Issues in Client.php (master) - Issues in master - php-http/buzz-adapter - Measure and Improve Code Quality continuously with Scrutinizer

Issues (2)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Client.php (1 issue)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace Http\Adapter\Buzz;

use Buzz\Browser;
use Buzz\Client\ClientInterface;
use Buzz\Client\Curl;
use Buzz\Client\FileGetContents;
use Buzz\Exception as BuzzException;
use Buzz\Message\Request as BuzzRequest;
use Buzz\Message\RequestInterface as BuzzRequestInterface;
use Buzz\Message\Response as BuzzResponse;
use Http\Client\HttpClient;
use Http\Discovery\MessageFactoryDiscovery;
use Http\Message\ResponseFactory;
use Psr\Http\Message\RequestInterface;
use Psr\Http\Message\ResponseInterface;
use Http\Client\Exception as HttplugException;

/**
 * @author Tobias Nyholm <[email protected]>
 */
class Client implements HttpClient
{
    /**
     * @var ClientInterface
     */
    private $client;

    /**
     * @var ResponseFactory
     */
    private $responseFactory;

    /**
     * @param ClientInterface|Browser|null $client
     * @param ResponseFactory|null         $responseFactory
     */
    public function __construct($client = null, ResponseFactory $responseFactory = null)
    {
        $this->client = $client;

        if (null === $this->client) {
            $this->client = new FileGetContents();
            $this->client->setMaxRedirects(0);
        }

        if ((!$this->client instanceof ClientInterface) && (!$this->client instanceof Browser)) {
            throw new \InvalidArgumentException(
                sprintf(
                    'The client passed to the Buzz adapter must either implement %s or be an instance of %s. You passed %s.',
                    ClientInterface::class,
                    Browser::class,
                    is_object($client) ? get_class($client) : gettype($client)
                )
            );
        }

        $this->responseFactory = $responseFactory ?: MessageFactoryDiscovery::find();
    }

    /**
     * {@inheritdoc}
     */
    public function sendRequest(RequestInterface $request)
    {
        $this->assertRequestHasValidBody($request);

        $buzzRequest = $this->createRequest($request);

        try {
            $buzzResponse = new BuzzResponse();
            $this->client->send($buzzRequest, $buzzResponse);
        } catch (BuzzException\RequestException $e) {
            if (28 === $e->getCode() || strstr($e->getMessage(), 'failed to open stream: Operation timed out')) {
                // Timeout
                throw new HttplugException\NetworkException($e->getMessage(), $request, $e);
            }

            throw new HttplugException\RequestException($e->getMessage(), $request, $e);
        } catch (BuzzException\ClientException $e) {
            throw new HttplugException\TransferException($e->getMessage(), 0, $e);
        }

        return $this->createResponse($buzzResponse);
    }

    /**
     * Converts a PSR request into a BuzzRequest request.
     *
     * @param RequestInterface $request
     *
     * @return BuzzRequest
     */
    private function createRequest(RequestInterface $request)
    {
        $buzzRequest = new BuzzRequest();
        $buzzRequest->setMethod($request->getMethod());
        $buzzRequest->fromUrl($request->getUri()->__toString());
        $buzzRequest->setProtocolVersion($request->getProtocolVersion());
        $buzzRequest->setContent((string) $request->getBody());

        $this->addPsrHeadersToBuzzRequest($request, $buzzRequest);

        return $buzzRequest;
    }

    /**
     * Converts a Buzz response into a PSR response.
     *
     * @param BuzzResponse $response
     *
     * @return ResponseInterface
     */
    private function createResponse(BuzzResponse $response)
    {
        $body = $response->getContent();

        return $this->responseFactory->createResponse(
            $response->getStatusCode(),
            null,
            $this->getBuzzHeaders($response),
            $body,
            number_format($response->getProtocolVersion(), 1)
        );
    }

    /**
     * Apply headers on a Buzz request.
     *
     * @param RequestInterface $request
     * @param BuzzRequest      $buzzRequest
     */
    private function addPsrHeadersToBuzzRequest(RequestInterface $request, BuzzRequest $buzzRequest)
    {
        $headers = $request->getHeaders();
        foreach ($headers as $name => $values) {
            foreach ($values as $header) {
                $buzzRequest->addHeader($name.': '.$header);
            }
        }
    }

