Vulnerability: SafeCurl::Execute() "Check if called statically" check seems brittle, can cause explicit $options to be disregarded

[justinsteven]

safecurl/src/fin1te/SafeCurl/SafeCurl.php

Lines 109 to 119 in a7c3d70

	public static function execute($url, $curlHandle = null, Options $options = null) {
	//Check if we've been called staticly or not
	if (isset($this) && get_class($this) == __CLASS__) {
	$safeCurl = $this;
	//Get the cURL handle, if it wasn't passed in
	if (!is_resource($curlHandle) || get_resource_type($curlHandle) != 'curl') {
	$curlHandle = $this->getCurlHandle();
	}
	} else {
	$safeCurl = new SafeCurl($curlHandle, $options);
	}

This "Check if called statically" check is brittle in my testing.

For example, the following PHPUnit test fails:

    public function testSafeCurlThrowsOnNonWhitelistedDomain() {
        $curlHandle = curl_init();
        $options = new Options();
        $options->setList('whitelist', array('www.google.com'), 'domain');
        $safeCurl = new SafeCurl($curlHandle, $options);
        $this->expectException(InvalidDomainException::Class);
        $safeCurl->execute('http://www.gstatic.com/generate_204', $curlHandle);
    }

Failed asserting that exception of type "fin1te\SafeCurl\Exception\InvalidURLException\InvalidDomainException" is thrown.

The "else" branch in the "Check if I'm being called statically" conditional is being taken. There's something wrong with the check when it's done from the context of a PHPUnit test. Perhaps this is related to the comments in https://stackoverflow.com/a/1858577 and it could happen in other PHP contexts as well?

As such, a temporary SafeCurl is being created. Since I'm passing a curlHandle to execute() the creation succeeds. Since I'm not passing an Options to execute() the creation uses a default Options object which doesn't have my explicit whitelist set.

This causes the HTTP request to succeed, when it should fail because "www.gstatic.com" is not on the whitelist.