Issues in YouTubeProvider.php (master) - Issues in master - sonata-project/SonataMediaBundle - Measure and Improve Code Quality continuously with Scrutinizer

Issues (234)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Provider/YouTubeProvider.php (1 issue)

Labels

Severity

Major 1

Grégoire Paris 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

declare(strict_types=1);

/*
 * This file is part of the Sonata Project package.
 *
 * (c) Thomas Rabaix <[email protected]>
 *
 * For the full copyright and license information, please view the LICENSE
 * file that was distributed with this source code.
 */

namespace Sonata\MediaBundle\Provider;

use Buzz\Browser;
use Gaufrette\Filesystem;
use Sonata\MediaBundle\CDN\CDNInterface;
use Sonata\MediaBundle\Generator\GeneratorInterface;
use Sonata\MediaBundle\Metadata\MetadataBuilderInterface;
use Sonata\MediaBundle\Model\MediaInterface;
use Sonata\MediaBundle\Thumbnail\ThumbnailInterface;
use Symfony\Component\HttpFoundation\RedirectResponse;

/**
 * @final since sonata-project/media-bundle 3.21.0
 */
class YouTubeProvider extends BaseVideoProvider
{
    /**
     * @var bool
     */
    protected $html5;

    /**
     * @param string                   $name
     * @param MetadataBuilderInterface $metadata
     * @param bool                     $html5
     */
    public function __construct($name, Filesystem $filesystem, CDNInterface $cdn, GeneratorInterface $pathGenerator, ThumbnailInterface $thumbnail, Browser $browser, ?MetadataBuilderInterface $metadata = null, $html5 = false)
    {
        parent::__construct($name, $filesystem, $cdn, $pathGenerator, $thumbnail, $browser, $metadata);
        $this->html5 = $html5;
    }

    public function getProviderMetadata()
    {
        return new Metadata(
            $this->getName(),
            $this->getName().'.description',
            null,
            'SonataMediaBundle',
            ['class' => 'fa fa-youtube']
        );
    }

    public function getHelperProperties(MediaInterface $media, $format, $options = [])
    {
        // Override html5 value if $options['html5'] is a boolean
        if (!isset($options['html5'])) {
            $options['html5'] = $this->html5;
        }

        // documentation : http://code.google.com/apis/youtube/player_parameters.html

        $default_player_url_parameters = [
            //Values: 0 or 1. Default is 1. Sets whether the player should load related
            // videos once playback of the initial video starts. Related videos are
            // displayed in the "genie menu" when the menu button is pressed. The player
            // search functionality will be disabled if rel is set to 0.
            'rel' => 0,

            // Values: 0 or 1. Default is 0. Sets whether or not the initial video will autoplay
            // when the player loads.
            'autoplay' => 0,

            // Values: 0 or 1. Default is 0. In the case of a single video player, a setting of 1
            // will cause the player to play the initial video again and again. In the case of a
            // playlist player (or custom player), the player will play the entire playlist and
            // then start again at the first video.
            'loop' => 0,

            // Values: 0 or 1. Default is 0. Setting this to 1 will enable the Javascript API.
            // For more information on the Javascript API and how to use it, see the JavaScript
            // API documentation.
            'enablejsapi' => 0,

            // Value can be any alphanumeric string. This setting is used in conjunction with the
            // JavaScript API. See the JavaScript API documentation for details.
            'playerapiid' => null,

            // Values: 0 or 1. Default is 0. Setting to 1 will disable the player keyboard controls.
            // Keyboard controls are as follows:
            //      Spacebar: Play / Pause
            //      Arrow Left: Jump back 10% in the current video
            //      Arrow Right: Jump ahead 10% in the current video
            //      Arrow Up: Volume up
            //      Arrow Down: Volume Down
            'disablekb' => 0,

            // Values: 0 or 1. Default is 0. Setting to 1 enables the "Enhanced Genie Menu". This
            // behavior causes the genie menu (if present) to appear when the user's mouse enters
            // the video display area, as opposed to only appearing when the menu button is pressed.
            'egm' => 0,

            // Values: 0 or 1. Default is 0. Setting to 1 enables a border around the entire video
            // player. The border's primary color can be set via the color1 parameter, and a
            // secondary color can be set by the color2 parameter.
            'border' => 0,

