This project does not seem to handle request data directly as such no vulnerable execution paths were found.
include
, or for example
via PHP's auto-loading mechanism.
These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more
1 | <?php |
||
2 | |||
3 | /* |
||
4 | * This file is part of the tmilos/jose-jwt package. |
||
5 | * |
||
6 | * (c) Milos Tomic <[email protected]> |
||
7 | * |
||
8 | * This source file is subject to the MIT license that is bundled |
||
9 | * with this source code in the file LICENSE. |
||
10 | */ |
||
11 | |||
12 | namespace Tmilos\JoseJwt; |
||
13 | |||
14 | use Tmilos\JoseJwt\Context\Context; |
||
15 | use Tmilos\JoseJwt\Error\IntegrityException; |
||
16 | use Tmilos\JoseJwt\Error\JoseJwtException; |
||
17 | use Tmilos\JoseJwt\Util\StringUtils; |
||
18 | use Tmilos\JoseJwt\Util\UrlSafeB64Encoder; |
||
19 | |||
20 | class Jwt |
||
21 | { |
||
22 | private function __construct() |
||
23 | { |
||
24 | } |
||
25 | |||
26 | /** |
||
27 | * @param Context $context |
||
28 | * @param array|object $payload |
||
29 | * @param string|resource $key |
||
30 | * @param string $jwsAlgorithm |
||
31 | * @param array $extraHeaders |
||
32 | * |
||
33 | * @return string |
||
34 | */ |
||
35 | public static function encode(Context $context, $payload, $key, $jwsAlgorithm, $extraHeaders = []) |
||
36 | { |
||
37 | $header = array_merge([ |
||
38 | 'alg' => '', |
||
39 | 'typ' => 'JWT', |
||
40 | ], $extraHeaders); |
||
41 | |||
42 | $hashAlgorithm = $context->jwsAlgorithms()->get($jwsAlgorithm); |
||
43 | if (null == $hashAlgorithm) { |
||
44 | throw new JoseJwtException(sprintf('Unknown algorithm "%s"', $jwsAlgorithm)); |
||
45 | } |
||
46 | |||
47 | $header['alg'] = $jwsAlgorithm; |
||
48 | |||
49 | $payloadString = StringUtils::payload2string($payload, $context->jsonMapper()); |
||
50 | |||
51 | $signingInput = implode('.', [ |
||
52 | UrlSafeB64Encoder::encode(json_encode($header)), |
||
53 | UrlSafeB64Encoder::encode($payloadString), |
||
54 | ]); |
||
55 | |||
56 | $signature = $hashAlgorithm->sign($signingInput, $key); |
||
0 ignored issues
–
show
|
|||
57 | $signature = UrlSafeB64Encoder::encode($signature); |
||
58 | |||
59 | return $signingInput.'.'.$signature; |
||
60 | } |
||
61 | |||
62 | /** |
||
63 | * @param Context $context |
||
64 | * @param string $token |
||
65 | * @param string|resource $key |
||
66 | * |
||
67 | * @return array |
||
68 | */ |
||
69 | public static function decode(Context $context, $token, $key) |
||
70 | { |
||
71 | if (empty($token) || trim($token) === '') { |
||
72 | throw new JoseJwtException('Incoming token expected to be in compact serialization form, but is empty'); |
||
73 | } |
||
74 | |||
75 | $parts = explode('.', $token); |
||
76 | if (count($parts) == 5) { |
||
77 | return Jwe::decode($context, $token, $key); |
||
0 ignored issues
–
show
The return type of
return \Tmilos\JoseJwt\J...context, $token, $key); (string ) is incompatible with the return type documented by Tmilos\JoseJwt\Jwt::decode of type array .
