Issues in JsonDecoder.php (master) - Issues in master - webmozart/json - Measure and Improve Code Quality continuously with Scrutinizer

Issues (20)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/JsonDecoder.php (6 issues)

Labels

Severity

Informational 6

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

/*
 * This file is part of the Webmozart JSON package.
 *
 * (c) Bernhard Schussek <[email protected]>
 *
 * For the full copyright and license information, please view the LICENSE
 * file that was distributed with this source code.
 */

namespace Webmozart\Json;

use Seld\JsonLint\JsonParser;
use Seld\JsonLint\ParsingException;

/**
 * Decodes JSON strings/files and validates against a JSON schema.
 *
 * @since  1.0
 *
 * @author Bernhard Schussek <[email protected]>
 */
class JsonDecoder
{
    /**
     * Decode a JSON value as PHP object.
     */
    const OBJECT = 0;

    /**
     * Decode a JSON value as associative array.
     */
    const ASSOC_ARRAY = 1;

    /**
     * Decode a JSON value as float.
     */
    const FLOAT = 2;

    /**
     * Decode a JSON value as string.
     */
    const STRING = 3;

    /**
     * @var JsonValidator
     */
    private $validator;

    /**
     * @var int
     */
    private $objectDecoding = self::OBJECT;

    /**
     * @var int
     */
    private $bigIntDecoding = self::FLOAT;

    /**
     * @var int
     */
    private $maxDepth = 512;

    /**
     * Creates a new decoder.
     *
     * @param null|JsonValidator $validator
     */
    public function __construct(JsonValidator $validator = null)
    {
        $this->validator = $validator ?: new JsonValidator();
    }

    /**
     * Decodes and validates a JSON string.
     *
     * If a schema is passed, the decoded object is validated against that
     * schema. The schema may be passed as file path or as object returned from
     * `JsonDecoder::decodeFile($schemaFile)`.
     *
     * You can adjust the decoding with {@link setObjectDecoding()},
     * {@link setBigIntDecoding()} and {@link setMaxDepth()}.
     *
     * Schema validation is not supported when objects are decoded as
     * associative arrays.
     *
     * @param string        $json   The JSON string
     * @param string|object $schema The schema file or object

     *
     * @return mixed The decoded value
     *
     * @throws DecodingFailedException   If the JSON string could not be decoded
     * @throws ValidationFailedException If the decoded string fails schema
     *                                   validation
     * @throws InvalidSchemaException    If the schema is invalid
     */
    public function decode($json, $schema = null)
    {
        if (self::ASSOC_ARRAY === $this->objectDecoding && null !== $schema) {
            throw new \InvalidArgumentException(
                'Schema validation is not supported when objects are decoded '.
                'as associative arrays. Call '.
                'JsonDecoder::setObjectDecoding(JsonDecoder::JSON_OBJECT) to fix.'
            );
        }

        $decoded = $this->decodeJson($json);

        if (null !== $schema) {
            $errors = $this->validator->validate($decoded, $schema);

            if (count($errors) > 0) {
                throw ValidationFailedException::fromErrors($errors);
            }
        }

        return $decoded;
    }

    /**
     * Decodes and validates a JSON file.
     *
     * @param string        $path   The path to the JSON file
     * @param string|object $schema The schema file or object

     *
     * @return mixed The decoded file
     *
     * @throws FileNotFoundException     If the file was not found
     * @throws DecodingFailedException   If the file could not be decoded
     * @throws ValidationFailedException If the decoded file fails schema
     *                                   validation
     * @throws InvalidSchemaException    If the schema is invalid
     *
     * @see decode
     */
    public function decodeFile($path, $schema = null)
    {
        if (!file_exists($path)) {
            throw new FileNotFoundException(sprintf(
                'The file %s does not exist.',
                $path
            ));
        }

        $errorMessage = null;
        $errorCode = 0;

        set_error_handler(function ($errno, $errstr) use (&$errorMessage, &$errorCode) {
            $errorMessage = $errstr;
            $errorCode = $errno;
        });

