ODataController::getIsDumping() - Code Metrics - Inspection of "Add capability to set dump requests from config fi..." - Algo-Web/POData-Laravel - Measure and Improve Code Quality continuously with Scrutinizer

Test Setup Failed

Push — master ( c52cc2...15cb66 )

by Alex

created 2017-06-14 08:17 UTC

ODataController::getIsDumping() A

↳ Parent: ODataController

Complexity

Conditions	1
Paths	1

Size

Total Lines	4
Code Lines	2

Duplication

Lines	0
Ratio	0 %

Code Coverage

Tests	0
CRAP Score	2

Importance

Changes

Metric	Value
c	0
b	0
f	0
dl	0
loc	4
ccs	0
cts	0
cp	0
rs	10
cc	1
eloc	2
nc	1
nop	0
crap	2

<?php

namespace AlgoWeb\PODataLaravel\Controllers;

use Illuminate\Http\Request;
use Illuminate\Http\Response;
use AlgoWeb\PODataLaravel\Controllers\Controller as BaseController;
use Illuminate\Support\Facades\App;
use Illuminate\Support\Facades\Storage;
use POData\OperationContext\ServiceHost as ServiceHost;
use POData\SimpleDataService as DataService;
use POData\OperationContext\Web\Illuminate\IlluminateOperationContext as OperationContextAdapter;
use voku\helper\AntiXSS;

class ODataController extends BaseController
{
    /**
     * Display a listing of the resource.
     *
     * @return \Illuminate\Http\Response
     */
    public function index(Request $request, $dump = false)
    {
        $dump = $dump || $this->getIsDumping();
        //$antiXss = new AntiXSS();

        $op = new OperationContextAdapter($request);
        $host = new ServiceHost($op, $request);
        $host->setServiceUri("/odata.svc/");

        $query = App::make('odataquery');
        $meta = App::make('metadata');

        $service = new DataService($query, $meta, $host);
        $service->handleRequest();

        $odataResponse = $op->outgoingResponse();

        if (true === $dump) {
            // iff XTest header is set, containing class and method name
            // dump outgoing odataResponse, metadata, and incoming request
            $xTest = $request->header('XTest');
            $xTest = (null !== $xTest) ? $xTest : $request->method() . ";" . str_replace("/", "-", $request->path());
            if (null != $xTest) {
                $cerealRequest = serialize($request);
                $cerealMeta = serialize($meta);
                $cerealResponse = serialize($odataResponse);
                Storage::put($xTest.'request', $cerealRequest);
                Storage::put($xTest.'metadata', $cerealMeta);
                Storage::put($xTest.'response', $cerealResponse);
            }
        }

        $content = $odataResponse->getStream();
        //$content = $antiXss->xss_clean($content);

        $headers = $odataResponse->getHeaders();
        $responseCode = $headers[\POData\Common\ODataConstants::HTTPRESPONSE_HEADER_STATUS_CODE];
        $responseCode = isset($responseCode) ? intval($responseCode) : 200;
        $response = new Response($content, $responseCode);
// for HTML
$sanitized = htmlentities($tainted, ENT_QUOTES);

// for URLs
$sanitized = urlencode($tainted);
        $response->setStatusCode($headers["Status"]);

        foreach ($headers as $headerName => $headerValue) {
            if (!is_null($headerValue)) {
                $response->headers->set($headerName, $headerValue);
            }
        }
        return $response;
    }

    /**
     * @return mixed
     */
    protected function getIsDumping()
    {
        return true === env('APP_DUMP_REQUESTS', false);
    }
}


