Issues in Postmark.php (master) - Issues in master - unyx/notify - Measure and Improve Code Quality continuously with Scrutinizer

Issues (50)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

transports/mail/drivers/Postmark.php (12 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php namespace nyx\notify\transports\mail\drivers;

// Internal dependencies
use nyx\notify\transports\mail;
.
|-- OtherDir
|   |-- Bar.php
|   `-- Foo.php
`-- SomeDir
    `-- Foo.php

/**
 * Postmark Mail Driver
 *
 * @package     Nyx\Notify
 * @version     0.1.0
 * @author      Michal Chojnacki <[email protected]>
 * @copyright   2012-2017 Nyx Dev Team
 * @link        https://github.com/unyx/nyx
 */
class Postmark implements mail\interfaces\Driver
{
    /**
     * The traits of a Postmark Mail Driver instance.
     */
    use traits\CountsRecipients;

    /**
     * @var string  The API key used to authorize requests to Postmark's API.
     */
    protected $key;

    /**
     * @var \GuzzleHttp\ClientInterface The underlying HTTP Client instance.
     */
    protected $client;

    /**
     * Creates a new Postmark Mail Driver instance.
     *
     * @param   \GuzzleHttp\ClientInterface $client     The HTTP Client to use.
     * @param   string                      $key        The API key to be used to authorize requests to Postmark's API.
     */
    public function __construct(\GuzzleHttp\ClientInterface $client, string $key)
    {
        $this->key    = $key;
        $this->client = $client;
    }

    /**
     * {@inheritdoc}
     */
    public function send(\Swift_Mime_Message $message, &$failures = null)

    {
        $this->client->request('POST','https://api.postmarkapp.com/email', [
            'headers' => [
                'X-Postmark-Server-Token' => $this->key
            ],
            'json' => $this->messageToPayload($message),
        ]);

        return $this->countRecipients($message);
    }

    /**
     * Converts a MIME Message to an array payload in a structure understood by Postmark's "email" endpoint.
     *
     * @param   \Swift_Mime_Message $message    The Message to convert.
     * @return  array                           The resulting payload.
     */
    protected function messageToPayload(\Swift_Mime_Message $message) : array

    {
        $payload = [
            'Subject' => $message->getSubject()
        ];

        $this->processHeaders($message, $payload);
        $this->processAddresses($message, $payload);
        $this->processMimeEntities($message, $payload);
        $this->processAttachments($message, $payload);

        return $payload;
    }

    /**
     * Processes the MIME headers of a MIME Message into the payload structure passed in by reference.
     *
     * @param   \Swift_Mime_Message $message    The MIME Message to process.
     * @param   array&              $payload    A reference to the payload structure.

     */
    protected function processHeaders(\Swift_Mime_Message $message, array &$payload)
    {
        if (!$headers = $message->getHeaders()->getAll()) {
            return;
        }

        $payload['Headers'] = [];

        /** @var \Swift_Mime_Header $header */
        foreach ($headers as $header) {

            // Omit headers which are handled elsewhere.
            if (in_array($fieldName = $header->getFieldName(), ['Subject', 'Content-Type', 'MIME-Version', 'Date', 'From', 'To'])) {

                continue;
            }

            if ($header instanceof \Swift_Mime_Headers_UnstructuredHeader || $header instanceof \Swift_Mime_Headers_OpenDKIMHeader) {

                // Special treatment for the 'X-PM-Tag' header if it's available, which we'll pass into the payload
                // directly.
                if ($fieldName === 'X-PM-Tag'){
                    $payload["Tag"] = $header->getValue();
                } else {
                    $payload['Headers'][] = [
                        "Name"  => $fieldName,
                        "Value" => $header->getValue()
                    ];
                }

                continue;
            }

            // All other headers are handled in the same fashion.
            $payload['Headers'][] = [
                "Name"  => $fieldName,
                "Value" => $header->getFieldBody()
            ];

            // @see http://developer.postmarkapp.com/developer-send-smtp.html
            if ($fieldName === 'Message-ID') {
                $payload['Headers'][] = [
                    "Name"  => 'X-PM-KeepID',
                    "Value" => 'true'
                ];
            }
        }
    }

    /**
     * Processes the fields containing e-mail addresses (from, to, cc, etc.) in the MIME Message into
     * the payload structure passed in by reference.
     *
     * @param   \Swift_Mime_Message $message    The MIME Message to process.
     * @param   array&              $payload    A reference to the payload structure.

