Issues in PlanCreate.php (master) - Issues in master - shapintv/stripe - Measure and Improve Code Quality continuously with Scrutinizer

Issues (93)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Configuration/PlanCreate.php (4 issues)

Labels

Duplication 4

Severity

Informational 4

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

declare(strict_types=1);

/*
 * This software may be modified and distributed under the terms
 * of the MIT license. See the LICENSE file for details.
 */

namespace Shapin\Stripe\Configuration;

use Shapin\Stripe\Model\Plan\Plan;
use Symfony\Component\Config\Definition\Builder\TreeBuilder;
use Symfony\Component\Config\Definition\ConfigurationInterface;

class PlanCreate implements ConfigurationInterface
{
    public function getConfigTreeBuilder()
    {
        $treeBuilder = new TreeBuilder('shapin_stripe');
        $rootNode = $treeBuilder->getRootNode();

        $rootNode
            ->children()
                ->scalarNode('id')
                    ->info('An identifier randomly generated by Stripe. Used to identify this plan when subscribing a customer. You can optionally override this ID, but the ID must be unique across all plans in your Stripe account. You can, however, use the same plan ID in both live and test modes.')
                ->end()
                ->scalarNode('currency')
                    ->isRequired()
                    ->info('Three-letter ISO currency code, in lowercase. Must be a supported currency.')
                ->end()
                ->enumNode('interval')
                    ->isRequired()
                    ->values([Plan::INTERVAL_DAY, Plan::INTERVAL_WEEK, Plan::INTERVAL_MONTH, Plan::INTERVAL_YEAR])
                    ->info('Specifies billing frequency. Either day, week, month or year.')
                ->end()
                ->scalarNode('existing_product')
                    ->info('The product whose pricing the created plan will represent. This can either be the ID of an existing product, or a dictionary containing fields used to create a service product.')
                ->end()
                ->arrayNode('product')
                    ->children()
                        ->scalarNode('id')
                            ->info('The identifier for the product. Must be unique. If not provided, an identifier will be randomly generated.')
                        ->end()
                        ->scalarNode('name')
                            ->isRequired()
                            ->info('The product’s name, meant to be displayable to the customer.')
                        ->end()
                        ->booleanNode('active')
                            ->info('Whether to immediately capture the charge. When false, the charge issues an authorization (or pre-authorization), and will need to be captured later. Uncaptured charges expire in seven days. For more information, see the authorizing charges and settling later documentation.')
                        ->end()
                        ->arrayNode('metadata')
                            ->scalarPrototype()->end()
                            ->info('Set of key-value pairs that you can attach to an object. This can be useful for storing additional information about the object in a structured format. Individual keys can be unset by posting an empty value to them. All keys can be unset by posting an empty value to metadata.')
                        ->end()
                        ->scalarNode('statement_descriptor')
                            ->info('An arbitrary string to be displayed on your customer’s credit card statement. This may be up to 22 characters. The statement description may not include <>”’ characters, and will appear on your customer’s statement in capital letters. Non-ASCII characters are automatically stripped. While most banks display this information consistently, some may display it incorrectly or not at all. It must contain at least one letter.')
                        ->end()
                        ->scalarNode('unit_label')
                            ->info('A label that represents units of this product, such as seat(s), in Stripe and on customers’ receipts and invoices. Only available on products of type=service.')
                        ->end()
                    ->end()
                    ->info('The product whose pricing the created plan will represent. This can either be the ID of an existing product, or a dictionary containing fields used to create a service product.')
                ->end()
                ->booleanNode('active')
                    ->info('Whether to immediately capture the charge. When false, the charge issues an authorization (or pre-authorization), and will need to be captured later. Uncaptured charges expire in seven days. For more information, see the authorizing charges and settling later documentation.')
                ->end()
                ->enumNode('aggregate_usage')
                    ->values([Plan::AGGREGATE_USAGE_SUM, Plan::AGGREGATE_USAGE_LAST_DURING_PERIOD, Plan::AGGREGATE_USAGE_LAST_EVER, Plan::AGGREGATE_USAGE_MAX])
