Project: Wordpress Plugin WP-Stateless – Google Cloud Storage 2.3.2

Vulnerability: #9253651 (2020-04-26 11:09:23)

Warning

Many findings are false positives or unexploitable vulnerabilities. Please create a working "PoC" exploit before reporting anything to the vendor!

Details:

Sink Standard::file_get_contents
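Risk _ENV (the value reaching the sink originates from the process environment: getenv() at CredentialsLoader.php:93 in the first callstack frame)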
/home/redeemer/phpsourcerer/src/PhpSourcerer/Simulator/Stubs/Standard.php:110
Threat level 0

Callstack:

Google\Auth\CredentialsLoader::fromWellKnownFile /wp-stateless/lib/Google/vendor/google/auth/src/CredentialsLoader.php:102
82       * The well known path is OS dependent:
83       * - windows: %APPDATA%/gcloud/application_default_credentials.json
84       * - others: $HOME/.config/gcloud/application_default_credentials.json
85       *
86       * If the file does not exist, this returns null.
87       *
88       * @return array JSON key | null
89       */
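public static function fromWellKnownFile()
{
    // The base directory is taken from the process environment (APPDATA on
    // Windows, HOME elsewhere); this method takes no arguments and reads no
    // request data.
    $rootEnv = self::isOnWindows() ? 'APPDATA' : 'HOME';
    $root = getenv($rootEnv);

    // getenv() returns false when the variable is unset. Imploding false (or
    // an empty string) would yield a root-relative path instead of one under
    // a user profile, so treat that case as "no credentials file".
    if ($root === false || $root === '') {
        return null;
    }

    $segments = [$root];
    if (!self::isOnWindows()) {
        $segments[] = self::NON_WINDOWS_WELL_KNOWN_PATH_BASE;
    }
    $segments[] = self::WELL_KNOWN_PATH;
    $path = implode(DIRECTORY_SEPARATOR, $segments);

    if (!file_exists($path)) {
        return null;
    }

    // Sink flagged by the scanner (CredentialsLoader.php:102 in the scanned
    // copy). The file content is a JSON key, i.e. credential material, so it
    // should not be logged or echoed.
    $jsonKey = file_get_contents($path);
    if ($jsonKey === false) {
        // Unreadable file, or it vanished after the existence check: report
        // "no key" explicitly rather than handing false to json_decode().
        return null;
    }

    // Invalid JSON decodes to null, which the caller shown in the next
    // callstack frame checks with is_null().
    return json_decode($jsonKey, true);
}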
Google\Auth\ApplicationDefaultCredentials::getCredentials /wp-stateless/lib/Google/vendor/google/auth/src/ApplicationDefaultCredentials.php:145
125       * this does not fallback to the Compute Engine defaults.
126       *
127       * @param string|array scope the scope of the access request, expressed
128       *   either as an Array or as a space-delimited String.
129       * @param callable $httpHandler callback which delivers psr7 request
130       * @param array $cacheConfig configuration for the cache when it's present
131       * @param CacheItemPoolInterface $cache
132       *
133       * @return CredentialsLoader
134       *
135       * @throws DomainException if no implementation can be obtained.
136       */
137      public static function getCredentials(
138          $scope = null,
139          callable $httpHandler = null,
140          array $cacheConfig = null,
141          CacheItemPoolInterface $cache = null
142      ) {
143          $creds = null;
144          $jsonKey = CredentialsLoader::fromEnv()
145 ?: CredentialsLoader::fromWellKnownFile();
146 147 if (!is_null($jsonKey)) {
wpCloud\StatelessMedia\Google_Client\Google_Client::createApplicationDefaultCredentials /wp-stateless/lib/Google/src/Google/Client.php:1088
1068  
1069      return new Client($options);
1070    }
1071  
1072    private function createApplicationDefaultCredentials()
1073    {
1074      $scopes = $this->prepareScopes();
1075      $sub = $this->config['subject'];
1076      $signingKey = $this->config['signing_key'];
1077  
1078      // create credentials using values supplied in setAuthConfig
1079      if ($signingKey) {
1080        $serviceAccountCredentials = array(
1081          'client_id' => $this->config['client_id'],
1082          'client_email' => $this->config['client_email'],
1083          'private_key' => $signingKey,
1084          'type' => 'service_account',
1085        );
1086        $credentials = CredentialsLoader::makeCredentials($scopes, $serviceAccountCredentials);
1087      } else {
1088 $credentials = ApplicationDefaultCredentials::getCredentials($scopes);
1089 } 1090
wpCloud\StatelessMedia\Google_Client\Google_Client::authorize /wp-stateless/lib/Google/src/Google/Client.php:365
345     * set in the Google API Client object
346     *
347     * @param GuzzleHttp\ClientInterface $http the http client object.
348     * @return GuzzleHttp\ClientInterface the http client object
349     */
350    public function authorize(ClientInterface $http = null)
351    {
352      $credentials = null;
353      $token = null;
354      $scopes = null;
355      if (null === $http) {
356        $http = $this->getHttpClient();
357      }
358  
359      // These conditionals represent the decision tree for authentication
360      //   1.  Check for Application Default Credentials
361      //   2.  Check for API Key
362      //   3a. Check for an Access Token
363      //   3b. If access token exists but is expired, try to refresh it
364      if ($this->isUsingApplicationDefaultCredentials()) {
365 $credentials = $this->createApplicationDefaultCredentials();
366 } elseif ($token = $this->getAccessToken()) { 367 $scopes = $this->prepareScopes();
wpCloud\StatelessMedia\Google_Client\Google_Client::execute /wp-stateless/lib/Google/src/Google/Client.php:797
777    }
778  
779    /**
780     * Helper method to execute deferred HTTP requests.
781     *
782     * @param $request Psr\Http\Message\RequestInterface|Google_Http_Batch
783     * @throws Google_Exception
784     * @return object of the type of the expected class or Psr\Http\Message\ResponseInterface.
785     */
786    public function execute(RequestInterface $request, $expectedClass = null)
787    {
788      $request = $request->withHeader(
789          'User-Agent',
790          $this->config['application_name']
791          . " " . self::USER_AGENT_SUFFIX
792          . $this->getLibraryVersion()
793      );
794  
795      // call the authorize method
796      // this is where most of the grunt work is done
797 $http = $this->authorize();
798 799 return Google_Http_REST::execute($http, $request, $expectedClass, $this->config['retry']);
wpCloud\StatelessMedia\Google_Client\Google_Http_MediaFileUpload::makePutRequest /wp-stateless/lib/Google/src/Google/Http/MediaFileUpload.php:164
144    /**
145     * Return the HTTP result code from the last call made.
146     * @return int code
147     */
public function getHttpResultCode()
{
  // Read-only accessor: hands back whatever status code is currently stored
  // on this uploader instance.
  $lastStatus = $this->httpResultCode;

  return $lastStatus;
}
152  
153    /**
154    * Sends a PUT-Request to google drive and parses the response,
155    * setting the appropriate variables from the response()
156    *
157    * @param Google_Http_Request $httpRequest the Request which will be sent
158    *
159    * @return false|mixed false when the upload is unfinished or the decoded http response
160    *
161    */
162    private function makePutRequest(RequestInterface $request)
163    {
164 $response = $this->client->execute($request);
165 $this->httpResultCode = $response->getStatusCode(); 166
wpCloud\StatelessMedia\Google_Client\Google_Http_MediaFileUpload::nextChunk /wp-stateless/lib/Google/src/Google/Http/MediaFileUpload.php:141
121      $resumeUri = $this->getResumeUri();
122  
123      if (false == $chunk) {
124        $chunk = substr($this->data, $this->progress, $this->chunkSize);
125      }
126  
127      $lastBytePos = $this->progress + strlen($chunk) - 1;
128      $headers = array(
129        'content-range' => "bytes $this->progress-$lastBytePos/$this->size",
130        'content-length' => strlen($chunk),
131        'expect' => '',
132      );
133  
134      $request = new Request(
135          'PUT',
136          $resumeUri,
137          $headers,
138          Psr7\stream_for($chunk)
139      );
140  
141 return $this->makePutRequest($request);
142 } 143