     */
    protected function processAddresses(\Swift_Mime_Message $message, array &$payload)
    {
        $payload['From'] = $this->emailsToString($message->getFrom());
        $payload['To']   = $this->emailsToString($message->getTo());

        if ($cc = $message->getCc()) {
            $payload['Cc'] = $this->emailsToString($cc);
        }

        if ($bcc = $message->getBcc()) {
            $payload['Bcc'] = $this->emailsToString($bcc);
        }

        if ($replyTo = $message->getReplyTo()) {
            $payload['ReplyTo'] = $this->emailsToString($replyTo);
        }
    }

    /**
     * Converts an array of e-mail addresses into a string compliant with Postmark's API's format.
     *
     * @param   array   $emails     The e-mail addresses to convert.
     * @return  string
     */
    protected function emailsToString(array $emails) : string
    {
        $addresses = [];

        foreach ($emails as $email => $name) {
            $addresses[] = $name ? '"' . str_replace('"', '\\"', $name) . "\" <{$email}>" : $email;
        }

        return implode(',', $addresses);
    }

    /**
     * Processes the MIME entities in the MIME Message into the payload structure passed in by reference.
     *
     * @param   \Swift_Mime_Message $message    The MIME Message to process.
     * @param   array&              $payload    A reference to the payload structure.

     */
    protected function processMimeEntities(\Swift_Mime_Message $message, array &$payload)
    {
        switch ($message->getContentType()) {
            case 'text/html':
            case 'multipart/alternative':
            case 'multipart/mixed':

                $payload['HtmlBody'] = $message->getBody();

                if ($plain = $this->getMimePart($message, 'text/plain')) {
                    $payload['TextBody'] = $plain->getBody();
                }

                break;

            default:

                $payload['TextBody'] = $message->getBody();

                if ($html = $this->getMimePart($message, 'text/html')) {
                    $payload['HtmlBody'] = $html->getBody();
                }
        }
    }

    /**
     * Returns the MIME part of the specified content type contained in the given MIME message, if it's present.
     *
     * @param   \Swift_Mime_Message     $message    The MIME Message to process.
     * @param   string                  $mimeType   The content type the part to return must be of.
     * @return  \Swift_Mime_MimeEntity
     */
    protected function getMimePart(\Swift_Mime_Message $message, string $mimeType)

    {
        foreach ($message->getChildren() as $part) {
            if (0 === strpos($part->getContentType(), $mimeType) && !$part instanceof \Swift_Mime_Attachment) {
                return $part;
            }
        }
    }

    /**
     * Processes the attachments in the MIME Message into the payload structure passed in by reference.
     *
     * @param   \Swift_Mime_Message $message    The MIME Message to process.
     * @param   array&              $payload    A reference to the payload structure.

     */
    protected function processAttachments(\Swift_Mime_Message $message, array &$payload)

    {
        if (!$children = $message->getChildren()) {
            return;
        }

        $payload['Attachments'] = [];

        foreach ($children as $attachment) {

            // Omit all entities that aren't actually attachments.
            if (!$attachment instanceof \Swift_Mime_Attachment) {
                continue;
            }

            $data = [
                'Name'        => $attachment->getFilename(),
                'Content'     => base64_encode($attachment->getBody()),
                'ContentType' => $attachment->getContentType()
            ];

            if ($attachment->getDisposition() !== 'attachment' && null !== $attachment->getId()) {
                $data['ContentID'] = 'cid:'.$attachment->getId();
            }