        $content = file_get_contents($path);

        restore_error_handler();

        if (null !== $errorMessage) {

            if (false !== $pos = strpos($errorMessage, '): ')) {
                // cut "file_get_contents(%path%):" to make message more readable
                $errorMessage = substr($errorMessage, $pos + 3);
            }

            throw new IOException(sprintf(
                'Could not read %s: %s (%s)',
                $path,
                $errorMessage,
                $errorCode
            ), $errorCode);
        }

        try {
            return $this->decode($content, $schema);
        } catch (DecodingFailedException $e) {
            // Add the file name to the exception
            throw new DecodingFailedException(sprintf(
                'An error happened while decoding %s: %s',
                $path,
                $e->getMessage()
            ), $e->getCode(), $e);
        } catch (ValidationFailedException $e) {
            // Add the file name to the exception
            throw new ValidationFailedException(sprintf(
                "Validation of %s failed:\n%s",
                $path,
                $e->getErrorsAsString()
            ), $e->getErrors(), $e->getCode(), $e);
        } catch (InvalidSchemaException $e) {
            // Add the file name to the exception
            throw new InvalidSchemaException(sprintf(
                'An error happened while decoding %s: %s',
                $path,
                $e->getMessage()
            ), $e->getCode(), $e);
        }
    }

    /**
     * Returns the maximum recursion depth.
     *
     * A depth of zero means that objects are not allowed. A depth of one means
     * only one level of objects or arrays is allowed.
     *
     * @return int The maximum recursion depth
     */
    public function getMaxDepth()
    {
        return $this->maxDepth;
    }

    /**
     * Sets the maximum recursion depth.
     *
     * If the depth is exceeded during decoding, an {@link DecodingnFailedException}
     * will be thrown.
     *
     * A depth of zero means that objects are not allowed. A depth of one means
     * only one level of objects or arrays is allowed.
     *
     * @param int $maxDepth The maximum recursion depth
     *
     * @throws \InvalidArgumentException If the depth is not an integer greater
     *                                   than or equal to zero
     */
    public function setMaxDepth($maxDepth)

    {
        if (!is_int($maxDepth)) {
            throw new \InvalidArgumentException(sprintf(
                'The maximum depth should be an integer. Got: %s',
                is_object($maxDepth) ? get_class($maxDepth) : gettype($maxDepth)
            ));
        }

        if ($maxDepth < 1) {
            throw new \InvalidArgumentException(sprintf(
                'The maximum depth should 1 or greater. Got: %s',
                $maxDepth
            ));
        }

        $this->maxDepth = $maxDepth;
    }

    /**
     * Returns the decoding of JSON objects.
     *
     * @return int One of the constants {@link JSON_OBJECT} and {@link ASSOC_ARRAY}
     */
    public function getObjectDecoding()
    {
        return $this->objectDecoding;
    }

    /**
     * Sets the decoding of JSON objects.
     *
     * By default, JSON objects are decoded as instances of {@link \stdClass}.
     *
     * @param int $decoding One of the constants {@link JSON_OBJECT} and {@link ASSOC_ARRAY}
     *
     * @throws \InvalidArgumentException If the passed decoding is invalid
     */
    public function setObjectDecoding($decoding)

    {
        if (self::OBJECT !== $decoding && self::ASSOC_ARRAY !== $decoding) {
            throw new \InvalidArgumentException(sprintf(
                'Expected JsonDecoder::JSON_OBJECT or JsonDecoder::ASSOC_ARRAY. '.
                'Got: %s',
                $decoding
            ));
        }

        $this->objectDecoding = $decoding;
    }

    /**
     * Returns the decoding of big integers.
     *
     * @return int One of the constants {@link FLOAT} and {@link JSON_STRING}
     */
    public function getBigIntDecoding()
    {
        return $this->bigIntDecoding;
    }

    /**
     * Sets the decoding of big integers.
     *
     * By default, big integers are decoded as floats.
     *
     * @param int $decoding One of the constants {@link FLOAT} and {@link JSON_STRING}
     *
     * @throws \InvalidArgumentException If the passed decoding is invalid
     */
    public function setBigIntDecoding($decoding)

    {
        if (self::FLOAT !== $decoding && self::STRING !== $decoding) {
            throw new \InvalidArgumentException(sprintf(
                'Expected JsonDecoder::FLOAT or JsonDecoder::JSON_STRING. '.
                'Got: %s',
                $decoding
            ));
        }

        $this->bigIntDecoding = $decoding;
    }

    private function decodeJson($json)
    {
        $assoc = self::ASSOC_ARRAY === $this->objectDecoding;

        if (PHP_VERSION_ID >= 50400 && !defined('JSON_C_VERSION')) {
            $options = self::STRING === $this->bigIntDecoding ? JSON_BIGINT_AS_STRING : 0;

