Issues (52)

Security Analysis    not enabled

This project does not seem to handle request data directly as such no vulnerable execution paths were found.

  File Inclusion
File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.
  Regex Injection
Regex Injection enables an attacker to execute arbitrary code in your PHP process.
  SQL Injection
SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.
  Response Splitting
Response Splitting can be used to send arbitrary responses.
  File Manipulation
File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.
  Object Injection
Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.
  File Exposure
File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.
  XML Injection
XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.
  Code Injection
Code Injection enables an attacker to execute arbitrary code on the server.
  Variable Injection
Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.
  XPath Injection
XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.
  Other Vulnerability
This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.
  Command Injection
Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.
  LDAP Injection
LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.
  Cross-Site Scripting
Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.
  Header Injection
Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

include/license/class-bd-license.php (1 issue)

Severity
1
<?php
2
/**
3
 * Addon license related functions.
4
 *
5
 * @since      5.0
6
 *
7
 * @author     Sudar
8
 *
9
 * @package    BulkDelete\License
10
 */
11
defined( 'ABSPATH' ) || exit; // Exit if accessed directly
12
13
class BD_License {
14
	/**
15
	 * Output addon page content.
16
	 *
17
	 * @since 5.0
18
	 * @static
19
	 */
20
	public static function display_addon_page() {
21
		if ( ! class_exists( 'WP_List_Table' ) ) {
22
			require_once ABSPATH . WPINC . '/class-wp-list-table.php';
23
		}
24
25
		if ( ! class_exists( 'License_List_Table' ) ) {
26
			require_once Bulk_Delete::$PLUGIN_DIR . '/include/license/class-license-list-table.php';
27
		}
28
29
		$license_list_table = new License_List_Table();
30
		$license_list_table->prepare_items();
31
?>
32
        <div class="wrap">
33
            <h2><?php _e( 'Addon Licenses', 'bulk-delete' );?></h2>
34
            <?php settings_errors(); ?>
35
            <form method="post" action="options.php">
36
<?php
37
		$license_list_table->display();
38
		do_action( 'bd_license_form' );
39
		bd_display_available_addon_list();
40
?>
41
            </form>
42
        </div>
43
<?php
44
		/**
45
		 * Runs just before displaying the footer text in the "Addon" admin page.
46
		 *
47
		 * This action is primarily for adding extra content in the footer of "Addon" admin page.
48
		 *
49
		 * @since 5.0
50
		 */
51
		do_action( 'bd_admin_footer_addon_page' );
52
	}
53
54
	/**
55
	 * Display License form.
56
	 *
57
	 * @since 5.0
58
	 * @static
59
	 */
60
	public static function display_activate_license_form() {
61
		$bd = BULK_DELETE();
62
		if ( isset( $bd->display_activate_license_form ) && true === $bd->display_activate_license_form ) {
63
			// This prints out all hidden setting fields
64
			settings_fields( Bulk_Delete::SETTING_OPTION_GROUP );
65
			do_settings_sections( Bulk_Delete::ADDON_PAGE_SLUG );
66
			submit_button( __( 'Activate License', 'bulk-delete' ) );
67
		}
68
	}
69
70
	/**
71
	 * Check if an addon has a valid license or not.
72
	 *
73
	 * @since  5.0
74
	 * @static
75
	 *
76
	 * @param string $addon_name Addon Name
77
	 * @param string $addon_code Addon short Name
78
	 *
79
	 * @return bool True if addon has a valid license, False otherwise
80
	 */
81
	public static function has_valid_license( $addon_name, $addon_code ) {
82
		$key          = Bulk_Delete::LICENSE_CACHE_KEY_PREFIX . $addon_code;
83
		$license_data = get_option( $key, false );
84
85
		if ( ! $license_data ) {
86
			// if data about license is not present, then fetch it.
87
			// ideally this should not happen
88
			$licenses = get_option( Bulk_Delete::SETTING_OPTION_NAME );
89
			if ( is_array( $licenses ) && key_exists( $addon_code, $licenses ) ) {
90
				$license_data = BD_EDD_API_Wrapper::check_license( $addon_name, $licenses[ $addon_code ] );
91
				update_option( $key, $license_data );
92
			}
93
		}
94
95
		// TODO Encapsulate below code into a separate function
96
		if ( $license_data && is_array( $license_data ) && key_exists( 'validity', $license_data ) ) {
97
			if ( 'valid' == $license_data['validity'] ) {
98
				if ( strtotime( 'now' ) < strtotime( $license_data['expires'] ) ) {
99
					return true;
100
				} else {
101
					$license_data['validity'] = 'expired';
102
					update_option( $key, $license_data );
103
				}
104
			}
105
		}
106
107
		return false;
108
	}
109
110
	/**
111
	 * Get the list of all licenses information to be displayed in the license page.
112
	 *
113
	 * @since 5.0
114
	 * @static
115
	 *
116
	 * @return array $license_data License information
117
	 */
118
	public static function get_licenses() {
119
		$licenses     = get_option( Bulk_Delete::SETTING_OPTION_NAME );
120
		$license_data = array();
121
122
		if ( is_array( $licenses ) ) {
123
			foreach ( $licenses as $addon_code => $license ) {
124
				$license_data[ $addon_code ] = self::get_license( $addon_code );
125
			}
126
		}
127
128
		return $license_data;
129
	}
130
131
	/**
132
	 * Retrieve license information about an addon.
133
	 *
134
	 * @since  5.0
135
	 * @static
136
	 *
137
	 * @param string $addon_code Addon short name
138
	 *
139
	 * @return object $license_data License information
140
	 */
141
	public static function get_license( $addon_code ) {
142
		$key          = Bulk_Delete::LICENSE_CACHE_KEY_PREFIX . $addon_code;
143
		$license_data = get_option( $key, false );
144
145
		if ( $license_data && is_array( $license_data ) && key_exists( 'validity', $license_data ) ) {
146
			if ( 'valid' == $license_data['validity'] ) {
147
				if ( strtotime( 'now' ) < strtotime( $license_data['expires'] ) ) {
0 ignored issues
show
This if statement is empty and can be removed.