            $payload['Attachments'][] = $data;
        }
    }
}


1		<?php namespace nyx\notify\transports\mail\drivers;
2
3		// Internal dependencies
4		use nyx\notify\transports\mail;
		0 ignored issues – show Bug introduced 2016-11-18 03:14 UTC by Report Bug Copy Issue Report Show Similar Issues like this This use statement conflicts with another class in this namespace, `nyx\notify\transports\mail\drivers\mail`. Let’s assume that you have a directory layout like this: . \|-- OtherDir \| \|-- Bar.php \| `-- Foo.php `-- SomeDir `-- Foo.php and let’s assume the following content of `Bar.php`: // Bar.php namespace OtherDir; use SomeDir\Foo; // This now conflicts the class OtherDir\Foo If both files `OtherDir/Foo.php` and `SomeDir/Foo.php` are loaded in the same runtime, you will see a PHP error such as the following: PHP Fatal error: Cannot use SomeDir\Foo as Foo because the name is already in use in OtherDir/Foo.php However, as `OtherDir/Foo.php` does not necessarily have to be loaded and the error is only triggered if it is loaded before `OtherDir/Bar.php`, this problem might go unnoticed for a while. In order to prevent this error from surfacing, you must import the namespace with a different alias: // Bar.php namespace OtherDir; use SomeDir\Foo as SomeDirFoo; // There is no conflict anymore. Loading history...
5
6		/**
7		* Postmark Mail Driver
8		*
9		* @package Nyx\Notify
10		* @version 0.1.0
11		* @author Michal Chojnacki <[email protected]>
12		* @copyright 2012-2017 Nyx Dev Team
13		* @link https://github.com/unyx/nyx
14		*/
15		class Postmark implements mail\interfaces\Driver
16		{
17		/**
18		* The traits of a Postmark Mail Driver instance.
19		*/
20		use traits\CountsRecipients;
21
22		/**
23		* @var string The API key used to authorize requests to Postmark's API.
24		*/
25		protected $key;
26
27		/**
28		* @var \GuzzleHttp\ClientInterface The underlying HTTP Client instance.
29		*/
30		protected $client;
31
32		/**
33		* Creates a new Postmark Mail Driver instance.
34		*
35		* @param \GuzzleHttp\ClientInterface $client The HTTP Client to use.
36		* @param string $key The API key to be used to authorize requests to Postmark's API.
37		*/
38		public function __construct(\GuzzleHttp\ClientInterface $client, string $key)
39		{
40		$this->key = $key;
41		$this->client = $client;
42		}
43
44		/**
45		* {@inheritdoc}
46		*/
47	View Code Duplication	public function send(\Swift_Mime_Message $message, &$failures = null)
		0 ignored issues – show Duplication introduced 2016-11-18 03:14 UTC by Report Bug Copy Issue Report Show Similar Issues like this This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
48		{
49		$this->client->request('POST','https://api.postmarkapp.com/email', [
50		'headers' => [
51		'X-Postmark-Server-Token' => $this->key
52		],
53		'json' => $this->messageToPayload($message),
54		]);
55
56		return $this->countRecipients($message);
57		}
58
59		/**
60		* Converts a MIME Message to an array payload in a structure understood by Postmark's "email" endpoint.
61		*
62		* @param \Swift_Mime_Message $message The Message to convert.
63		* @return array The resulting payload.
64		*/
65	View Code Duplication	protected function messageToPayload(\Swift_Mime_Message $message) : array
		0 ignored issues – show Duplication introduced 2016-11-18 03:14 UTC by Report Bug Copy Issue Report Show Similar Issues like this This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
66		{
67		$payload = [
68		'Subject' => $message->getSubject()
69		];
70
71		$this->processHeaders($message, $payload);
72		$this->processAddresses($message, $payload);
73		$this->processMimeEntities($message, $payload);
74		$this->processAttachments($message, $payload);
75
76		return $payload;
77		}
78
79		/**
80		* Processes the MIME headers of a MIME Message into the payload structure passed in by reference.
81		*
82		* @param \Swift_Mime_Message $message The MIME Message to process.
83		* @param array& $payload A reference to the payload structure.
