Issues in APIRequestBuilder.php (develop) - Issues in develop - timw4mail/HummingBirdAnimeClient - Measure and Improve Code Quality continuously with Scrutinizer

Issues (287)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/API/APIRequestBuilder.php (9 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php declare(strict_types=1);
/**
 * Anime List Client
 *
 * An API client for Kitsu and MyAnimeList to manage anime and manga watch lists
 *
 * PHP version 7
 *
 * @package     AnimeListClient
 * @author      Timothy J. Warren <[email protected]>
 * @copyright   2015 - 2017  Timothy J. Warren
 * @license     http://www.opensource.org/licenses/mit-license.html  MIT License
 * @version     4.0
 * @link        https://github.com/timw4mail/HummingBirdAnimeClient
 */

namespace Aviat\AnimeClient\API;

use Amp;
use Amp\Artax\{
	Client,
	FormBody,
	Request
};
use Aviat\Ion\Di\ContainerAware;
use Aviat\Ion\Json;
use InvalidArgumentException;
use Psr\Log\LoggerAwareTrait;

/**
 * Wrapper around Artex to make it easier to build API requests
 */
class APIRequestBuilder {
	use LoggerAwareTrait;

	/**
	 * Url prefix for making url requests
	 * @var string
	 */
	protected $baseUrl = '';

	/**
	 * Url path of the request
	 * @var string
	 */
	protected $path = '';

	/**
	 * Query string for the request
	 * @var string
	 */
	protected $query = '';

	/**
	 * Default request headers
	 * @var array
	 */
	protected $defaultHeaders = [];

	/**
	 * Valid HTTP request methos
	 * @var array
	 */
	protected $validMethods = ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'];

	/**
	 * The current request
	 * @var \Amp\Promise
	 */
	protected $request;

	/**
	 * Set an authorization header
	 *
	 * @param string $type The type of authorization, eg, basic, bearer, etc.
	 * @param string $value The authorization value
	 * @return self
	 */
	public function setAuth(string $type, string $value): self
	{
		$authString = ucfirst($type) . ' ' . $value;
		$this->setHeader('Authorization', $authString);

		return $this;
	}

	/**
	 * Set a basic authentication header
	 *
	 * @param string $username
	 * @param string $password
	 * @return self
	 */
	public function setBasicAuth(string $username, string $password): self
	{
		$this->setAuth('basic', base64_encode($username . ':' . $password));
		return $this;
	}

	/**
	 * Set the request body
	 *
	 * @param FormBody|string $body
	 * @return self
	 */
	public function setBody($body): self
	{
		$this->request->setBody($body);

		return $this;
	}

	/**
	 * Set body as form fields
	 *
	 * @param array $fields Mapping of field names to values
	 * @return self
	 */
	public function setFormFields(array $fields): self
	{
		$this->setHeader("Content-Type", "application/x-www-form-urlencoded");
		$body = (new FormBody)->addFields($fields);
		$this->setBody($body);
function acceptsInteger($int) { }

$x = '123'; // string "123"

// Instead of
acceptsInteger($x);

// we recommend to use
acceptsInteger((integer) $x);
		return $this;
	}

	/**
	 * Set a request header
	 *
	 * @param string $name
	 * @param string $value
	 * @return self
	 */
	public function setHeader(string $name, string $value): self
	{
		$this->request->setHeader($name, $value);

		return $this;
	}

	/**
	 * Set multiple request headers
	 *
	 * name => value
	 *
	 * @param array $headers
	 * @return self
	 */
	public function setHeaders(array $headers): self
	{
		foreach ($headers as $name => $value)
		{
			$this->setHeader($name, $value);
		}

		return $this;
	}

	/**
	 * Set the request body
	 *
	 * @param mixed $body
	 * @return self
	 */
	public function setJsonBody($body): self
	{
		$requestBody = ( ! is_scalar($body))
			? Json::encode($body)
			: $body;
		
		return $this->setBody($requestBody);
	}

	/**
	 * Append a query string in array format
	 *
	 * @param array $params
	 * @return self
	 */
	public function setQuery(array $params): self
	{
		$this->query = http_build_query($params);
		return $this;
	}

	/**
	 * Return the promise for the current request
	 *
	 * @return \Amp\Promise
	 */
	public function getFullRequest()
	{
		$this->buildUri();

		if ($this->logger)
		{
			$this->logger->debug('API Request', [
				'request_url' => $this->request->getUri(),

				'request_headers' => $this->request->getAllHeaders(),

				'request_body' => $this->request->getBody()

			]);
		}

		return $this->request;
	}

	/**
	 * Create a new http request
	 *
	 * @param string $type
	 * @param string $uri
	 * @return self
	 */
	public function newRequest(string $type, string $uri): self
	{
		if ( ! in_array($type, $this->validMethods))
		{
			throw new InvalidArgumentException('Invalid HTTP methods');
		}

		$this->resetState();

		$this->request

			->setMethod($type)
			->setProtocol('1.1');