1			<?php
2
3			namespace AlgoWeb\PODataLaravel\Controllers;
4
5			use Illuminate\Http\Request;
6			use Illuminate\Http\Response;
7			use AlgoWeb\PODataLaravel\Controllers\Controller as BaseController;
8			use Illuminate\Support\Facades\App;
9			use Illuminate\Support\Facades\Storage;
10			use POData\OperationContext\ServiceHost as ServiceHost;
11			use POData\SimpleDataService as DataService;
12			use POData\OperationContext\Web\Illuminate\IlluminateOperationContext as OperationContextAdapter;
13			use voku\helper\AntiXSS;
14
15			class ODataController extends BaseController
16			{
17			/**
18			* Display a listing of the resource.
19			*
20			* @return \Illuminate\Http\Response
21			*/
22			public function index(Request $request, $dump = false)
23			{
24			$dump = $dump \|\| $this->getIsDumping();
25			//$antiXss = new AntiXSS();
			0 ignored issues – show Unused Code Comprehensibility introduced 2017-06-14 08:21 UTC by Report Bug Copy Issue Report `50%` of this comment could be valid code. Did you maybe forget this after debugging? Sometimes obsolete code just ends up commented out instead of removed. In this case it is better to remove the code once you have checked you do not need it. The code might also have been commented out for debugging purposes. In this case it is vital that someone uncomments it again or your project may behave in very unexpected ways in production. This check looks for comments that seem to be mostly valid code and reports them. Loading history...
26			$op = new OperationContextAdapter($request);
27			$host = new ServiceHost($op, $request);
28			$host->setServiceUri("/odata.svc/");
29
30			$query = App::make('odataquery');
31			$meta = App::make('metadata');
32
33			$service = new DataService($query, $meta, $host);
34			$service->handleRequest();
35
36			$odataResponse = $op->outgoingResponse();
37
38			if (true === $dump) {
39			// iff XTest header is set, containing class and method name
40			// dump outgoing odataResponse, metadata, and incoming request
41			$xTest = $request->header('XTest');
42			$xTest = (null !== $xTest) ? $xTest : $request->method() . ";" . str_replace("/", "-", $request->path());
43			if (null != $xTest) {
44			$cerealRequest = serialize($request);
45			$cerealMeta = serialize($meta);
46			$cerealResponse = serialize($odataResponse);
47			Storage::put($xTest.'request', $cerealRequest);
48			Storage::put($xTest.'metadata', $cerealMeta);
49			Storage::put($xTest.'response', $cerealResponse);
50			}
51			}
52
53			$content = $odataResponse->getStream();
54			//$content = $antiXss->xss_clean($content);
			0 ignored issues – show Unused Code Comprehensibility introduced 2017-03-22 15:08 UTC by Report Bug Copy Issue Report `64%` of this comment could be valid code. Did you maybe forget this after debugging? Sometimes obsolete code just ends up commented out instead of removed. In this case it is better to remove the code once you have checked you do not need it. The code might also have been commented out for debugging purposes. In this case it is vital that someone uncomments it again or your project may behave in very unexpected ways in production. This check looks for comments that seem to be mostly valid code and reports them. Loading history...
55			$headers = $odataResponse->getHeaders();
56			$responseCode = $headers[\POData\Common\ODataConstants::HTTPRESPONSE_HEADER_STATUS_CODE];
57			$responseCode = isset($responseCode) ? intval($responseCode) : 200;
58			$response = new Response($content, $responseCode);
