Issues in ClientCommand.php (master) - Issues in master - rinvex/laravel-oauth - Measure and Improve Code Quality continuously with Scrutinizer

Issues (71)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Console/Commands/ClientCommand.php (1 issue)

Labels

Documentation 1

Severity

Minor 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

declare(strict_types=1);

namespace Rinvex\Oauth\Console\Commands;

use Illuminate\Support\Str;
use Illuminate\Console\Command;
use Rinvex\Oauth\Models\Client;
use Rinvex\Support\Traits\ArtisanCanValidateAnswers;

class ClientCommand extends Command
{
    use ArtisanCanValidateAnswers;

    /**
     * The name and signature of the console command.
     *
     * @var string
     */
    protected $signature = 'rinvex:oauth:client
            {--client_credentials : Create a client credentials grant client}
            {--personal_access : Create a personal access client}
            {--password : Create a password grant client}
            {--name= : The name of the client}
            {--user_type= : The name of the user type}
            {--redirect_uri= : The URI to redirect to after authorization }
            {--user_id= : The user ID the client should be assigned to }
            {--public : Create a public client (Auth code grant type only) }';

    /**
     * The console command description.
     *
     * @var string
     */
    protected $description = 'Create a client for issuing access tokens';

    /**
     * Execute the console command.
     *
     * @return void
     */
    public function handle()
    {
        if ($this->option('personal_access')) {
            $this->createPersonalAccessClient();
        } elseif ($this->option('password')) {
            $this->createPasswordClient();
        } elseif ($this->option('client_credentials')) {
            $this->createClientCredentialsClient();
        } else {
            $this->createAuthorizationCodeClient();
        }
    }

    /**
     * Create a new personal access client.
     *
     * @return void
     */
    protected function createPersonalAccessClient()
    {
        $this->alert('Create Personal Access Client');

        $name = $this->option('name') ?: $this->askValid('What should we name the client?', 'name', 'required|string|strip_tags');
        $userId = $this->option('user_id') ?: $this->askValid('Which user ID should the client be assigned to?', 'user_id', 'required|integer');
        $redirect = $this->option('redirect_uri') ?: $this->askValid('Where should we redirect the request after authorization?', 'redirect_uri', 'required|string|url|max:1500', url('/auth/callback'));

        $userTypes = array_map('Str::singular', array_keys(config('auth.providers')));
        $userType = $this->option('user_type') ?: $this->choice(
            'Which user type should this client use to retrieve users?',
            $userTypes,
            in_array('users', $userTypes) ? 'users' : null
        );

        $client = app('rinvex.oauth.client')->create([
            'user_id' => $userId,
            'name' => $name,
            'secret' => Str::random(40),
            'user_type' => $userType,
            'redirect' => $redirect,
            'grant_type' => 'personal_access',
        ]);

        $this->info('Personal access client created successfully.');

        $this->outputClientDetails($client);
    }

    /**
     * Create a new password grant client.
     *
     * @return void
     */
    protected function createPasswordClient()
    {
        $this->alert('Create Password Client');

        $name = $this->option('name') ?: $this->askValid('What should we name the client?', 'name', 'required|string|strip_tags');
        $userId = $this->option('user_id') ?: $this->askValid('Which user ID should the client be assigned to?', 'user_id', 'required|integer');
        $redirect = $this->option('redirect_uri') ?: $this->askValid('Where should we redirect the request after authorization?', 'redirect_uri', 'required|string|url|max:1500', url('/auth/callback'));

        $userTypes = array_map('Str::singular', array_keys(config('auth.providers')));
        $userType = $this->option('user_type') ?: $this->choice(
            'Which user type should this client use to retrieve users?',
            $userTypes,
            in_array('users', $userTypes) ? 'users' : null
        );

        $client = app('rinvex.oauth.client')->create([
            'user_id' => $userId,
            'name' => $name,
            'secret' => Str::random(40),
            'user_type' => $userType,
            'redirect' => $redirect,
            'grant_type' => 'password',
        ]);

