Issues in SecurityUserDao.php (1.0) - Issues in 1.0 - thecodingmachine/security.daos.tdbm - Measure and Improve Code Quality continuously with Scrutinizer

Issues (7)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/DAO/SecurityUserDao.php (5 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

/*
 * This file has been automatically generated by TDBM.
 * DO NOT edit this file, as it might be overwritten.
 * If you need to perform changes, edit the UserDao class instead!
 */

namespace Mouf\Security\DAO;

use Mouf\Database\TDBM\TDBMService;
use Mouf\Security\Password\Api\ForgotYourPasswordDao;
use Mouf\Security\Password\Exception\EmailNotFoundException;
use Mouf\Security\Password\Exception\TokenNotFoundException;
use Mouf\Security\UserManagement\Api\UserListDao;
use Mouf\Security\UserService\UserDaoInterface;
use Mouf\Security\UserService\UserInterface;
use Porpaginas\Result;

/**
 * This class provides a TDBM implementation of the UserDaoInterface.
 */
class SecurityUserDao implements UserDaoInterface, ForgotYourPasswordDao, UserListDao
{
    /**
     * @var TDBMService
     */
    protected $tdbmService;

    /**
     * Sets the TDBM service used by this DAO.
     *
     * @param TDBMService $tdbmService
     */
    public function __construct(TDBMService $tdbmService)
    {
        $this->tdbmService = $tdbmService;
    }

    /**
     * Returns a user from its login and its password, or null if the login or credentials are false.
     *
     * @param string $login
     * @param string $password
     *
     * @return UserInterface
     */
    public function getUserByCredentials($login, $password)
    {
        $user = $this->findOne(['login' => $login]);
        if ($user === null) {
            return;
        }

        if (password_verify($password, $user->getPassword())) {
            return $user;
        } else {
            return;
        }
    }

    /**
     * Returns a user from its token.
     *
     * @param string $token
     *
     * @return UserInterface
     */
    public function getUserByToken($token)
    {
        $user = $this->findOne(['token' => $token]);
        if ($user === null) {
            throw TokenNotFoundException::notFound($token);
        }

        return $user;
    }

    /**
     * Discards a token.
     *
     * @param string $token
     */
    public function discardToken($token)
    {
        $user = $this->getUserByToken($token);
        $user->setToken(null);

        $this->tdbmService->save($user);

    }

    /**
     * Returns a user from its ID.
     *
     * @param string $id
     *
     * @return UserInterface
     */
    public function getUserById($id)
    {
        return $this->tdbmService->findObjectByPk('users', ['id' => $id], [], false);
    }

    /**
     * Returns a user from its login.
     *
     * @param string $login
     *
     * @return UserInterface
     */
    public function getUserByLogin($login)
    {
        return $this->findOne(['login' => $login]);
    }

    /**
     * Get a single UserBean specified by its filters.
     *
     * @param mixed $filter     The filter bag (see TDBMService::findObjects for complete description)
     * @param array $parameters The parameters associated with the filter
     *
     * @return UserInterface|null
     */
    private function findOne($filter = null, array $parameters = [])
    {
        return $this->tdbmService->findObject('users', $filter, $parameters);
    }

    /**
     * Sets $token for user whose mail is $email, stores the token in database.
     * Throws an EmailNotFoundException if the email is not part of the database.
     *
     * @param string $email
     *
     * @throws \Mouf\Security\Password\Api\EmailNotFoundException
     */
    public function setToken(string $email, string $token)
    {
        $user = $this->findOne(['email' => $email]);

        if ($user === null) {
            throw EmailNotFoundException::notFound($email);
        }

        $user->setToken($token);

        $this->tdbmService->save($user);
    }

    /**
     * Sets the password matching to $token and discards $token.
     * Throws an TokenNotFoundException if the token is not part of the database.
     *
     * @param string $token
     * @param string $password
     *
     * @throws \Mouf\Security\Password\Api\TokenNotFoundException
     */
    public function setPasswordAndDiscardToken(string $token, string $password)
    {
        $user = $this->getUserByToken($token);
        $user->setPassword($password);

        $user->setToken(null);

        $this->tdbmService->save($user);