			0 ignored issues – show Security Cross-Site Scripting introduced 2017-05-20 08:01 UTC by Report Bug Copy Issue Report `$content` can contain request data and is used in output context(s) leading to a potential security vulnerability. 9 paths for user data to reach this point 1. Path: Fetching key `HTTP_HOST` from `$_SERVER` in src/POData/OperationContext/SimpleRequestAdapter.php on line 23 Fetching key `HTTP_HOST` from `$_SERVER` in vendor/src/POData/OperationContext/SimpleRequestAdapter.php on line 23 SimpleRequestAdapter::getRawUrl() returns tainted data, and ServiceHost::$_absoluteRequestUriAsString is assigned in vendor/src/POData/OperationContext/ServiceHost.php on line 121 Tainted property ServiceHost::$_absoluteRequestUriAsString is read, and `$this->_absoluteRequestUriAsString` is passed to Url::__construct() in vendor/src/POData/OperationContext/ServiceHost.php on line 124 Url::$_urlAsString is assigned in vendor/src/POData/Common/Url.php on line 52 Tainted property Url::$_urlAsString is read in vendor/src/POData/Common/Url.php on line 62 Url::getUrlAsString() returns tainted data, and `$this->getRequest()->getRequestUrl()->getUrlAsString()` is passed to ObjectModelSerializerBase::getNextLinkUri() in vendor/src/POData/ObjectModel/ObjectModelSerializer.php on line 161 `$absoluteUri` is passed through rtrim(), and ODataLink::$url is assigned in vendor/src/POData/ObjectModel/ObjectModelSerializerBase.php on line 435 Tainted property ODataLink::$url is read, and `$nextPageLinkUri->url` is passed to JsonWriter::writeValue() in vendor/src/POData/Writers/Json/JsonODataV2Writer.php on line 153 `$value` is passed to JsonWriter::_writeCore() in vendor/src/POData/Writers/Json/JsonWriter.php on line 138 `$text` is passed to IndentedTextWriter::writeValue() in vendor/src/POData/Writers/Json/JsonWriter.php on line 231 `$value` is passed to IndentedTextWriter::_write() in vendor/src/POData/Writers/Json/IndentedTextWriter.php on line 59 IndentedTextWriter::$result is assigned in vendor/src/POData/Writers/Json/IndentedTextWriter.php on line 143 Tainted property IndentedTextWriter::$result is read in vendor/src/POData/Writers/Json/IndentedTextWriter.php on line 122 IndentedTextWriter::getResult() returns tainted data in vendor/src/POData/Writers/Json/JsonWriter.php on line 276 JsonWriter::getJsonOutput() returns tainted data in vendor/src/POData/Writers/Json/JsonODataV1Writer.php on line 432 JsonODataV1Writer::serializeException() returns tainted data, and `$responseBody` is assigned in vendor/src/POData/Common/ErrorHandler.php on line 63 `$responseBody` is passed to OutgoingResponse::setStream() in vendor/src/POData/Common/ErrorHandler.php on line 66 OutgoingResponse::$_stream is assigned in vendor/src/POData/OperationContext/Web/OutgoingResponse.php on line 205 Tainted property OutgoingResponse::$_stream is read in vendor/src/POData/OperationContext/Web/OutgoingResponse.php on line 195 OutgoingResponse::getStream() returns tainted data, and `$content` is assigned in src/Controllers/ODataController.php on line 53 2. Path: `$this->parameters['HTTP_AUTHORIZATION']` seems to return tainted data, and `$authorizationHeader` is assigned in ServerBag.php on line 62 `$this->parameters['HTTP_AUTHORIZATION']` seems to return tainted data, and `$authorizationHeader` is assigned in vendor/ServerBag.php on line 62 ParameterBag::$parameters is assigned in vendor/ServerBag.php on line 77 Tainted property ParameterBag::$parameters is read in vendor/ParameterBag.php on line 88 ParameterBag::get() returns tainted data in vendor/Request.php on line 1007 Request::getPort() returns tainted data, and `$port` is assigned in vendor/Request.php on line 1070 Request::getHttpHost() returns tainted data in vendor/Request.php on line 1103 Request::getSchemeAndHttpHost() returns tainted data in vendor/Request.php on line 1119 Request::getUri() returns tainted data, and `$this->getUri()` is passed through preg_replace(), and `preg_replace('/\\?./', '', $this->getUri())` is passed through rtrim() in vendor/src/Illuminate/Http/Request.php on line 99 Request::url() returns tainted data in vendor/src/Illuminate/Http/Request.php on line 113 Request::fullUrl() returns tainted data, and IncomingIlluminateRequest::$rawUrl is assigned in vendor/src/POData/OperationContext/Web/Illuminate/IncomingIlluminateRequest.php on line 73 Tainted property IncomingIlluminateRequest::$rawUrl is read in vendor/src/POData/OperationContext/Web/Illuminate/IncomingIlluminateRequest.php on line 75 IncomingIlluminateRequest::getRawUrl() returns tainted data, and ServiceHost::$_absoluteRequestUriAsString is assigned in vendor/src/POData/OperationContext/ServiceHost.php on line 121 Tainted property ServiceHost::$_absoluteRequestUriAsString is read, and `$this->_absoluteRequestUriAsString` is passed to Url::__construct() in vendor/src/POData/OperationContext/ServiceHost.php on line 124 Url::$_urlAsString is assigned in vendor/src/POData/Common/Url.php on line 52 Tainted property Url::$_urlAsString is read in vendor/src/POData/Common/Url.php on line 62 Url::getUrlAsString() returns tainted data, and `$this->getRequest()->getRequestUrl()->getUrlAsString()` is passed to ObjectModelSerializerBase::getNextLinkUri() in vendor/src/POData/ObjectModel/ObjectModelSerializer.php on line 161 `$absoluteUri` is passed through rtrim(), and ODataLink::$url is assigned in vendor/src/POData/ObjectModel/ObjectModelSerializerBase.php on line 435 Tainted property ODataLink::$url is read, and `$nextPageLinkUri->url` is passed to JsonWriter::writeValue() in vendor/src/POData/Writers/Json/JsonODataV2Writer.php on line 153 `$value` is passed to JsonWriter::_writeCore() in vendor/src/POData/Writers/Json/JsonWriter.php on line 138 `$text` is passed to IndentedTextWriter::writeValue() in vendor/src/POData/Writers/Json/JsonWriter.php on line 231 `$value` is passed to IndentedTextWriter::_write() in vendor/src/POData/Writers/Json/IndentedTextWriter.php on line 59 IndentedTextWriter::$result is assigned in vendor/src/POData/Writers/Json/IndentedTextWriter.php on line 143 Tainted property IndentedTextWriter::$result is read in vendor/src/POData/Writers/Json/IndentedTextWriter.php on line 122 IndentedTextWriter::getResult() returns tainted data in vendor/src/POData/Writers/Json/JsonWriter.php on line 276 JsonWriter::getJsonOutput() returns tainted data in vendor/src/POData/Writers/Json/JsonODataV1Writer.php on line 432 JsonODataV1Writer::serializeException() returns tainted data, and `$responseBody` is assigned in vendor/src/POData/Common/ErrorHandler.php on line 63 `$responseBody` is passed to OutgoingResponse::setStream() in vendor/src/POData/Common/ErrorHandler.php on line 66 OutgoingResponse::$_stream is assigned in vendor/src/POData/OperationContext/Web/OutgoingResponse.php on line 205 Tainted property OutgoingResponse::$_stream is read in vendor/src/POData/OperationContext/Web/OutgoingResponse.php on line 195 OutgoingResponse::getStream() returns tainted data, and `$content` is assigned in src/Controllers/ODataController.php on line 53 3. Path:* Read from `$_POST,` and `$_POST` is passed to Request::createRequestFromFactory() in Request.php on line 317 Read from `$_POST,` and `$_POST` is passed to Request::createRequestFromFactory() in vendor/Request.php on line 317 `$request` is passed to Request::__construct() in vendor/Request.php on line 2012 `$request` is passed to Request::initialize() in vendor/Request.php on line 258 `$request` is passed to ParameterBag::__construct() in vendor/Request.php on line 276 ParameterBag::$parameters is assigned in vendor/ParameterBag.php on line 35 Tainted property ParameterBag::$parameters is read in vendor/ParameterBag.php