Issues in class-wc-stripe-intent-controller.php (master) - Issues in master - woocommerce/woocommerce-gateway-stripe - Measure and Improve Code Quality continuously with Scrutinizer

Issues (197)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

includes/class-wc-stripe-intent-controller.php (2 issues)

Labels

Duplication 2

Severity

Informational 2

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

/**
 * WC_Stripe_Intent_Controller class.
 *
 * Handles in-checkout AJAX calls, related to Payment Intents.
 */
class WC_Stripe_Intent_Controller {
	/**
	 * Holds an instance of the gateway class.
	 *
	 * @since 4.2.0
	 * @var WC_Gateway_Stripe
	 */
	protected $gateway;

	/**
	 * Class constructor, adds the necessary hooks.
	 *
	 * @since 4.2.0
	 */
	public function __construct() {
		add_action( 'wc_ajax_wc_stripe_verify_intent', array( $this, 'verify_intent' ) );
		add_action( 'wc_ajax_wc_stripe_create_setup_intent', array( $this, 'create_setup_intent' ) );
	}

	/**
	 * Returns an instantiated gateway.
	 *
	 * @since 4.2.0
	 * @return WC_Gateway_Stripe
	 */
	protected function get_gateway() {
		if ( ! isset( $this->gateway ) ) {
			if ( class_exists( 'WC_Subscriptions_Order' ) && function_exists( 'wcs_create_renewal_order' ) ) {
				$class_name = 'WC_Stripe_Subs_Compat';
			} else {
				$class_name = 'WC_Gateway_Stripe';
			}

			$this->gateway = new $class_name();
		}

		return $this->gateway;
	}

	/**
	 * Loads the order from the current request.
	 *
	 * @since 4.2.0
	 * @throws WC_Stripe_Exception An exception if there is no order ID or the order does not exist.
	 * @return WC_Order
	 */
	protected function get_order_from_request() {
		if ( ! isset( $_GET['nonce'] ) || ! wp_verify_nonce( sanitize_key( $_GET['nonce'] ), 'wc_stripe_confirm_pi' ) ) {

			throw new WC_Stripe_Exception( 'missing-nonce', __( 'CSRF verification failed.', 'woocommerce-gateway-stripe' ) );
		}

		// Load the order ID.
		$order_id = null;
		if ( isset( $_GET['order'] ) && absint( $_GET['order'] ) ) {
			$order_id = absint( $_GET['order'] );
		}

		// Retrieve the order.
		$order = wc_get_order( $order_id );

		if ( ! $order ) {
			throw new WC_Stripe_Exception( 'missing-order', __( 'Missing order ID for payment confirmation', 'woocommerce-gateway-stripe' ) );
		}

		return $order;
	}

	/**
	 * Handles successful PaymentIntent authentications.
	 *
	 * @since 4.2.0
	 */
	public function verify_intent() {
		global $woocommerce;

		$gateway = $this->get_gateway();

		try {
			$order = $this->get_order_from_request();
		} catch ( WC_Stripe_Exception $e ) {
			/* translators: Error message text */
			$message = sprintf( __( 'Payment verification error: %s', 'woocommerce-gateway-stripe' ), $e->getLocalizedMessage() );
			wc_add_notice( esc_html( $message ), 'error' );

			$redirect_url = $woocommerce->cart->is_empty()
				? get_permalink( wc_get_page_id( 'shop' ) )
				: wc_get_checkout_url();

			$this->handle_error( $e, $redirect_url );
		}

		try {
			$gateway->verify_intent_after_checkout( $order );

			if ( ! isset( $_GET['is_ajax'] ) ) {
				$redirect_url = isset( $_GET['redirect_to'] ) // wpcs: csrf ok.
					? esc_url_raw( wp_unslash( $_GET['redirect_to'] ) ) // wpcs: csrf ok.
					: $gateway->get_return_url( $order );

				wp_safe_redirect( $redirect_url );
			}

			exit;
		} catch ( WC_Stripe_Exception $e ) {
			$this->handle_error( $e, $gateway->get_return_url( $order ) );
		}
	}