This check looks for the bodies of if statements that have no statements or where all statements have been commented out. This may be the result of changes for debugging or the code may simply be obsolete.

These if bodies can be removed. If you have an empty if but statements in the else branch, consider inverting the condition.

if (rand(1, 6) > 3) {
//print "Check failed";
} else {
    print "Check succeeded";
}

could be turned into

if (rand(1, 6) <= 3) {
    print "Check succeeded";
}

This is much more concise to read.

Loading history...
148
					// valid license
149
				} else {
150
					$license_data['validity'] = 'expired';
151
					update_option( $key, $license_data );
152
				}
153
			}
154
		}
155
156
		return $license_data;
157
	}
158
159
	/**
160
	 * Get license code of an addon.
161
	 *
162
	 * @since 5.0
163
	 * @static
164
	 *
165
	 * @param string $addon_code Addon code
166
	 *
167
	 * @return bool|string License code of the addon, False otherwise
168
	 */
169
	public static function get_license_code( $addon_code ) {
170
		$licenses = get_option( Bulk_Delete::SETTING_OPTION_NAME );
171
172
		if ( is_array( $licenses ) && key_exists( $addon_code, $licenses ) ) {
173
			return $licenses[ $addon_code ];
174
		}
175
		else {
176
			return false;
177
		}
178
	}
179
180
	/**
181
	 * Deactivate license.
182
	 *
183
	 * @since 5.0
184
	 * @static
185
	 */
186
	public static function deactivate_license() {
187
		$msg          = array( 'msg' => '', 'type' => 'error' );
188
		$addon_code   = $_GET['addon-code'];
189
		$license_data = self::get_license( $addon_code );
190
191
		$license      = $license_data['license'];
192
		$addon_name   = $license_data['addon-name'];
193
194
		$deactivated  = BD_EDD_API_Wrapper::deactivate_license( $addon_name, $license );
195
196
		if ( $deactivated ) {
197
			self::delete_license_from_cache( $addon_code );
198
			$msg['msg']  = sprintf( __( 'The license key for "%s" addon was successfully deactivated', 'bulk-delete' ), $addon_name );
199
			$msg['type'] = 'updated';
200
		} else {
201
			self::validate_license( $addon_code, $addon_name );
202
			$msg['msg'] = sprintf( __( 'There was some problem while trying to deactivate license key for "%s" addon. Kindly try again', 'bulk-delete' ), $addon_name );
203
		}
204
205
		add_settings_error(
206
			Bulk_Delete::ADDON_PAGE_SLUG,
207
			'license-deactivation',
208
			$msg['msg'],
209
			$msg['type']
210
		);
211
	}
212
213
	/**
214
	 * Delete license.
215
	 *
216
	 * @since 5.0
217
	 * @static
218
	 */
219
	public static function delete_license() {
220
		$msg          = array( 'msg' => '', 'type' => 'updated' );
221
		$addon_code   = $_GET['addon-code'];
222
223
		self::delete_license_from_cache( $addon_code );
224
225
		$msg['msg']  = __( 'The license key was successfully deleted', 'bulk-delete' );
226
227
		add_settings_error(
228
			Bulk_Delete::ADDON_PAGE_SLUG,
229
			'license-deleted',
230
			$msg['msg'],
231
			$msg['type']
232
		);
233
	}
234
235
	/**
236
	 * Delete license information from cache.
237
	 *
238
	 * @since 5.0
239
	 * @static
240
	 *
241
	 * @param string $addon_code Addon code
242
	 */
243
	private static function delete_license_from_cache( $addon_code ) {
244
		$key = Bulk_Delete::LICENSE_CACHE_KEY_PREFIX . $addon_code;
245
		delete_option( $key );
246
247
		$licenses = get_option( Bulk_Delete::SETTING_OPTION_NAME );
248
249
		if ( is_array( $licenses ) && key_exists( $addon_code, $licenses ) ) {
250
			unset( $licenses[ $addon_code ] );
251
		}
252
		update_option( Bulk_Delete::SETTING_OPTION_NAME, $licenses );
253
	}
254
255
	/**
256
	 * Activate license.
257
	 *
258
	 * @since  5.0
259
	 * @static
260
	 *
