Issues in class-wc-admin-api-keys.php (master) - Issues in master - woothemes/woocommerce - Measure and Improve Code Quality continuously with Scrutinizer

Issues (1182)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

includes/admin/class-wc-admin-api-keys.php (3 issues)

Labels

Duplication 3

Severity

Informational 3

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
/**
 * WooCommerce Admin API Keys Class
 *
 * @author   WooThemes
 * @category Admin
 * @package  WooCommerce/Admin
 * @version  2.4.0
 */

if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

/**
 * WC_Admin_API_Keys.
 */
class WC_Admin_API_Keys {

	/**
	 * Initialize the API Keys admin actions.
	 */
	public function __construct() {
		add_action( 'admin_init', array( $this, 'actions' ) );
	}

	/**
	 * Check if is API Keys settings page.
	 *
	 * @return bool
	 */
	private function is_api_keys_settings_page() {

		return isset( $_GET['page'] )
			&& 'wc-settings' == $_GET['page']
			&& isset( $_GET['tab'] )
			&& 'api' == $_GET['tab']
			&& isset( $_GET['section'] )
			&& 'keys' == isset( $_GET['section'] );
	}

	/**
	 * Page output.
	 */
	public static function page_output() {
		// Hide the save button
		$GLOBALS['hide_save_button'] = true;

		if ( isset( $_GET['create-key'] ) || isset( $_GET['edit-key'] ) ) {
			$key_id   = isset( $_GET['edit-key'] ) ? absint( $_GET['edit-key'] ) : 0;
			$key_data = self::get_key_data( $key_id );

			include( 'settings/views/html-keys-edit.php' );
		} else {
			self::table_list_output();
		}
	}

	/**
	 * Table list output.
	 */
	private static function table_list_output() {

		echo '<h2>' . __( 'Keys/Apps', 'woocommerce' ) . ' <a href="' . esc_url( admin_url( 'admin.php?page=wc-settings&tab=api&section=keys&create-key=1' ) ) . '" class="add-new-h2">' . __( 'Add Key', 'woocommerce' ) . '</a></h2>';

		$keys_table_list = new WC_Admin_API_Keys_Table_List();
		$keys_table_list->prepare_items();

		echo '<input type="hidden" name="page" value="wc-settings" />';
		echo '<input type="hidden" name="tab" value="api" />';
		echo '<input type="hidden" name="section" value="keys" />';

		$keys_table_list->views();
		$keys_table_list->search_box( __( 'Search Key', 'woocommerce' ), 'key' );
		$keys_table_list->display();
	}

	/**
	 * Get key data.
	 *
	 * @param  int $key_id
	 * @return array
	 */
	private static function get_key_data( $key_id ) {
		global $wpdb;

		$empty = array(
			'key_id'        => 0,
			'user_id'       => '',
			'description'   => '',
			'permissions'   => '',
			'truncated_key' => '',
			'last_access'   => ''
		);

		if ( 0 == $key_id ) {
			return $empty;
		}

		$key = $wpdb->get_row( $wpdb->prepare( "
			SELECT key_id, user_id, description, permissions, truncated_key, last_access
			FROM {$wpdb->prefix}woocommerce_api_keys
			WHERE key_id = %d
		", $key_id ), ARRAY_A );

		if ( is_null( $key ) ) {
			return $empty;
		}

		return $key;
	}

	/**
	 * API Keys admin actions.
	 */
	public function actions() {
		if ( $this->is_api_keys_settings_page() ) {
			// Revoke key
			if ( isset( $_GET['revoke-key'] ) ) {
				$this->revoke_key();
			}

			// Bulk actions
			if ( isset( $_GET['action'] ) && isset( $_GET['key'] ) ) {
				$this->bulk_actions();
			}
		}
	}

	/**
	 * Notices.
	 */
	public static function notices() {
		if ( isset( $_GET['revoked'] ) && 1 == $_GET['revoked'] ) {
			WC_Admin_Settings::add_message( __( 'API Key revoked successfully.', 'woocommerce' ) );
		}
	}

	/**
	 * Revoke key.
	 */
	private function revoke_key() {
		if ( empty( $_REQUEST['_wpnonce'] ) || ! wp_verify_nonce( $_REQUEST['_wpnonce'], 'revoke' ) ) {
			wp_die( __( 'Action failed. Please refresh the page and retry.', 'woocommerce' ) );
		}