		0 ignored issues – show Documentation introduced 2016-11-18 03:14 UTC by Report Bug Copy Issue Report Show Similar Issues like this The doc-type `array&` could not be parsed: Unknown type name "array&" at position 0. (view supported doc-types) This check marks PHPDoc comments that could not be parsed by our parser. To see which comment annotations we can parse, please refer to our documentation on supported doc-types. Loading history...
84		*/
85		protected function processHeaders(\Swift_Mime_Message $message, array &$payload)
86		{
87		if (!$headers = $message->getHeaders()->getAll()) {
88		return;
89		}
90
91		$payload['Headers'] = [];
92
93		/** @var \Swift_Mime_Header $header */
94		foreach ($headers as $header) {
95
96		// Omit headers which are handled elsewhere.
97	View Code Duplication	if (in_array($fieldName = $header->getFieldName(), ['Subject', 'Content-Type', 'MIME-Version', 'Date', 'From', 'To'])) {
		0 ignored issues – show Duplication introduced 2016-11-18 03:14 UTC by Report Bug Copy Issue Report Show Similar Issues like this This code seems to be duplicated across your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
98		continue;
99		}
100
101		if ($header instanceof \Swift_Mime_Headers_UnstructuredHeader \|\| $header instanceof \Swift_Mime_Headers_OpenDKIMHeader) {
102
103		// Special treatment for the 'X-PM-Tag' header if it's available, which we'll pass into the payload
104		// directly.
105		if ($fieldName === 'X-PM-Tag'){
106		$payload["Tag"] = $header->getValue();
107		} else {
108		$payload['Headers'][] = [
109		"Name" => $fieldName,
110		"Value" => $header->getValue()
111		];
112		}
113
114		continue;
115		}
116
117		// All other headers are handled in the same fashion.
118		$payload['Headers'][] = [
119		"Name" => $fieldName,
120		"Value" => $header->getFieldBody()
121		];
122
123		// @see http://developer.postmarkapp.com/developer-send-smtp.html
124		if ($fieldName === 'Message-ID') {
125		$payload['Headers'][] = [
126		"Name" => 'X-PM-KeepID',
127		"Value" => 'true'
128		];
129		}
130		}
131		}
132
133		/**
134		* Processes the fields containing e-mail addresses (from, to, cc, etc.) in the MIME Message into
135		* the payload structure passed in by reference.
136		*
137		* @param \Swift_Mime_Message $message The MIME Message to process.
138		* @param array& $payload A reference to the payload structure.
		0 ignored issues – show Documentation introduced 2016-11-18 03:14 UTC by Report Bug Copy Issue Report Show Similar Issues like this The doc-type `array&` could not be parsed: Unknown type name "array&" at position 0. (view supported doc-types) This check marks PHPDoc comments that could not be parsed by our parser. To see which comment annotations we can parse, please refer to our documentation on supported doc-types. Loading history...
139		*/
140		protected function processAddresses(\Swift_Mime_Message $message, array &$payload)
141		{
142		$payload['From'] = $this->emailsToString($message->getFrom());
143		$payload['To'] = $this->emailsToString($message->getTo());
144
145		if ($cc = $message->getCc()) {
146		$payload['Cc'] = $this->emailsToString($cc);
147		}
148
149		if ($bcc = $message->getBcc()) {
150		$payload['Bcc'] = $this->emailsToString($bcc);
151		}
152
153		if ($replyTo = $message->getReplyTo()) {
154		$payload['ReplyTo'] = $this->emailsToString($replyTo);
155		}
156		}
157
158		/**
159		* Converts an array of e-mail addresses into a string compliant with Postmark's API's format.
160		*
161		* @param array $emails The e-mail addresses to convert.
162		* @return string
163		*/
164		protected function emailsToString(array $emails) : string
165		{
166		$addresses = [];
167
168		foreach ($emails as $email => $name) {
169		$addresses[] = $name ? '"' . str_replace('"', '\\"', $name) . "\" <{$email}>" : $email;
170		}
171
172		return implode(',', $addresses);
173		}
174
175		/**
176		* Processes the MIME entities in the MIME Message into the payload structure passed in by reference.
177		*
178		* @param \Swift_Mime_Message $message The MIME Message to process.
179		* @param array& $payload A reference to the payload structure.