            // Values: Any RGB value in hexadecimal format. color1 is the primary border color, and
            // color2 is the video control bar background color and secondary border color.
            'color1' => null,
            'color2' => null,

            // Values: 0 or 1. Default is 0. Setting to 1 enables the fullscreen button. This has no
            // effect on the Chromeless Player. Note that you must include some extra arguments to
           // your embed code for this to work.
            'fs' => 1,

            // Values: A positive integer. This parameter causes the player to begin playing the video
            // at the given number of seconds from the start of the video. Note that similar to the
            // seekTo function, the player will look for the closest keyframe to the time you specify.
            // This means sometimes the play head may seek to just before the requested time, usually
            // no more than ~2 seconds
            'start' => 0,

            // Values: 0 or 1. Default is 0. Setting to 1 enables HD playback by default. This has no
            // effect on the Chromeless Player. This also has no effect if an HD version of the video
            // is not available. If you enable this option, keep in mind that users with a slower
            // connection may have an sub-optimal experience unless they turn off HD. You should ensure
            // your player is large enough to display the video in its native resolution.
            'hd' => 1,

            // Values: 0 or 1. Default is 1. Setting to 0 disables the search box from displaying when
            // the video is minimized. Note that if the rel parameter is set to 0 then the search box
            // will also be disabled, regardless of the value of showsearch.
            'showsearch' => 0,

            // Values: 0 or 1. Default is 1. Setting to 0 causes the player to not display information
            // like the video title and rating before the video starts playing.
            'showinfo' => 0,

            // Values: 1 or 3. Default is 1. Setting to 1 will cause video annotations to be shown by
            // default, whereas setting to 3 will cause video annotation to not be shown by default.
            'iv_load_policy' => 1,

            // Values: 1. Default is based on user preference. Setting to 1 will cause closed captions
            // to be shown by default, even if the user has turned captions off.
            'cc_load_policy' => 1,

            // Values: 'window' or 'opaque' or 'transparent'.
            // When wmode=window, the Flash movie is not rendered in the page.
            // When wmode=opaque, the Flash movie is rendered as part of the page.
            // When wmode=transparent, the Flash movie is rendered as part of the page.
            'wmode' => 'window',
        ];

        $default_player_parameters = [
            // Values: 0 or 1. Default is 0. Setting to 1 enables a border around the entire video
            // player. The border's primary color can be set via the color1 parameter, and a
            // secondary color can be set by the color2 parameter.
            'border' => $default_player_url_parameters['border'],

            // Values: 'allowfullscreen' or empty. Default is 'allowfullscreen'. Setting to empty value disables
            //  the fullscreen button.
            'allowFullScreen' => '1' === $default_player_url_parameters['fs'] ? true : false,


            // The allowScriptAccess parameter in the code is needed to allow the player SWF to call
            // functions on the containing HTML page, since the player is hosted on a different domain
            // from the HTML page.
            'allowScriptAccess' => $options['allowScriptAccess'] ?? 'always',

            // Values: 'window' or 'opaque' or 'transparent'.
            // When wmode=window, the Flash movie is not rendered in the page.
            // When wmode=opaque, the Flash movie is rendered as part of the page.
            // When wmode=transparent, the Flash movie is rendered as part of the page.
            'wmode' => $default_player_url_parameters['wmode'],
        ];

        $player_url_parameters = array_merge($default_player_url_parameters, $options['player_url_parameters'] ?? []);

        $box = $this->getBoxHelperProperties($media, $format, $options);

        $player_parameters = array_merge($default_player_parameters, $options['player_parameters'] ?? [], [
            'width' => $box->getWidth(),
            'height' => $box->getHeight(),
        ]);

        $params = [
            'html5' => $options['html5'],
            'player_url_parameters' => http_build_query($player_url_parameters),
            'player_parameters' => $player_parameters,
        ];

        return $params;
    }

    public function updateMetadata(MediaInterface $media, $force = false): void
    {
        $url = sprintf('https://www.youtube.com/oembed?url=%s&format=json', $this->getReferenceUrl($media));

        try {
            $metadata = $this->getMetadata($media, $url);
        } catch (\RuntimeException $e) {
            $media->setEnabled(false);
            $media->setProviderStatus(MediaInterface::STATUS_ERROR);

            return;
        }

        $media->setProviderMetadata($metadata);

        if ($force) {
            $media->setName($metadata['title']);
            $media->setAuthorName($metadata['author_name']);
        }

