Issues in AbstractContainer.php (feature/php83) - Issues in feature/php83 - simplesamlphp/saml2 - Measure and Improve Code Quality continuously with Scrutinizer

Issues (476)

Security Analysis no request data

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

Header Injection

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Compat/AbstractContainer.php (4 issues)

Labels

Bug 4

Severity

Major 4

<?php

declare(strict_types=1);

namespace SimpleSAML\SAML2\Compat;

use Psr\Clock\ClockInterface;
use Psr\Log\LoggerInterface;
use SimpleSAML\SAML2\Assert\Assert;
use SimpleSAML\SAML2\XML\ExtensionPointInterface;
use SimpleSAML\XML\AbstractElement;
use SimpleSAML\XML\ElementInterface;
use SimpleSAML\XMLSchema\Type\QNameValue;
filter:
    dependency_paths: ["lib/*"]
use SimpleSAML\XMLSecurity\Alg\Encryption\EncryptionAlgorithmFactory;
filter:
    dependency_paths: ["lib/*"]
use SimpleSAML\XMLSecurity\Alg\KeyTransport\KeyTransportAlgorithmFactory;
filter:
    dependency_paths: ["lib/*"]
use SimpleSAML\XMLSecurity\Alg\Signature\SignatureAlgorithmFactory;
filter:
    dependency_paths: ["lib/*"]

use function array_key_exists;
use function constant;

abstract class AbstractContainer
{
    /** @var array */
    protected array $registry = [];

    /** @var array */
    protected array $extRegistry = [];

    /** @var array|null */
    protected ?array $blacklistedEncryptionAlgorithms = [
        EncryptionAlgorithmFactory::DEFAULT_BLACKLIST,
        KeyTransportAlgorithmFactory::DEFAULT_BLACKLIST,
        SignatureAlgorithmFactory::DEFAULT_BLACKLIST,
    ];


    /**
     * Get the list of algorithms that are blacklisted for any encryption operation.
     *
     * @return string[]|null An array with all algorithm identifiers that are blacklisted, or null if we want to use the
     * defaults.
     */
    public function getBlacklistedEncryptionAlgorithms(): ?array
    {
        return $this->blacklistedEncryptionAlgorithms;
    }


    /**
     * Register a class that can handle a given element.
     *
     * @param string $class The class name of a class extending AbstractElement
     */
    public function registerElementHandler(string $class): void
    {
        Assert::subclassOf($class, AbstractElement::class);
        $key = '{' . constant($class::NS) . '}' . AbstractElement::getClassName($class);
        $this->registry[$key] = $class;
    }


    /**
     * Register a class that can handle given extension points of the standard.
     *
     * @param string $class The class name of a class extending AbstractElement or implementing ExtensionPointInterface.
     */
    public function registerExtensionHandler(string $class): void
    {
        Assert::subclassOf($class, ExtensionPointInterface::class);
        $key = '{' . $class::getXsiTypeNamespaceURI() . '}' . $class::getXsiTypeName();
        $this->extRegistry[$key] = $class;
    }


    /**
     * Search for a class that implements an element in the given $namespace.
     *
     * Such classes must have been registered previously by calling registerExtensionHandler(), and they must
     * extend \SimpleSAML\XML\AbstractElement.
     *
     * @param \SimpleSAML\XMLSchema\Type\QNameValue $qName The qualified name of the element.
     *
     * @return string|null The fully-qualified name of a class extending \SimpleSAML\XML\AbstractElement and
     *   implementing support for the given element, or null if no such class has been registered before.
     */
    public function getElementHandler(QNameValue $qName): ?string
    {
        $key = '{' . $qName->getNameSpaceURI()->getValue() . '}' . $qName->getLocalName()->getValue();
        if (array_key_exists($key, $this->registry) === true) {
            Assert::implementsInterface($this->registry[$key], ElementInterface::class);
            return $this->registry[$key];
        }