            $decoded = json_decode($json, $assoc, $this->maxDepth, $options);
        } else {
            $decoded = json_decode($json, $assoc, $this->maxDepth);
        }

        // Data could not be decoded
        if (null === $decoded && 'null' !== $json) {
            $parser = new JsonParser();
            $e = $parser->lint($json);

            if ($e instanceof ParsingException) {
                throw new DecodingFailedException(sprintf(
                    'The JSON data could not be decoded: %s.',
                    $e->getMessage()
                ), 0, $e);
            }

            // $e is null if json_decode() failed, but the linter did not find
            // any problems. Happens for example when the max depth is exceeded.
            throw new DecodingFailedException(sprintf(
                'The JSON data could not be decoded: %s.',
                JsonError::getLastErrorMessage()
            ), json_last_error());
        }

        return $decoded;
    }
}


1			<?php
2
3			/*
4			* This file is part of the Webmozart JSON package.
5			*
6			* (c) Bernhard Schussek <[email protected]>
7			*
8			* For the full copyright and license information, please view the LICENSE
9			* file that was distributed with this source code.
10			*/
11
12			namespace Webmozart\Json;
13
14			use Seld\JsonLint\JsonParser;
15			use Seld\JsonLint\ParsingException;
16
17			/**
18			* Decodes JSON strings/files and validates against a JSON schema.
19			*
20			* @since 1.0
21			*
22			* @author Bernhard Schussek <[email protected]>
23			*/
24			class JsonDecoder
25			{
26			/**
27			* Decode a JSON value as PHP object.
28			*/
29			const OBJECT = 0;
30
31			/**
32			* Decode a JSON value as associative array.
33			*/
34			const ASSOC_ARRAY = 1;
35
36			/**
37			* Decode a JSON value as float.
38			*/
39			const FLOAT = 2;
40
41			/**
42			* Decode a JSON value as string.
43			*/
44			const STRING = 3;
45
46			/**
47			* @var JsonValidator
48			*/
49			private $validator;
50
51			/**
52			* @var int
53			*/
54			private $objectDecoding = self::OBJECT;
55
56			/**
57			* @var int
58			*/
59			private $bigIntDecoding = self::FLOAT;
60
61			/**
62			* @var int
63			*/
64			private $maxDepth = 512;
65
66			/**
67			* Creates a new decoder.
68			*
69			* @param null\|JsonValidator $validator
70			*/
71	36		public function __construct(JsonValidator $validator = null)
72			{
73	36		$this->validator = $validator ?: new JsonValidator();
74	36		}
75
76			/**
77			* Decodes and validates a JSON string.
78			*
79			* If a schema is passed, the decoded object is validated against that
80			* schema. The schema may be passed as file path or as object returned from
81			* `JsonDecoder::decodeFile($schemaFile)`.
82			*
83			* You can adjust the decoding with {@link setObjectDecoding()},
84			* {@link setBigIntDecoding()} and {@link setMaxDepth()}.
85			*
86			* Schema validation is not supported when objects are decoded as
87			* associative arrays.
88			*
89			* @param string $json The JSON string
90			* @param string\|object $schema The schema file or object
			0 ignored issues – show Documentation introduced 2015-12-11 17:38 UTC by Report Bug Copy Issue Report Show Similar Issues like this Should the type for parameter `$schema` not be `string\|object\|null`? This check looks for `@param` annotations where the type inferred by our type inference engine differs from the declared type. It makes a suggestion as to what type it considers more descriptive. Most often this is a case of a parameter that can be null in addition to its declared types. Loading history...
91			*
92			* @return mixed The decoded value
93			*
94			* @throws DecodingFailedException If the JSON string could not be decoded
95			* @throws ValidationFailedException If the decoded string fails schema
96			* validation
97			* @throws InvalidSchemaException If the schema is invalid
98			*/
99	26		public function decode($json, $schema = null)
100			{
101	26		if (self::ASSOC_ARRAY === $this->objectDecoding && null !== $schema) {
102	1		throw new \InvalidArgumentException(
103			'Schema validation is not supported when objects are decoded '.
104			'as associative arrays. Call '.
105	1		'JsonDecoder::setObjectDecoding(JsonDecoder::JSON_OBJECT) to fix.'
106			);
107			}
108