    /**
     * Get headers from a Buzz response.
     *
     * @param BuzzResponse $response
     *
     * @return array
     */
    private function getBuzzHeaders(BuzzResponse $response)
    {
        $buzzHeaders = $response->getHeaders();
        unset($buzzHeaders[0]);
        $headers = [];
        foreach ($buzzHeaders as $headerLine) {
            list($name, $value) = explode(':', $headerLine, 2);
            $headers[$name] = trim($value);
        }

        return $headers;
    }

    /**
     * Assert that the request has a valid body based on the request method.
     *
     * @param RequestInterface $request
     */
    private function assertRequestHasValidBody(RequestInterface $request)
    {
        $validMethods = [
            BuzzRequestInterface::METHOD_POST,
            BuzzRequestInterface::METHOD_PUT,
            BuzzRequestInterface::METHOD_DELETE,
            BuzzRequestInterface::METHOD_PATCH,
            BuzzRequestInterface::METHOD_OPTIONS,
        ];

        // The Buzz Curl client does not send request bodies for request methods such as GET, HEAD and TRACE. Instead of
        // silently ignoring the request body in these cases, throw an exception to make users aware.
        if ($this->client instanceof Curl &&
            $request->getBody()->getSize() &&
0   == false // true
0   == null  // true
123 == false // false
123 == null  // false

// It is often better to use strict comparison
0 === false // false
0 === null  // false
            !in_array(strtoupper($request->getMethod()), $validMethods, true)
        ) {
            throw new HttplugException\RequestException(
                sprintf('%s does not support %s requests with a body', Curl::class, $request->getMethod()),
                $request
            );
        }
    }
}