        $this->info('Password grant client created successfully.');

        $this->outputClientDetails($client);
    }

    /**
     * Create a client credentials grant client.
     *
     * @return void
     */
    protected function createClientCredentialsClient()
    {
        $this->alert('Create Client Credentials Client');

        $name = $this->option('name') ?: $this->askValid('What should we name the client?', 'name', 'required|string|strip_tags');
        $userId = $this->option('user_id') ?: $this->askValid('Which user ID should the client be assigned to?', 'user_id', 'required|integer');

        $userTypes = array_map('Str::singular', array_keys(config('auth.providers')));
        $userType = $this->option('user_type') ?: $this->choice(
            'Which user type should this client use to retrieve users?',
            $userTypes,
            in_array('users', $userTypes) ? 'users' : null
        );

        $client = app('rinvex.oauth.client')->create([
            'user_id' => $userId,
            'name' => $name,
            'secret' => Str::random(40),
            'user_type' => $userType,
            'redirect' => null,
            'grant_type' => 'client_credentials',
        ]);

        $this->info('New client created successfully.');

        $this->outputClientDetails($client);
    }

    /**
     * Create a authorization code client.
     *
     * @return void
     */
    protected function createAuthorizationCodeClient()
    {
        $this->alert('Create Authorization Code Client');

        $name = $this->option('name') ?: $this->askValid('What should we name the client?', 'name', 'required|string|strip_tags');
        $userId = $this->option('user_id') ?: $this->askValid('Which user ID should the client be assigned to?', 'user_id', 'required|integer');
        $redirect = $this->option('redirect_uri') ?: $this->askValid('Where should we redirect the request after authorization?', 'redirect_uri', 'required|string|url|max:1500', url('/auth/callback'));

        $userTypes = array_map('Str::singular', array_keys(config('auth.providers')));
        $userType = $this->option('user_type') ?: $this->choice(
            'Which user type should this client use to retrieve users?',
            $userTypes,
            in_array('users', $userTypes) ? 'users' : null
        );

        $client = app('rinvex.oauth.client')->create([
            'user_id' => $userId,
            'name' => $name,
            'secret' => ! $this->option('public') ? Str::random(40) : null,
            'user_type' => $userType,
            'redirect' => $redirect,
            'grant_type' => 'authorization_code',
        ]);

        $this->info('New client created successfully.');

        $this->outputClientDetails($client);
    }

    /**
     * Output the client's ID and secret key.
     *
     * @param \Rinvex\Oauth\Models\Client $client
     *
     * @return void
     */
    protected function outputClientDetails(Client $client)
    {
        $this->line('<comment>Here is your new client secret. This is the only time it will be shown so don\'t lose it!</comment>');
        $this->line('');

        $this->line('<comment>Client ID:</comment> '.$client->getRouteKey());
        $this->line('<comment>Client secret:</comment> '.$client->plainSecret);
<?php

/**
 * @property int $x
 * @property int $y
 * @property string $text
 */
class MyLabel
{
    private $properties;

    private $allowedProperties = array('x', 'y', 'text');

    public function __get($name)
    {
        if (isset($properties[$name]) && in_array($name, $this->allowedProperties)) {
            return $properties[$name];
        } else {
            return null;
        }
    }

    public function __set($name, $value)
    {
        if (in_array($name, $this->allowedProperties)) {
            $properties[$name] = $value;
        } else {
            throw new \LogicException("Property $name is not defined.");
        }
    }

