare properties to avoid accidental typos and provide IDE auto-completion:

class MyClass {
    public $foo;
}

$x = new MyClass();
$x->foo = true;
Loading history...
57
			->disableOriginalConstructor()
58
			->getMock();
59
60
		$this->chat = $this->getMockBuilder('\OCA\Chat\App\Chat')
0 ignored issues
show
The property chat does not exist. Did you maybe forget to declare it?

In PHP it is possible to write to properties without declaring them. For example, the following is perfectly valid PHP code:

class MyClass { }

$x = new MyClass();
$x->foo = true;

Generally, it is a good practice to explictly declare properties to avoid accidental typos and provide IDE auto-completion:

class MyClass {
    public $foo;
}

$x = new MyClass();
$x->foo = true;
Loading history...
61
			->disableOriginalConstructor()
62
			->getMock();
63
64
		$this->chatAPI = $this->getMockBuilder('\OCA\Chat\OCH\ChatAPI')
0 ignored issues
show
The property chatAPI does not exist. Did you maybe forget to declare it?

In PHP it is possible to write to properties without declaring them. For example, the following is perfectly valid PHP code:

class MyClass { }

$x = new MyClass();
$x->foo = true;

Generally, it is a good practice to explictly declare properties to avoid accidental typos and provide IDE auto-completion:

class MyClass {
    public $foo;
}

$x = new MyClass();
$x->foo = true;
Loading history...
65
			->disableOriginalConstructor()
66
			->getMock();
67
68
		$this->controller = new ApiController(
69
			$this->appName,
70
			$this->request,
71
			$this->chat,
72
			$this->container
73
		);
74
	}
75
76
	public function testRouteAnnotations(){
77
		$expectedAnnotations = array('NoAdminRequired');
78
		$this->assertAnnotations($this->controller, 'route', $expectedAnnotations);
79
	}
80
81
	public function routeProvider(){
82
		return array(
83
			// test invalid HTTP type
84
			array(
85
				"command::join::response",
86
				array(),
87
				array(
88
					"type" => "command::join::response",
89
					"data" => array(
90
						"status" => "error",
91
						"msg" => ApiController::INVALID_HTTP_TYPE
92
					)
93
				)
94
			),
95
			// test ommitted session id
96
			array(
97
				"command::blub::request",
98
				array(),
99
				array(
100
					"type" => "command::blub::response",
101
					"data" => array(
102
						"status" => "error",
103
						"msg" => ApiController::NO_SESSION_ID
104
					)
105
				)
106
			),
107
			// test ommited user
108
			array(
109
				"command::blub::request",
110
				array(
111
					"session_id" => md5(time())
112
				),
113
				array(
114
					"type" => "command::blub::response",
115
					"data" => array(
116
						"status" => "error",
117
						"msg" => ApiController::NO_USER
118
					)
119
				)
120
			),
121
			// test invalid http type with data as requesttype
122
			array(
123
				"data::join::response",
124
				array(),
125
				array(
126
					"type" => "data::join::response",
127
					"data" => array(
128
						"status" => "error",
129
						"msg" => ApiController::INVALID_HTTP_TYPE
130
					)
131
				)
132
			),
133
			// test ommitted session id with data as requesttype
134
			array(
135
				"data::blub::request",
136
				array(),
137
				array(
138
					"type" => "data::blub::response",
139
					"data" => array(
140
						"status" => "error",
141
						"msg" => ApiController::NO_SESSION_ID
142
					)
143
				)
144
			),
145
			// test ommitted user with data as requesttype
146
			array(
147
				"data::blub::request",
148
				array(
149
					"session_id" => md5(time())
150
				),
151
				array(
152
					"type" => "data::blub::response",
153
					"data" => array(
154
						"status" => "error",
155
						"msg" => ApiController::NO_USER
156
					)
157
				)
158
			),
159
			// test invalid http type with push as requesttype
160
			array(
161
				"push::join::response",
162
				array(),
163
				array(
164
					"type" => "push::join::response",
165
					"data" => array(
166
						"status" => "error",
167
						"msg" => ApiController::INVALID_HTTP_TYPE
168
					)
169
				)
170
			),
171
			// test ommitted session id with push as requesttype
172
			array(
173
				"push::blub::request",
174
				array(),
175
				array(
176
					"type" => "push::blub::response",
177
					"data" => array(
178
						"status" => "error",
179
						"msg" => ApiController::NO_SESSION_ID
180
					)
181
				)
182
			),
183
			// test ommitted user with push as requesttype
184
			array(
185
				"push::blub::request",
186
				array(
187
					"session_id" => md5(time())
188
				),
189
				array(
190
					"type" => "push::blub::response",
191
					"data" => array(
192
						"status" => "error",
193
						"msg" => ApiController::NO_USER
194
					)
195
				)
196
			),
197
			// test not existent command
198
			array(
199
				"command::blub::request",
200
				array(
201
					"session_id" => md5(time()),
202
					"user" => array(
203
						'id' => 'foo',
204
						'displayname' => 'foo',
205
						'backends' => array (
206
							'email' => array (
207
								'id' => NULL,
208
								'displayname' => 'E-mail',
209
								'protocol' => 'email',
210
								'namespace' => ' email',
211
								'value' => array (
212
									0 => array (
213
									),
214
								),
215
							),
216
							'och' => array (
217
								'id' => NULL,
218
								'displayname' => 'ownCloud Handle',
219
								'protocol' => 'x-owncloud-handle',
220
								'namespace' => 'och',
221
								'value' => 'foo',
222
							),
223
						),
224
						'address_book_id' => 'local',
225
						'address_book_backend' => '',
226
					),
227
				),
228
				array(
229
					"type" => "command::blub::response",
230
					"data" => array(
231
						"status" => "error",
232
						"msg" => ApiController::COMMAND_NOT_FOUND
233
					)
234
				)
235
			),
236
			// test not existent data request
237
			array(
238
				"data::blub::request",
239
				array(
240
					"session_id" => md5(time()),
241
					"user" => array(
242
						'id' => 'foo',
243
						'displayname' => 'foo',
244
						'backends' => array (
245
							'email' => array (
246
								'id' => NULL,
247
								'displayname' => 'E-mail',
248
								'protocol' => 'email',
249
								'namespace' => ' email',
250
								'value' => array (
251
									0 => array (
252
									),
253
								),
254
							),
255
							'och' => array (
256
								'id' => NULL,