                    ->info('Specifies a usage aggregation strategy for plans of usage_type=metered. Allowed values are sum for summing up all usage during a period, last_during_period for picking the last usage record reported within a period, last_ever for picking the last usage record ever (across period bounds) or max which picks the usage record with the maximum reported usage during a period. Defaults to sum.')
                ->end()
                ->integerNode('amount')
                    ->info('A positive integer in cents (or 0 for a free plan) representing how much to charge on a recurring basis.')
                ->end()
                ->enumNode('billing_scheme')
                    ->values([Plan::BILLING_SCHEME_PER_UNIT, Plan::BILLING_SCHEME_TIERED])
                    ->info('Describes how to compute the price per period. Either per_unit or tiered. per_unit indicates that the fixed amount (specified in amount) will be charged per unit in quantity (for plans with usage_type=licensed), or per unit of total usage (for plans with usage_type=metered). tiered indicates that the unit pricing will be computed using a tiering strategy as defined using the tiers and tiers_mode attributes.')
                ->end()
                ->integerNode('interval_count')
                    ->info('The number of intervals between subscription billings. For example, interval=month and interval_count=3 bills every 3 months. Maximum of one year interval allowed (1 year, 12 months, or 52 weeks).')
                ->end()
                ->arrayNode('metadata')
                    ->scalarPrototype()->end()
                    ->info('Set of key-value pairs that you can attach to an object. This can be useful for storing additional information about the object in a structured format. Individual keys can be unset by posting an empty value to them. All keys can be unset by posting an empty value to metadata.')
                ->end()
                ->scalarNode('nickname')
                    ->info('A brief description of the plan, hidden from customers.')
                ->end()
                ->arrayNode('tiers')
                    ->children()
                        ->scalarNode('up_to')
                            ->isRequired()
                            ->info('Specifies the upper bound of this tier. The lower bound of a tier is the upper bound of the previous tier adding one. Use inf to define a fallback tier.')
                        ->end()
                        ->integerNode('flat_amount')
                            ->info('The flat billing amount for an entire tier, regardless of the number of units in the tier.')
                        ->end()
                        ->integerNode('unit_amount')
                            ->info('The per unit billing amount for each individual unit for which this tier applies.')
                        ->end()
                    ->end()
                    ->info('Each element represents a pricing tier. This parameter requires billing_scheme to be set to tiered. See also the documentation for billing_scheme. ')
                ->end()
                ->enumNode('tiers_mode')
                    ->values([Plan::TIERS_MODE_GRADUATED, Plan::TIERS_MODE_VOLUME])
                    ->info('Defines if the tiering price should be graduated or volume based. In volume-based tiering, the maximum quantity within a period determines the per unit price, in graduated tiering pricing can successively change as the quantity grows.')
                ->end()
                ->arrayNode('transform_usage')
                    ->arrayPrototype()
                        ->children()
                            ->integerNode('divide_by')
                                ->isRequired()
                                ->info('Divide usage by this number.')
                            ->end()
                            ->enumNode('round')
                                ->values([Plan::ROUND_UP, Plan::ROUND_DOWN])
                                ->isRequired()
                                ->info('After division, either round the result up or down.')
                            ->end()
                        ->end()
                    ->end()
                    ->info('Apply a transformation to the reported usage or set quantity before computing the billed price. Cannot be combined with tiers.')
                ->end()
                ->integerNode('trial_period_days')
                    ->info('Default number of trial days when subscribing a customer to this plan using trial_from_plan=true.')
                ->end()
                ->enumNode('usage_type')
                    ->values([Plan::USAGE_TYPE_METERED, Plan::USAGE_TYPE_LICENSED])
                    ->info('Configures how the quantity per period should be determined, can be either metered or licensed. licensed will automatically bill the quantity set for a plan when adding it to a subscription, metered will aggregate the total usage based on usage records. Defaults to licensed.')
                ->end()
            ->end()
        ;