}
    }
}


1			<?php
2
3			declare(strict_types=1);
4
5			namespace Rinvex\Oauth\Console\Commands;
6
7			use Illuminate\Support\Str;
8			use Illuminate\Console\Command;
9			use Rinvex\Oauth\Models\Client;
10			use Rinvex\Support\Traits\ArtisanCanValidateAnswers;
11
12			class ClientCommand extends Command
13			{
14			use ArtisanCanValidateAnswers;
15
16			/**
17			* The name and signature of the console command.
18			*
19			* @var string
20			*/
21			protected $signature = 'rinvex:oauth:client
22			{--client_credentials : Create a client credentials grant client}
23			{--personal_access : Create a personal access client}
24			{--password : Create a password grant client}
25			{--name= : The name of the client}
26			{--user_type= : The name of the user type}
27			{--redirect_uri= : The URI to redirect to after authorization }
28			{--user_id= : The user ID the client should be assigned to }
29			{--public : Create a public client (Auth code grant type only) }';
30
31			/**
32			* The console command description.
33			*
34			* @var string
35			*/
36			protected $description = 'Create a client for issuing access tokens';
37
38			/**
39			* Execute the console command.
40			*
41			* @return void
42			*/
43			public function handle()
44			{
45			if ($this->option('personal_access')) {
46			$this->createPersonalAccessClient();
47			} elseif ($this->option('password')) {
48			$this->createPasswordClient();
49			} elseif ($this->option('client_credentials')) {
50			$this->createClientCredentialsClient();
51			} else {
52			$this->createAuthorizationCodeClient();
53			}
54			}
55
56			/**
57			* Create a new personal access client.
58			*
59			* @return void
60			*/
61			protected function createPersonalAccessClient()
62			{
63			$this->alert('Create Personal Access Client');
64
65			$name = $this->option('name') ?: $this->askValid('What should we name the client?', 'name', 'required\|string\|strip_tags');
66			$userId = $this->option('user_id') ?: $this->askValid('Which user ID should the client be assigned to?', 'user_id', 'required\|integer');
67			$redirect = $this->option('redirect_uri') ?: $this->askValid('Where should we redirect the request after authorization?', 'redirect_uri', 'required\|string\|url\|max:1500', url('/auth/callback'));
68
69			$userTypes = array_map('Str::singular', array_keys(config('auth.providers')));
70			$userType = $this->option('user_type') ?: $this->choice(
71			'Which user type should this client use to retrieve users?',
72			$userTypes,
73			in_array('users', $userTypes) ? 'users' : null
74			);
75
76			$client = app('rinvex.oauth.client')->create([
77			'user_id' => $userId,
78			'name' => $name,
79			'secret' => Str::random(40),
80			'user_type' => $userType,
81			'redirect' => $redirect,
82			'grant_type' => 'personal_access',
83			]);
84
85			$this->info('Personal access client created successfully.');
86
87			$this->outputClientDetails($client);
88			}
89
90			/**
91			* Create a new password grant client.
92			*
93			* @return void
94			*/
95			protected function createPasswordClient()
96			{
97			$this->alert('Create Password Client');
98
99			$name = $this->option('name') ?: $this->askValid('What should we name the client?', 'name', 'required\|string\|strip_tags');
100			$userId = $this->option('user_id') ?: $this->askValid('Which user ID should the client be assigned to?', 'user_id', 'required\|integer');
101			$redirect = $this->option('redirect_uri') ?: $this->askValid('Where should we redirect the request after authorization?', 'redirect_uri', 'required\|string\|url\|max:1500', url('/auth/callback'));
102
103			$userTypes = array_map('Str::singular', array_keys(config('auth.providers')));
104			$userType = $this->option('user_type') ?: $this->choice(
105			'Which user type should this client use to retrieve users?',
106			$userTypes,
107			in_array('users', $userTypes) ? 'users' : null
108			);
109
110			$client = app('rinvex.oauth.client')->create([
111			'user_id' => $userId,
112			'name' => $name,
113			'secret' => Str::random(40),
114			'user_type' => $userType,
115			'redirect' => $redirect,
116			'grant_type' => 'password',
117			]);
118
119			$this->info('Password grant client created successfully.');
120
121			$this->outputClientDetails($client);
122			}
123
124			/**
125			* Create a client credentials grant client.
126			*
127			* @return void
128			*/
129			protected function createClientCredentialsClient()
130			{
131			$this->alert('Create Client Credentials Client');
