Issues in firebaseLib.php (master) - Issues in master - pongo/firebase-php - Measure and Improve Code Quality continuously with Scrutinizer

Issues (27)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/firebaseLib.php (4 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace Firebase;

require_once __DIR__ . '/firebaseInterface.php';

use \Exception;


/**
 * Firebase PHP Client Library
 *
 * @author Tamas Kalman <[email protected]>
 * @url    https://github.com/ktamas77/firebase-php/
 * @link   https://www.firebase.com/docs/rest-api.html
 */

/**
 * Firebase PHP Class
 *
 * @author Tamas Kalman <[email protected]>
 * @link   https://www.firebase.com/docs/rest-api.html
 */
class FirebaseLib implements FirebaseInterface
{
    private $_baseURI;
    private $_timeout;
    private $_token;
    private $_curlHandler;

    /**
     * Constructor
     *
     * @param string $baseURI
     * @param string $token
     */
    function __construct($baseURI = '', $token = '')

    {
        if ($baseURI == '') {
            trigger_error('You must provide a baseURI variable.', E_USER_ERROR);
        }

        if (!extension_loaded('curl')) {
            trigger_error('Extension CURL is not loaded.', E_USER_ERROR);
        }

        $this->setBaseURI($baseURI);
        $this->setTimeOut(10);
        $this->setToken($token);
        $this->initCurlHandler();
    }

    /**
     * Initializing the CURL handler
     *
     * @return void
     */
    public function initCurlHandler()
    {
        $this->_curlHandler = curl_init();
    }

    /**
     * Closing the CURL handler
     *
     * @return void
     */
    public function closeCurlHandler()
    {
        curl_close($this->_curlHandler);
    }

    /**
     * Sets Token
     *
     * @param string $token Token
     *
     * @return void
     */
    public function setToken($token)
    {
        $this->_token = $token;
    }

    /**
     * Sets Base URI, ex: http://yourcompany.firebase.com/youruser
     *
     * @param string $baseURI Base URI
     *
     * @return void
     */
    public function setBaseURI($baseURI)
    {
        $baseURI .= (substr($baseURI, -1) == '/' ? '' : '/');
        $this->_baseURI = $baseURI;
    }

    /**
     * Returns with the normalized JSON absolute path
     *
     * @param  string $path Path
     * @param  array $options Options
     * @return string
     */
    private function _getJsonPath($path, $options = array())
    {
        $url = $this->_baseURI;
        if ($this->_token !== '') {
            $options['auth'] = $this->_token;
        }
        $path = ltrim($path, '/');
        return $url . $path . '.json?' . http_build_query($options);
    }

    /**
     * Sets REST call timeout in seconds
     *
     * @param integer $seconds Seconds to timeout
     *
     * @return void
     */
    public function setTimeOut($seconds)
    {
        $this->_timeout = $seconds;
    }

    /**
     * Writing data into Firebase with a PUT request
     * HTTP 200: Ok
     *
     * @param string $path Path
     * @param mixed $data Data
     * @param array $options Options
     *
     * @return array Response
     */
    public function set($path, $data, $options = array())
    {
        return $this->_writeData($path, $data, 'PUT', $options);
    }

    /**
     * Pushing data into Firebase with a POST request
     * HTTP 200: Ok
     *
     * @param string $path Path
     * @param mixed $data Data
     * @param array $options Options
     *
     * @return array Response
     */
    public function push($path, $data, $options = array())
    {
        return $this->_writeData($path, $data, 'POST', $options);
    }

    /**
     * Updating data into Firebase with a PATH request
     * HTTP 200: Ok
     *
     * @param string $path Path
     * @param mixed $data Data
     * @param array $options Options
     *
     * @return array Response
     */
    public function update($path, $data, $options = array())
    {
        return $this->_writeData($path, $data, 'PATCH', $options);
    }

    /**
     * Reading data from Firebase
     * HTTP 200: Ok
     *
     * @param string $path Path
     * @param array $options Options
     *
     * @return array Response
     */
    public function get($path, $options = array())

