Issues in User.php (master) - Issues in master - sergeymakinen/yii2-jwt-user - Measure and Improve Code Quality continuously with Scrutinizer

Issues (1)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/User.php (1 issue)

Labels

Bug 1

Severity

Major 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * JWT powered User for Yii 2
 *
 * @see       https://github.com/sergeymakinen/yii2-jwt-user
 * @copyright Copyright (c) 2016-2017 Sergey Makinen (https://makinen.ru)
 * @license   https://github.com/sergeymakinen/yii2-jwt-user/blob/master/LICENSE MIT License
 */

namespace sergeymakinen\yii\jwtuser;

use Lcobucci\JWT\Builder;
use Lcobucci\JWT\Parser;
use Lcobucci\JWT\Signer\Hmac\Sha256;
use Lcobucci\JWT\Token;
use Lcobucci\JWT\ValidationData;
use yii\base\InvalidValueException;
use yii\web\Cookie;
use yii\web\IdentityInterface;

/**
 * User class with a JWT cookie as a backend.
 *
 * @see https://jwt.io
 * @see https://tools.ietf.org/html/rfc7519
 * @see \yii\web\User
 */
class User extends \yii\web\User
{
    /**
     * @var string JWT sign key. Must be random and secret.
     * @see https://tools.ietf.org/html/rfc7519#section-11
     * @since 3.0
     */
    public $key;

    /**
     * @var bool whether to use a [[IdentityInterface::getAuthKey()]] value to validate a token.
     * @since 3.0
     */
    public $useAuthKey = true;

    /**
     * @var bool whether to append a [[IdentityInterface::getAuthKey()]] value to the sign key or store it as a claim.
     * @since 3.0
     */
    public $appendAuthKey = false;

    /**
     * @var \Closure|string JWT audience claim ("aud").
     * @see https://tools.ietf.org/html/rfc7519#section-4.1.3
     * @since 1.1
     */
    public $audience;

    /**
     * @var \Closure|string JWT issuer claim ("iss").
     * @see https://tools.ietf.org/html/rfc7519#section-4.1.1
     * @since 3.0
     */
    public $issuer;

    /**
     * @inheritDoc
     */
    protected function renewIdentityCookie()
    {
        try {
            /** @var IdentityInterface $identity */
            /** @var Token $token */
            list($identity, $token) = $this->getIdentityAndTokenFromCookie();
            if ($identity === null) {
                return;
            }
        } catch (\Exception $e) {
            if ($e instanceof InvalidValueException) {
                throw $e;
            }

            return;
        }
        $now = time();
        $builder = $this->createBuilderFromToken($token)
            ->setNotBefore($now);
        if ($token->hasClaim('exp')) {
            $builder->setExpiration($now + ($token->getClaim('exp') - $token->getClaim('nbf')));
        }
        $this->sendToken($builder, $identity);
    }

    /**
     * @inheritDoc
     */
    protected function sendIdentityCookie($identity, $duration)
    {
        $now = time();
        $builder = (new Builder())
            ->setIssuedAt($now)
            ->setNotBefore($now)
            ->setId($identity->getId());
        if ($duration > 0) {
            $builder->setExpiration($now + $duration);
        }
        $issuer = $this->getPrincipal($this->issuer);
        if ($issuer !== null) {
            $builder->setIssuer($issuer);
        }
        $audience = $this->getPrincipal($this->audience);
        if ($audience !== null) {
            $builder->setAudience($audience);
        }
        if ($this->useAuthKey && !$this->appendAuthKey) {
            $builder->set('authKey', $identity->getAuthKey());
        }
        $this->sendToken($builder, $identity);
    }

    /**
     * @inheritDoc
     */
    protected function getIdentityAndDurationFromCookie()
    {
        try {
            /** @var IdentityInterface $identity */
            /** @var Token $token */
            list($identity, $token) = $this->getIdentityAndTokenFromCookie();
        } catch (\Exception $e) {
            if ($e instanceof InvalidValueException) {
                throw $e;
            }

            $ip = \Yii::$app->getRequest()->getUserIP();
            $error = lcfirst($e->getMessage());
            \Yii::warning("Invalid JWT cookie from $ip: $error", __METHOD__);
            $this->removeIdentityCookie();
            return null;
        }
        if ($identity === null) {
            $this->removeIdentityCookie();
            return null;
        }

        return ['identity' => $identity, 'duration' => $token->hasClaim('exp') ? $token->getClaim('exp') - $token->getClaim('nbf') : 0];
    }

    /**
     * @return array|null
     */
    private function getIdentityAndTokenFromCookie()
    {
        $value = \Yii::$app->getRequest()->getCookies()->getValue($this->identityCookie['name']);
        if ($value === null) {
            return null;
        }

