
Issues (4)

Security Analysis: no request data

This project does not seem to handle request data directly; as such, no vulnerable execution paths were found.

  Cross-Site Scripting
Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.
  File Exposure
File Exposure allows an attacker to gain access to local files that they should not be able to access. These files can, for example, include database credentials or other configuration files.
  File Manipulation
File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.
  Object Injection
Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.
  Code Injection
Code Injection enables an attacker to execute arbitrary code on the server.
  Response Splitting
Response Splitting can be used to send arbitrary responses.
  File Inclusion
File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.
  Command Injection
Command Injection enables an attacker to inject a shell command that is executed with the privileges of the web server. This can be used to expose sensitive data or to gain access to your server.
  SQL Injection
SQL Injection enables an attacker to execute arbitrary SQL code on your database server, gaining access to user data or manipulating it.
  XPath Injection
XPath Injection enables an attacker to modify which parts of an XML document are read. If that XML document is, for example, used for authentication, this can lead to further vulnerabilities similar to SQL Injection.
  LDAP Injection
LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.
  Header Injection
  Other Vulnerability
This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.
  Regex Injection
Regex Injection enables an attacker to execute arbitrary code in your PHP process.
  XML Injection
XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.
  Variable Injection
Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.
Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Middleware/Utility.php (2 issues)


Code duplication in publicCache() (line 97) and privateNoExpireCache() (line 116): This method seems to be duplicated in your project.

Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation.

<?php
/**
 * Phossa Project
 *
 * PHP version 5.4
 *
 * @category  Library
 * @package   Phossa2\Middleware
 * @copyright Copyright (c) 2016 phossa.com
 * @license   http://mit-license.org/ MIT License
 * @link      http://www.phossa.com/
 */
/*# declare(strict_types=1); */

namespace Phossa2\Middleware;

use Psr\Http\Message\ResponseInterface;

/**
 * Utility
 *
 * Utilities under PSR-7, set cookie etc.
 *
 * Modified from Relay.Middleware/blob/1.x/src/SessionHeadersHandler.php
 *
 * @package Phossa2\Middleware
 * @author  Hong Zhang <[email protected]>
 * @version 2.1.0
 * @since   2.1.0 added
 */
class Utility
{
    /**
     * Set a cookie in the response
     *
     * @param  ResponseInterface $response
     * @param  string $name
     * @param  string $value
     * @param  int $ttl
     * @param  string $path
     * @param  string $domain
     * @param  bool $secure
     * @param  bool $httponly
     * @return ResponseInterface
     * @access public
     */
    public static function setCookie(
        ResponseInterface $response,
        /*# string */ $name,
        /*# string */ $value = null,
        /*# int */ $ttl = null,
        /*# string */ $path = null,
        /*# string */ $domain = null,
        /*# bool */ $secure = false,
        /*# bool */ $httponly = true
    )/*# : ResponseInterface */ {
        $cookie = urlencode($name) . '=' . urlencode($value);

        self::addExpire($cookie, $ttl);

        self::addDomain($cookie, $domain);

        self::addPath($cookie, $path);

        self::addSecure($cookie, $secure);

        self::addHttpOnly($cookie, $httponly);

        return $response->withAddedHeader('Set-Cookie', $cookie);
    }

    /**
     * Unset a cookie by expiring it ($ttl is an offset from now, so it must be negative)
     *
     * @param  ResponseInterface $response
     * @param  string $name
     * @param  string $path
     * @return ResponseInterface
     * @access public
     */
    public static function unsetCookie(
        ResponseInterface $response,
        /*# string */ $name,
        /*# string */ $path = null
    )/*# : ResponseInterface */ {
        return self::setCookie($response, $name, '', -86400, $path);
    }

    /**
     * Set public cache header
     *
     * @param  ResponseInterface $response
     * @param  int $cacheTime cache time in minutes
     * @return ResponseInterface
     * @access public
     */
    public static function publicCache(
        ResponseInterface $response,
        /*# int */ $cacheTime = 120
    )/*# : ResponseInterface */ {
        $maxAge = $cacheTime * 60;
        return $response
            ->withAddedHeader('Expires', self::timeStamp($maxAge))
            ->withAddedHeader('Cache-Control', "public, max-age={$maxAge}")
            ->withAddedHeader('Last-Modified', self::timeStamp());
    }

    /**
     * Set private_no_expire cache header
     *
     * @param  ResponseInterface $response
     * @param  int $cacheTime cache time in minutes
     * @return ResponseInterface
     * @access public
     */
    public static function privateNoExpireCache(
        ResponseInterface $response,
        /*# int */ $cacheTime = 120
    )/*# : ResponseInterface */ {
        $maxAge = $cacheTime * 60;
        return $response
            ->withAddedHeader('Cache-Control', "private, max-age={$maxAge}, pre-check={$maxAge}")
            ->withAddedHeader('Last-Modified', self::timeStamp());
    }

    /**
     * Set private cache header
     *
     * @param  ResponseInterface $response
     * @return ResponseInterface
     * @access public
     */
    public static function privateCache(
        ResponseInterface $response
    )/*# : ResponseInterface */ {
        return self::privateNoExpireCache(
            $response->withAddedHeader('Expires', self::timeStamp(-3153600))
        );
    }

    /**
     * Set no cache header
     *
     * @param  ResponseInterface $response
     * @return ResponseInterface
     * @access public
     */
    public static function noCache(
        ResponseInterface $response
    )/*# : ResponseInterface */ {
        return $response
            ->withAddedHeader('Expires', self::timeStamp(-3153600))
            ->withAddedHeader(
                'Cache-Control',
                'no-store, no-cache, must-revalidate, post-check=0, pre-check=0'
            )
            ->withAddedHeader('Pragma', 'no-cache');
    }

    protected static function timeStamp(/*# int */ $ttl = 0)
    {
        return gmdate('D, d M Y H:i:s T', time() + $ttl);
    }

    protected static function addExpire(/*# string */ &$cookie, $ttl)
    {
        if ($ttl) {
            $expires = self::timeStamp($ttl);
            $cookie .= "; expires={$expires}; max-age={$ttl}";
        }
    }

    protected static function addDomain(/*# string */ &$cookie, $domain)
    {
        if ($domain) {
            $cookie .= "; domain={$domain}";
        }
    }

    protected static function addPath(/*# string */ &$cookie, $path)
    {
        if ($path) {
            $cookie .= "; path={$path}";
        }
    }

    protected static function addSecure(/*# string */ &$cookie, $secure)
    {
        if ($secure) {
            $cookie .= '; secure';
        }
    }

    protected static function addHttpOnly(/*# string */ &$cookie, $httponly)
    {
        if ($httponly) {
            $cookie .= '; httponly';
        }
    }
}