    {
        try {
            $ch = $this->_getCurlHandler($path, 'GET', $options);
            $return = $this->_my_curl_exec($ch);
        } catch (Exception $e) {
            $return = null;
        }
        return $return;
    }

    /**
     * Deletes data from Firebase
     * HTTP 204: Ok
     *
     * @param string $path Path
     * @param array $options Options
     *
     * @return array Response
     */
    public function delete($path, $options = array())

    {
        try {
            $ch = $this->_getCurlHandler($path, 'DELETE', $options);
            $return = $this->_my_curl_exec($ch);
        } catch (Exception $e) {
            $return = null;
        }
        return $return;
    }

    /**
     * Returns with Initialized CURL Handler
     *
     * @param string $path Path
     * @param string $mode Mode
     * @param array $options Options
     *
     * @return resource Curl Handler
     */
    private function _getCurlHandler($path, $mode, $options = array())
    {
        $url = $this->_getJsonPath($path, $options);
        $ch = $this->_curlHandler;
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_TIMEOUT, $this->_timeout);
        curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $this->_timeout);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $mode);
        return $ch;
    }

    /**
     * @param string $path
     */
    private function _writeData($path, $data, $method = 'PUT', $options = array())
    {
        $jsonData = json_encode($data);
        $header = array(
            'Content-Type: application/json',
            'Content-Length: ' . strlen($jsonData)
        );
        try {
            $ch = $this->_getCurlHandler($path, $method, $options);
            curl_setopt($ch, CURLOPT_HTTPHEADER, $header);
            curl_setopt($ch, CURLOPT_POSTFIELDS, $jsonData);
            $return = $this->_my_curl_exec($ch);
        } catch (Exception $e) {
            $return = null;
        }
        return $return;
    }

    // своя функция curl_exec, которая вручную обрабатывает 'location redirect'.
    // это нужно, т.к. на сервере отключен CURLOPT_FOLLOWLOCATION
    // решение частично отсюда http://stackoverflow.com/a/6918742/136559

    /**
     * @param resource $curl
     */
    private function _my_curl_exec($curl)
    {
        $html = curl_exec($curl);
        $status = curl_getinfo($curl);

        if ($status['http_code'] === 301 || $status['http_code'] === 302) {
            list($header) = explode("\r\n\r\n", $html, 2);
            $matches = array();
            preg_match("/(Location:|URI:)[^(\n)]*/", $header, $matches);
            $url = trim(str_replace($matches[1], '', $matches[0]));
            $url_parsed = parse_url($url);
            if (isset($url_parsed)) {
                curl_setopt($curl, CURLOPT_URL, $url);
                return $this->_my_curl_exec($curl);
            }
            return '';
        }
        return $html;
    }