        $rootNode
            ->validate()
                ->ifTrue(function ($v) {

                    return isset($v['billing_scheme']) && Plan::BILLING_SCHEME_PER_UNIT === $v['billing_scheme'] && !isset($v['amount']);
                })
                ->thenInvalid('"amount" is required when using  "per_unit" bill scheme.')
            ->end()
            ->validate()
                ->ifTrue(function ($v) {

                    return isset($v['billing_scheme']) && Plan::BILLING_SCHEME_TIERED === $v['billing_scheme'] && !isset($v['tiers']);
                })
                ->thenInvalid('"tiers" is required when using  "tiered" bill scheme.')
            ->end()
            ->validate()
                ->ifTrue(function ($v) {

                    return isset($v['tiers']) && (!isset($v['billing_scheme']) || Plan::BILLING_SCHEME_TIERED !== $v['billing_scheme']);
                })
                ->thenInvalid('"tiers" requires using  "tiered" bill scheme.')
            ->end()
            ->validate()
                ->ifTrue(function ($v) {

                    return isset($v['billing_scheme']) && Plan::BILLING_SCHEME_TIERED === $v['billing_scheme'] && !isset($v['tiers_mode']);
                })
                ->thenInvalid('"tiers_mode" is required when using  "tiered" bill scheme.')
            ->end()
            ->validate()
            ->ifTrue(function ($v) {
                return isset($v['tiers']) && isset($v['transform_usage']) && null !== $v['tiers'] && !empty($v['transform_usage']);
            })
                ->thenInvalid('"transform_usage" cannot be combined with "tiers".')
            ->end()
            ->validate()
                ->ifTrue(function ($v) {
                    return !isset($v['existing_product']) && !isset($v['product']);
                })
                ->thenInvalid('You must specify either "existing_product" or "product" node.')
            ->end()
            ->validate()
                ->ifTrue(function ($v) {
                    return isset($v['existing_product']) && isset($v['product']);
                })
                ->thenInvalid('You cannot specify both "existing_product" and "product" node.')
            ->end()
        ;