        $media->setHeight($metadata['height']);
        $media->setWidth($metadata['width']);
        $media->setContentType('video/x-flv');
    }

    public function getDownloadResponse(MediaInterface $media, $format, $mode, array $headers = [])
    {
        return new RedirectResponse($this->getReferenceUrl($media), 302, $headers);
    }

    /**
     * Get provider reference url.
     *
     * @return string
     */
    public function getReferenceUrl(MediaInterface $media)
    {
        return sprintf('https://www.youtube.com/watch?v=%s', $media->getProviderReference());
    }

    protected function fixBinaryContent(MediaInterface $media): void
    {
        if (!$media->getBinaryContent()) {
            return;
        }

        if (11 === \strlen($media->getBinaryContent())) {
            return;
        }

        if (preg_match("/^(?:http(?:s)?:\/\/)?(?:www\.)?(?:m\.)?(?:youtu\.be\/|youtube\.com\/(?:(?:watch)?\?(?:.*&)?v(?:i)?=|(?:embed|v|vi|user)\/))([^\#\?&\"'>]+)/", $media->getBinaryContent(), $matches)) {
            $media->setBinaryContent($matches[1]);
        }
    }

    protected function doTransform(MediaInterface $media): void
    {
        $this->fixBinaryContent($media);

        if (!$media->getBinaryContent()) {
            return;
        }

        $media->setProviderName($this->name);
        $media->setProviderStatus(MediaInterface::STATUS_OK);
        $media->setProviderReference($media->getBinaryContent());