		$this->path = $uri;

		if ( ! empty($this->defaultHeaders))
		{
			$this->setHeaders($this->defaultHeaders);
		}

		return $this;
	}

	/**
	 * Create the full request url
	 *
	 * @return void
	 */
	private function buildUri()
	{
		$url = (strpos($this->path, '//') !== FALSE)
			? $this->path
			: $this->baseUrl . $this->path;

		if ( ! empty($this->query))
		{
			$url .= '?' . $this->query;
		}

		$this->request->setUri($url);

	}

	/**
	 * Reset the class state for a new request
	 *
	 * @return void
	 */
	private function resetState()
	{
		$this->path = '';
		$this->query = '';
		$this->request = new Request();

	}
}

1			<?php declare(strict_types=1);
2			/**
3			* Anime List Client
4			*
5			* An API client for Kitsu and MyAnimeList to manage anime and manga watch lists
6			*
7			* PHP version 7
8			*
9			* @package AnimeListClient
10			* @author Timothy J. Warren <[email protected]>
11			* @copyright 2015 - 2017 Timothy J. Warren
12			* @license http://www.opensource.org/licenses/mit-license.html MIT License
13			* @version 4.0
14			* @link https://github.com/timw4mail/HummingBirdAnimeClient
15			*/
16
17			namespace Aviat\AnimeClient\API;
18
19			use Amp;
20			use Amp\Artax\{
21			Client,
22			FormBody,
23			Request
24			};
25			use Aviat\Ion\Di\ContainerAware;
26			use Aviat\Ion\Json;
27			use InvalidArgumentException;
28			use Psr\Log\LoggerAwareTrait;
29
30			/**
31			* Wrapper around Artex to make it easier to build API requests
32			*/
33			class APIRequestBuilder {
34			use LoggerAwareTrait;
35
36			/**
37			* Url prefix for making url requests
38			* @var string
39			*/
40			protected $baseUrl = '';
41
42			/**
43			* Url path of the request
44			* @var string
45			*/
46			protected $path = '';
47
48			/**
49			* Query string for the request
50			* @var string
51			*/
52			protected $query = '';
53
54			/**
55			* Default request headers
56			* @var array
57			*/
58			protected $defaultHeaders = [];
59
60			/**
61			* Valid HTTP request methos
62			* @var array
63			*/
64			protected $validMethods = ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS'];
65
66			/**
67			* The current request
68			* @var \Amp\Promise
69			*/
70			protected $request;
71
72			/**
73			* Set an authorization header
74			*
75			* @param string $type The type of authorization, eg, basic, bearer, etc.
76			* @param string $value The authorization value
77			* @return self
78			*/
79			public function setAuth(string $type, string $value): self
80			{
81			$authString = ucfirst($type) . ' ' . $value;
82			$this->setHeader('Authorization', $authString);
83
84			return $this;
85			}
86
87			/**
88			* Set a basic authentication header
89			*
90			* @param string $username
91			* @param string $password
92			* @return self
93			*/
94			public function setBasicAuth(string $username, string $password): self
95			{
96			$this->setAuth('basic', base64_encode($username . ':' . $password));
97			return $this;
98			}
99
100			/**
101			* Set the request body
102			*
103			* @param FormBody\|string $body
104			* @return self
105			*/
106			public function setBody($body): self
107			{
108			$this->request->setBody($body);
			0 ignored issues – show Bug introduced 2017-02-08 01:51 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `setBody()` does not seem to exist on `object<Amp\Promise>`. This check looks for calls to methods that do not seem to exist on a given type. It looks for the method on the type itself as well as in inherited classes or implemented interfaces. This is most likely a typographical error or the method has been renamed. Loading history...
109			return $this;
110			}
111
112			/**
113			* Set body as form fields
114			*
115			* @param array $fields Mapping of field names to values
116			* @return self
117			*/
118			public function setFormFields(array $fields): self
119			{
120			$this->setHeader("Content-Type", "application/x-www-form-urlencoded");
121			$body = (new FormBody)->addFields($fields);
122			$this->setBody($body);
			0 ignored issues – show Documentation introduced 2017-02-13 19:31 UTC by Report Bug Copy Issue Report Show Similar Issues like this `$body` is of type `object<Amp\Artax\FormBody>`, but the function expects a `object<FormBody>\|string`. It seems like the type of the argument is not accepted by the function/method which you are calling. In some cases, in particular if PHP’s automatic type-juggling kicks in this might be fine. In other cases, however this might be a bug. We suggest to add an explicit type cast like in the following example: function acceptsInteger($int) { } $x = '123'; // string "123" // Instead of acceptsInteger($x); // we recommend to use acceptsInteger((integer) $x); Loading history...
123			return $this;
124			}
125
126			/**
127			* Set a request header
128			*
129			* @param string $name
130			* @param string $value
131			* @return self
132			*/
133			public function setHeader(string $name, string $value): self
134			{
135			$this->request->setHeader($name, $value);
			0 ignored issues – show Bug introduced 2017-02-08 01:51 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `setHeader()` does not seem to exist on `object<Amp\Promise>`. This check looks for calls to methods that do not seem to exist on a given type. It looks for the method on the type itself as well as in inherited classes or implemented interfaces. This is most likely a typographical error or the method has been renamed. Loading history...
136			return $this;
137			}
138
139			/**
140			* Set multiple request headers
141			*