        return null;
    }


    /**
     * Search for a class that implements a custom element type.
     *
     * Such classes must have been registered previously by calling registerExtensionHandler(), and they must
     * implement \SimpleSAML\SAML11\XML\saml\ExtensionPointInterface.
     *
     * @param \SimpleSAML\XMLSchema\Type\QNameValue $qName The qualified name of the extension.
     * @return string|null The fully-qualified name of a class implementing
     *   \SimpleSAML\SAML11\XML\saml\ExtensionPointInterface or null if no such class has been registered before.
     */
    public function getExtensionHandler(QNameValue $qName): ?string
    {
        $key = '{' . $qName->getNameSpaceURI()->getValue() . '}' . $qName->getLocalName()->getValue();
        if (array_key_exists($key, $this->extRegistry) === true) {
            Assert::implementsInterface($this->extRegistry[$key], ExtensionPointInterface::class);
            return $this->extRegistry[$key];
        }

        return null;
    }


    /**
     * Set the list of algorithms that are blacklisted for any encryption operation.
     *
     * @param string[]|null $algos An array with all algorithm identifiers that are blacklisted,
     *   or null if we want to use the defaults.
     */
    abstract public function setBlacklistedAlgorithms(?array $algos): void;


    /**
     * Get a PSR-3 compatible logger.
     * @return \Psr\Log\LoggerInterface
     */
    abstract public function getLogger(): LoggerInterface;


    /**
     * Log an incoming message to the debug log.
     *
     * Type can be either:
     * - **in** XML received from third party
     * - **out** XML that will be sent to third party
     * - **encrypt** XML that is about to be encrypted
     * - **decrypt** XML that was just decrypted
     *
     * @param \DOMElement|string $message
     */
    abstract public function debugMessage($message, string $type): void;


    /**
     * Trigger the user to perform a POST to the given URL with the given data.
     */
    abstract public function getPOSTRedirectURL(string $url, array $data = []): string;


    /**
     * This function retrieves the path to a directory where temporary files can be saved.
     *
     * @return string Path to a temporary directory, without a trailing directory separator.
     *
     * @throws \Exception If the temporary directory cannot be created or it exists and does not belong
     * to the current user.
     */
    abstract public function getTempDir(): string;


    /**
     * Atomically write a file.
     *
     * This is a helper function for writing data atomically to a file. It does this by writing the file data to a
     * temporary file, then renaming it to the required file name.
     *
     * @param string $filename The path to the file we want to write to.
     * @param string $data The data we should write to the file.
     * @param int|null $mode The permissions to apply to the file. Defaults to 0600.
     */
    abstract public function writeFile(string $filename, string $data, ?int $mode = null): void;


    /**
     * Get the system clock, using UTC for a timezone
     */
    abstract public function getClock(): ClockInterface;
}


