1 | <?php |
||||
2 | |||||
3 | namespace Pronamic\WordPress\Pay\Gateways\Ingenico; |
||||
4 | |||||
5 | /** |
||||
6 | * Title: Ingenico security class |
||||
7 | * Description: |
||||
8 | * Copyright: Copyright (c) 2005 - 2016 |
||||
9 | * Company: Pronamic |
||||
10 | * |
||||
11 | * @author Remco Tolsma |
||||
12 | * @version 2.0.0 |
||||
13 | */ |
||||
14 | class Security { |
||||
15 | /** |
||||
16 | * The Ogone calculations parameters in |
||||
17 | * |
||||
18 | * @var array |
||||
19 | */ |
||||
20 | private static $calculations_parameters_in; |
||||
21 | |||||
22 | /** |
||||
23 | * The Ogone calucations parameters out |
||||
24 | * |
||||
25 | * @var array |
||||
26 | */ |
||||
27 | private static $calculations_parameters_out; |
||||
28 | |||||
29 | /** |
||||
30 | * Get calculations parameters in |
||||
31 | */ |
||||
32 | 3 | public static function get_calculations_parameters_in() { |
|||
33 | 3 | if ( ! isset( self::$calculations_parameters_in ) ) { |
|||
34 | 1 | self::$calculations_parameters_in = array(); |
|||
35 | |||||
36 | 1 | $file = dirname( __FILE__ ) . '/../data/calculations-parameters-sha-in.txt'; |
|||
37 | 1 | if ( is_readable( $file ) ) { |
|||
38 | 1 | self::$calculations_parameters_in = file( $file, FILE_IGNORE_NEW_LINES ); |
|||
0 ignored issues
–
show
|
|||||
39 | } |
||||
40 | } |
||||
41 | |||||
42 | 3 | return self::$calculations_parameters_in; |
|||
43 | } |
||||
44 | |||||
45 | /** |
||||
46 | * Get calculations parameters in |
||||
47 | */ |
||||
48 | 2 | public static function get_calculations_parameters_out() { |
|||
49 | 2 | if ( ! isset( self::$calculations_parameters_out ) ) { |
|||
50 | 1 | self::$calculations_parameters_out = array(); |
|||
51 | |||||
52 | 1 | $file = dirname( __FILE__ ) . '/../data/calculations-parameters-sha-out.txt'; |
|||
53 | 1 | if ( is_readable( $file ) ) { |
|||
54 | 1 | self::$calculations_parameters_out = file( $file, FILE_IGNORE_NEW_LINES ); |
|||
0 ignored issues
–
show
It seems like
file($file, Pronamic\Wor...\FILE_IGNORE_NEW_LINES) can also be of type false . However, the property $calculations_parameters_out is declared as type array . Maybe add an additional type check?
Our type inference engine has found a suspicous assignment of a value to a property. This check raises an issue when a value that can be of a mixed type is assigned to a property that is type hinted more strictly. For example, imagine you have a variable Either this assignment is in error or a type check should be added for that assignment. class Id
{
public $id;
public function __construct($id)
{
$this->id = $id;
}
}
class Account
{
/** @var Id $id */
public $id;
}
$account_id = false;
if (starsAreRight()) {
$account_id = new Id(42);
}
$account = new Account();
if ($account instanceof Id)
{
$account->id = $account_id;
}
Loading history...