		$key_id = absint( $_GET['revoke-key'] );
		$this->remove_key( $key_id );

		wp_redirect( esc_url_raw( add_query_arg( array( 'revoked' => 1 ), admin_url( 'admin.php?page=wc-settings&tab=api&section=keys' ) ) ) );
		exit();
	}

	/**
	 * Bulk actions.
	 */
	private function bulk_actions() {
		if ( empty( $_REQUEST['_wpnonce'] ) || ! wp_verify_nonce( $_REQUEST['_wpnonce'], 'woocommerce-settings' ) ) {

			wp_die( __( 'Action failed. Please refresh the page and retry.', 'woocommerce' ) );
		}

		$keys = array_map( 'absint', (array) $_GET['key'] );

		if ( 'revoke' == $_GET['action'] ) {
			$this->bulk_revoke_key( $keys );
		}
	}

	/**
	 * Bulk revoke key.
	 *
	 * @param array $keys
	 */
	private function bulk_revoke_key( $keys ) {
		foreach ( $keys as $key_id ) {
			$this->remove_key( $key_id );
		}
	}

	/**
	 * Remove key.
	 *
	 * @param  int $key_id
	 * @return bool
	 */
	private function remove_key( $key_id ) {
		global $wpdb;

		$delete = $wpdb->delete( $wpdb->prefix . 'woocommerce_api_keys', array( 'key_id' => $key_id ), array( '%d' ) );

		return $delete;
	}
}

new WC_Admin_API_Keys();