	/**
	 * Handles exceptions during intent verification.
	 *
	 * @since 4.2.0
	 * @param WC_Stripe_Exception $e           The exception that was thrown.
	 * @param string              $redirect_url An URL to use if a redirect is needed.
	 */
	protected function handle_error( $e, $redirect_url ) {
		// Log the exception before redirecting.
		$message = sprintf( 'PaymentIntent verification exception: %s', $e->getLocalizedMessage() );
		WC_Stripe_Logger::log( $message );

		// `is_ajax` is only used for PI error reporting, a response is not expected.
		if ( isset( $_GET['is_ajax'] ) ) {
			exit;
		}

		wp_safe_redirect( $redirect_url );
		exit;
	}

	/**
	 * Creates a Setup Intent through AJAX while adding cards.
	 */
	public function create_setup_intent() {
		if (
			! is_user_logged_in()
			|| ! isset( $_POST['stripe_source_id'] )
			|| ! isset( $_POST['nonce'] )
		) {
			return;
		}

		try {
			$source_id = wc_clean( $_POST['stripe_source_id'] );

			// 1. Verify.
			if (

				! wp_verify_nonce( sanitize_key( $_POST['nonce'] ), 'wc_stripe_create_si' )
				|| ! preg_match( '/^src_.*$/', $source_id )
			) {
				throw new Exception( __( 'Unable to verify your request. Please reload the page and try again.', 'woocommerce-gateway-stripe' ) );
			}


			// 2. Load the customer ID (and create a customer eventually).
			$customer = new WC_Stripe_Customer( wp_get_current_user()->ID );

			// 3. Attach the source to the customer (Setup Intents require that).
			$source_object = $customer->attach_source( $source_id );
			if ( is_wp_error( $source_object ) ) {
				throw new Exception( $source_object->get_error_message() );
			}

			// 4. Generate the setup intent
			$setup_intent = WC_Stripe_API::request(
				[
					'customer'       => $customer->get_id(),
					'confirm'        => 'true',
					'payment_method' => $source_id,
				],
				'setup_intents'
			);

			if ( $setup_intent->error ) {
				$error_response_message = print_r( $setup_intent, true );
				WC_Stripe_Logger::log("Failed create Setup Intent while saving a card.");
				WC_Stripe_Logger::log("Response: $error_response_message");
				throw new Exception( __( 'Your card could not be set up for future usage.', 'woocommerce-gateway-stripe' ) );
			}

			// 5. Respond.
			if ( 'requires_action' === $setup_intent->status ) {
				$response = [
					'status'        => 'requires_action',
					'client_secret' => $setup_intent->client_secret,
				];
			} elseif ( 'requires_payment_method' === $setup_intent->status
				|| 'requires_confirmation' === $setup_intent->status
				|| 'canceled' === $setup_intent->status ) {
				// These statuses should not be possible, as such we return an error.
				$response = [
					'status' => 'error',
					'error'  => [
						'type'    => 'setup_intent_error',
						'message' => __( 'Failed to save payment method.', 'woocommerce-gateway-stripe' ),
					],
				];
			} else {
				// This should only be reached when status is `processing` or `succeeded`, which are
				// the only statuses that we haven't explicitly handled.
				$response = [
					'status' => 'success',
				];
			}
		} catch ( Exception $e ) {
			$response = [
				'status' => 'error',
				'error'  => array(
					'type'    => 'setup_intent_error',
					'message' => $e->getMessage(),
				),
			];
		}

		echo wp_json_encode( $response );
		exit;
	}
}

new WC_Stripe_Intent_Controller();