		0 ignored issues – show Documentation introduced 2016-11-18 03:14 UTC by Report Bug Copy Issue Report Show Similar Issues like this The doc-type `array&` could not be parsed: Unknown type name "array&" at position 0. (view supported doc-types) This check marks PHPDoc comments that could not be parsed by our parser. To see which comment annotations we can parse, please refer to our documentation on supported doc-types. Loading history...
180		*/
181		protected function processMimeEntities(\Swift_Mime_Message $message, array &$payload)
182		{
183		switch ($message->getContentType()) {
184		case 'text/html':
185		case 'multipart/alternative':
186	View Code Duplication	case 'multipart/mixed':
		0 ignored issues – show Duplication introduced 2016-11-18 03:14 UTC by Report Bug Copy Issue Report Show Similar Issues like this This code seems to be duplicated across your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
187		$payload['HtmlBody'] = $message->getBody();
188
189		if ($plain = $this->getMimePart($message, 'text/plain')) {
190		$payload['TextBody'] = $plain->getBody();
191		}
192
193		break;
194
195	View Code Duplication	default:
		0 ignored issues – show Duplication introduced 2016-11-18 03:14 UTC by Report Bug Copy Issue Report Show Similar Issues like this This code seems to be duplicated across your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
196		$payload['TextBody'] = $message->getBody();
197
198		if ($html = $this->getMimePart($message, 'text/html')) {
199		$payload['HtmlBody'] = $html->getBody();
200		}
201		}
202		}
203
204		/**
205		* Returns the MIME part of the specified content type contained in the given MIME message, if it's present.
206		*
207		* @param \Swift_Mime_Message $message The MIME Message to process.
208		* @param string $mimeType The content type the part to return must be of.
209		* @return \Swift_Mime_MimeEntity
210		*/
211	View Code Duplication	protected function getMimePart(\Swift_Mime_Message $message, string $mimeType)
		0 ignored issues – show Duplication introduced 2016-11-18 03:14 UTC by Report Bug Copy Issue Report Show Similar Issues like this This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
212		{
213		foreach ($message->getChildren() as $part) {
214		if (0 === strpos($part->getContentType(), $mimeType) && !$part instanceof \Swift_Mime_Attachment) {
215		return $part;
216		}
217		}
218		}
219
220		/**
221		* Processes the attachments in the MIME Message into the payload structure passed in by reference.
222		*
223		* @param \Swift_Mime_Message $message The MIME Message to process.
224		* @param array& $payload A reference to the payload structure.
		0 ignored issues – show Documentation introduced 2016-11-18 03:14 UTC by Report Bug Copy Issue Report Show Similar Issues like this The doc-type `array&` could not be parsed: Unknown type name "array&" at position 0. (view supported doc-types) This check marks PHPDoc comments that could not be parsed by our parser. To see which comment annotations we can parse, please refer to our documentation on supported doc-types. Loading history...
225		*/
226	View Code Duplication	protected function processAttachments(\Swift_Mime_Message $message, array &$payload)
		0 ignored issues – show Duplication introduced 2016-11-18 03:14 UTC by Report Bug Copy Issue Report Show Similar Issues like this This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
227		{
228		if (!$children = $message->getChildren()) {
229		return;
230		}
231
232		$payload['Attachments'] = [];
233
234		foreach ($children as $attachment) {
235
236		// Omit all entities that aren't actually attachments.
237		if (!$attachment instanceof \Swift_Mime_Attachment) {
238		continue;
239		}
240
241		$data = [
242		'Name' => $attachment->getFilename(),
243		'Content' => base64_encode($attachment->getBody()),
244		'ContentType' => $attachment->getContentType()
245		];
246
247		if ($attachment->getDisposition() !== 'attachment' && null !== $attachment->getId()) {
248		$data['ContentID'] = 'cid:'.$attachment->getId();
249		}
250
251		$payload['Attachments'][] = $data;
252		}
253		}
254		}
255

unyx / notify

Issues (50)

Security Analysis no request data

transports/mail/drivers/Postmark.php (12 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like