on line 88 ParameterBag::get() returns tainted data in vendor/Request.php on line 1007 Request::getPort() returns tainted data, and `$port` is assigned in vendor/Request.php on line 1070 Request::getHttpHost() returns tainted data in vendor/Request.php on line 1103 Request::getSchemeAndHttpHost() returns tainted data in vendor/Request.php on line 1119 Request::getUri() returns tainted data, and `$this->getUri()` is passed through preg_replace(), and `preg_replace('/\\?./', '', $this->getUri())` is passed through rtrim() in vendor/src/Illuminate/Http/Request.php on line 99 Request::url() returns tainted data in vendor/src/Illuminate/Http/Request.php on line 113 Request::fullUrl() returns tainted data, and IncomingIlluminateRequest::$rawUrl is assigned in vendor/src/POData/OperationContext/Web/Illuminate/IncomingIlluminateRequest.php on line 73 Tainted property IncomingIlluminateRequest::$rawUrl is read in vendor/src/POData/OperationContext/Web/Illuminate/IncomingIlluminateRequest.php on line 75 IncomingIlluminateRequest::getRawUrl() returns tainted data, and ServiceHost::$_absoluteRequestUriAsString is assigned in vendor/src/POData/OperationContext/ServiceHost.php on line 121 Tainted property ServiceHost::$_absoluteRequestUriAsString is read, and `$this->_absoluteRequestUriAsString` is passed to Url::__construct() in vendor/src/POData/OperationContext/ServiceHost.php on line 124 Url::$_urlAsString is assigned in vendor/src/POData/Common/Url.php on line 52 Tainted property Url::$_urlAsString is read in vendor/src/POData/Common/Url.php on line 62 Url::getUrlAsString() returns tainted data, and `$this->getRequest()->getRequestUrl()->getUrlAsString()` is passed to ObjectModelSerializerBase::getNextLinkUri() in vendor/src/POData/ObjectModel/ObjectModelSerializer.php on line 161 `$absoluteUri` is passed through rtrim(), and ODataLink::$url is assigned in vendor/src/POData/ObjectModel/ObjectModelSerializerBase.php on line 435 Tainted property ODataLink::$url is read, and `$nextPageLinkUri->url` is passed to JsonWriter::writeValue() in vendor/src/POData/Writers/Json/JsonODataV2Writer.php on line 153 `$value` is passed to JsonWriter::_writeCore() in vendor/src/POData/Writers/Json/JsonWriter.php on line 138 `$text` is passed to IndentedTextWriter::writeValue() in vendor/src/POData/Writers/Json/JsonWriter.php on line 231 `$value` is passed to IndentedTextWriter::_write() in vendor/src/POData/Writers/Json/IndentedTextWriter.php on line 59 IndentedTextWriter::$result is assigned in vendor/src/POData/Writers/Json/IndentedTextWriter.php on line 143 Tainted property IndentedTextWriter::$result is read in vendor/src/POData/Writers/Json/IndentedTextWriter.php on line 122 IndentedTextWriter::getResult() returns tainted data in vendor/src/POData/Writers/Json/JsonWriter.php on line 276 JsonWriter::getJsonOutput() returns tainted data in vendor/src/POData/Writers/Json/JsonODataV1Writer.php on line 432 JsonODataV1Writer::serializeException() returns tainted data, and `$responseBody` is assigned in vendor/src/POData/Common/ErrorHandler.php on line 63 `$responseBody` is passed to OutgoingResponse::setStream() in vendor/src/POData/Common/ErrorHandler.php on line 66 OutgoingResponse::$_stream is assigned in vendor/src/POData/OperationContext/Web/OutgoingResponse.php on line 205 Tainted property OutgoingResponse::$_stream is read in vendor/src/POData/OperationContext/Web/OutgoingResponse.php on line 195 OutgoingResponse::getStream() returns tainted data, and `$content` is assigned in src/Controllers/ODataController.php on line 53 4. Path:* Read from `$_SERVER,` and `$server` is assigned in Request.php on line 307 Read from `$_SERVER,` and `$server` is assigned in vendor/Request.php on line 307 `$server` is