Issues in Cas30Controller.php (master) - Issues in master - simplesamlphp/simplesamlphp-module-casserver - Measure and Improve Code Quality continuously with Scrutinizer

Issues (31)

Security Analysis not enabled

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

Header Injection

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Controller/Cas30Controller.php (1 issue)

Severity

Unknown 1

<?php

declare(strict_types=1);

namespace SimpleSAML\Module\casserver\Controller;

use Exception;
use RuntimeException;
use SimpleSAML\Configuration;
use SimpleSAML\Logger;
use SimpleSAML\Module\casserver\Cas\Protocol\Cas20;
use SimpleSAML\Module\casserver\Cas\Protocol\SamlValidateResponder;
use SimpleSAML\Module\casserver\Cas\TicketValidator;
use SimpleSAML\Module\casserver\Controller\Traits\UrlTrait;
use SimpleSAML\Module\casserver\Http\XmlResponse;
use SimpleSAML\SAML11\Exception\ProtocolViolationException;
use SimpleSAML\SAML11\XML\samlp\Request as SamlRequest;
use SimpleSAML\SOAP\XML\env_200106\Envelope;
use SimpleSAML\XML\DOMDocumentFactory;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Attribute\AsController;
use Symfony\Component\HttpKernel\Attribute\MapQueryParameter;

use function is_array;

#[AsController]
class Cas30Controller
{
    use UrlTrait;

    /** @var \SimpleSAML\Logger */
    protected Logger $logger;

    /** @var \SimpleSAML\Configuration */
    protected Configuration $casConfig;

    /** @var \SimpleSAML\Module\casserver\Cas\Protocol\Cas20 */
    protected Cas20 $cas20Protocol;

    /** @var \SimpleSAML\Module\casserver\Cas\TicketValidator */
    protected TicketValidator $ticketValidator;

    /** @var \SimpleSAML\Module\casserver\Cas\Protocol\SamlValidateResponder */
    protected SamlValidateResponder $validateResponder;

    /**
     * @param \SimpleSAML\Configuration $sspConfig
     * @param \SimpleSAML\Configuration|null $casConfig
     * @param \SimpleSAML\Module\casserver\Cas\TicketValidator|null $ticketValidator
     *
     * @throws \Exception
     */
    public function __construct(
        private readonly Configuration $sspConfig,
        ?Configuration $casConfig = null,
        ?TicketValidator $ticketValidator = null,
    ) {
        // We are using this work around in order to bypass Symfony's autowiring for cas configuration. Since
        // the configuration class is the same, it loads the ssp configuration twice. Still, we need the constructor
        // argument in order to facilitate testin.
        $this->casConfig = ($casConfig === null || $casConfig === $sspConfig)
            ? Configuration::getConfig('module_casserver.php') : $casConfig;
        $this->cas20Protocol = new Cas20($this->casConfig);
        $this->ticketValidator   = $ticketValidator ?? new TicketValidator($this->casConfig);
        $this->validateResponder = new SamlValidateResponder();
    }


    /**
     * POST /casserver/samlValidate?TARGET=
     * Host: cas.example.com
     * Content-Length: 491
     * Content-Type: text/xml
     *
     * @param \Symfony\Component\HttpFoundation\Request $request
     * @param string $TARGET  URL encoded service identifier of the back-end service.
     *
     * @throw SimpleSAML\SAML11\Exception\ProtocolViolationException
     * @throw SimpleSAML\XML\Exception\MissingAttributeException
     * @throw \RuntimeException
     * @return \SimpleSAML\Module\casserver\Http\XmlResponse
     * @link https://apereo.github.io/cas/7.1.x/protocol/CAS-Protocol-Specification.html#42-samlvalidate-cas-30
     */
    public function samlValidate(
        Request $request,
        #[MapQueryParameter] string $TARGET,
    ): XmlResponse {
        $postBody = $request->getContent();
        if (empty($postBody)) {
            throw new RuntimeException('samlValidate expects a soap body.');
        }