If you return a value from a function or method, it should be a sub-type of the type that is given by the parent type f.e. an interface, or abstract method. This is more formally defined by the Lizkov substitution principle, and guarantees that classes that depend on the parent type can use any instance of a child type interchangably. This principle also belongs to the SOLID principles for object oriented design. Let’s take a look at an example: class Author {
private $name;
public function __construct($name) {
$this->name = $name;
}
public function getName() {
return $this->name;
}
}
abstract class Post {
public function getAuthor() {
return 'Johannes';
}
}
class BlogPost extends Post {
public function getAuthor() {
return new Author('Johannes');
}
}
class ForumPost extends Post { /* ... */ }
function my_function(Post $post) {
echo strtoupper($post->getAuthor());
}
Our function ![]() |
|||
78 | } |
||
79 | |||
80 | $decodedParts = []; |
||
81 | foreach ($parts as $part) { |
||
82 | $decodedParts[] = UrlSafeB64Encoder::decode($part); |
||
83 | } |
||
84 | $header = json_decode($decodedParts[0], true); |
||
85 | if (null == $header) { |
||
86 | throw new JoseJwtException('Invalid header'); |
||
87 | } |
||
88 | |||
89 | // signed or plain JWT |
||
90 | $signedInput = $parts[0].'.'.$parts[1]; |
||
91 | $algorithmId = $header['alg']; |
||
92 | $algorithm = $context->jwsAlgorithms()->get($algorithmId); |
||
93 | if (null === $algorithm) { |
||
94 | throw new JoseJwtException(sprintf('Invalid algorithm "%s"', $algorithmId)); |
||
95 | } |
||
96 | |||
97 | if (false === $algorithm->verify($decodedParts[2], $signedInput, $key)) { |
||
0 ignored issues
–
show
It seems like
$key defined by parameter $key on line 69 can also be of type resource ; however, Tmilos\JoseJwt\Jws\JwsAlgorithm::verify() does only seem to accept string , maybe add an additional type check?
This check looks at variables that have been passed in as parameters and are passed out again to other methods. If the outgoing method call has stricter type requirements than the method itself, an issue is raised. An additional type check may prevent trouble. ![]() |
|||
98 | throw new IntegrityException('Invalid signature'); |
||
99 | } |
||
100 | |||
101 | return json_decode($decodedParts[1], true); |
||
102 | } |
||
103 | |||
104 | /** |
||
105 | * @param $token |
||
106 | * |
||
107 | * @return array |
||
108 | */ |
||
109 | View Code Duplication | public static function header($token) |
|
0 ignored issues
–
show
This method seems to be duplicated in your project.
Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. ![]() |
|||
110 | { |
||
111 | if (null === $token || trim($token) === '') { |
||
112 | throw new JoseJwtException('Incoming token expected to be in compact serialization form, but is empty'); |
||
113 | } |
||
114 | |||
115 | $parts = explode('.', $token); |
||
116 | if (count($parts) != 3 && count($parts) != 5) { |
||
117 | throw new JoseJwtException('Invalid JWT'); |
||
118 | } |
||
119 | |||
120 | $header = json_decode(UrlSafeB64Encoder::decode($parts[0]), true); |
||
121 | if (null == $header) { |
||
122 | throw new JoseJwtException('Invalid header'); |
||
123 | } |
||
124 | |||
125 | return $header; |
||
126 | } |
||
127 | |||
128 | /** |
||
129 | * @param $token |
||
130 | * |
||
131 | * @return array |
||
132 | */ |
||
133 | View Code Duplication | public static function payload($token) |
|
0 ignored issues
–
show
This method seems to be duplicated in your project.
Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. ![]() |
|||
134 | { |
||
135 | if (null === $token || trim($token) === '') { |
||
136 | throw new JoseJwtException('Incoming token expected to be in compact serialization form, but is empty'); |
||
137 | } |
||
138 | |||
139 | $parts = explode('.', $token); |
||
140 | if (count($parts) != 3) { |
||
141 | throw new JoseJwtException('Invalid JWT'); |
||
142 | } |
||
143 | |||
144 | $payload = json_decode(UrlSafeB64Encoder::decode($parts[1]), true); |
||
145 | if (null == $payload) { |
||
146 | throw new JoseJwtException('Invalid payload'); |
||
147 | } |
||
148 | |||
149 | return $payload; |
||
150 | } |
||
151 | } |
||
152 |
This check looks at variables that have been passed in as parameters and are passed out again to other methods.
If the outgoing method call has stricter type requirements than the method itself, an issue is raised.
An additional type check may prevent trouble.