|
|||||
55 | } |
||||
56 | } |
||||
57 | |||||
58 | 2 | return self::$calculations_parameters_out; |
|||
59 | } |
||||
60 | |||||
61 | /** |
||||
62 | * Get request data |
||||
63 | * |
||||
64 | * @return array |
||||
65 | */ |
||||
66 | public static function get_request_data() { |
||||
67 | $data = array(); |
||||
68 | |||||
69 | if ( isset( $_SERVER['REQUEST_METHOD'] ) ) { // WPCS: input var ok. |
||||
70 | switch ( $_SERVER['REQUEST_METHOD'] ) { // WPCS: input var ok. |
||||
71 | case 'GET': |
||||
72 | // @todo see how we can improve security around this |
||||
73 | $data = $_GET; // WPCS: input var ok, CSRF ok. |
||||
74 | |||||
75 | break; |
||||
76 | case 'POST': |
||||
77 | // @todo see how we can improve security around this |
||||
78 | $data = $_POST; // WPCS: input var ok, CSRF ok. |
||||
79 | |||||
80 | break; |
||||
81 | } |
||||
82 | } |
||||
83 | |||||
84 | return $data; |
||||
85 | } |
||||
86 | |||||
87 | /** |
||||
88 | * Get calculation fields. |
||||
89 | * |
||||
90 | * @param array $calculation_fields Calculation fields. |
||||
91 | * @param array $fields Fields. |
||||
92 | * |
||||
93 | * @return array |
||||
94 | */ |
||||
95 | 3 | public static function get_calculation_fields( $calculation_fields, $fields ) { |
|||
96 | 3 | $calculation_fields = array_flip( $calculation_fields ); |
|||
97 | |||||
98 | 3 | return array_intersect_key( $fields, $calculation_fields ); |
|||
99 | } |
||||
100 | |||||
101 | /** |
||||
102 | * Get signature. |
||||
103 | * |
||||
104 | * @param array $fields Fields. |
||||
105 | * @param string $passphrase Pass phrase. |
||||
106 | * @param string $hash_algorithm Hashing algorithm. |
||||
107 | * |
||||
108 | * @return string |
||||
109 | */ |
||||
110 | 3 | public static function get_signature( $fields, $passphrase, $hash_algorithm ) { |
|||
111 | // This string is constructed by concatenating the values of the fields sent with the order (sorted |
||||
112 | // alphabetically, in the format ‘parameter=value’), separated by a passphrase. |
||||
113 | 3 | $string = ''; |
|||
114 | |||||
115 | // All parameters need to be put alphabetically. |
||||
116 | 3 | ksort( $fields ); |
|||
117 | |||||
118 | // Loop. |
||||
119 | 3 | foreach ( $fields as $name => $value ) { |
|||
120 | 3 | $value = (string) $value; |
|||
121 | |||||
122 | // Use of empty will fail, value can be string '0'. |
||||
123 | 3 | if ( strlen( $value ) > 0 ) { |
|||
124 | 2 | $name = strtoupper( $name ); |
|||
125 | |||||
126 | 2 | $string .= $name . '=' . $value . $passphrase; |
|||
127 | } |
||||
128 | } |
||||
129 | |||||
130 | // Hash. |
||||
131 | 3 | $result = hash( $hash_algorithm, $string ); |
|||
132 | |||||
133 | // String to uppercase. |
||||
134 | 3 | $result = strtoupper( $result ); |
|||
135 | |||||
136 | 3 | return $result; |
|||
137 | } |
||||
138 | |||||
139 | /** |
||||
140 | * Sign data. |
||||
141 | * |
||||
142 | * @param Data $data Data. |
||||
143 | * @param string $pass_phrase Pass phrase. |
||||
144 | * @param string $hash_algorithm Hashing algorithm. |
||||
145 | */ |
||||
146 | public static function sign_data( Data $data, $pass_phrase, $hash_algorithm ) { |
||||
147 | $calculation_fields = self::get_calculations_parameters_in(); |
||||
148 | |||||
149 | $fields = self::get_calculation_fields( $calculation_fields, $data->get_fields() ); |
||||
0 ignored issues
–
show
It seems like
$calculation_fields can also be of type false ; however, parameter $calculation_fields of Pronamic\WordPress\Pay\G...et_calculation_fields() does only seem to accept array , maybe add an additional type check?
(
Ignorable by Annotation
)
If this is a false-positive, you can also ignore this issue in your code via the
Loading history...
|
|||||
150 | |||||
151 | $signature = self::get_signature( $fields, $pass_phrase, $hash_algorithm ); |
||||
152 | |||||
153 | $data->set_field( 'SHASign', $signature ); |
||||
154 | } |
||||
155 | } |
||||
156 |
Our type inference engine has found a suspicous assignment of a value to a property. This check raises an issue when a value that can be of a mixed type is assigned to a property that is type hinted more strictly.
For example, imagine you have a variable
$accountId
that can either hold an Id object or false (if there is no account id yet). Your code now assigns that value to theid
property of an instance of theAccount
class. This class holds a proper account, so the id value must no longer be false.Either this assignment is in error or a type check should be added for that assignment.