        // SAML request values
        //
        // samlp:Request
        //  - RequestID [REQUIRED] - unique identifier for the request
        //  - IssueInstant [REQUIRED] - timestamp of the request
        // samlp:AssertionArtifact [REQUIRED] - the valid CAS Service

        $documentBody = DOMDocumentFactory::fromString($postBody);
        $envelope = Envelope::fromXML($documentBody->documentElement);

        // The SOAP Envelope must have only one ticket
        $elements = $envelope->getBody()->getElements();
        if (count($elements) > 1 || count($elements) < 1) {
            throw new ProtocolViolationException('samlValidate expects a soap body with only one ticket.');
        }

        // Request Element
        $samlpRequestParsed = SamlRequest::fromXML($elements[0]->getXML());
        // Assertion Artifact Element
        $assertionArtifactParsed = $samlpRequestParsed->getRequest()[0];

        $ticketId = $assertionArtifactParsed->getContent();
        Logger::debug('samlvalidate: Checking ticket ' . $ticketId);

        try {
            // validateAndDeleteTicket might throw a CasException. In order to avoid third party modules
            // dependencies, we will catch and rethrow the Exception.
            $ticket = $this->ticketValidator->validateAndDeleteTicket($ticketId, $TARGET);
        } catch (Exception $e) {
            throw new RuntimeException($e->getMessage());
        }

        if (!is_array($ticket)) {

            throw new RuntimeException('Error loading ticket');
        }

        $response = $this->validateResponder->convertToSaml($ticket);
        $soap = $this->validateResponder->wrapInSoap($response);

        return new XmlResponse(
            (string)$soap,
            Response::HTTP_OK,
        );
    }
}


