Issues in _api.js (master) - Issues in master - silverstripe/deploynaut - Measure and Improve Code Quality continuously with Scrutinizer

Issues (524)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

js/_api.js (2 issues)

Severity

Unknown 2

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

// polyfills
require('babel-polyfill');
var fetch = require('isomorphic-fetch');

export function ServerError(message, status) {
	this.name = "ServerError";
	this.message = message;
	this.status = status;
}
ServerError.prototype = Object.create(Error.prototype);
ServerError.prototype.constructor = ServerError;
ServerError.prototype.toString = function () {
	return "Error " + this.status + " - " + this.message;
};

export function ApiError(message, status) {
	this.name = "ApiError";
	this.message = message;
	this.status = status;
}
ApiError.prototype = Object.create(Error.prototype);
ApiError.prototype.constructor = ApiError;
ApiError.prototype.toString = function () {
	return "Error " + this.status + " - " + this.message;
};

// SETUP_API is a cross dispatcher action that stores information recieved
// from the backend dispatcher so that the api class can dip into the store and
// find the correct endpoints depending on the apiNamespace
export const SETUP_API = 'SETUP_API';
export function setupAPI(dispatchers, api_auth) {
	return {
		type: SETUP_API,
		dispatchers: dispatchers,
		auth: api_auth
	};
}

/**
 *
 * @param time
 * @returns {Promise}
 */
function sleep(time) {
	return new Promise((resolve) => setTimeout(resolve, time));

}

/**
 * apiName is used to find the correct endpoint from the state store under
 * `store.api.dispatchers.${apiName}`
 *
 * @param name - string name of the api, used for finding the api endpoint
 * @returns {{call: call, waitForSuccess: waitForSuccess}}
 */
export function create(name) {

	const apiName = name;

	function call(getState, uri, method, payload) {

		var options = {
			credentials: 'same-origin',
			method: method,
			headers: {
				Accept: 'application/json'
			}
		};

		let fullURI = "";
		// check if uri is a relative or full uri
		if (uri.indexOf('://') > 0 || uri.indexOf('//') === 0) {
			fullURI = uri;
		} else {
			fullURI = `${getState().api.dispatchers[apiName]}${uri}`;
		}

		// post actions are the only actions that could possible change the state
		// and should therefore be protected by CSRF. GET/HEAD operations are
		// prefered to actions that doesn't change state.
		if (method.toLowerCase() === "post") {
			options.body = new FormData();

			const tokenName = `${getState().api.auth.name}`;
			const tokenValue = `${getState().api.auth.value}`;

			options.body.append(tokenName, tokenValue);

			var data = payload || {};
			Object.keys(data).forEach(function(key) {
				options.body.append(key, payload[key]);
			});
		}

		return fetch(fullURI, options)
			.then(function(response) {

				// the http response is in the 200 >=  <= 299 range
				if (response.ok) {
					// If the response is to login, such as the user session has timed out, then
					// reload the current page so they can login again.
					if (/Security\/login/.test(response.url)) {
						return location.reload();
					}

					return response.json().then(json => json);
				}
				// if the status code is outside of 200 - 299 we try to parse
				// the error that can either be some unexpected error or a nicer
				// API error response

				// this is unexpected, so just throw it without trying to parse
				// the body of the response
				if (response.status >= 500) {
					const err = new ServerError(response.statusText, response.status);
					console.error(err); // eslint-disable-line no-console
					throw err;
				}

				// try parsing the content of the page in hope that there is a
				// nice json formatted error message
				return response.json()
					.then(function(json) {
						if (json.message) {
							throw new ApiError(json.message, json.status_code || response.status);
						}
						// there isn't a custom error message, so fallback to
						// the HTTP response
						throw new ApiError(response.statusText, response.status);
					})
					.catch(function(err) {
						console.error(err); // eslint-disable-line no-console
						if (err.name === 'ApiError') {
							throw err;
						}
						// if we got here the, response body couldn't be parsed
						// as JSON at all, use the HTTP response data
						throw new ApiError(response.statusText, response.status);
					});
			});
	}

	function waitForSuccess(getState, uri, retryInterval, callback) {
		var retry = retryInterval || 100;
		if (retry > 5000) {
			retry = 5000;
		}
		return call(getState, uri, 'get').then(data => {

			if (callback) {
				callback(data);
			}
			switch (data.status) {
				case 'Completed':
				case 'Complete':
				case 'Failed':
				case 'Submitted':
					return data;
				default:
					return sleep(retry).then(() => waitForSuccess(getState, uri, 2 * retry, callback));
			}
		});
	}

