Issues in Otp.php (master) - Issues in master - vuongxuongminh/yii2-mfa - Measure and Improve Code Quality continuously with Scrutinizer

Issues (9)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Otp.php (2 issues)

Labels

Severity

Major 2

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * @link https://github.com/vuongxuongminh/yii2-mfa
 * @copyright Copyright (c) 2019 Vuong Xuong Minh
 * @license [New BSD License](http://www.opensource.org/licenses/bsd-license.php)
 */

namespace vxm\mfa;

use yii\base\BaseObject;
use yii\base\NotSupportedException;

use OTPHP\HOTP;
use OTPHP\TOTP;

use ParagonIE\ConstantTime\Base32;

/**
 * Class Otp support generate and validate by given secret key.
 *
 * @author Vuong Minh <[email protected]>
 * @since 1.0.0
 */
class Otp extends BaseObject
{
    /**
     * TOTP is a time based one-time password. It lives only for a few seconds (the period). You just have to be sure that the clock of your server and your device are synchronized. This is the most common OTP.
     */
    const TOTP = 0;

    /**
     * HOTP is a counter based one-time password. Every time a password is used, the counter is updated. You have to verify that the server and the device are synchronized.
     */
    const HOTP = 1;

    /**
     * @var string type of otp
     *
     * @see self::HOTP
     * @see self::TOTP
     */
    public $type = self::TOTP;

    /**
     * @var int otp digits. Default the number is 6
     */
    public $digits = 6;

    /**
     * @var string digest algorithm. Default is 'sha1' you can use any algorithm listed by hash_algos(). Note that most applications only support md5, sha1, sha256 and sha512.
     */
    public $digest = 'sha1';

    /**
     * @var string the template of qr code uri server. Please note that this URI MUST contain a placeholder {PROVISIONING_URI} for the OTP Provisioning URI.
     */
    public $qrCodeUriTemplate = 'https://chart.googleapis.com/chart?chs=200x200&chld=M|0&cht=qr&chl={PROVISIONING_URI}';

    /**
     * Generate an otp digits.
     *
     * @param string $secretKey the secret key use to generate an otp
     * @return string an otp generated by secret key given.
     *
     * @throws NotSupportedException
     */
    public function generate(string $secretKey)
    {
        return $this->createInstance($secretKey)->now();
    }

    /**
     * Validate an otp digits.
     *
     * @param string $secretKey the secret key use to validate an otp.
     * @param string $otp need to verify
     * @return bool weather an otp given is valid
     *
     * @throws NotSupportedException
     */
    public function validate(string $secretKey, string $otp)
    {
        return $this->createInstance($secretKey)->verify($otp);
    }

    /**
     * Get qr code for authenticator like google authenticator.
     *
     * @param string $secretKey the secret key an authenticator use to generating an otp.
     * @param array $params list of information use to show on an authenticator app.
     *
     * Example:
     * ```php
     * ['issuer' => 'VXM', 'label' => '[email protected]', 'image' => 'https://google.com']
     * ```
     * @return string the qr code uri
     * @throws NotSupportedException
     */
    public function getQrCodeUri(string $secretKey, array $params)
    {
        $instance = $this->createInstance($secretKey);

        foreach ($params as $param => $value) {
            $instance->setParameter($param, $value);
        }

        return $instance->getQrCodeUri($this->qrCodeUriTemplate);
    }

    /**
     * Create an otp instance.
     *
     * @param string $secretKey the secret key use to create an otp instance.
     *
     * @return HOTP|TOTP an object instance for generate and validate otp.
     * @throws NotSupportedException
     */
    protected function createInstance(string $secretKey)
    {
        $secretKey = Base32::encodeUpper($secretKey);

        if ($this->type === self::TOTP) {

            return TOTP::create($secretKey, 30, $this->digest, $this->digits);
        } elseif ($this->type === self::HOTP) {

            return HOTP::create($secretKey, 0, $this->digest, $this->digits);
        } else {
            throw new NotSupportedException("An otp type: `{$this->type}` is not supported!");
        }
    }