1			<?php
2
3			declare(strict_types=1);
4
5			namespace SimpleSAML\SAML2\Compat;
6
7			use Psr\Clock\ClockInterface;
8			use Psr\Log\LoggerInterface;
9			use SimpleSAML\SAML2\Assert\Assert;
10			use SimpleSAML\SAML2\XML\ExtensionPointInterface;
11			use SimpleSAML\XML\AbstractElement;
12			use SimpleSAML\XML\ElementInterface;
13			use SimpleSAML\XMLSchema\Type\QNameValue;
			0 ignored issues – show Bug introduced 2025-12-21 20:45 UTC by Report Bug Copy Issue Report Show Similar Issues like this The type `SimpleSAML\XMLSchema\Type\QNameValue` was not found. Maybe you did not declare it correctly or list all dependencies? The issue could also be caused by a filter entry in the build configuration. If the path has been excluded in your configuration, e.g. `excluded_paths: ["lib/"]`, you can move it to the dependency path list as follows: filter: dependency_paths: ["lib/"] For further information see https://scrutinizer-ci.com/docs/tools/php/php-scrutinizer/#list-dependency-paths Loading history...
14			use SimpleSAML\XMLSecurity\Alg\Encryption\EncryptionAlgorithmFactory;
			0 ignored issues – show Bug introduced 2025-12-21 20:45 UTC by Report Bug Copy Issue Report Show Similar Issues like this The type `SimpleSAML\XMLSecurity\A...ryptionAlgorithmFactory` was not found. Maybe you did not declare it correctly or list all dependencies? The issue could also be caused by a filter entry in the build configuration. If the path has been excluded in your configuration, e.g. `excluded_paths: ["lib/"]`, you can move it to the dependency path list as follows: filter: dependency_paths: ["lib/"] For further information see https://scrutinizer-ci.com/docs/tools/php/php-scrutinizer/#list-dependency-paths Loading history...
15			use SimpleSAML\XMLSecurity\Alg\KeyTransport\KeyTransportAlgorithmFactory;
			0 ignored issues – show Bug introduced 2025-12-21 20:45 UTC by Report Bug Copy Issue Report Show Similar Issues like this The type `SimpleSAML\XMLSecurity\A...ansportAlgorithmFactory` was not found. Maybe you did not declare it correctly or list all dependencies? The issue could also be caused by a filter entry in the build configuration. If the path has been excluded in your configuration, e.g. `excluded_paths: ["lib/"]`, you can move it to the dependency path list as follows: filter: dependency_paths: ["lib/"] For further information see https://scrutinizer-ci.com/docs/tools/php/php-scrutinizer/#list-dependency-paths Loading history...
16			use SimpleSAML\XMLSecurity\Alg\Signature\SignatureAlgorithmFactory;
			0 ignored issues – show Bug introduced 2025-12-21 20:45 UTC by Report Bug Copy Issue Report Show Similar Issues like this The type `SimpleSAML\XMLSecurity\A...gnatureAlgorithmFactory` was not found. Maybe you did not declare it correctly or list all dependencies? The issue could also be caused by a filter entry in the build configuration. If the path has been excluded in your configuration, e.g. `excluded_paths: ["lib/"]`, you can move it to the dependency path list as follows: filter: dependency_paths: ["lib/"] For further information see https://scrutinizer-ci.com/docs/tools/php/php-scrutinizer/#list-dependency-paths Loading history...
17
18			use function array_key_exists;
19			use function constant;
20
21			abstract class AbstractContainer
22			{
23			/** @var array */
24			protected array $registry = [];
25
26			/** @var array */
27			protected array $extRegistry = [];
28
29			/** @var array\|null */
30			protected ?array $blacklistedEncryptionAlgorithms = [
31			EncryptionAlgorithmFactory::DEFAULT_BLACKLIST,
32			KeyTransportAlgorithmFactory::DEFAULT_BLACKLIST,
33			SignatureAlgorithmFactory::DEFAULT_BLACKLIST,
34			];
35
36
37			/**
38			* Get the list of algorithms that are blacklisted for any encryption operation.
39			*
40			* @return string[]\|null An array with all algorithm identifiers that are blacklisted, or null if we want to use the
41			* defaults.
42			*/
43			public function getBlacklistedEncryptionAlgorithms(): ?array
44			{
45			return $this->blacklistedEncryptionAlgorithms;
46			}
47
48
49			/**
50			* Register a class that can handle a given element.
51			*
52			* @param string $class The class name of a class extending AbstractElement
53			*/
54			public function registerElementHandler(string $class): void
55			{
56			Assert::subclassOf($class, AbstractElement::class);
57			$key = '{' . constant($class::NS) . '}' . AbstractElement::getClassName($class);
58			$this->registry[$key] = $class;
59			}
60
61
62			/**
63			* Register a class that can handle given extension points of the standard.
64			*
65			* @param string $class The class name of a class extending AbstractElement or implementing ExtensionPointInterface.
66			*/