132
133			$name = $this->option('name') ?: $this->askValid('What should we name the client?', 'name', 'required\|string\|strip_tags');
134			$userId = $this->option('user_id') ?: $this->askValid('Which user ID should the client be assigned to?', 'user_id', 'required\|integer');
135
136			$userTypes = array_map('Str::singular', array_keys(config('auth.providers')));
137			$userType = $this->option('user_type') ?: $this->choice(
138			'Which user type should this client use to retrieve users?',
139			$userTypes,
140			in_array('users', $userTypes) ? 'users' : null
141			);
142
143			$client = app('rinvex.oauth.client')->create([
144			'user_id' => $userId,
145			'name' => $name,
146			'secret' => Str::random(40),
147			'user_type' => $userType,
148			'redirect' => null,
149			'grant_type' => 'client_credentials',
150			]);
151
152			$this->info('New client created successfully.');
153
154			$this->outputClientDetails($client);
155			}
156
157			/**
158			* Create a authorization code client.
159			*
160			* @return void
161			*/
162			protected function createAuthorizationCodeClient()
163			{
164			$this->alert('Create Authorization Code Client');
165
166			$name = $this->option('name') ?: $this->askValid('What should we name the client?', 'name', 'required\|string\|strip_tags');
167			$userId = $this->option('user_id') ?: $this->askValid('Which user ID should the client be assigned to?', 'user_id', 'required\|integer');
168			$redirect = $this->option('redirect_uri') ?: $this->askValid('Where should we redirect the request after authorization?', 'redirect_uri', 'required\|string\|url\|max:1500', url('/auth/callback'));
169
170			$userTypes = array_map('Str::singular', array_keys(config('auth.providers')));
171			$userType = $this->option('user_type') ?: $this->choice(
172			'Which user type should this client use to retrieve users?',
173			$userTypes,
174			in_array('users', $userTypes) ? 'users' : null
175			);
176
177			$client = app('rinvex.oauth.client')->create([
178			'user_id' => $userId,
179			'name' => $name,
180			'secret' => ! $this->option('public') ? Str::random(40) : null,
181			'user_type' => $userType,
182			'redirect' => $redirect,
183			'grant_type' => 'authorization_code',
184			]);
185
186			$this->info('New client created successfully.');
187
188			$this->outputClientDetails($client);
189			}
190
191			/**
192			* Output the client's ID and secret key.
193			*
194			* @param \Rinvex\Oauth\Models\Client $client
195			*
196			* @return void
197			*/
198			protected function outputClientDetails(Client $client)
199			{
200			$this->line('<comment>Here is your new client secret. This is the only time it will be shown so don\'t lose it!</comment>');
201			$this->line('');
202
203			$this->line('<comment>Client ID:</comment> '.$client->getRouteKey());
204			$this->line('<comment>Client secret:</comment> '.$client->plainSecret);
			0 ignored issues – show Documentation introduced 2021-06-19 20:16 UTC by Report Bug Copy Issue Report Show Similar Issues like this The property `$plainSecret` is declared protected in `Rinvex\Oauth\Models\Client`. Since you implemented `__get()`, maybe consider adding a @property or @property-read annotation. This makes it easier for IDEs to provide auto-completion. Since your code implements the magic setter `_set`, this function will be called for any write access on an undefined variable. You can add the `@property` annotation to your class or interface to document the existence of this variable. <?php /** * @property int $x * @property int $y * @property string $text */ class MyLabel { private $properties; private $allowedProperties = array('x', 'y', 'text'); public function __get($name) { if (isset($properties[$name]) && in_array($name, $this->allowedProperties)) { return $properties[$name]; } else { return null; } } public function __set($name, $value) { if (in_array($name, $this->allowedProperties)) { $properties[$name] = $value; } else { throw new \LogicException("Property $name is not defined."); } } } Since the property has write access only, you can use the @property-write annotation instead. Of course, you may also just have mistyped another name, in which case you should fix the error. See also the PhpDoc documentation for @property. Loading history...
205			}
206			}
207

rinvex / laravel-oauth

Issues (71)

Security Analysis not enabled

src/Console/Commands/ClientCommand.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like