1		<?php
2		if ( ! defined( 'ABSPATH' ) ) {
3		exit;
4		}
5
6		/**
7		* WC_Stripe_Intent_Controller class.
8		*
9		* Handles in-checkout AJAX calls, related to Payment Intents.
10		*/
11		class WC_Stripe_Intent_Controller {
12		/**
13		* Holds an instance of the gateway class.
14		*
15		* @since 4.2.0
16		* @var WC_Gateway_Stripe
17		*/
18		protected $gateway;
19
20		/**
21		* Class constructor, adds the necessary hooks.
22		*
23		* @since 4.2.0
24		*/
25		public function __construct() {
26		add_action( 'wc_ajax_wc_stripe_verify_intent', array( $this, 'verify_intent' ) );
27		add_action( 'wc_ajax_wc_stripe_create_setup_intent', array( $this, 'create_setup_intent' ) );
28		}
29
30		/**
31		* Returns an instantiated gateway.
32		*
33		* @since 4.2.0
34		* @return WC_Gateway_Stripe
35		*/
36		protected function get_gateway() {
37		if ( ! isset( $this->gateway ) ) {
38		if ( class_exists( 'WC_Subscriptions_Order' ) && function_exists( 'wcs_create_renewal_order' ) ) {
39		$class_name = 'WC_Stripe_Subs_Compat';
40		} else {
41		$class_name = 'WC_Gateway_Stripe';
42		}
43
44		$this->gateway = new $class_name();
45		}
46
47		return $this->gateway;
48		}
49
50		/**
51		* Loads the order from the current request.
52		*
53		* @since 4.2.0
54		* @throws WC_Stripe_Exception An exception if there is no order ID or the order does not exist.
55		* @return WC_Order
56		*/
57		protected function get_order_from_request() {
58	View Code Duplication	if ( ! isset( $_GET['nonce'] ) \|\| ! wp_verify_nonce( sanitize_key( $_GET['nonce'] ), 'wc_stripe_confirm_pi' ) ) {
		0 ignored issues – show Duplication introduced 2020-12-15 15:21 UTC by Report Bug Copy Issue Report Show Similar Issues like this This code seems to be duplicated across your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
59		throw new WC_Stripe_Exception( 'missing-nonce', __( 'CSRF verification failed.', 'woocommerce-gateway-stripe' ) );
60		}
61
62		// Load the order ID.
63		$order_id = null;
64		if ( isset( $_GET['order'] ) && absint( $_GET['order'] ) ) {
65		$order_id = absint( $_GET['order'] );
66		}
67
68		// Retrieve the order.
69		$order = wc_get_order( $order_id );
70
71		if ( ! $order ) {
72		throw new WC_Stripe_Exception( 'missing-order', __( 'Missing order ID for payment confirmation', 'woocommerce-gateway-stripe' ) );
73		}
74
75		return $order;
76		}
77
78		/**
79		* Handles successful PaymentIntent authentications.
80		*
81		* @since 4.2.0
82		*/
83		public function verify_intent() {
84		global $woocommerce;
85
86		$gateway = $this->get_gateway();
87
88		try {
89		$order = $this->get_order_from_request();
90		} catch ( WC_Stripe_Exception $e ) {
91		/* translators: Error message text */
92		$message = sprintf( __( 'Payment verification error: %s', 'woocommerce-gateway-stripe' ), $e->getLocalizedMessage() );
93		wc_add_notice( esc_html( $message ), 'error' );
94
95		$redirect_url = $woocommerce->cart->is_empty()
96		? get_permalink( wc_get_page_id( 'shop' ) )
97		: wc_get_checkout_url();
98
99		$this->handle_error( $e, $redirect_url );
100		}
101
102		try {
103		$gateway->verify_intent_after_checkout( $order );
104
105		if ( ! isset( $_GET['is_ajax'] ) ) {
106		$redirect_url = isset( $_GET['redirect_to'] ) // wpcs: csrf ok.
107		? esc_url_raw( wp_unslash( $_GET['redirect_to'] ) ) // wpcs: csrf ok.
108		: $gateway->get_return_url( $order );
109
110		wp_safe_redirect( $redirect_url );
111		}
112
113		exit;
114		} catch ( WC_Stripe_Exception $e ) {
115		$this->handle_error( $e, $gateway->get_return_url( $order ) );
116		}
117		}
118
119		/**
120		* Handles exceptions during intent verification.
121		*
122		* @since 4.2.0
123		* @param WC_Stripe_Exception $e The exception that was thrown.
124		* @param string $redirect_url An URL to use if a redirect is needed.