passed to Request::createRequestFromFactory() in vendor/Request.php on line 317 `$server` is passed to Request::__construct() in vendor/Request.php on line 2012 `$server` is passed to Request::initialize() in vendor/Request.php on line 258 `$server` is passed to ParameterBag::__construct() in vendor/Request.php on line 281 ParameterBag::$parameters is assigned in vendor/ParameterBag.php on line 35 Tainted property ParameterBag::$parameters is read in vendor/ParameterBag.php on line 88 ParameterBag::get() returns tainted data in vendor/Request.php on line 1007 Request::getPort() returns tainted data, and `$port` is assigned in vendor/Request.php on line 1070 Request::getHttpHost() returns tainted data in vendor/Request.php on line 1103 Request::getSchemeAndHttpHost() returns tainted data in vendor/Request.php on line 1119 Request::getUri() returns tainted data, and `$this->getUri()` is passed through preg_replace(), and `preg_replace('/\\?./', '', $this->getUri())` is passed through rtrim() in vendor/src/Illuminate/Http/Request.php on line 99 Request::url() returns tainted data in vendor/src/Illuminate/Http/Request.php on line 113 Request::fullUrl() returns tainted data, and IncomingIlluminateRequest::$rawUrl is assigned in vendor/src/POData/OperationContext/Web/Illuminate/IncomingIlluminateRequest.php on line 73 Tainted property IncomingIlluminateRequest::$rawUrl is read in vendor/src/POData/OperationContext/Web/Illuminate/IncomingIlluminateRequest.php on line 75 IncomingIlluminateRequest::getRawUrl() returns tainted data, and ServiceHost::$_absoluteRequestUriAsString is assigned in vendor/src/POData/OperationContext/ServiceHost.php on line 121 Tainted property ServiceHost::$_absoluteRequestUriAsString is read, and `$this->_absoluteRequestUriAsString` is passed to Url::__construct() in vendor/src/POData/OperationContext/ServiceHost.php on line 124 Url::$_urlAsString is assigned in vendor/src/POData/Common/Url.php on line 52 Tainted property Url::$_urlAsString is read in vendor/src/POData/Common/Url.php on line 62 Url::getUrlAsString() returns tainted data, and `$this->getRequest()->getRequestUrl()->getUrlAsString()` is passed to ObjectModelSerializerBase::getNextLinkUri() in vendor/src/POData/ObjectModel/ObjectModelSerializer.php on line 161 `$absoluteUri` is passed through rtrim(), and ODataLink::$url is assigned in vendor/src/POData/ObjectModel/ObjectModelSerializerBase.php on line 435 Tainted property ODataLink::$url is read, and `$nextPageLinkUri->url` is passed to JsonWriter::writeValue() in vendor/src/POData/Writers/Json/JsonODataV2Writer.php on line 153 `$value` is passed to JsonWriter::_writeCore() in vendor/src/POData/Writers/Json/JsonWriter.php on line 138 `$text` is passed to IndentedTextWriter::writeValue() in vendor/src/POData/Writers/Json/JsonWriter.php on line 231 `$value` is passed to IndentedTextWriter::_write() in vendor/src/POData/Writers/Json/IndentedTextWriter.php on line 59 IndentedTextWriter::$result is assigned in vendor/src/POData/Writers/Json/IndentedTextWriter.php on line 143 Tainted property IndentedTextWriter::$result is read in vendor/src/POData/Writers/Json/IndentedTextWriter.php on line 122 IndentedTextWriter::getResult() returns tainted data in vendor/src/POData/Writers/Json/JsonWriter.php on line 276 JsonWriter::getJsonOutput() returns tainted data in vendor/src/POData/Writers/Json/JsonODataV1Writer.php on line 432 JsonODataV1Writer::serializeException() returns tainted data, and `$responseBody` is assigned in vendor/src/POData/Common/ErrorHandler.php on line 63 `$responseBody` is passed to OutgoingResponse::setStream() in vendor/src/POData/Common/ErrorHandler.php on line 66 OutgoingResponse::$_stream is assigned in