261
	 * @param string $addon_name Addon name
262
	 * @param string $addon_code Addon code
263
	 * @param string $license    License code
264
	 *
265
	 * @return bool $valid      True if valid, False otherwise
266
	 */
267
	public static function activate_license( $addon_name, $addon_code, $license ) {
268
		$license_data = BD_EDD_API_Wrapper::activate_license( $addon_name, $license );
269
		$valid        = false;
270
		$msg          = array(
271
			'msg'  => sprintf( __( 'There was some problem in contacting our store to activate the license key for "%s" addon', 'bulk-delete' ), $addon_name ),
272
			'type' => 'error',
273
		);
274
275
		if ( $license_data && is_array( $license_data ) && key_exists( 'validity', $license_data ) ) {
276
			if ( 'valid' == $license_data['validity'] ) {
277
				$key                        = Bulk_Delete::LICENSE_CACHE_KEY_PREFIX . $addon_code;
278
				$license_data['addon-code'] = $addon_code;
279
				update_option( $key, $license_data );
280
281
				$msg['msg']  = sprintf( __( 'The license key for "%s" addon was successfully activated. The addon will get updates automatically till the license key is valid.', 'bulk-delete' ), $addon_name );
282
				$msg['type'] = 'updated';
283
				$valid       = true;
284
			} else {
285
				if ( key_exists( 'error', $license_data ) ) {
286
					switch ( $license_data['error'] ) {
287
						case 'no_activations_left':
288
							$msg['msg'] = sprintf( __( 'The license key for "%s" addon doesn\'t have any more activations left. Kindly buy a new license.', 'bulk-delete' ), $addon_name );
289
							break;
290
291
						case 'revoked':
292
							$msg['msg'] = sprintf( __( 'The license key for "%s" addon is revoked. Kindly buy a new license.', 'bulk-delete' ), $addon_name );
293
							break;
294
295
						case 'expired':
296
							$msg['msg'] = sprintf( __( 'The license key for "%s" addon has expired. Kindly buy a new license.', 'bulk-delete' ), $addon_name );
297
							break;
298
299
						default:
300
							$msg['msg'] = sprintf( __( 'The license key for "%s" addon is invalid', 'bulk-delete' ), $addon_name );
301
							break;
302
					}
303
				}
304
			}
305
		}
306
307
		add_settings_error(
308
			Bulk_Delete::ADDON_PAGE_SLUG,
309
			'license-activation',
310
			$msg['msg'],
311
			$msg['type']
312
		);
313
314
		if ( ! $valid && isset( $key ) ) {
315
			delete_option( $key );
316
		}
317
318
		return $valid;
319
	}
320
321
	/**
322
	 * Validate the license for the given addon.
323
	 *
324
	 * @since 5.0
325
	 * @static
326
	 *
327
	 * @param string $addon_code Addon code
328
	 * @param string $addon_name Addon name
329
	 */
330
	public static function validate_license( $addon_code, $addon_name ) {
331
		$key = Bulk_Delete::LICENSE_CACHE_KEY_PREFIX . $addon_code;
332
333
		$license_data = false;
334
335
		$licenses = get_option( Bulk_Delete::SETTING_OPTION_NAME );
336
		if ( is_array( $licenses ) && key_exists( $addon_code, $licenses ) ) {
337
			$license_data = BD_EDD_API_Wrapper::check_license( $addon_name, $licenses[ $addon_code ] );
338
			if ( $license_data ) {
339
				$license_data['addon-code'] = $addon_code;
340
				$license_data['addon-name'] = $license_data['item_name'];
341
				update_option( $key, $license_data );
342
			} else {
343
				delete_option( $key );
344
			}
345
		}
346
347
		if ( $license_data && is_array( $license_data ) && key_exists( 'validity', $license_data ) ) {
348
			if ( 'valid' == $license_data['validity'] ) {
349
				if ( strtotime( 'now' ) > strtotime( $license_data['expires'] ) ) {
350
					$license_data['validity'] = 'expired';
351
					update_option( $key, $license_data );
352
				}
353
			}
354
		}
355
	}
356
}
357