}


1		<?php
2		/**
3		* @link https://github.com/vuongxuongminh/yii2-mfa
4		* @copyright Copyright (c) 2019 Vuong Xuong Minh
5		* @license [New BSD License](http://www.opensource.org/licenses/bsd-license.php)
6		*/
7
8		namespace vxm\mfa;
9
10		use yii\base\BaseObject;
11		use yii\base\NotSupportedException;
12
13		use OTPHP\HOTP;
14		use OTPHP\TOTP;
15
16		use ParagonIE\ConstantTime\Base32;
17
18		/**
19		* Class Otp support generate and validate by given secret key.
20		*
21		* @author Vuong Minh <[email protected]>
22		* @since 1.0.0
23		*/
24		class Otp extends BaseObject
25		{
26		/**
27		* TOTP is a time based one-time password. It lives only for a few seconds (the period). You just have to be sure that the clock of your server and your device are synchronized. This is the most common OTP.
28		*/
29		const TOTP = 0;
30
31		/**
32		* HOTP is a counter based one-time password. Every time a password is used, the counter is updated. You have to verify that the server and the device are synchronized.
33		*/
34		const HOTP = 1;
35
36		/**
37		* @var string type of otp
38		*
39		* @see self::HOTP
40		* @see self::TOTP
41		*/
42		public $type = self::TOTP;
43
44		/**
45		* @var int otp digits. Default the number is 6
46		*/
47		public $digits = 6;
48
49		/**
50		* @var string digest algorithm. Default is 'sha1' you can use any algorithm listed by hash_algos(). Note that most applications only support md5, sha1, sha256 and sha512.
51		*/
52		public $digest = 'sha1';
53
54		/**
55		* @var string the template of qr code uri server. Please note that this URI MUST contain a placeholder {PROVISIONING_URI} for the OTP Provisioning URI.
56		*/
57		public $qrCodeUriTemplate = 'https://chart.googleapis.com/chart?chs=200x200&chld=M\|0&cht=qr&chl={PROVISIONING_URI}';
58
59		/**
60		* Generate an otp digits.
61		*
62		* @param string $secretKey the secret key use to generate an otp
63		* @return string an otp generated by secret key given.
64		*
65		* @throws NotSupportedException
66		*/
67	4	public function generate(string $secretKey)
68		{
69	4	return $this->createInstance($secretKey)->now();
70		}
71
72		/**
73		* Validate an otp digits.
74		*
75		* @param string $secretKey the secret key use to validate an otp.
76		* @param string $otp need to verify
77		* @return bool weather an otp given is valid
78		*
79		* @throws NotSupportedException
80		*/
81	3	public function validate(string $secretKey, string $otp)
82		{
83	3	return $this->createInstance($secretKey)->verify($otp);
84		}
85
86		/**
87		* Get qr code for authenticator like google authenticator.
88		*
89		* @param string $secretKey the secret key an authenticator use to generating an otp.
90		* @param array $params list of information use to show on an authenticator app.
91		*
92		* Example:
93		* ```php
94		* ['issuer' => 'VXM', 'label' => '[email protected]', 'image' => 'https://google.com']
95		* ```
96		* @return string the qr code uri
97		* @throws NotSupportedException
98		*/
99	3	public function getQrCodeUri(string $secretKey, array $params)
100		{
101	3	$instance = $this->createInstance($secretKey);
102
103	3	foreach ($params as $param => $value) {
104	2	$instance->setParameter($param, $value);
105		}
106
107	3	return $instance->getQrCodeUri($this->qrCodeUriTemplate);
108		}
109
110		/**
111		* Create an otp instance.
112		*
113		* @param string $secretKey the secret key use to create an otp instance.
114		*
115		* @return HOTP\|TOTP an object instance for generate and validate otp.
116		* @throws NotSupportedException
117		*/
118	8	protected function createInstance(string $secretKey)
119		{
120	8	$secretKey = Base32::encodeUpper($secretKey);
121
122	8	if ($this->type === self::TOTP) {
		0 ignored issues – show Unused Code Bug introduced 2019-04-09 18:04 UTC by Report Bug Copy Issue Report Show Similar Issues like this The strict comparison `===` seems to always evaluate to `false` as the types of `$this->type` (`string`) and `self::TOTP` (`integer`) can never be identical. Maybe you want to use a loose comparison `==` instead? Loading history...
123	8	return TOTP::create($secretKey, 30, $this->digest, $this->digits);
124		} elseif ($this->type === self::HOTP) {
		0 ignored issues – show Unused Code Bug introduced 2019-04-09 18:04 UTC by Report Bug Copy Issue Report Show Similar Issues like this The strict comparison `===` seems to always evaluate to `false` as the types of `$this->type` (`string`) and `self::HOTP` (`integer`) can never be identical. Maybe you want to use a loose comparison `==` instead? Loading history...
125		return HOTP::create($secretKey, 0, $this->digest, $this->digits);
126		} else {
127		throw new NotSupportedException("An otp type: `{$this->type}` is not supported!");
128		}
129		}
130
131		}
132

vuongxuongminh / yii2-mfa

Issues (9)

Security Analysis not enabled

src/Otp.php (2 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like