        $token = (new Parser())->parse($value);
        if ($this->useAuthKey && $this->appendAuthKey) {
            $identity = $this->getIdentityFromToken($token);
            if ($identity === null) {
                return null;
            }

            $this->assertSignature($token, $identity);
            $this->assertClaims($token);
        } else {
            $this->assertSignature($token);
            $this->assertClaims($token);
            $identity = $this->getIdentityFromToken($token);
            if ($identity === null) {
                return null;
            }
        }
        return [$identity, $token];
    }

    /**
     * @param \Closure|string|null $value
     * @return string|null
     */
    private function getPrincipal($value)
    {
        if (is_string($value)) {
            return $value;
        }

        if ($value instanceof \Closure) {
            return $value();
        }

        return \Yii::$app->getRequest()->getHostInfo();
    }

    /**
     * @param IdentityInterface|null $identity
     * @return string
     */
    private function getKey(IdentityInterface $identity = null)
    {
        $key = (string) $this->key;
        if ($this->useAuthKey && $this->appendAuthKey) {
            $key .= $identity->getAuthKey();
function someFunction(A $objectMaybe = null)
{
    if ($objectMaybe instanceof A) {
        $objectMaybe->doSomething();
    }
}
        }
        if ($key === '') {
            throw new InvalidValueException('Sign key cannot be empty.');
        }

        return $key;
    }

    /**
     * @param Token $token
     * @param IdentityInterface|null $identity
     */
    private function assertSignature(Token $token, IdentityInterface $identity = null)
    {
        $key = $identity === null ? $this->getKey() : $this->getKey($identity);
        if (!$token->verify(new Sha256(), $key)) {
            throw new \InvalidArgumentException('Invalid signature');
        }
    }

    /**
     * @param Token $token
     */
    private function assertClaims(Token $token)
    {
        $validationData = new ValidationData(time());
        $issuer = $this->getPrincipal($this->issuer);
        if ($issuer !== null) {
            $validationData->setIssuer($issuer);
        }
        $audience = $this->getPrincipal($this->audience);
        if ($audience !== null) {
            $validationData->setAudience($audience);
        }
        if (!$token->validate($validationData)) {
            throw new \InvalidArgumentException('Invalid claims');
        }
    }

    /**
     * @param Token $token
     * @return IdentityInterface|null
     */
    private function getIdentityFromToken(Token $token)
    {
        /* @var $class IdentityInterface */
        $class = $this->identityClass;
        $id = $token->getClaim('jti');
        $identity = $class::findIdentity($id);
        if ($identity === null) {
            return null;
        }

        if (!$identity instanceof IdentityInterface) {
            throw new InvalidValueException("$class::findIdentity() must return an object implementing IdentityInterface.");
        }

        if ($this->useAuthKey && !$this->appendAuthKey) {
            $authKey = $token->getClaim('authKey');
            if (!$identity->validateAuthKey($authKey)) {
                \Yii::warning("Invalid auth key attempted for user '$id': $authKey", __METHOD__);
                return null;
            }
        }

        return $identity;
    }

    /**
     * @param Token $token
     * @return Builder
     */
    private function createBuilderFromToken(Token $token)
    {
        $builder = new Builder();
        foreach (array_keys($token->getClaims()) as $name) {
            $builder->set($name, $token->getClaim($name));
        }
        return $builder;
    }

    /**
     * @param Builder $builder
     * @param IdentityInterface $identity
     */
    private function sendToken(Builder $builder, IdentityInterface $identity)
    {
        $cookie = new Cookie($this->identityCookie);
        $cookie->expire = $builder->getToken()->getClaim('exp', '0');
        $cookie->value = (string) $builder
            ->sign(new Sha256(), $this->getKey($identity))
            ->getToken();
        \Yii::$app->getResponse()->getCookies()->add($cookie);
    }
}