	return {
		call,
		waitForSuccess
	};
}


1			// polyfills
2			require('babel-polyfill');
3			var fetch = require('isomorphic-fetch');
4
5			export function ServerError(message, status) {
6			this.name = "ServerError";
7			this.message = message;
8			this.status = status;
9			}
10			ServerError.prototype = Object.create(Error.prototype);
11			ServerError.prototype.constructor = ServerError;
12			ServerError.prototype.toString = function () {
13			return "Error " + this.status + " - " + this.message;
14			};
15
16			export function ApiError(message, status) {
17			this.name = "ApiError";
18			this.message = message;
19			this.status = status;
20			}
21			ApiError.prototype = Object.create(Error.prototype);
22			ApiError.prototype.constructor = ApiError;
23			ApiError.prototype.toString = function () {
24			return "Error " + this.status + " - " + this.message;
25			};
26
27			// SETUP_API is a cross dispatcher action that stores information recieved
28			// from the backend dispatcher so that the api class can dip into the store and
29			// find the correct endpoints depending on the apiNamespace
30			export const SETUP_API = 'SETUP_API';
31			export function setupAPI(dispatchers, api_auth) {
32			return {
33			type: SETUP_API,
34			dispatchers: dispatchers,
35			auth: api_auth
36			};
37			}
38
39			/**
40			*
41			* @param time
42			* @returns {Promise}
43			*/
44			function sleep(time) {
45			return new Promise((resolve) => setTimeout(resolve, time));
			0 ignored issues – show introduced 2016-09-12 00:23 UTC by Report Bug Copy Issue Report Show Similar Issues like this Unexpected parentheses around single function argument having a body with no curly braces Loading history...
46			}
47
48			/**
49			* apiName is used to find the correct endpoint from the state store under
50			* `store.api.dispatchers.${apiName}`
51			*
52			* @param name - string name of the api, used for finding the api endpoint
53			* @returns {{call: call, waitForSuccess: waitForSuccess}}
54			*/
55			export function create(name) {
56
57			const apiName = name;
58
59			function call(getState, uri, method, payload) {
60
61			var options = {
62			credentials: 'same-origin',
63			method: method,
64			headers: {
65			Accept: 'application/json'
66			}
67			};
68
69			let fullURI = "";
70			// check if uri is a relative or full uri
71			if (uri.indexOf('://') > 0 \|\| uri.indexOf('//') === 0) {
72			fullURI = uri;
73			} else {
74			fullURI = `${getState().api.dispatchers[apiName]}${uri}`;
75			}
76
77			// post actions are the only actions that could possible change the state
78			// and should therefore be protected by CSRF. GET/HEAD operations are
79			// prefered to actions that doesn't change state.
80			if (method.toLowerCase() === "post") {
81			options.body = new FormData();
82
83			const tokenName = `${getState().api.auth.name}`;
84			const tokenValue = `${getState().api.auth.value}`;
85
86			options.body.append(tokenName, tokenValue);
87
88			var data = payload \|\| {};
89			Object.keys(data).forEach(function(key) {
90			options.body.append(key, payload[key]);
91			});
92			}
93
94			return fetch(fullURI, options)
95			.then(function(response) {
96
97			// the http response is in the 200 >= <= 299 range
98			if (response.ok) {
99			// If the response is to login, such as the user session has timed out, then
100			// reload the current page so they can login again.
101			if (/Security\/login/.test(response.url)) {
102			return location.reload();
103			}
104
105			return response.json().then(json => json);
106			}
107			// if the status code is outside of 200 - 299 we try to parse
108			// the error that can either be some unexpected error or a nicer
109			// API error response
110
111			// this is unexpected, so just throw it without trying to parse
112			// the body of the response
113			if (response.status >= 500) {
114			const err = new ServerError(response.statusText, response.status);
115			console.error(err); // eslint-disable-line no-console
116			throw err;
117			}
118
119			// try parsing the content of the page in hope that there is a
120			// nice json formatted error message
121			return response.json()
122			.then(function(json) {
123			if (json.message) {
124			throw new ApiError(json.message, json.status_code \|\| response.status);
125			}
126			// there isn't a custom error message, so fallback to
127			// the HTTP response
128			throw new ApiError(response.statusText, response.status);
129			})
130			.catch(function(err) {
131			console.error(err); // eslint-disable-line no-console
132			if (err.name === 'ApiError') {
133			throw err;
134			}
135			// if we got here the, response body couldn't be parsed
136			// as JSON at all, use the HTTP response data
137			throw new ApiError(response.statusText, response.status);
138			});
139			});
140			}
141
142			function waitForSuccess(getState, uri, retryInterval, callback) {
143			var retry = retryInterval \|\| 100;
144			if (retry > 5000) {
145			retry = 5000;
146			}
147			return call(getState, uri, 'get').then(data => {
			0 ignored issues – show introduced 2016-09-12 00:23 UTC by Report Bug Copy Issue Report Show Similar Issues like this Expected parentheses around arrow function argument having a body with curly braces. Loading history...
148			if (callback) {
149			callback(data);
150			}
151			switch (data.status) {
152			case 'Completed':
153			case 'Complete':
154			case 'Failed':
155			case 'Submitted':
156			return data;
157			default:
158			return sleep(retry).then(() => waitForSuccess(getState, uri, 2 * retry, callback));
159			}
160			});
161			}
162
163			return {
164			call,
165			waitForSuccess
166			};
167			}
168

silverstripe / deploynaut

Issues (524)

Security Analysis not enabled

js/_api.js (2 issues)

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like