1		<?php
2		/**
3		* WooCommerce Admin API Keys Class
4		*
5		* @author WooThemes
6		* @category Admin
7		* @package WooCommerce/Admin
8		* @version 2.4.0
9		*/
10
11		if ( ! defined( 'ABSPATH' ) ) {
12		exit;
13		}
14
15		/**
16		* WC_Admin_API_Keys.
17		*/
18		class WC_Admin_API_Keys {
19
20		/**
21		* Initialize the API Keys admin actions.
22		*/
23		public function __construct() {
24		add_action( 'admin_init', array( $this, 'actions' ) );
25		}
26
27		/**
28		* Check if is API Keys settings page.
29		*
30		* @return bool
31		*/
32	View Code Duplication	private function is_api_keys_settings_page() {
		0 ignored issues – show Duplication introduced 2015-11-21 02:57 UTC by Report Bug Copy Issue Report Show Similar Issues like this This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
33		return isset( $_GET['page'] )
34		&& 'wc-settings' == $_GET['page']
35		&& isset( $_GET['tab'] )
36		&& 'api' == $_GET['tab']
37		&& isset( $_GET['section'] )
38		&& 'keys' == isset( $_GET['section'] );
39		}
40
41		/**
42		* Page output.
43		*/
44		public static function page_output() {
45		// Hide the save button
46		$GLOBALS['hide_save_button'] = true;
47
48		if ( isset( $_GET['create-key'] ) \|\| isset( $_GET['edit-key'] ) ) {
49		$key_id = isset( $_GET['edit-key'] ) ? absint( $_GET['edit-key'] ) : 0;
50		$key_data = self::get_key_data( $key_id );
51
52		include( 'settings/views/html-keys-edit.php' );
53		} else {
54		self::table_list_output();
55		}
56		}
57
58		/**
59		* Table list output.
60		*/
61	View Code Duplication	private static function table_list_output() {
		0 ignored issues – show Duplication introduced 2015-11-21 02:57 UTC by Report Bug Copy Issue Report Show Similar Issues like this This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
62		echo '<h2>' . __( 'Keys/Apps', 'woocommerce' ) . ' <a href="' . esc_url( admin_url( 'admin.php?page=wc-settings&tab=api&section=keys&create-key=1' ) ) . '" class="add-new-h2">' . __( 'Add Key', 'woocommerce' ) . '</a></h2>';
63
64		$keys_table_list = new WC_Admin_API_Keys_Table_List();
65		$keys_table_list->prepare_items();
66
67		echo '<input type="hidden" name="page" value="wc-settings" />';
68		echo '<input type="hidden" name="tab" value="api" />';
69		echo '<input type="hidden" name="section" value="keys" />';
70
71		$keys_table_list->views();
72		$keys_table_list->search_box( __( 'Search Key', 'woocommerce' ), 'key' );
73		$keys_table_list->display();
74		}
75
76		/**
77		* Get key data.
78		*
79		* @param int $key_id
80		* @return array
81		*/
82		private static function get_key_data( $key_id ) {
83		global $wpdb;
84
85		$empty = array(
86		'key_id' => 0,
87		'user_id' => '',
88		'description' => '',
89		'permissions' => '',
90		'truncated_key' => '',
91		'last_access' => ''
92		);
93
94		if ( 0 == $key_id ) {
95		return $empty;
96		}
97
98		$key = $wpdb->get_row( $wpdb->prepare( "
99		SELECT key_id, user_id, description, permissions, truncated_key, last_access
100		FROM {$wpdb->prefix}woocommerce_api_keys
101		WHERE key_id = %d
102		", $key_id ), ARRAY_A );
103
104		if ( is_null( $key ) ) {
105		return $empty;
106		}
107
108		return $key;
109		}
110
111		/**
112		* API Keys admin actions.
113		*/
114		public function actions() {
115		if ( $this->is_api_keys_settings_page() ) {
116		// Revoke key
117		if ( isset( $_GET['revoke-key'] ) ) {
118		$this->revoke_key();
119		}
120
121		// Bulk actions
122		if ( isset( $_GET['action'] ) && isset( $_GET['key'] ) ) {
123		$this->bulk_actions();
124		}
125		}
126		}
127
128		/**
129		* Notices.
130		*/
131		public static function notices() {
132		if ( isset( $_GET['revoked'] ) && 1 == $_GET['revoked'] ) {
133		WC_Admin_Settings::add_message( __( 'API Key revoked successfully.', 'woocommerce' ) );
134		}
135		}
136
137		/**
138		* Revoke key.
139		*/
140		private function revoke_key() {
141		if ( empty( $_REQUEST['_wpnonce'] ) \|\| ! wp_verify_nonce( $_REQUEST['_wpnonce'], 'revoke' ) ) {
142		wp_die( __( 'Action failed. Please refresh the page and retry.', 'woocommerce' ) );
143		}
144
145		$key_id = absint( $_GET['revoke-key'] );
146		$this->remove_key( $key_id );
147
148		wp_redirect( esc_url_raw( add_query_arg( array( 'revoked' => 1 ), admin_url( 'admin.php?page=wc-settings&tab=api&section=keys' ) ) ) );
149		exit();
150		}
151
152		/**
153		* Bulk actions.
154		*/
155		private function bulk_actions() {
156	View Code Duplication	if ( empty( $_REQUEST['_wpnonce'] ) \|\| ! wp_verify_nonce( $_REQUEST['_wpnonce'], 'woocommerce-settings' ) ) {
		0 ignored issues – show Duplication introduced 2015-11-21 02:57 UTC by Report Bug Copy Issue Report Show Similar Issues like this This code seems to be duplicated across your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
157		wp_die( __( 'Action failed. Please refresh the page and retry.', 'woocommerce' ) );
158		}
159
160		$keys = array_map( 'absint', (array) $_GET['key'] );
161
162		if ( 'revoke' == $_GET['action'] ) {
163		$this->bulk_revoke_key( $keys );
164		}
165		}
166
167		/**
168		* Bulk revoke key.
169		*
170		* @param array $keys
171		*/
172		private function bulk_revoke_key( $keys ) {
173		foreach ( $keys as $key_id ) {
174		$this->remove_key( $key_id );
175		}
176		}
177
178		/**
179		* Remove key.
180		*
181		* @param int $key_id
182		* @return bool
183		*/
184		private function remove_key( $key_id ) {
185		global $wpdb;
186
187		$delete = $wpdb->delete( $wpdb->prefix . 'woocommerce_api_keys', array( 'key_id' => $key_id ), array( '%d' ) );
188
189		return $delete;
190		}
191		}
192
193		new WC_Admin_API_Keys();
194

woothemes / woocommerce

Issues (1182)

Security Analysis not enabled

includes/admin/class-wc-admin-api-keys.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like