1		<?php
2		/**
3		* JWT powered User for Yii 2
4		*
5		* @see https://github.com/sergeymakinen/yii2-jwt-user
6		* @copyright Copyright (c) 2016-2017 Sergey Makinen (https://makinen.ru)
7		* @license https://github.com/sergeymakinen/yii2-jwt-user/blob/master/LICENSE MIT License
8		*/
9
10		namespace sergeymakinen\yii\jwtuser;
11
12		use Lcobucci\JWT\Builder;
13		use Lcobucci\JWT\Parser;
14		use Lcobucci\JWT\Signer\Hmac\Sha256;
15		use Lcobucci\JWT\Token;
16		use Lcobucci\JWT\ValidationData;
17		use yii\base\InvalidValueException;
18		use yii\web\Cookie;
19		use yii\web\IdentityInterface;
20
21		/**
22		* User class with a JWT cookie as a backend.
23		*
24		* @see https://jwt.io
25		* @see https://tools.ietf.org/html/rfc7519
26		* @see \yii\web\User
27		*/
28		class User extends \yii\web\User
29		{
30		/**
31		* @var string JWT sign key. Must be random and secret.
32		* @see https://tools.ietf.org/html/rfc7519#section-11
33		* @since 3.0
34		*/
35		public $key;
36
37		/**
38		* @var bool whether to use a [[IdentityInterface::getAuthKey()]] value to validate a token.
39		* @since 3.0
40		*/
41		public $useAuthKey = true;
42
43		/**
44		* @var bool whether to append a [[IdentityInterface::getAuthKey()]] value to the sign key or store it as a claim.
45		* @since 3.0
46		*/
47		public $appendAuthKey = false;
48
49		/**
50		* @var \Closure\|string JWT audience claim ("aud").
51		* @see https://tools.ietf.org/html/rfc7519#section-4.1.3
52		* @since 1.1
53		*/
54		public $audience;
55
56		/**
57		* @var \Closure\|string JWT issuer claim ("iss").
58		* @see https://tools.ietf.org/html/rfc7519#section-4.1.1
59		* @since 3.0
60		*/
61		public $issuer;
62
63		/**
64		* @inheritDoc
65		*/
66	432	protected function renewIdentityCookie()
67		{
68		try {
69		/** @var IdentityInterface $identity */
70		/** @var Token $token */
71	432	list($identity, $token) = $this->getIdentityAndTokenFromCookie();
72	216	if ($identity === null) {
73	216	return;
74		}
75	216	} catch (\Exception $e) {
76	216	if ($e instanceof InvalidValueException) {
77		throw $e;
78		}
79
80	216	return;
81		}
82	216	$now = time();
83	216	$builder = $this->createBuilderFromToken($token)
84	216	->setNotBefore($now);
85	216	if ($token->hasClaim('exp')) {
86	162	$builder->setExpiration($now + ($token->getClaim('exp') - $token->getClaim('nbf')));
87		}
88	216	$this->sendToken($builder, $identity);
89	216	}
90
91		/**
92		* @inheritDoc
93		*/
94	432	protected function sendIdentityCookie($identity, $duration)
95		{
96	432	$now = time();
97	432	$builder = (new Builder())
98	432	->setIssuedAt($now)
99	432	->setNotBefore($now)
100	432	->setId($identity->getId());
101	432	if ($duration > 0) {
102	324	$builder->setExpiration($now + $duration);
103		}
104	432	$issuer = $this->getPrincipal($this->issuer);
105	432	if ($issuer !== null) {
106	432	$builder->setIssuer($issuer);
107		}
108	432	$audience = $this->getPrincipal($this->audience);
109	432	if ($audience !== null) {
110	432	$builder->setAudience($audience);
111		}
112	432	if ($this->useAuthKey && !$this->appendAuthKey) {
113	144	$builder->set('authKey', $identity->getAuthKey());
114		}
115	432	$this->sendToken($builder, $identity);
116	432	}
117
118		/**
119		* @inheritDoc
120		*/
121	768	protected function getIdentityAndDurationFromCookie()
122		{
123		try {
124		/** @var IdentityInterface $identity */
125		/** @var Token $token */
126	768	list($identity, $token) = $this->getIdentityAndTokenFromCookie();
127	748	} catch (\Exception $e) {
128	748	if ($e instanceof InvalidValueException) {
129		throw $e;
130		}
131
132	748	$ip = \Yii::$app->getRequest()->getUserIP();
133	748	$error = lcfirst($e->getMessage());
134	748	\Yii::warning("Invalid JWT cookie from $ip: $error", __METHOD__);
135	748	$this->removeIdentityCookie();
136	748	return null;
137		}
138	20	if ($identity === null) {
139	4	$this->removeIdentityCookie();
140	4	return null;
141		}
142
143	16	return ['identity' => $identity, 'duration' => $token->hasClaim('exp') ? $token->getClaim('exp') - $token->getClaim('nbf') : 0];
144		}
145
146		/**
147		* @return array\|null
148		*/
149	1974	private function getIdentityAndTokenFromCookie()
150		{
151	1974	$value = \Yii::$app->getRequest()->getCookies()->getValue($this->identityCookie['name']);
152	1974	if ($value === null) {
153	1	return null;
154		}
155
156	1973	$token = (new Parser())->parse($value);
157	1973	if ($this->useAuthKey && $this->appendAuthKey) {
158	657	$identity = $this->getIdentityFromToken($token);
159	657	if ($identity === null) {