109	25		$decoded = $this->decodeJson($json);
110
111	21		if (null !== $schema) {
112	7		$errors = $this->validator->validate($decoded, $schema);
113
114	6		if (count($errors) > 0) {
115	4		throw ValidationFailedException::fromErrors($errors);
116			}
117			}
118
119	16		return $decoded;
120			}
121
122			/**
123			* Decodes and validates a JSON file.
124			*
125			* @param string $path The path to the JSON file
126			* @param string\|object $schema The schema file or object
			0 ignored issues – show Documentation introduced 2016-08-10 07:53 UTC by Report Bug Copy Issue Report Show Similar Issues like this Should the type for parameter `$schema` not be `string\|object\|null`? This check looks for `@param` annotations where the type inferred by our type inference engine differs from the declared type. It makes a suggestion as to what type it considers more descriptive. Most often this is a case of a parameter that can be null in addition to its declared types. Loading history...
127			*
128			* @return mixed The decoded file
129			*
130			* @throws FileNotFoundException If the file was not found
131			* @throws DecodingFailedException If the file could not be decoded
132			* @throws ValidationFailedException If the decoded file fails schema
133			* validation
134			* @throws InvalidSchemaException If the schema is invalid
135			*
136			* @see decode
137			*/
138	7		public function decodeFile($path, $schema = null)
139			{
140	7		if (!file_exists($path)) {
141	1		throw new FileNotFoundException(sprintf(
142	1		'The file %s does not exist.',
143			$path
144			));
145			}
146
147	6		$errorMessage = null;
148	6		$errorCode = 0;
149
150	6		set_error_handler(function ($errno, $errstr) use (&$errorMessage, &$errorCode) {
151	1		$errorMessage = $errstr;
152	1		$errorCode = $errno;
153	6		});
154
155	6		$content = file_get_contents($path);
156
157	6		restore_error_handler();
158
159	6	View Code Duplication	if (null !== $errorMessage) {
			0 ignored issues – show Duplication introduced 2015-12-11 17:38 UTC by Report Bug Copy Issue Report Show Similar Issues like this This code seems to be duplicated across your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
160	1		if (false !== $pos = strpos($errorMessage, '): ')) {
161			// cut "file_get_contents(%path%):" to make message more readable
162	1		$errorMessage = substr($errorMessage, $pos + 3);
163			}
164
165	1		throw new IOException(sprintf(
166	1		'Could not read %s: %s (%s)',
167			$path,
168			$errorMessage,
169			$errorCode
170			), $errorCode);
171			}
172
173			try {
174	5		return $this->decode($content, $schema);
175	4		} catch (DecodingFailedException $e) {
176			// Add the file name to the exception
177	1		throw new DecodingFailedException(sprintf(
178	1		'An error happened while decoding %s: %s',
179			$path,
180	1		$e->getMessage()
181	1		), $e->getCode(), $e);
182	3		} catch (ValidationFailedException $e) {
183			// Add the file name to the exception
184	2		throw new ValidationFailedException(sprintf(
185	2		"Validation of %s failed:\n%s",
186			$path,
187	2		$e->getErrorsAsString()
188	2		), $e->getErrors(), $e->getCode(), $e);
189	1		} catch (InvalidSchemaException $e) {
190			// Add the file name to the exception
191	1		throw new InvalidSchemaException(sprintf(
192	1		'An error happened while decoding %s: %s',
193			$path,
194	1		$e->getMessage()
195	1		), $e->getCode(), $e);
196			}
197			}
198
199			/**
200			* Returns the maximum recursion depth.
201			*
202			* A depth of zero means that objects are not allowed. A depth of one means
203			* only one level of objects or arrays is allowed.
204			*
205			* @return int The maximum recursion depth
206			*/
207			public function getMaxDepth()
208			{
209			return $this->maxDepth;
210			}
211
212			/**
213			* Sets the maximum recursion depth.
214			*
215			* If the depth is exceeded during decoding, an {@link DecodingnFailedException}
216			* will be thrown.
217			*
218			* A depth of zero means that objects are not allowed. A depth of one means
219			* only one level of objects or arrays is allowed.
220			*
221			* @param int $maxDepth The maximum recursion depth
222			*
223			* @throws \InvalidArgumentException If the depth is not an integer greater
224			* than or equal to zero
225			*/
226	6	View Code Duplication	public function setMaxDepth($maxDepth)