        return $treeBuilder;
    }
}


1			<?php
2
3			declare(strict_types=1);
4
5			/*
6			* This software may be modified and distributed under the terms
7			* of the MIT license. See the LICENSE file for details.
8			*/
9
10			namespace Shapin\Stripe\Configuration;
11
12			use Shapin\Stripe\Model\Plan\Plan;
13			use Symfony\Component\Config\Definition\Builder\TreeBuilder;
14			use Symfony\Component\Config\Definition\ConfigurationInterface;
15
16			class PlanCreate implements ConfigurationInterface
17			{
18	6		public function getConfigTreeBuilder()
19			{
20	6		$treeBuilder = new TreeBuilder('shapin_stripe');
21	6		$rootNode = $treeBuilder->getRootNode();
22
23			$rootNode
24	6		->children()
25	6		->scalarNode('id')
26	6		->info('An identifier randomly generated by Stripe. Used to identify this plan when subscribing a customer. You can optionally override this ID, but the ID must be unique across all plans in your Stripe account. You can, however, use the same plan ID in both live and test modes.')
27	6		->end()
28	6		->scalarNode('currency')
29	6		->isRequired()
30	6		->info('Three-letter ISO currency code, in lowercase. Must be a supported currency.')
31	6		->end()
32	6		->enumNode('interval')
33	6		->isRequired()
34	6		->values([Plan::INTERVAL_DAY, Plan::INTERVAL_WEEK, Plan::INTERVAL_MONTH, Plan::INTERVAL_YEAR])
35	6		->info('Specifies billing frequency. Either day, week, month or year.')
36	6		->end()
37	6		->scalarNode('existing_product')
38	6		->info('The product whose pricing the created plan will represent. This can either be the ID of an existing product, or a dictionary containing fields used to create a service product.')
39	6		->end()
40	6		->arrayNode('product')
41	6		->children()
42	6		->scalarNode('id')
43	6		->info('The identifier for the product. Must be unique. If not provided, an identifier will be randomly generated.')
44	6		->end()
45	6		->scalarNode('name')
46	6		->isRequired()
47	6		->info('The product’s name, meant to be displayable to the customer.')
48	6		->end()
49	6		->booleanNode('active')
50	6		->info('Whether to immediately capture the charge. When false, the charge issues an authorization (or pre-authorization), and will need to be captured later. Uncaptured charges expire in seven days. For more information, see the authorizing charges and settling later documentation.')
51	6		->end()
52	6		->arrayNode('metadata')
53	6		->scalarPrototype()->end()
54	6		->info('Set of key-value pairs that you can attach to an object. This can be useful for storing additional information about the object in a structured format. Individual keys can be unset by posting an empty value to them. All keys can be unset by posting an empty value to metadata.')
55	6		->end()
56	6		->scalarNode('statement_descriptor')
57	6		->info('An arbitrary string to be displayed on your customer’s credit card statement. This may be up to 22 characters. The statement description may not include <>”’ characters, and will appear on your customer’s statement in capital letters. Non-ASCII characters are automatically stripped. While most banks display this information consistently, some may display it incorrectly or not at all. It must contain at least one letter.')
58	6		->end()
59	6		->scalarNode('unit_label')
60	6		->info('A label that represents units of this product, such as seat(s), in Stripe and on customers’ receipts and invoices. Only available on products of type=service.')
61	6		->end()
62	6		->end()
63	6		->info('The product whose pricing the created plan will represent. This can either be the ID of an existing product, or a dictionary containing fields used to create a service product.')
64	6		->end()
65	6		->booleanNode('active')
66	6		->info('Whether to immediately capture the charge. When false, the charge issues an authorization (or pre-authorization), and will need to be captured later. Uncaptured charges expire in seven days. For more information, see the authorizing charges and settling later documentation.')
67	6		->end()
68	6		->enumNode('aggregate_usage')
69	6		->values([Plan::AGGREGATE_USAGE_SUM, Plan::AGGREGATE_USAGE_LAST_DURING_PERIOD, Plan::AGGREGATE_USAGE_LAST_EVER, Plan::AGGREGATE_USAGE_MAX])
70	6		->info('Specifies a usage aggregation strategy for plans of usage_type=metered. Allowed values are sum for summing up all usage during a period, last_during_period for picking the last usage record reported within a period, last_ever for picking the last usage record ever (across period bounds) or max which picks the usage record with the maximum reported usage during a period. Defaults to sum.')
71	6		->end()
72	6		->integerNode('amount')
73	6		->info('A positive integer in cents (or 0 for a free plan) representing how much to charge on a recurring basis.')
74	6		->end()
75	6		->enumNode('billing_scheme')
76	6		->values([Plan::BILLING_SCHEME_PER_UNIT, Plan::BILLING_SCHEME_TIERED])
77	6		->info('Describes how to compute the price per period. Either per_unit or tiered. per_unit indicates that the fixed amount (specified in amount) will be charged per unit in quantity (for plans with usage_type=licensed), or per unit of total usage (for plans with usage_type=metered). tiered indicates that the unit pricing will be computed using a tiering strategy as defined using the tiers and tiers_mode attributes.')
78	6		->end()
79	6		->integerNode('interval_count')
80	6		->info('The number of intervals between subscription billings. For example, interval=month and interval_count=3 bills every 3 months. Maximum of one year interval allowed (1 year, 12 months, or 52 weeks).')
81	6		->end()
82	6		->arrayNode('metadata')
83	6		->scalarPrototype()->end()