257
								'displayname' => 'ownCloud Handle',
258
								'protocol' => 'x-owncloud-handle',
259
								'namespace' => 'och',
260
								'value' => 'foo',
261
							),
262
						),
263
						'address_book_id' => 'local',
264
						'address_book_backend' => '',
265
					),
266
				),
267
				array(
268
					"type" => "data::blub::response",
269
					"data" => array(
270
						"status" => "error",
271
						"msg" => ApiController::DATA_ACTION_NOT_FOUND
272
					)
273
				)
274
			),
275
			// test not existent push request
276
			array(
277
				"push::blub::request",
278
				array(
279
					"session_id" => md5(time()),
280
					"user" => array(
281
						'id' => 'foo',
282
						'displayname' => 'foo',
283
						'backends' => array (
284
							'email' => array (
285
								'id' => NULL,
286
								'displayname' => 'E-mail',
287
								'protocol' => 'email',
288
								'namespace' => ' email',
289
								'value' => array (
290
									0 => array (
291
									),
292
								),
293
							),
294
							'och' => array (
295
								'id' => NULL,
296
								'displayname' => 'ownCloud Handle',
297
								'protocol' => 'x-owncloud-handle',
298
								'namespace' => 'och',
299
								'value' => 'foo',
300
							),
301
						),
302
						'address_book_id' => 'local',
303
						'address_book_backend' => '',
304
					),
305
				),
306
				array(
307
					"type" => "push::blub::response",
308
					"data" => array(
309
						"status" => "error",
310
						"msg" => ApiController::PUSH_ACTION_NOT_FOUND
311
					)
312
				)
313
			),
314
			// test user not equal to the logged in OC user
315
			array(
316
				"push::get::request",
317
				array(
318
					"session_id" => md5(time()),
319
					"user" => array(
320
						'id' => 'bar',
321
						'displayname' => 'bar',
322
						'backends' => array (
323
							'email' => array (
324
								'id' => NULL,
325
								'displayname' => 'E-mail',
326
								'protocol' => 'email',
327
								'namespace' => ' email',
328
								'value' => array (
329
									0 => array (
330
									),
331
								),
332
							),
333
							'och' => array (
334
								'id' => NULL,
335
								'displayname' => 'ownCloud Handle',
336
								'protocol' => 'x-owncloud-handle',
337
								'namespace' => 'och',
338
								'value' => 'bar',
339
							),
340
						),
341
						'address_book_id' => 'local',
342
						'address_book_backend' => '',
343
					),
344
				),
345
				array(
346
					"type" => "push::get::response",
347
					"data" => array(
348
						"status" => "error",
349
						"msg" => ApiController::USER_NOT_EQUAL_TO_OC_USER
350
					)
351
				)
352
			),
353
		);
354
	}
355
356
	/**
357
	 * Test if wrong request data will result in the correct error
358
	 * @dataProvider routeProvider
359
	 */
360
	public function	testError($type, $data, $expectedData){
361
		$this->chat->expects($this->any())
362
			->method('getUserId')
363
			->will($this->returnValue('foo'));
364
365
		$this->container->expects($this->any())
366
			->method('query')
367
			->will($this->returnValue($this->chatAPI));
368
369
		$response = $this->controller->route($type, $data);
370
		$this->assertInstanceOf('\OCA\Chat\OCH\Responses\Error', $response);
371
		$this->assertEquals($expectedData, $response->getData());
372
	}
373
374
	public function commandExecutionProivder(){
375
		return array(
376
			array(
377
				"command::join::request",
378
				array(
379
					"conv_id" => md5(time() + 2343),
380
					"timestamp" => time(),
381
					"user" => array(
382
						'id' => 'foo',
383
						'displayname' => 'foo',
384
						'backends' => array (
385
							'email' => array (
386
								'id' => NULL,
387
								'displayname' => 'E-mail',
388
								'protocol' => 'email',
389
								'namespace' => ' email',
390
								'value' => array (
391
									0 => array (
392
									),
393
								),
394
							),
395
							'och' => array (
396
								'id' => NULL,
397
								'displayname' => 'ownCloud Handle',
398
								'protocol' => 'x-owncloud-handle',
399
								'namespace' => 'och',
400
								'value' => 'foo',
401
							),
402
						),
403
						'address_book_id' => 'local',
404
						'address_book_backend' => '',
405
					),
406
					"session_id" => md5(time() -324234)
407
				),
408
				'join',
409
				'command'
410
			),
411
		);
412
	}
413
414
	/**
415
	 * Test if the correct class is executed when asked
416
	 * @dataProvider commandExecutionProivder
417
	 */
418
	public function testCommandExecution($type, $data, $className, $requestType){
419
		$this->chat->expects($this->any())
420
			->method('getUserId')
421
			->will($this->returnValue('foo'));
422
423
		$this->container->expects($this->any())
424
			->method('query')
425
			->will($this->returnCallback(function() use($className, $requestType, $data){
426
				$class = $this->getMockBuilder('\OCA\Chat\OCH\ChatAPI')
427
					->disableOriginalConstructor()
428
					->getMock();
429
430
				$class->expects($this->once())
431
					->method('setRequestData')
432
					->with($this->equalTo($data))
433