			0 ignored issues – show Duplication introduced 2015-12-11 17:38 UTC by Report Bug Copy Issue Report Show Similar Issues like this This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
227			{
228	6		if (!is_int($maxDepth)) {
229	1		throw new \InvalidArgumentException(sprintf(
230	1		'The maximum depth should be an integer. Got: %s',
231	1		is_object($maxDepth) ? get_class($maxDepth) : gettype($maxDepth)
232			));
233			}
234
235	5		if ($maxDepth < 1) {
236	1		throw new \InvalidArgumentException(sprintf(
237	1		'The maximum depth should 1 or greater. Got: %s',
238			$maxDepth
239			));
240			}
241
242	4		$this->maxDepth = $maxDepth;
243	4		}
244
245			/**
246			* Returns the decoding of JSON objects.
247			*
248			* @return int One of the constants {@link JSON_OBJECT} and {@link ASSOC_ARRAY}
249			*/
250			public function getObjectDecoding()
251			{
252			return $this->objectDecoding;
253			}
254
255			/**
256			* Sets the decoding of JSON objects.
257			*
258			* By default, JSON objects are decoded as instances of {@link \stdClass}.
259			*
260			* @param int $decoding One of the constants {@link JSON_OBJECT} and {@link ASSOC_ARRAY}
261			*
262			* @throws \InvalidArgumentException If the passed decoding is invalid
263			*/
264	7	View Code Duplication	public function setObjectDecoding($decoding)
			0 ignored issues – show Duplication introduced 2015-12-11 17:38 UTC by Report Bug Copy Issue Report Show Similar Issues like this This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
265			{
266	7		if (self::OBJECT !== $decoding && self::ASSOC_ARRAY !== $decoding) {
267	3		throw new \InvalidArgumentException(sprintf(
268			'Expected JsonDecoder::JSON_OBJECT or JsonDecoder::ASSOC_ARRAY. '.
269	3		'Got: %s',
270			$decoding
271			));
272			}
273
274	4		$this->objectDecoding = $decoding;
275	4		}
276
277			/**
278			* Returns the decoding of big integers.
279			*
280			* @return int One of the constants {@link FLOAT} and {@link JSON_STRING}
281			*/
282			public function getBigIntDecoding()
283			{
284			return $this->bigIntDecoding;
285			}
286
287			/**
288			* Sets the decoding of big integers.
289			*
290			* By default, big integers are decoded as floats.
291			*
292			* @param int $decoding One of the constants {@link FLOAT} and {@link JSON_STRING}
293			*
294			* @throws \InvalidArgumentException If the passed decoding is invalid
295			*/
296	5	View Code Duplication	public function setBigIntDecoding($decoding)
			0 ignored issues – show Duplication introduced 2015-12-11 17:38 UTC by Report Bug Copy Issue Report Show Similar Issues like this This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
297			{
298	5		if (self::FLOAT !== $decoding && self::STRING !== $decoding) {
299	3		throw new \InvalidArgumentException(sprintf(
300			'Expected JsonDecoder::FLOAT or JsonDecoder::JSON_STRING. '.
301	3		'Got: %s',
302			$decoding
303			));
304			}
305
306	2		$this->bigIntDecoding = $decoding;
307	2		}
308
309	25		private function decodeJson($json)
310			{
311	25		$assoc = self::ASSOC_ARRAY === $this->objectDecoding;
312
313	25		if (PHP_VERSION_ID >= 50400 && !defined('JSON_C_VERSION')) {
314	25		$options = self::STRING === $this->bigIntDecoding ? JSON_BIGINT_AS_STRING : 0;
315
316	25		$decoded = json_decode($json, $assoc, $this->maxDepth, $options);
317			} else {
318			$decoded = json_decode($json, $assoc, $this->maxDepth);
319			}
320
321			// Data could not be decoded
322	25		if (null === $decoded && 'null' !== $json) {
323	4		$parser = new JsonParser();
324	4		$e = $parser->lint($json);
325
326	4		if ($e instanceof ParsingException) {
327			throw new DecodingFailedException(sprintf(
328			'The JSON data could not be decoded: %s.',
329			$e->getMessage()
330			), 0, $e);
331			}
332
333			// $e is null if json_decode() failed, but the linter did not find
334			// any problems. Happens for example when the max depth is exceeded.
335	4		throw new DecodingFailedException(sprintf(
336	4		'The JSON data could not be decoded: %s.',
337	4		JsonError::getLastErrorMessage()
338			), json_last_error());
339			}
340
341	21		return $decoded;
342			}
343			}
344

webmozart / json

Issues (20)

Security Analysis no request data

src/JsonDecoder.php (6 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like