    }

    /**
     * Returns a list of users, as a Porpaginas result.
     * This list can be filtered based on the $filters array, that can be really anything based on the filters you implement.
     *
     * @param array $filters
     * @param $orderBy
     * @param $direction
     * @return Result
     */
    public function search(array $filters, $orderBy, $direction) : Result
    {
        $sql = null;
        $parameters = [];
        if (isset($filters['q'])) {
            $sql = 'login LIKE :login';
            $parameters = [
                'login' => '%'.$filters['q'].'%'
            ];
        }

        return $this->tdbmService->findObjects('users', $sql, $parameters);
    }
}


1			<?php
2
3			/*
4			* This file has been automatically generated by TDBM.
5			* DO NOT edit this file, as it might be overwritten.
6			* If you need to perform changes, edit the UserDao class instead!
7			*/
8
9			namespace Mouf\Security\DAO;
10
11			use Mouf\Database\TDBM\TDBMService;
12			use Mouf\Security\Password\Api\ForgotYourPasswordDao;
13			use Mouf\Security\Password\Exception\EmailNotFoundException;
14			use Mouf\Security\Password\Exception\TokenNotFoundException;
15			use Mouf\Security\UserManagement\Api\UserListDao;
16			use Mouf\Security\UserService\UserDaoInterface;
17			use Mouf\Security\UserService\UserInterface;
18			use Porpaginas\Result;
19
20			/**
21			* This class provides a TDBM implementation of the UserDaoInterface.
22			*/
23			class SecurityUserDao implements UserDaoInterface, ForgotYourPasswordDao, UserListDao
24			{
25			/**
26			* @var TDBMService
27			*/
28			protected $tdbmService;
29
30			/**
31			* Sets the TDBM service used by this DAO.
32			*
33			* @param TDBMService $tdbmService
34			*/
35			public function __construct(TDBMService $tdbmService)
36			{
37			$this->tdbmService = $tdbmService;
38			}
39
40			/**
41			* Returns a user from its login and its password, or null if the login or credentials are false.
42			*
43			* @param string $login
44			* @param string $password
45			*
46			* @return UserInterface
47			*/
48			public function getUserByCredentials($login, $password)
49			{
50			$user = $this->findOne(['login' => $login]);
51			if ($user === null) {
52			return;
53			}
54
55			if (password_verify($password, $user->getPassword())) {
56			return $user;
57			} else {
58			return;
59			}
60			}
61
62			/**
63			* Returns a user from its token.
64			*
65			* @param string $token
66			*
67			* @return UserInterface
68			*/
69			public function getUserByToken($token)
70			{
71			$user = $this->findOne(['token' => $token]);
72			if ($user === null) {
73			throw TokenNotFoundException::notFound($token);
74			}
75
76			return $user;
77			}
78
79			/**
80			* Discards a token.
81			*
82			* @param string $token
83			*/
84			public function discardToken($token)
85			{
86			$user = $this->getUserByToken($token);
87			$user->setToken(null);
			0 ignored issues – show Bug introduced 2016-07-25 16:39 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `setToken()` does not seem to exist on `object<Mouf\Security\UserService\UserInterface>`. This check looks for calls to methods that do not seem to exist on a given type. It looks for the method on the type itself as well as in inherited classes or implemented interfaces. This is most likely a typographical error or the method has been renamed. Loading history...
88			$this->tdbmService->save($user);
			0 ignored issues – show Compatibility introduced 2016-07-25 16:39 UTC by Report Bug Copy Issue Report Show Similar Issues like this `$user` of type `object<Mouf\Security\UserService\UserInterface>` is not a sub-type of `object<Mouf\Database\TDBM\AbstractTDBMObject>`. It seems like you assume a concrete implementation of the interface `Mouf\Security\UserService\UserInterface` to be always present. This check looks for parameters that are defined as one type in their type hint or doc comment but seem to be used as a narrower type, i.e an implementation of an interface or a subclass. Consider changing the type of the parameter or doing an instanceof check before assuming your parameter is of the expected type. Loading history...
89			}
90
91			/**
92			* Returns a user from its ID.
93			*
94			* @param string $id
95			*
96			* @return UserInterface
97			*/
98			public function getUserById($id)
99			{
100			return $this->tdbmService->findObjectByPk('users', ['id' => $id], [], false);
101			}