160	1	return null;
161		}
162
163	656	$this->assertSignature($token, $identity);
164	200	$this->assertClaims($token);
165		} else {
166	1317	$this->assertSignature($token);
167	658	$this->assertClaims($token);
168	178	$identity = $this->getIdentityFromToken($token);
169	177	if ($identity === null) {
170	9	return null;
171		}
172		}
173	248	return [$identity, $token];
174		}
175
176		/**
177		* @param \Closure\|string\|null $value
178		* @return string\|null
179		*/
180	1074	private function getPrincipal($value)
181		{
182	1074	if (is_string($value)) {
183	520	return $value;
184		}
185
186	986	if ($value instanceof \Closure) {
187	720	return $value();
188		}
189
190	522	return \Yii::$app->getRequest()->getHostInfo();
191		}
192
193		/**
194		* @param IdentityInterface\|null $identity
195		* @return string
196		*/
197	1973	private function getKey(IdentityInterface $identity = null)
198		{
199	1973	$key = (string) $this->key;
200	1973	if ($this->useAuthKey && $this->appendAuthKey) {
201	656	$key .= $identity->getAuthKey();
		0 ignored issues – show Bug introduced 2017-05-03 19:26 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `$identity` is not always an object, but can also be of type `null`. Maybe add an additional type check? If a variable is not always an object, we recommend to add an additional type check to ensure your method call is safe: function someFunction(A $objectMaybe = null) { if ($objectMaybe instanceof A) { $objectMaybe->doSomething(); } } Loading history...
202		}
203	1973	if ($key === '') {
204	3	throw new InvalidValueException('Sign key cannot be empty.');
205		}
206
207	1970	return $key;
208		}
209
210		/**
211		* @param Token $token
212		* @param IdentityInterface\|null $identity
213		*/
214	1973	private function assertSignature(Token $token, IdentityInterface $identity = null)
215		{
216	1973	$key = $identity === null ? $this->getKey() : $this->getKey($identity);
217	1970	if (!$token->verify(new Sha256(), $key)) {
218	1112	throw new \InvalidArgumentException('Invalid signature');
219		}
220	858	}
221
222		/**
223		* @param Token $token
224		*/
225	858	private function assertClaims(Token $token)
226		{
227	858	$validationData = new ValidationData(time());
228	858	$issuer = $this->getPrincipal($this->issuer);
229	858	if ($issuer !== null) {
230	858	$validationData->setIssuer($issuer);
231		}
232	858	$audience = $this->getPrincipal($this->audience);
233	858	if ($audience !== null) {
234	858	$validationData->setAudience($audience);
235		}
236	858	if (!$token->validate($validationData)) {
237	600	throw new \InvalidArgumentException('Invalid claims');
238		}
239	258	}
240
241		/**
242		* @param Token $token
243		* @return IdentityInterface\|null
244		*/
245	834	private function getIdentityFromToken(Token $token)
246		{
247		/* @var $class IdentityInterface */
248	834	$class = $this->identityClass;
249	834	$id = $token->getClaim('jti');
250	834	$identity = $class::findIdentity($id);
251	834	if ($identity === null) {
252	1	return null;
253		}
254
255	833	if (!$identity instanceof IdentityInterface) {
256	1	throw new InvalidValueException("$class::findIdentity() must return an object implementing IdentityInterface.");
257		}
258
259	832	if ($this->useAuthKey && !$this->appendAuthKey) {
260	88	$authKey = $token->getClaim('authKey');
261	88	if (!$identity->validateAuthKey($authKey)) {
262	8	\Yii::warning("Invalid auth key attempted for user '$id': $authKey", __METHOD__);
263	8	return null;
264		}
265		}
266
267	824	return $identity;
268		}
269
270		/**
271		* @param Token $token
272		* @return Builder
273		*/
274	216	private function createBuilderFromToken(Token $token)
275		{
276	216	$builder = new Builder();
277	216	foreach (array_keys($token->getClaims()) as $name) {
278	216	$builder->set($name, $token->getClaim($name));
279		}
280	216	return $builder;
281		}
282
283		/**
284		* @param Builder $builder
285		* @param IdentityInterface $identity
286		*/
287	432	private function sendToken(Builder $builder, IdentityInterface $identity)
288		{
289	432	$cookie = new Cookie($this->identityCookie);
290	432	$cookie->expire = $builder->getToken()->getClaim('exp', '0');
291	432	$cookie->value = (string) $builder
292	432	->sign(new Sha256(), $this->getKey($identity))
293	432	->getToken();
294	432	\Yii::$app->getResponse()->getCookies()->add($cookie);
295	432	}
296		}
297

sergeymakinen / yii2-jwt-user

Issues (1)

Security Analysis no request data

src/User.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like