vendor/src/POData/OperationContext/Web/OutgoingResponse.php on line 205 Tainted property OutgoingResponse::$_stream is read in vendor/src/POData/OperationContext/Web/OutgoingResponse.php on line 195 OutgoingResponse::getStream() returns tainted data, and `$content` is assigned in src/Controllers/ODataController.php on line 53 5. Path:* Fetching key `HTTP_CONTENT_LENGTH` from `$_SERVER,` and `$server` is assigned in Request.php on line 310 Fetching key `HTTP_CONTENT_LENGTH` from `$_SERVER,` and `$server` is assigned in vendor/Request.php on line 310 `$server` is passed to Request::createRequestFromFactory() in vendor/Request.php on line 317 `$server` is passed to Request::__construct() in vendor/Request.php on line 2012 `$server` is passed to Request::initialize() in vendor/Request.php on line 258 `$server` is passed to ParameterBag::__construct() in vendor/Request.php on line 281 ParameterBag::$parameters is assigned in vendor/ParameterBag.php on line 35 Tainted property ParameterBag::$parameters is read in vendor/ParameterBag.php on line 88 ParameterBag::get() returns tainted data in vendor/Request.php on line 1007 Request::getPort() returns tainted data, and `$port` is assigned in vendor/Request.php on line 1070 Request::getHttpHost() returns tainted data in vendor/Request.php on line 1103 Request::getSchemeAndHttpHost() returns tainted data in vendor/Request.php on line 1119 Request::getUri() returns tainted data, and `$this->getUri()` is passed through preg_replace(), and `preg_replace('/\\?./', '', $this->getUri())` is passed through rtrim() in vendor/src/Illuminate/Http/Request.php on line 99 Request::url() returns tainted data in vendor/src/Illuminate/Http/Request.php on line 113 Request::fullUrl() returns tainted data, and IncomingIlluminateRequest::$rawUrl is assigned in vendor/src/POData/OperationContext/Web/Illuminate/IncomingIlluminateRequest.php on line 73 Tainted property IncomingIlluminateRequest::$rawUrl is read in vendor/src/POData/OperationContext/Web/Illuminate/IncomingIlluminateRequest.php on line 75 IncomingIlluminateRequest::getRawUrl() returns tainted data, and ServiceHost::$_absoluteRequestUriAsString is assigned in vendor/src/POData/OperationContext/ServiceHost.php on line 121 Tainted property ServiceHost::$_absoluteRequestUriAsString is read, and `$this->_absoluteRequestUriAsString` is passed to Url::__construct() in vendor/src/POData/OperationContext/ServiceHost.php on line 124 Url::$_urlAsString is assigned in vendor/src/POData/Common/Url.php on line 52 Tainted property Url::$_urlAsString is read in vendor/src/POData/Common/Url.php on line 62 Url::getUrlAsString() returns tainted data, and `$this->getRequest()->getRequestUrl()->getUrlAsString()` is passed to ObjectModelSerializerBase::getNextLinkUri() in vendor/src/POData/ObjectModel/ObjectModelSerializer.php on line 161 `$absoluteUri` is passed through rtrim(), and ODataLink::$url is assigned in vendor/src/POData/ObjectModel/ObjectModelSerializerBase.php on line 435 Tainted property ODataLink::$url is read, and `$nextPageLinkUri->url` is passed to JsonWriter::writeValue() in vendor/src/POData/Writers/Json/JsonODataV2Writer.php on line 153 `$value` is passed to JsonWriter::_writeCore() in vendor/src/POData/Writers/Json/JsonWriter.php on line 138 `$text` is passed to IndentedTextWriter::writeValue() in vendor/src/POData/Writers/Json/JsonWriter.php on line 231 `$value` is passed to IndentedTextWriter::_write() in vendor/src/POData/Writers/Json/IndentedTextWriter.php on line 59 IndentedTextWriter::$result is assigned in vendor/src/POData/Writers/Json/IndentedTextWriter.php on line 143 Tainted property IndentedTextWriter::$result is read in vendor/src/POData/Writers/Json/IndentedTextWriter.php on line 122 IndentedTextWriter::getResult() returns