}


1		<?php
		0 ignored issues – show Coding Style Compatibility introduced 2016-08-17 19:51 UTC by Report Bug Copy Issue Report Show Similar Issues like this For compatibility and reusability of your code, PSR1 recommends that a file should introduce either new symbols (like classes, functions, etc.) or have side-effects (like outputting something, or including other files), but not both at the same time. The first symbol is defined on line 23 and the first side effect is on line 4. The PSR-1: Basic Coding Standard recommends that a file should either introduce new symbols, that is classes, functions, constants or similar, or have side effects. Side effects are anything that executes logic, like for example printing output, changing ini settings or writing to a file. The idea behind this recommendation is that merely auto-loading a class should not change the state of an application. It also promotes a cleaner style of programming and makes your code less prone to errors, because the logic is not spread out all over the place. To learn more about the PSR-1, please see the PHP-FIG site on the PSR-1. Loading history...
2		namespace Firebase;
3
4		require_once __DIR__ . '/firebaseInterface.php';
5
6		use \Exception;
7
8
9		/**
10		* Firebase PHP Client Library
11		*
12		* @author Tamas Kalman <[email protected]>
13		* @url https://github.com/ktamas77/firebase-php/
14		* @link https://www.firebase.com/docs/rest-api.html
15		*/
16
17		/**
18		* Firebase PHP Class
19		*
20		* @author Tamas Kalman <[email protected]>
21		* @link https://www.firebase.com/docs/rest-api.html
22		*/
23		class FirebaseLib implements FirebaseInterface
24		{
25		private $_baseURI;
26		private $_timeout;
27		private $_token;
28		private $_curlHandler;
29
30		/**
31		* Constructor
32		*
33		* @param string $baseURI
34		* @param string $token
35		*/
36		function __construct($baseURI = '', $token = '')
		0 ignored issues – show Best Practice introduced 2016-08-17 19:51 UTC by Report Bug Copy Issue Report Show Similar Issues like this It is generally recommended to explicitly declare the visibility for methods. Adding explicit visibility (`private`, `protected`, or `public`) is generally recommend to communicate to other developers how, and from where this method is intended to be used. Loading history...
37		{
38		if ($baseURI == '') {
39		trigger_error('You must provide a baseURI variable.', E_USER_ERROR);
40		}
41
42		if (!extension_loaded('curl')) {
43		trigger_error('Extension CURL is not loaded.', E_USER_ERROR);
44		}
45
46		$this->setBaseURI($baseURI);
47		$this->setTimeOut(10);
48		$this->setToken($token);
49		$this->initCurlHandler();
50		}
51
52		/**
53		* Initializing the CURL handler
54		*
55		* @return void
56		*/
57		public function initCurlHandler()
58		{
59		$this->_curlHandler = curl_init();
60		}
61
62		/**
63		* Closing the CURL handler
64		*
65		* @return void
66		*/
67		public function closeCurlHandler()
68		{
69		curl_close($this->_curlHandler);
70		}
71
72		/**
73		* Sets Token
74		*
75		* @param string $token Token
76		*
77		* @return void
78		*/
79		public function setToken($token)
80		{
81		$this->_token = $token;
82		}
83
84		/**
85		* Sets Base URI, ex: http://yourcompany.firebase.com/youruser
86		*
87		* @param string $baseURI Base URI
88		*
89		* @return void
90		*/
91		public function setBaseURI($baseURI)
92		{
93		$baseURI .= (substr($baseURI, -1) == '/' ? '' : '/');
94		$this->_baseURI = $baseURI;
95		}
96
97		/**
98		* Returns with the normalized JSON absolute path
99		*
100		* @param string $path Path
101		* @param array $options Options
102		* @return string
103		*/
104		private function _getJsonPath($path, $options = array())
105		{
106		$url = $this->_baseURI;
107		if ($this->_token !== '') {
108		$options['auth'] = $this->_token;
109		}
110		$path = ltrim($path, '/');
111		return $url . $path . '.json?' . http_build_query($options);
112		}
113
114		/**
115		* Sets REST call timeout in seconds
116		*
117		* @param integer $seconds Seconds to timeout
118		*
119		* @return void
120		*/
121		public function setTimeOut($seconds)
122		{
123		$this->_timeout = $seconds;
124		}
125
126		/**
127		* Writing data into Firebase with a PUT request
128		* HTTP 200: Ok
129		*
130		* @param string $path Path
131		* @param mixed $data Data
132		* @param array $options Options
133		*
134		* @return array Response
135		*/
136		public function set($path, $data, $options = array())
137		{
138		return $this->_writeData($path, $data, 'PUT', $options);