        $this->updateMetadata($media, true);
    }
}


1			<?php
2
3			declare(strict_types=1);
4
5			/*
6			* This file is part of the Sonata Project package.
7			*
8			* (c) Thomas Rabaix <[email protected]>
9			*
10			* For the full copyright and license information, please view the LICENSE
11			* file that was distributed with this source code.
12			*/
13
14			namespace Sonata\MediaBundle\Provider;
15
16			use Buzz\Browser;
17			use Gaufrette\Filesystem;
18			use Sonata\MediaBundle\CDN\CDNInterface;
19			use Sonata\MediaBundle\Generator\GeneratorInterface;
20			use Sonata\MediaBundle\Metadata\MetadataBuilderInterface;
21			use Sonata\MediaBundle\Model\MediaInterface;
22			use Sonata\MediaBundle\Thumbnail\ThumbnailInterface;
23			use Symfony\Component\HttpFoundation\RedirectResponse;
24
25			/**
26			* @final since sonata-project/media-bundle 3.21.0
27			*/
28			class YouTubeProvider extends BaseVideoProvider
29			{
30			/**
31			* @var bool
32			*/
33			protected $html5;
34
35			/**
36			* @param string $name
37			* @param MetadataBuilderInterface $metadata
38			* @param bool $html5
39			*/
40			public function __construct($name, Filesystem $filesystem, CDNInterface $cdn, GeneratorInterface $pathGenerator, ThumbnailInterface $thumbnail, Browser $browser, ?MetadataBuilderInterface $metadata = null, $html5 = false)
41			{
42			parent::__construct($name, $filesystem, $cdn, $pathGenerator, $thumbnail, $browser, $metadata);
43			$this->html5 = $html5;
44			}
45
46			public function getProviderMetadata()
47			{
48			return new Metadata(
49			$this->getName(),
50			$this->getName().'.description',
51			null,
52			'SonataMediaBundle',
53			['class' => 'fa fa-youtube']
54			);
55			}
56
57			public function getHelperProperties(MediaInterface $media, $format, $options = [])
58			{
59			// Override html5 value if $options['html5'] is a boolean
60			if (!isset($options['html5'])) {
61			$options['html5'] = $this->html5;
62			}
63
64			// documentation : http://code.google.com/apis/youtube/player_parameters.html
65
66			$default_player_url_parameters = [
67			//Values: 0 or 1. Default is 1. Sets whether the player should load related
68			// videos once playback of the initial video starts. Related videos are
69			// displayed in the "genie menu" when the menu button is pressed. The player
70			// search functionality will be disabled if rel is set to 0.
71			'rel' => 0,
72
73			// Values: 0 or 1. Default is 0. Sets whether or not the initial video will autoplay
74			// when the player loads.
75			'autoplay' => 0,
76
77			// Values: 0 or 1. Default is 0. In the case of a single video player, a setting of 1
78			// will cause the player to play the initial video again and again. In the case of a
79			// playlist player (or custom player), the player will play the entire playlist and
80			// then start again at the first video.
81			'loop' => 0,
82
83			// Values: 0 or 1. Default is 0. Setting this to 1 will enable the Javascript API.
84			// For more information on the Javascript API and how to use it, see the JavaScript
85			// API documentation.
86			'enablejsapi' => 0,
87
88			// Value can be any alphanumeric string. This setting is used in conjunction with the
89			// JavaScript API. See the JavaScript API documentation for details.
90			'playerapiid' => null,
91
92			// Values: 0 or 1. Default is 0. Setting to 1 will disable the player keyboard controls.
93			// Keyboard controls are as follows:
94			// Spacebar: Play / Pause
95			// Arrow Left: Jump back 10% in the current video
96			// Arrow Right: Jump ahead 10% in the current video
97			// Arrow Up: Volume up
98			// Arrow Down: Volume Down
99			'disablekb' => 0,
100
101			// Values: 0 or 1. Default is 0. Setting to 1 enables the "Enhanced Genie Menu". This
102			// behavior causes the genie menu (if present) to appear when the user's mouse enters
103			// the video display area, as opposed to only appearing when the menu button is pressed.
104			'egm' => 0,
105
106			// Values: 0 or 1. Default is 0. Setting to 1 enables a border around the entire video
107			// player. The border's primary color can be set via the color1 parameter, and a
108			// secondary color can be set by the color2 parameter.
109			'border' => 0,
110
111			// Values: Any RGB value in hexadecimal format. color1 is the primary border color, and
112			// color2 is the video control bar background color and secondary border color.
113			'color1' => null,
114			'color2' => null,
115
116			// Values: 0 or 1. Default is 0. Setting to 1 enables the fullscreen button. This has no
117			// effect on the Chromeless Player. Note that you must include some extra arguments to
118			// your embed code for this to work.
119			'fs' => 1,
120
121			// Values: A positive integer. This parameter causes the player to begin playing the video
122			// at the given number of seconds from the start of the video. Note that similar to the
123			// seekTo function, the player will look for the closest keyframe to the time you specify.
124			// This means sometimes the play head may seek to just before the requested time, usually
125			// no more than ~2 seconds
126			'start' => 0,
127
128			// Values: 0 or 1. Default is 0. Setting to 1 enables HD playback by default. This has no
129			// effect on the Chromeless Player. This also has no effect if an HD version of the video
130			// is not available. If you enable this option, keep in mind that users with a slower
131			// connection may have an sub-optimal experience unless they turn off HD. You should ensure
132			// your player is large enough to display the video in its native resolution.
133			'hd' => 1,
134
135			// Values: 0 or 1. Default is 1. Setting to 0 disables the search box from displaying when
