Project: WordPress Plugin WP-Stateless – Google Cloud Storage 2.3.2

Vulnerability: #9253654 (2020-04-26 11:09:30)

Warning

Many of the reported findings are false positives or are not exploitable. Please create a working "PoC" exploit before reporting anything to the vendor!

Details:

Sink Standard::file_exists
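Risk _ENV (the path that reaches file_exists is built in fromWellKnownFile, shown in the call stack below, from getenv('APPDATA') on Windows or getenv('HOME') elsewhere, joined with class constants; it is attacker-influenced only if the environment of the PHP process is)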
/home/redeemer/phpsourcerer/src/PhpSourcerer/Simulator/Stubs/Standard.php:110 (show/hide source)
Threat level 0

Callstack:

Google\Auth\CredentialsLoader::fromWellKnownFile /wp-stateless/lib/Google/vendor/google/auth/src/CredentialsLoader.php:99 (show/hide source)
79      /**
80       * Load a JSON key from a well known path.
81       *
82       * The well known path is OS dependent:
83       * - windows: %APPDATA%/gcloud/application_default_credentials.json
84       * - others: $HOME/.config/gcloud/application_default_credentials.json
85       *
86       * If the file does not exists, this returns null.
87       *
88       * @return array JSON key | null
89       */
90      public static function fromWellKnownFile()
91      {
92          $rootEnv = self::isOnWindows() ? 'APPDATA' : 'HOME';
93          $path = [getenv($rootEnv)];
94          if (!self::isOnWindows()) {
95              $path[] = self::NON_WINDOWS_WELL_KNOWN_PATH_BASE;
96          }
97          $path[] = self::WELL_KNOWN_PATH;
98          $path = implode(DIRECTORY_SEPARATOR, $path);
99 if (!file_exists($path)) {
100 return; 101 }
Google\Auth\ApplicationDefaultCredentials::getCredentials /wp-stateless/lib/Google/vendor/google/auth/src/ApplicationDefaultCredentials.php:145 (show/hide source)
125       * this does not fallback to the Compute Engine defaults.
126       *
127       * @param string|array scope the scope of the access request, expressed
128       *   either as an Array or as a space-delimited String.
129       * @param callable $httpHandler callback which delivers psr7 request
130       * @param array $cacheConfig configuration for the cache when it's present
131       * @param CacheItemPoolInterface $cache
132       *
133       * @return CredentialsLoader
134       *
135       * @throws DomainException if no implementation can be obtained.
136       */
137      public static function getCredentials(
138          $scope = null,
139          callable $httpHandler = null,
140          array $cacheConfig = null,
141          CacheItemPoolInterface $cache = null
142      ) {
143          $creds = null;
144          $jsonKey = CredentialsLoader::fromEnv()
145 ?: CredentialsLoader::fromWellKnownFile();
146 147 if (!is_null($jsonKey)) {
wpCloud\StatelessMedia\Google_Client\Google_Client::createApplicationDefaultCredentials /wp-stateless/lib/Google/src/Google/Client.php:1088 (show/hide source)
1068  
1069      return new Client($options);
1070    }
1071  
1072    private function createApplicationDefaultCredentials()
1073    {
1074      $scopes = $this->prepareScopes();
1075      $sub = $this->config['subject'];
1076      $signingKey = $this->config['signing_key'];
1077  
1078      // create credentials using values supplied in setAuthConfig
1079      if ($signingKey) {
1080        $serviceAccountCredentials = array(
1081          'client_id' => $this->config['client_id'],
1082          'client_email' => $this->config['client_email'],
1083          'private_key' => $signingKey,
1084          'type' => 'service_account',
1085        );
1086        $credentials = CredentialsLoader::makeCredentials($scopes, $serviceAccountCredentials);
1087      } else {
1088 $credentials = ApplicationDefaultCredentials::getCredentials($scopes);
1089 } 1090
wpCloud\StatelessMedia\Google_Client\Google_Client::authorize /wp-stateless/lib/Google/src/Google/Client.php:365 (show/hide source)
345     * set in the Google API Client object
346     *
347     * @param GuzzleHttp\ClientInterface $http the http client object.
348     * @return GuzzleHttp\ClientInterface the http client object
349     */
350    public function authorize(ClientInterface $http = null)
351    {
352      $credentials = null;
353      $token = null;
354      $scopes = null;
355      if (null === $http) {
356        $http = $this->getHttpClient();
357      }
358  
359      // These conditionals represent the decision tree for authentication
360      //   1.  Check for Application Default Credentials
361      //   2.  Check for API Key
362      //   3a. Check for an Access Token
363      //   3b. If access token exists but is expired, try to refresh it
364      if ($this->isUsingApplicationDefaultCredentials()) {
365 $credentials = $this->createApplicationDefaultCredentials();
366 } elseif ($token = $this->getAccessToken()) { 367 $scopes = $this->prepareScopes();
wpCloud\StatelessMedia\Google_Client\Google_Client::execute /wp-stateless/lib/Google/src/Google/Client.php:797 (show/hide source)
777    }
778  
779    /**
780     * Helper method to execute deferred HTTP requests.
781     *
782     * @param $request Psr\Http\Message\RequestInterface|Google_Http_Batch
783     * @throws Google_Exception
784     * @return object of the type of the expected class or Psr\Http\Message\ResponseInterface.
785     */
786    public function execute(RequestInterface $request, $expectedClass = null)
787    {
788      $request = $request->withHeader(
789          'User-Agent',
790          $this->config['application_name']
791          . " " . self::USER_AGENT_SUFFIX
792          . $this->getLibraryVersion()
793      );
794  
795      // call the authorize method
796      // this is where most of the grunt work is done
797 $http = $this->authorize();
798 799 return Google_Http_REST::execute($http, $request, $expectedClass, $this->config['retry']);
wpCloud\StatelessMedia\Google_Client\Google_Http_MediaFileUpload::fetchResumeUri /wp-stateless/lib/Google/src/Google/Http/MediaFileUpload.php:308 (show/hide source)
288  
289      return $this->resumeUri;
290    }
291  
292    private function fetchResumeUri()
293    {
294      $body = $this->request->getBody();
295      if ($body) {
296        $headers = array(
297          'content-type' => 'application/json; charset=UTF-8',
298          'content-length' => $body->getSize(),
299          'x-upload-content-type' => $this->mimeType,
300          'x-upload-content-length' => $this->size,
301          'expect' => '',
302        );
303        foreach ($headers as $key => $value) {
304          $this->request = $this->request->withHeader($key, $value);
305        }
306      }
307  
308 $response = $this->client->execute($this->request, false);
309 $location = $response->getHeaderLine('location'); 310 $code = $response->getStatusCode();
wpCloud\StatelessMedia\Google_Client\Google_Http_MediaFileUpload::getResumeUri /wp-stateless/lib/Google/src/Google/Http/MediaFileUpload.php:286 (show/hide source)
266     * @param $meta
267     * @return string
268     * @visible for testing
269     */
270    public function getUploadType($meta)
271    {
272      if ($this->resumable) {
273        return self::UPLOAD_RESUMABLE_TYPE;
274      }
275  
276      if (false == $meta && $this->data) {
277        return self::UPLOAD_MEDIA_TYPE;
278      }
279  
280      return self::UPLOAD_MULTIPART_TYPE;
281    }
282  
283    public function getResumeUri()
284    {
285      if (null === $this->resumeUri) {
286 $this->resumeUri = $this->fetchResumeUri();
287 } 288