139		}
140
141		/**
142		* Pushing data into Firebase with a POST request
143		* HTTP 200: Ok
144		*
145		* @param string $path Path
146		* @param mixed $data Data
147		* @param array $options Options
148		*
149		* @return array Response
150		*/
151		public function push($path, $data, $options = array())
152		{
153		return $this->_writeData($path, $data, 'POST', $options);
154		}
155
156		/**
157		* Updating data into Firebase with a PATH request
158		* HTTP 200: Ok
159		*
160		* @param string $path Path
161		* @param mixed $data Data
162		* @param array $options Options
163		*
164		* @return array Response
165		*/
166		public function update($path, $data, $options = array())
167		{
168		return $this->_writeData($path, $data, 'PATCH', $options);
169		}
170
171		/**
172		* Reading data from Firebase
173		* HTTP 200: Ok
174		*
175		* @param string $path Path
176		* @param array $options Options
177		*
178		* @return array Response
179		*/
180	View Code Duplication	public function get($path, $options = array())
		0 ignored issues – show Duplication introduced 2016-08-17 19:51 UTC by Report Bug Copy Issue Report Show Similar Issues like this This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
181		{
182		try {
183		$ch = $this->_getCurlHandler($path, 'GET', $options);
184		$return = $this->_my_curl_exec($ch);
185		} catch (Exception $e) {
186		$return = null;
187		}
188		return $return;
189		}
190
191		/**
192		* Deletes data from Firebase
193		* HTTP 204: Ok
194		*
195		* @param string $path Path
196		* @param array $options Options
197		*
198		* @return array Response
199		*/
200	View Code Duplication	public function delete($path, $options = array())
		0 ignored issues – show Duplication introduced 2016-08-17 19:51 UTC by Report Bug Copy Issue Report Show Similar Issues like this This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
201		{
202		try {
203		$ch = $this->_getCurlHandler($path, 'DELETE', $options);
204		$return = $this->_my_curl_exec($ch);
205		} catch (Exception $e) {
206		$return = null;
207		}
208		return $return;
209		}
210
211		/**
212		* Returns with Initialized CURL Handler
213		*
214		* @param string $path Path
215		* @param string $mode Mode
216		* @param array $options Options
217		*
218		* @return resource Curl Handler
219		*/
220		private function _getCurlHandler($path, $mode, $options = array())
221		{
222		$url = $this->_getJsonPath($path, $options);
223		$ch = $this->_curlHandler;
224		curl_setopt($ch, CURLOPT_URL, $url);
225		curl_setopt($ch, CURLOPT_TIMEOUT, $this->_timeout);
226		curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $this->_timeout);
227		curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
228		curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
229		curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $mode);
230		return $ch;
231		}
232
233		/**
234		* @param string $path
235		*/
236		private function _writeData($path, $data, $method = 'PUT', $options = array())
237		{
238		$jsonData = json_encode($data);
239		$header = array(
240		'Content-Type: application/json',
241		'Content-Length: ' . strlen($jsonData)
242		);
243		try {
244		$ch = $this->_getCurlHandler($path, $method, $options);
245		curl_setopt($ch, CURLOPT_HTTPHEADER, $header);
246		curl_setopt($ch, CURLOPT_POSTFIELDS, $jsonData);
247		$return = $this->_my_curl_exec($ch);
248		} catch (Exception $e) {
249		$return = null;
250		}
251		return $return;
252		}
253
254		// своя функция curl_exec, которая вручную обрабатывает 'location redirect'.
255		// это нужно, т.к. на сервере отключен CURLOPT_FOLLOWLOCATION
256		// решение частично отсюда http://stackoverflow.com/a/6918742/136559
257
258		/**
259		* @param resource $curl
260		*/
261		private function _my_curl_exec($curl)
262		{
263		$html = curl_exec($curl);
264		$status = curl_getinfo($curl);
265
266		if ($status['http_code'] === 301 \|\| $status['http_code'] === 302) {
267		list($header) = explode("\r\n\r\n", $html, 2);
268		$matches = array();
269		preg_match("/(Location:\|URI:)[^(\n)]*/", $header, $matches);
270		$url = trim(str_replace($matches[1], '', $matches[0]));
271		$url_parsed = parse_url($url);
272		if (isset($url_parsed)) {
273		curl_setopt($curl, CURLOPT_URL, $url);
274		return $this->_my_curl_exec($curl);
275		}
276		return '';
277		}
278		return $html;
279		}
280
281		}
282

pongo / firebase-php

Issues (27)

Security Analysis no request data

src/firebaseLib.php (4 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like