125		*/
126		protected function handle_error( $e, $redirect_url ) {
127		// Log the exception before redirecting.
128		$message = sprintf( 'PaymentIntent verification exception: %s', $e->getLocalizedMessage() );
129		WC_Stripe_Logger::log( $message );
130
131		// `is_ajax` is only used for PI error reporting, a response is not expected.
132		if ( isset( $_GET['is_ajax'] ) ) {
133		exit;
134		}
135
136		wp_safe_redirect( $redirect_url );
137		exit;
138		}
139
140		/**
141		* Creates a Setup Intent through AJAX while adding cards.
142		*/
143		public function create_setup_intent() {
144		if (
145		! is_user_logged_in()
146		\|\| ! isset( $_POST['stripe_source_id'] )
147		\|\| ! isset( $_POST['nonce'] )
148		) {
149		return;
150		}
151
152		try {
153		$source_id = wc_clean( $_POST['stripe_source_id'] );
154
155		// 1. Verify.
156	View Code Duplication	if (
		0 ignored issues – show Duplication introduced 2020-12-15 15:21 UTC by Report Bug Copy Issue Report Show Similar Issues like this This code seems to be duplicated across your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
157		! wp_verify_nonce( sanitize_key( $_POST['nonce'] ), 'wc_stripe_create_si' )
158		\|\| ! preg_match( '/^src_.*$/', $source_id )
159		) {
160		throw new Exception( __( 'Unable to verify your request. Please reload the page and try again.', 'woocommerce-gateway-stripe' ) );
161		}
162
163
164		// 2. Load the customer ID (and create a customer eventually).
165		$customer = new WC_Stripe_Customer( wp_get_current_user()->ID );
166
167		// 3. Attach the source to the customer (Setup Intents require that).
168		$source_object = $customer->attach_source( $source_id );
169		if ( is_wp_error( $source_object ) ) {
170		throw new Exception( $source_object->get_error_message() );
171		}
172
173		// 4. Generate the setup intent
174		$setup_intent = WC_Stripe_API::request(
175		[
176		'customer' => $customer->get_id(),
177		'confirm' => 'true',
178		'payment_method' => $source_id,
179		],
180		'setup_intents'
181		);
182
183		if ( $setup_intent->error ) {
184		$error_response_message = print_r( $setup_intent, true );
185		WC_Stripe_Logger::log("Failed create Setup Intent while saving a card.");
186		WC_Stripe_Logger::log("Response: $error_response_message");
187		throw new Exception( __( 'Your card could not be set up for future usage.', 'woocommerce-gateway-stripe' ) );
188		}
189
190		// 5. Respond.
191		if ( 'requires_action' === $setup_intent->status ) {
192		$response = [
193		'status' => 'requires_action',
194		'client_secret' => $setup_intent->client_secret,
195		];
196		} elseif ( 'requires_payment_method' === $setup_intent->status
197		\|\| 'requires_confirmation' === $setup_intent->status
198		\|\| 'canceled' === $setup_intent->status ) {
199		// These statuses should not be possible, as such we return an error.
200		$response = [
201		'status' => 'error',
202		'error' => [
203		'type' => 'setup_intent_error',
204		'message' => __( 'Failed to save payment method.', 'woocommerce-gateway-stripe' ),
205		],
206		];
207		} else {
208		// This should only be reached when status is `processing` or `succeeded`, which are
209		// the only statuses that we haven't explicitly handled.
210		$response = [
211		'status' => 'success',
212		];
213		}
214		} catch ( Exception $e ) {
215		$response = [
216		'status' => 'error',
217		'error' => array(
218		'type' => 'setup_intent_error',
219		'message' => $e->getMessage(),
220		),
221		];
222		}
223
224		echo wp_json_encode( $response );
225		exit;
226		}
227		}
228
229		new WC_Stripe_Intent_Controller();
230

woocommerce / woocommerce-gateway-stripe

Issues (197)

Security Analysis not enabled

includes/class-wc-stripe-intent-controller.php (2 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like