1		<?php
2
3		namespace Http\Adapter\Buzz;
4
5		use Buzz\Browser;
6		use Buzz\Client\ClientInterface;
7		use Buzz\Client\Curl;
8		use Buzz\Client\FileGetContents;
9		use Buzz\Exception as BuzzException;
10		use Buzz\Message\Request as BuzzRequest;
11		use Buzz\Message\RequestInterface as BuzzRequestInterface;
12		use Buzz\Message\Response as BuzzResponse;
13		use Http\Client\HttpClient;
14		use Http\Discovery\MessageFactoryDiscovery;
15		use Http\Message\ResponseFactory;
16		use Psr\Http\Message\RequestInterface;
17		use Psr\Http\Message\ResponseInterface;
18		use Http\Client\Exception as HttplugException;
19
20		/**
21		* @author Tobias Nyholm <[email protected]>
22		*/
23		class Client implements HttpClient
24		{
25		/**
26		* @var ClientInterface
27		*/
28		private $client;
29
30		/**
31		* @var ResponseFactory
32		*/
33		private $responseFactory;
34
35		/**
36		* @param ClientInterface\|Browser\|null $client
37		* @param ResponseFactory\|null $responseFactory
38		*/
39	214	public function __construct($client = null, ResponseFactory $responseFactory = null)
40		{
41	214	$this->client = $client;
42
43	214	if (null === $this->client) {
44	53	$this->client = new FileGetContents();
45	54	$this->client->setMaxRedirects(0);
46	53	}
47
48	214	if ((!$this->client instanceof ClientInterface) && (!$this->client instanceof Browser)) {
49	2	throw new \InvalidArgumentException(
50	2	sprintf(
51	2	'The client passed to the Buzz adapter must either implement %s or be an instance of %s. You passed %s.',
52	2	ClientInterface::class,
53	2	Browser::class,
54	2	is_object($client) ? get_class($client) : gettype($client)
55	2	)
56	2	);
57		}
58
59	212	$this->responseFactory = $responseFactory ?: MessageFactoryDiscovery::find();
60	212	}
61
62		/**
63		* {@inheritdoc}
64		*/
65	212	public function sendRequest(RequestInterface $request)
66		{
67	212	$this->assertRequestHasValidBody($request);
68
69	200	$buzzRequest = $this->createRequest($request);
70
71		try {
72	200	$buzzResponse = new BuzzResponse();
73	200	$this->client->send($buzzRequest, $buzzResponse);
74	200	} catch (BuzzException\RequestException $e) {
75	4	if (28 === $e->getCode() \|\| strstr($e->getMessage(), 'failed to open stream: Operation timed out')) {
76		// Timeout
77		throw new HttplugException\NetworkException($e->getMessage(), $request, $e);
78		}
79
80	4	throw new HttplugException\RequestException($e->getMessage(), $request, $e);
81		} catch (BuzzException\ClientException $e) {
82		throw new HttplugException\TransferException($e->getMessage(), 0, $e);
83		}
84
85	196	return $this->createResponse($buzzResponse);
86		}
87
88		/**
89		* Converts a PSR request into a BuzzRequest request.
90		*
91		* @param RequestInterface $request
92		*
93		* @return BuzzRequest
94		*/
95	200	private function createRequest(RequestInterface $request)
96		{
97	200	$buzzRequest = new BuzzRequest();
98	200	$buzzRequest->setMethod($request->getMethod());
99	200	$buzzRequest->fromUrl($request->getUri()->__toString());
100	200	$buzzRequest->setProtocolVersion($request->getProtocolVersion());
101	200	$buzzRequest->setContent((string) $request->getBody());
102
103	200	$this->addPsrHeadersToBuzzRequest($request, $buzzRequest);
104
105	200	return $buzzRequest;
106		}
107
108		/**
109		* Converts a Buzz response into a PSR response.
110		*
111		* @param BuzzResponse $response
112		*
113		* @return ResponseInterface
114		*/
115	196	private function createResponse(BuzzResponse $response)
116		{
117	196	$body = $response->getContent();
118
119	196	return $this->responseFactory->createResponse(
120	196	$response->getStatusCode(),
121	196	null,
122	196	$this->getBuzzHeaders($response),
123	196	$body,
124	196	number_format($response->getProtocolVersion(), 1)
125	196	);
126		}
127
128		/**
129		* Apply headers on a Buzz request.
130		*
131		* @param RequestInterface $request
132		* @param BuzzRequest $buzzRequest
133		*/
134	200	private function addPsrHeadersToBuzzRequest(RequestInterface $request, BuzzRequest $buzzRequest)
135		{
136	200	$headers = $request->getHeaders();
137	200	foreach ($headers as $name => $values) {
138	200	foreach ($values as $header) {
139	200	$buzzRequest->addHeader($name.': '.$header);
140	200	}
141	200	}
142	200	}
143
144		/**
145		* Get headers from a Buzz response.
146		*
147		* @param BuzzResponse $response
148		*
149		* @return array
150		*/
151	196	private function getBuzzHeaders(BuzzResponse $response)
152		{
153	196	$buzzHeaders = $response->getHeaders();
154	196	unset($buzzHeaders[0]);
155	196	$headers = [];
156	196	foreach ($buzzHeaders as $headerLine) {
157	196	list($name, $value) = explode(':', $headerLine, 2);
158	196	$headers[$name] = trim($value);
159	196	}
160
161	196	return $headers;
162		}
163
164		/**
165		* Assert that the request has a valid body based on the request method.
166		*
167		* @param RequestInterface $request
168		*/
169	212	private function assertRequestHasValidBody(RequestInterface $request)
170		{
171		$validMethods = [
172	212	BuzzRequestInterface::METHOD_POST,
173	212	BuzzRequestInterface::METHOD_PUT,
174	212	BuzzRequestInterface::METHOD_DELETE,
175	212	BuzzRequestInterface::METHOD_PATCH,
176	212	BuzzRequestInterface::METHOD_OPTIONS,
177	212	];
178
179		// The Buzz Curl client does not send request bodies for request methods such as GET, HEAD and TRACE. Instead of
180		// silently ignoring the request body in these cases, throw an exception to make users aware.
181	212	if ($this->client instanceof Curl &&
182	212	$request->getBody()->getSize() &&
		0 ignored issues – show Bug Best Practice introduced 2016-07-07 19:49 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `$request->getBody()->getSize()` of type `integer\|null` is loosely compared to `true`; this is ambiguous if the integer can be zero. You might want to explicitly use `!== null` instead. In PHP, under loose comparison (like `==`, or `!=`, or `switch` conditions), values of different types might be equal. For `integer` values, zero is a special case, in particular the following results might be unexpected: 0 == false // true 0 == null // true 123 == false // false 123 == null // false // It is often better to use strict comparison 0 === false // false 0 === null // false Loading history...
183	20	!in_array(strtoupper($request->getMethod()), $validMethods, true)
184	212	) {
185	12	throw new HttplugException\RequestException(
186	12	sprintf('%s does not support %s requests with a body', Curl::class, $request->getMethod()),
187		$request
188	12	);
189		}
190	200	}
191		}
192

php-http / buzz-adapter

Issues (2)

Security Analysis no request data

src/Client.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like