					->will($this->returnValue(true));
434
435
				$class->expects($this->once())
436
					->method('execute')
437
					->will($this->returnValue(null));
438
439
				return $class;
440
			}));
441
442
443
		$response = $this->controller->route($type, $data);
444
		$this->assertInstanceOf('\OCA\Chat\OCH\Responses\Success', $response);
445
		$this->assertEquals(array("type" =>  $requestType . '::' . $className . '::response', "data" => array("status" => "success")), $response->getData());
446
447
	}
448
449
	public function dataExecutionProvider(){
450
		return array(
451
			array(
452
				"data::get_users::request",
453
				array(
454
					"conv_id" => md5(time() + 2343),
455
					"timestamp" => time(),
456
					"user" => array(
457
						'id' => 'foo',
458
						'displayname' => 'foo',
459
						'backends' => array (
460
							'email' => array (
461
								'id' => NULL,
462
								'displayname' => 'E-mail',
463
								'protocol' => 'email',
464
								'namespace' => ' email',
465
								'value' => array (
466
									0 => array (
467
									),
468
								),
469
							),
470
							'och' => array (
471
								'id' => NULL,
472
								'displayname' => 'ownCloud Handle',
473
								'protocol' => 'x-owncloud-handle',
474
								'namespace' => 'och',
475
								'value' => 'foo',
476
							),
477
						),
478
						'address_book_id' => 'local',
479
						'address_book_backend' => '',
480
					),
481
					"session_id" => md5(time() -324234)
482
				),
483
				'GetUsers',
484
				'data',
485
				array('dummy' => 'dummydata'),
486
				'get_users'
487
			),
488
		);
489
	}
490
491
	/**
492
	 * @dataProvider dataExecutionProvider
493
	 */
494
	public function testDataExecution($type, $data, $className, $requestType, $dummyData, $commandName){
495
		$this->chat->expects($this->any())
496
			->method('getUserId')
497
			->will($this->returnValue('foo'));
498
499
		$this->container->expects($this->any())
500
			->method('query')
501
			->will($this->returnCallback(function() use($className, $requestType, $data, $dummyData){
502
				$class = $this->getMockBuilder('\OCA\Chat\OCH\ChatAPI')
503
					->disableOriginalConstructor()
504
					->getMock();
505
506
				$class->expects($this->once())
507
					->method('setRequestData')
508
					->with($this->equalTo($data))
509
					->will($this->returnValue(true));
510
511
				$class->expects($this->once())
512
					->method('execute')
513
					->will($this->returnValue($dummyData));
514
515
				return $class;
516
			}));
517
518
		$response = $this->controller->route($type, $data);
519
		$expectedData = array(
520
			"type" =>  $requestType . '::' . $commandName . '::response',
521
			"data" => $dummyData
522
		);
523
		$expectedData['data']["status"] = "success";
524
		$this->assertInstanceOf('\OCA\Chat\OCH\Responses\Success', $response);
525
		$this->assertEquals($expectedData, $response->getData());
526
527
	}
528
529
	public function pushExecutionProvider(){
530
		return array(
531
			array(
532
				"push::get::request",
533
				array(
534
					"conv_id" => md5(time() + 2343),
535
					"timestamp" => time(),
536
					"user" => array(
537
						'id' => 'foo',
538
						'displayname' => 'foo',
539
						'backends' => array (
540
							'email' => array (
541
								'id' => NULL,
542
								'displayname' => 'E-mail',
543
								'protocol' => 'email',
544
								'namespace' => ' email',
545
								'value' => array (
546
									0 => array (
547
									),
548
								),
549
							),
550
							'och' => array (
551
								'id' => NULL,
552
								'displayname' => 'ownCloud Handle',
553
								'protocol' => 'x-owncloud-handle',
554
								'namespace' => 'och',
555
								'value' => 'foo',
556
							),
557
						),
558
						'address_book_id' => 'local',
559
						'address_book_backend' => '',
560
					),
561
					"session_id" => md5(time() -324234)
562
				),
563
				'get',
564
				'push',
565
				array('dummy' => 'dummydata'),
566
			),
567
		);
568
	}
569
570
	/**
571
	 * @dataProvider pushExecutionProvider
572
	 */
573
	public function testPushExecution($type, $data, $className, $requestType, $dummyData){
574
		$this->chat->expects($this->any())
575
			->method('getUserId')
576
			->will($this->returnValue('foo'));
577
578
		$this->container->expects($this->any())
579
			->method('query')
580
			->will($this->returnCallback(function() use($className, $requestType, $data, $dummyData){
581
				$class = $this->getMockBuilder('\OCA\Chat\OCH\ChatAPI')
582
					->disableOriginalConstructor()
583
					->getMock();
584
585
				$class->expects($this->once())
586
					->method('setRequestData')
587
					->with($this->equalTo($data))
588
					->will($this->returnValue(true));
589
590
				$class->expects($this->once())
591
					->method('execute')
592
					->will($this->returnValue($dummyData));
593
594
				return $class;
595
			}));
596
597
		$response = $this->controller->route($type, $data);
598
		$expectedData = array(
599
			'dummy' => 'dummydata'
600
		);
601
		$this->assertEquals($expectedData, $response);
602
	}
603
604
}