67			public function registerExtensionHandler(string $class): void
68			{
69			Assert::subclassOf($class, ExtensionPointInterface::class);
70			$key = '{' . $class::getXsiTypeNamespaceURI() . '}' . $class::getXsiTypeName();
71			$this->extRegistry[$key] = $class;
72			}
73
74
75			/**
76			* Search for a class that implements an element in the given $namespace.
77			*
78			* Such classes must have been registered previously by calling registerExtensionHandler(), and they must
79			* extend \SimpleSAML\XML\AbstractElement.
80			*
81			* @param \SimpleSAML\XMLSchema\Type\QNameValue $qName The qualified name of the element.
82			*
83			* @return string\|null The fully-qualified name of a class extending \SimpleSAML\XML\AbstractElement and
84			* implementing support for the given element, or null if no such class has been registered before.
85			*/
86			public function getElementHandler(QNameValue $qName): ?string
87			{
88			$key = '{' . $qName->getNameSpaceURI()->getValue() . '}' . $qName->getLocalName()->getValue();
89			if (array_key_exists($key, $this->registry) === true) {
90			Assert::implementsInterface($this->registry[$key], ElementInterface::class);
91			return $this->registry[$key];
92			}
93
94			return null;
95			}
96
97
98			/**
99			* Search for a class that implements a custom element type.
100			*
101			* Such classes must have been registered previously by calling registerExtensionHandler(), and they must
102			* implement \SimpleSAML\SAML11\XML\saml\ExtensionPointInterface.
103			*
104			* @param \SimpleSAML\XMLSchema\Type\QNameValue $qName The qualified name of the extension.
105			* @return string\|null The fully-qualified name of a class implementing
106			* \SimpleSAML\SAML11\XML\saml\ExtensionPointInterface or null if no such class has been registered before.
107			*/
108			public function getExtensionHandler(QNameValue $qName): ?string
109			{
110			$key = '{' . $qName->getNameSpaceURI()->getValue() . '}' . $qName->getLocalName()->getValue();
111			if (array_key_exists($key, $this->extRegistry) === true) {
112			Assert::implementsInterface($this->extRegistry[$key], ExtensionPointInterface::class);
113			return $this->extRegistry[$key];
114			}
115
116			return null;
117			}
118
119
120			/**
121			* Set the list of algorithms that are blacklisted for any encryption operation.
122			*
123			* @param string[]\|null $algos An array with all algorithm identifiers that are blacklisted,
124			* or null if we want to use the defaults.
125			*/
126			abstract public function setBlacklistedAlgorithms(?array $algos): void;
127
128
129			/**
130			* Get a PSR-3 compatible logger.
131			* @return \Psr\Log\LoggerInterface
132			*/
133			abstract public function getLogger(): LoggerInterface;
134
135
136			/**
137			* Log an incoming message to the debug log.
138			*
139			* Type can be either:
140			* - in XML received from third party
141			* - out XML that will be sent to third party
142			* - encrypt XML that is about to be encrypted
143			* - decrypt XML that was just decrypted
144			*
145			* @param \DOMElement\|string $message
146			*/
147			abstract public function debugMessage($message, string $type): void;
148
149
150			/**
151			* Trigger the user to perform a POST to the given URL with the given data.
152			*/
153			abstract public function getPOSTRedirectURL(string $url, array $data = []): string;
154
155
156			/**
157			* This function retrieves the path to a directory where temporary files can be saved.
158			*
159			* @return string Path to a temporary directory, without a trailing directory separator.
160			*
161			* @throws \Exception If the temporary directory cannot be created or it exists and does not belong
162			* to the current user.
163			*/
164			abstract public function getTempDir(): string;
165
166
167			/**
168			* Atomically write a file.
169			*
170			* This is a helper function for writing data atomically to a file. It does this by writing the file data to a
171			* temporary file, then renaming it to the required file name.
172			*
173			* @param string $filename The path to the file we want to write to.
174			* @param string $data The data we should write to the file.
175			* @param int\|null $mode The permissions to apply to the file. Defaults to 0600.
176			*/
177			abstract public function writeFile(string $filename, string $data, ?int $mode = null): void;
178
179
180			/**
181			* Get the system clock, using UTC for a timezone
182			*/
183			abstract public function getClock(): ClockInterface;
184			}
185

simplesamlphp / saml2

Issues (476)

Security Analysis no request data

src/Compat/AbstractContainer.php (4 issues)

Labels

Severity

Introduced By

Duplication Side-by-Side

Filter issues like