142			* name => value
143			*
144			* @param array $headers
145			* @return self
146			*/
147			public function setHeaders(array $headers): self
148			{
149			foreach ($headers as $name => $value)
150			{
151			$this->setHeader($name, $value);
152			}
153
154			return $this;
155			}
156
157			/**
158			* Set the request body
159			*
160			* @param mixed $body
161			* @return self
162			*/
163			public function setJsonBody($body): self
164			{
165			$requestBody = ( ! is_scalar($body))
166			? Json::encode($body)
167			: $body;
168
169			return $this->setBody($requestBody);
170			}
171
172			/**
173			* Append a query string in array format
174			*
175			* @param array $params
176			* @return self
177			*/
178			public function setQuery(array $params): self
179			{
180			$this->query = http_build_query($params);
181			return $this;
182			}
183
184			/**
185			* Return the promise for the current request
186			*
187			* @return \Amp\Promise
188			*/
189			public function getFullRequest()
190			{
191			$this->buildUri();
192
193			if ($this->logger)
194			{
195			$this->logger->debug('API Request', [
196			'request_url' => $this->request->getUri(),
			0 ignored issues – show Bug introduced 2017-02-13 19:31 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `getUri()` does not seem to exist on `object<Amp\Promise>`. This check looks for calls to methods that do not seem to exist on a given type. It looks for the method on the type itself as well as in inherited classes or implemented interfaces. This is most likely a typographical error or the method has been renamed. Loading history...
197			'request_headers' => $this->request->getAllHeaders(),
			0 ignored issues – show Bug introduced 2017-02-13 19:31 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `getAllHeaders()` does not seem to exist on `object<Amp\Promise>`. This check looks for calls to methods that do not seem to exist on a given type. It looks for the method on the type itself as well as in inherited classes or implemented interfaces. This is most likely a typographical error or the method has been renamed. Loading history...
198			'request_body' => $this->request->getBody()
			0 ignored issues – show Bug introduced 2017-02-13 19:31 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `getBody()` does not seem to exist on `object<Amp\Promise>`. This check looks for calls to methods that do not seem to exist on a given type. It looks for the method on the type itself as well as in inherited classes or implemented interfaces. This is most likely a typographical error or the method has been renamed. Loading history...
199			]);
200			}
201
202			return $this->request;
203			}
204
205			/**
206			* Create a new http request
207			*
208			* @param string $type
209			* @param string $uri
210			* @return self
211			*/
212			public function newRequest(string $type, string $uri): self
213			{
214			if ( ! in_array($type, $this->validMethods))
215			{
216			throw new InvalidArgumentException('Invalid HTTP methods');
217			}
218
219			$this->resetState();
220
221			$this->request
			0 ignored issues – show Bug introduced 2017-02-08 01:51 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `setMethod()` does not seem to exist on `object<Amp\Promise>`. This check looks for calls to methods that do not seem to exist on a given type. It looks for the method on the type itself as well as in inherited classes or implemented interfaces. This is most likely a typographical error or the method has been renamed. Loading history...
222			->setMethod($type)
223			->setProtocol('1.1');
224
225			$this->path = $uri;
226
227			if ( ! empty($this->defaultHeaders))
228			{
229			$this->setHeaders($this->defaultHeaders);
230			}
231
232			return $this;
233			}
234
235			/**
236			* Create the full request url
237			*
238			* @return void
239			*/
240			private function buildUri()
241			{
242			$url = (strpos($this->path, '//') !== FALSE)
243			? $this->path
244			: $this->baseUrl . $this->path;
245
246			if ( ! empty($this->query))
247			{
248			$url .= '?' . $this->query;
249			}
250
251			$this->request->setUri($url);
			0 ignored issues – show Bug introduced 2017-02-08 01:51 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `setUri()` does not seem to exist on `object<Amp\Promise>`. This check looks for calls to methods that do not seem to exist on a given type. It looks for the method on the type itself as well as in inherited classes or implemented interfaces. This is most likely a typographical error or the method has been renamed. Loading history...
252			}
253
254			/**
255			* Reset the class state for a new request
256			*
257			* @return void
258			*/
259			private function resetState()
260			{
261			$this->path = '';
262			$this->query = '';
263			$this->request = new Request();
			0 ignored issues – show Documentation Bug introduced 2017-02-08 01:51 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `new \Amp\Artax\Request()` of type `object<Amp\Artax\Request>` is incompatible with the declared type `object<Amp\Promise>` of property `$request`. Our type inference engine has found an assignment to a property that is incompatible with the declared type of that property. Either this assignment is in error or the assigned type should be added to the documentation/type hint for that property.. Loading history...
264			}
265			}

timw4mail / HummingBirdAnimeClient

Issues (287)

Security Analysis not enabled

src/API/APIRequestBuilder.php (9 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like