136			// the video is minimized. Note that if the rel parameter is set to 0 then the search box
137			// will also be disabled, regardless of the value of showsearch.
138			'showsearch' => 0,
139
140			// Values: 0 or 1. Default is 1. Setting to 0 causes the player to not display information
141			// like the video title and rating before the video starts playing.
142			'showinfo' => 0,
143
144			// Values: 1 or 3. Default is 1. Setting to 1 will cause video annotations to be shown by
145			// default, whereas setting to 3 will cause video annotation to not be shown by default.
146			'iv_load_policy' => 1,
147
148			// Values: 1. Default is based on user preference. Setting to 1 will cause closed captions
149			// to be shown by default, even if the user has turned captions off.
150			'cc_load_policy' => 1,
151
152			// Values: 'window' or 'opaque' or 'transparent'.
153			// When wmode=window, the Flash movie is not rendered in the page.
154			// When wmode=opaque, the Flash movie is rendered as part of the page.
155			// When wmode=transparent, the Flash movie is rendered as part of the page.
156			'wmode' => 'window',
157			];
158
159			$default_player_parameters = [
160			// Values: 0 or 1. Default is 0. Setting to 1 enables a border around the entire video
161			// player. The border's primary color can be set via the color1 parameter, and a
162			// secondary color can be set by the color2 parameter.
163			'border' => $default_player_url_parameters['border'],
164
165			// Values: 'allowfullscreen' or empty. Default is 'allowfullscreen'. Setting to empty value disables
166			// the fullscreen button.
167			'allowFullScreen' => '1' === $default_player_url_parameters['fs'] ? true : false,
			0 ignored issues – show Unused Code Bug introduced 2019-01-31 18:22 UTC by Report Bug Copy Issue Report Show Similar Issues like this The strict comparison `===` seems to always evaluate to `false` as the types of `'1'` (`string`) and `$default_player_url_parameters['fs']` (`integer`) can never be identical. Maybe you want to use a loose comparison `==` instead? Loading history...
168
169			// The allowScriptAccess parameter in the code is needed to allow the player SWF to call
170			// functions on the containing HTML page, since the player is hosted on a different domain
171			// from the HTML page.
172			'allowScriptAccess' => $options['allowScriptAccess'] ?? 'always',
173
174			// Values: 'window' or 'opaque' or 'transparent'.
175			// When wmode=window, the Flash movie is not rendered in the page.
176			// When wmode=opaque, the Flash movie is rendered as part of the page.
177			// When wmode=transparent, the Flash movie is rendered as part of the page.
178			'wmode' => $default_player_url_parameters['wmode'],
179			];
180
181			$player_url_parameters = array_merge($default_player_url_parameters, $options['player_url_parameters'] ?? []);
182
183			$box = $this->getBoxHelperProperties($media, $format, $options);
184
185			$player_parameters = array_merge($default_player_parameters, $options['player_parameters'] ?? [], [
186			'width' => $box->getWidth(),
187			'height' => $box->getHeight(),
188			]);
189
190			$params = [
191			'html5' => $options['html5'],
192			'player_url_parameters' => http_build_query($player_url_parameters),
193			'player_parameters' => $player_parameters,
194			];
195
196			return $params;
197			}
198
199			public function updateMetadata(MediaInterface $media, $force = false): void
200			{
201			$url = sprintf('https://www.youtube.com/oembed?url=%s&format=json', $this->getReferenceUrl($media));
202
203			try {
204			$metadata = $this->getMetadata($media, $url);
205			} catch (\RuntimeException $e) {
206			$media->setEnabled(false);
207			$media->setProviderStatus(MediaInterface::STATUS_ERROR);
208
209			return;
210			}
211
212			$media->setProviderMetadata($metadata);
213
214			if ($force) {
215			$media->setName($metadata['title']);
216			$media->setAuthorName($metadata['author_name']);
217			}
218
219			$media->setHeight($metadata['height']);
220			$media->setWidth($metadata['width']);
221			$media->setContentType('video/x-flv');
222			}
223
224			public function getDownloadResponse(MediaInterface $media, $format, $mode, array $headers = [])
225			{
226			return new RedirectResponse($this->getReferenceUrl($media), 302, $headers);
227			}
228
229			/**
230			* Get provider reference url.
231			*
232			* @return string
233			*/
234			public function getReferenceUrl(MediaInterface $media)
235			{
236			return sprintf('https://www.youtube.com/watch?v=%s', $media->getProviderReference());
237			}
238
239			protected function fixBinaryContent(MediaInterface $media): void
240			{
241			if (!$media->getBinaryContent()) {
242			return;
243			}
244
245			if (11 === \strlen($media->getBinaryContent())) {
246			return;
247			}
248
249			if (preg_match("/^(?:http(?:s)?:\/\/)?(?:www\.)?(?:m\.)?(?:youtu\.be\/\|youtube\.com\/(?:(?:watch)?\?(?:.*&)?v(?:i)?=\|(?:embed\|v\|vi\|user)\/))([^\#\?&\"'>]+)/", $media->getBinaryContent(), $matches)) {
250			$media->setBinaryContent($matches[1]);
251			}
252			}
253
254			protected function doTransform(MediaInterface $media): void
255			{
256			$this->fixBinaryContent($media);
257
258			if (!$media->getBinaryContent()) {
259			return;
260			}
261
262			$media->setProviderName($this->name);
263			$media->setProviderStatus(MediaInterface::STATUS_OK);
264			$media->setProviderReference($media->getBinaryContent());
265
266			$this->updateMetadata($media, true);
267			}
268			}
269

sonata-project / SonataMediaBundle

Issues (234)

Security Analysis not enabled

src/Provider/YouTubeProvider.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like