102
103			/**
104			* Returns a user from its login.
105			*
106			* @param string $login
107			*
108			* @return UserInterface
109			*/
110			public function getUserByLogin($login)
111			{
112			return $this->findOne(['login' => $login]);
113			}
114
115			/**
116			* Get a single UserBean specified by its filters.
117			*
118			* @param mixed $filter The filter bag (see TDBMService::findObjects for complete description)
119			* @param array $parameters The parameters associated with the filter
120			*
121			* @return UserInterface\|null
122			*/
123			private function findOne($filter = null, array $parameters = [])
124			{
125			return $this->tdbmService->findObject('users', $filter, $parameters);
126			}
127
128			/**
129			* Sets $token for user whose mail is $email, stores the token in database.
130			* Throws an EmailNotFoundException if the email is not part of the database.
131			*
132			* @param string $email
133			*
134			* @throws \Mouf\Security\Password\Api\EmailNotFoundException
135			*/
136			public function setToken(string $email, string $token)
137			{
138			$user = $this->findOne(['email' => $email]);
139
140			if ($user === null) {
141			throw EmailNotFoundException::notFound($email);
142			}
143
144			$user->setToken($token);
145
146			$this->tdbmService->save($user);
147			}
148
149			/**
150			* Sets the password matching to $token and discards $token.
151			* Throws an TokenNotFoundException if the token is not part of the database.
152			*
153			* @param string $token
154			* @param string $password
155			*
156			* @throws \Mouf\Security\Password\Api\TokenNotFoundException
157			*/
158			public function setPasswordAndDiscardToken(string $token, string $password)
159			{
160			$user = $this->getUserByToken($token);
161			$user->setPassword($password);
			0 ignored issues – show Bug introduced 2016-07-25 16:39 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `setPassword()` does not seem to exist on `object<Mouf\Security\UserService\UserInterface>`. This check looks for calls to methods that do not seem to exist on a given type. It looks for the method on the type itself as well as in inherited classes or implemented interfaces. This is most likely a typographical error or the method has been renamed. Loading history...
162			$user->setToken(null);
			0 ignored issues – show Bug introduced 2016-07-25 16:39 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `setToken()` does not seem to exist on `object<Mouf\Security\UserService\UserInterface>`. This check looks for calls to methods that do not seem to exist on a given type. It looks for the method on the type itself as well as in inherited classes or implemented interfaces. This is most likely a typographical error or the method has been renamed. Loading history...
163			$this->tdbmService->save($user);
			0 ignored issues – show Compatibility introduced 2016-07-25 16:39 UTC by Report Bug Copy Issue Report Show Similar Issues like this `$user` of type `object<Mouf\Security\UserService\UserInterface>` is not a sub-type of `object<Mouf\Database\TDBM\AbstractTDBMObject>`. It seems like you assume a concrete implementation of the interface `Mouf\Security\UserService\UserInterface` to be always present. This check looks for parameters that are defined as one type in their type hint or doc comment but seem to be used as a narrower type, i.e an implementation of an interface or a subclass. Consider changing the type of the parameter or doing an instanceof check before assuming your parameter is of the expected type. Loading history...
164			}
165
166			/**
167			* Returns a list of users, as a Porpaginas result.
168			* This list can be filtered based on the $filters array, that can be really anything based on the filters you implement.
169			*
170			* @param array $filters
171			* @param $orderBy
172			* @param $direction
173			* @return Result
174			*/
175			public function search(array $filters, $orderBy, $direction) : Result
176			{
177			$sql = null;
178			$parameters = [];
179			if (isset($filters['q'])) {
180			$sql = 'login LIKE :login';
181			$parameters = [
182			'login' => '%'.$filters['q'].'%'
183			];
184			}
185
186			return $this->tdbmService->findObjects('users', $sql, $parameters);
187			}
188			}
189

thecodingmachine / security.daos.tdbm

Issues (7)

Security Analysis no request data

src/DAO/SecurityUserDao.php (5 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like