1			<?php
2
3			declare(strict_types=1);
4
5			namespace SimpleSAML\Module\casserver\Controller;
6
7			use Exception;
8			use RuntimeException;
9			use SimpleSAML\Configuration;
10			use SimpleSAML\Logger;
11			use SimpleSAML\Module\casserver\Cas\Protocol\Cas20;
12			use SimpleSAML\Module\casserver\Cas\Protocol\SamlValidateResponder;
13			use SimpleSAML\Module\casserver\Cas\TicketValidator;
14			use SimpleSAML\Module\casserver\Controller\Traits\UrlTrait;
15			use SimpleSAML\Module\casserver\Http\XmlResponse;
16			use SimpleSAML\SAML11\Exception\ProtocolViolationException;
17			use SimpleSAML\SAML11\XML\samlp\Request as SamlRequest;
18			use SimpleSAML\SOAP\XML\env_200106\Envelope;
19			use SimpleSAML\XML\DOMDocumentFactory;
20			use Symfony\Component\HttpFoundation\Request;
21			use Symfony\Component\HttpFoundation\Response;
22			use Symfony\Component\HttpKernel\Attribute\AsController;
23			use Symfony\Component\HttpKernel\Attribute\MapQueryParameter;
24
25			use function is_array;
26
27			#[AsController]
28			class Cas30Controller
29			{
30			use UrlTrait;
31
32			/** @var \SimpleSAML\Logger */
33			protected Logger $logger;
34
35			/** @var \SimpleSAML\Configuration */
36			protected Configuration $casConfig;
37
38			/** @var \SimpleSAML\Module\casserver\Cas\Protocol\Cas20 */
39			protected Cas20 $cas20Protocol;
40
41			/** @var \SimpleSAML\Module\casserver\Cas\TicketValidator */
42			protected TicketValidator $ticketValidator;
43
44			/** @var \SimpleSAML\Module\casserver\Cas\Protocol\SamlValidateResponder */
45			protected SamlValidateResponder $validateResponder;
46
47			/**
48			* @param \SimpleSAML\Configuration $sspConfig
49			* @param \SimpleSAML\Configuration\|null $casConfig
50			* @param \SimpleSAML\Module\casserver\Cas\TicketValidator\|null $ticketValidator
51			*
52			* @throws \Exception
53			*/
54			public function __construct(
55			private readonly Configuration $sspConfig,
56			?Configuration $casConfig = null,
57			?TicketValidator $ticketValidator = null,
58			) {
59			// We are using this work around in order to bypass Symfony's autowiring for cas configuration. Since
60			// the configuration class is the same, it loads the ssp configuration twice. Still, we need the constructor
61			// argument in order to facilitate testin.
62			$this->casConfig = ($casConfig === null \|\| $casConfig === $sspConfig)
63			? Configuration::getConfig('module_casserver.php') : $casConfig;
64			$this->cas20Protocol = new Cas20($this->casConfig);
65			$this->ticketValidator = $ticketValidator ?? new TicketValidator($this->casConfig);
66			$this->validateResponder = new SamlValidateResponder();
67			}
68
69
70			/**
71			* POST /casserver/samlValidate?TARGET=
72			* Host: cas.example.com
73			* Content-Length: 491
74			* Content-Type: text/xml
75			*
76			* @param \Symfony\Component\HttpFoundation\Request $request
77			* @param string $TARGET URL encoded service identifier of the back-end service.
78			*
79			* @throw SimpleSAML\SAML11\Exception\ProtocolViolationException
80			* @throw SimpleSAML\XML\Exception\MissingAttributeException
81			* @throw \RuntimeException
82			* @return \SimpleSAML\Module\casserver\Http\XmlResponse
83			* @link https://apereo.github.io/cas/7.1.x/protocol/CAS-Protocol-Specification.html#42-samlvalidate-cas-30
84			*/
85			public function samlValidate(
86			Request $request,
87			#[MapQueryParameter] string $TARGET,
88			): XmlResponse {
89			$postBody = $request->getContent();
90			if (empty($postBody)) {
91			throw new RuntimeException('samlValidate expects a soap body.');
92			}
93
94			// SAML request values
95			//
96			// samlp:Request
97			// - RequestID [REQUIRED] - unique identifier for the request
98			// - IssueInstant [REQUIRED] - timestamp of the request
99			// samlp:AssertionArtifact [REQUIRED] - the valid CAS Service
100
101			$documentBody = DOMDocumentFactory::fromString($postBody);
102			$envelope = Envelope::fromXML($documentBody->documentElement);
103
104			// The SOAP Envelope must have only one ticket
105			$elements = $envelope->getBody()->getElements();
106			if (count($elements) > 1 \|\| count($elements) < 1) {
107			throw new ProtocolViolationException('samlValidate expects a soap body with only one ticket.');
108			}
109
110			// Request Element
111			$samlpRequestParsed = SamlRequest::fromXML($elements[0]->getXML());
112			// Assertion Artifact Element
113			$assertionArtifactParsed = $samlpRequestParsed->getRequest()[0];
114
115			$ticketId = $assertionArtifactParsed->getContent();
116			Logger::debug('samlvalidate: Checking ticket ' . $ticketId);
117
118			try {
119			// validateAndDeleteTicket might throw a CasException. In order to avoid third party modules
120			// dependencies, we will catch and rethrow the Exception.
121			$ticket = $this->ticketValidator->validateAndDeleteTicket($ticketId, $TARGET);
122			} catch (Exception $e) {
123			throw new RuntimeException($e->getMessage());
124			}
125
126			if (!is_array($ticket)) {
			0 ignored issues – show introduced 2024-11-26 18:02 UTC by Report Bug Copy Issue Report Show Similar Issues like this The condition `is_array($ticket)` is always `true`. Loading history...
127			throw new RuntimeException('Error loading ticket');
128			}
129
130			$response = $this->validateResponder->convertToSaml($ticket);
131			$soap = $this->validateResponder->wrapInSoap($response);
132
133			return new XmlResponse(
134			(string)$soap,
135			Response::HTTP_OK,
136			);
137			}
138			}
139

simplesamlphp / simplesamlphp-module-casserver

Issues (31)

Security Analysis not enabled

src/Controller/Cas30Controller.php (1 issue)

Severity

Introduced By

Duplication Side-by-Side

Filter issues like