84	6		->info('Set of key-value pairs that you can attach to an object. This can be useful for storing additional information about the object in a structured format. Individual keys can be unset by posting an empty value to them. All keys can be unset by posting an empty value to metadata.')
85	6		->end()
86	6		->scalarNode('nickname')
87	6		->info('A brief description of the plan, hidden from customers.')
88	6		->end()
89	6		->arrayNode('tiers')
90	6		->children()
91	6		->scalarNode('up_to')
92	6		->isRequired()
93	6		->info('Specifies the upper bound of this tier. The lower bound of a tier is the upper bound of the previous tier adding one. Use inf to define a fallback tier.')
94	6		->end()
95	6		->integerNode('flat_amount')
96	6		->info('The flat billing amount for an entire tier, regardless of the number of units in the tier.')
97	6		->end()
98	6		->integerNode('unit_amount')
99	6		->info('The per unit billing amount for each individual unit for which this tier applies.')
100	6		->end()
101	6		->end()
102	6		->info('Each element represents a pricing tier. This parameter requires billing_scheme to be set to tiered. See also the documentation for billing_scheme. ')
103	6		->end()
104	6		->enumNode('tiers_mode')
105	6		->values([Plan::TIERS_MODE_GRADUATED, Plan::TIERS_MODE_VOLUME])
106	6		->info('Defines if the tiering price should be graduated or volume based. In volume-based tiering, the maximum quantity within a period determines the per unit price, in graduated tiering pricing can successively change as the quantity grows.')
107	6		->end()
108	6		->arrayNode('transform_usage')
109	6		->arrayPrototype()
110	6		->children()
111	6		->integerNode('divide_by')
112	6		->isRequired()
113	6		->info('Divide usage by this number.')
114	6		->end()
115	6		->enumNode('round')
116	6		->values([Plan::ROUND_UP, Plan::ROUND_DOWN])
117	6		->isRequired()
118	6		->info('After division, either round the result up or down.')
119	6		->end()
120	6		->end()
121	6		->end()
122	6		->info('Apply a transformation to the reported usage or set quantity before computing the billed price. Cannot be combined with tiers.')
123	6		->end()
124	6		->integerNode('trial_period_days')
125	6		->info('Default number of trial days when subscribing a customer to this plan using trial_from_plan=true.')
126	6		->end()
127	6		->enumNode('usage_type')
128	6		->values([Plan::USAGE_TYPE_METERED, Plan::USAGE_TYPE_LICENSED])
129	6		->info('Configures how the quantity per period should be determined, can be either metered or licensed. licensed will automatically bill the quantity set for a plan when adding it to a subscription, metered will aggregate the total usage based on usage records. Defaults to licensed.')
130	6		->end()
131	6		->end()
132			;
133
134			$rootNode
135	6		->validate()
136		View Code Duplication	->ifTrue(function ($v) {
			0 ignored issues – show Duplication introduced 2019-02-05 12:15 UTC by Report Bug Copy Issue Report Show Similar Issues like this This code seems to be duplicated across your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
137	6		return isset($v['billing_scheme']) && Plan::BILLING_SCHEME_PER_UNIT === $v['billing_scheme'] && !isset($v['amount']);
138	6		})
139	6		->thenInvalid('"amount" is required when using "per_unit" bill scheme.')
140	6		->end()
141	6		->validate()
142		View Code Duplication	->ifTrue(function ($v) {
			0 ignored issues – show Duplication introduced 2019-02-05 12:15 UTC by Report Bug Copy Issue Report Show Similar Issues like this This code seems to be duplicated across your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
143	5		return isset($v['billing_scheme']) && Plan::BILLING_SCHEME_TIERED === $v['billing_scheme'] && !isset($v['tiers']);
144	6		})
145	6		->thenInvalid('"tiers" is required when using "tiered" bill scheme.')
146	6		->end()
147	6		->validate()
148		View Code Duplication	->ifTrue(function ($v) {
			0 ignored issues – show Duplication introduced 2019-02-05 12:15 UTC by Report Bug Copy Issue Report Show Similar Issues like this This code seems to be duplicated across your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
149	4		return isset($v['tiers']) && (!isset($v['billing_scheme']) \|\| Plan::BILLING_SCHEME_TIERED !== $v['billing_scheme']);
150	6		})
151	6		->thenInvalid('"tiers" requires using "tiered" bill scheme.')
152	6		->end()
153	6		->validate()
154		View Code Duplication	->ifTrue(function ($v) {
			0 ignored issues – show Duplication introduced 2019-02-05 12:15 UTC by Report Bug Copy Issue Report Show Similar Issues like this This code seems to be duplicated across your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
155	3		return isset($v['billing_scheme']) && Plan::BILLING_SCHEME_TIERED === $v['billing_scheme'] && !isset($v['tiers_mode']);
156	6		})
157	6		->thenInvalid('"tiers_mode" is required when using "tiered" bill scheme.')
158	6		->end()
159	6		->validate()
160			->ifTrue(function ($v) {
161	2		return isset($v['tiers']) && isset($v['transform_usage']) && null !== $v['tiers'] && !empty($v['transform_usage']);
162	6		})
163	6		->thenInvalid('"transform_usage" cannot be combined with "tiers".')
164	6		->end()
165	6		->validate()
166			->ifTrue(function ($v) {
167	2		return !isset($v['existing_product']) && !isset($v['product']);
168	6		})
169	6		->thenInvalid('You must specify either "existing_product" or "product" node.')
170	6		->end()
171	6		->validate()
172			->ifTrue(function ($v) {
173	1		return isset($v['existing_product']) && isset($v['product']);
174	6		})
175	6		->thenInvalid('You cannot specify both "existing_product" and "product" node.')
176	6		->end()
177			;
178
179	6		return $treeBuilder;
180			}
181			}
182

shapintv / stripe

Issues (93)

Security Analysis no request data

src/Configuration/PlanCreate.php (4 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like