tainted data in vendor/src/POData/Writers/Json/JsonWriter.php on line 276 JsonWriter::getJsonOutput() returns tainted data in vendor/src/POData/Writers/Json/JsonODataV1Writer.php on line 432 JsonODataV1Writer::serializeException() returns tainted data, and `$responseBody` is assigned in vendor/src/POData/Common/ErrorHandler.php on line 63 `$responseBody` is passed to OutgoingResponse::setStream() in vendor/src/POData/Common/ErrorHandler.php on line 66 OutgoingResponse::$_stream is assigned in vendor/src/POData/OperationContext/Web/OutgoingResponse.php on line 205 Tainted property OutgoingResponse::$_stream is read in vendor/src/POData/OperationContext/Web/OutgoingResponse.php on line 195 OutgoingResponse::getStream() returns tainted data, and `$content` is assigned in src/Controllers/ODataController.php on line 53 6. Path:* Fetching key `HTTP_CONTENT_TYPE` from `$_SERVER,` and `$server` is assigned in Request.php on line 313 Fetching key `HTTP_CONTENT_TYPE` from `$_SERVER,` and `$server` is assigned in vendor/Request.php on line 313 `$server` is passed to Request::createRequestFromFactory() in vendor/Request.php on line 317 `$server` is passed to Request::__construct() in vendor/Request.php on line 2012 `$server` is passed to Request::initialize() in vendor/Request.php on line 258 `$server` is passed to ParameterBag::__construct() in vendor/Request.php on line 281 ParameterBag::$parameters is assigned in vendor/ParameterBag.php on line 35 Tainted property ParameterBag::$parameters is read in vendor/ParameterBag.php on line 88 ParameterBag::get() returns tainted data in vendor/Request.php on line 1007 Request::getPort() returns tainted data, and `$port` is assigned in vendor/Request.php on line 1070 Request::getHttpHost() returns tainted data in vendor/Request.php on line 1103 Request::getSchemeAndHttpHost() returns tainted data in vendor/Request.php on line 1119 Request::getUri() returns tainted data, and `$this->getUri()` is passed through preg_replace(), and `preg_replace('/\\?./', '', $this->getUri())` is passed through rtrim() in vendor/src/Illuminate/Http/Request.php on line 99 Request::url() returns tainted data in vendor/src/Illuminate/Http/Request.php on line 113 Request::fullUrl() returns tainted data, and IncomingIlluminateRequest::$rawUrl is assigned in vendor/src/POData/OperationContext/Web/Illuminate/IncomingIlluminateRequest.php on line 73 Tainted property IncomingIlluminateRequest::$rawUrl is read in vendor/src/POData/OperationContext/Web/Illuminate/IncomingIlluminateRequest.php on line 75 IncomingIlluminateRequest::getRawUrl() returns tainted data, and ServiceHost::$_absoluteRequestUriAsString is assigned in vendor/src/POData/OperationContext/ServiceHost.php on line 121 Tainted property ServiceHost::$_absoluteRequestUriAsString is read, and `$this->_absoluteRequestUriAsString` is passed to Url::__construct() in vendor/src/POData/OperationContext/ServiceHost.php on line 124 Url::$_urlAsString is assigned in vendor/src/POData/Common/Url.php on line 52 Tainted property Url::$_urlAsString is read in vendor/src/POData/Common/Url.php on line 62 Url::getUrlAsString() returns tainted data, and `$this->getRequest()->getRequestUrl()->getUrlAsString()` is passed to ObjectModelSerializerBase::getNextLinkUri() in vendor/src/POData/ObjectModel/ObjectModelSerializer.php on line 161 `$absoluteUri` is passed through rtrim(), and ODataLink::$url is assigned in vendor/src/POData/ObjectModel/ObjectModelSerializerBase.php on line 435 Tainted property ODataLink::$url is read, and `$nextPageLinkUri->url` is passed to JsonWriter::writeValue() in vendor/src/POData/Writers/Json/JsonODataV2Writer.php on line 153 `$value` is passed to JsonWriter::_writeCore() in vendor/src/POData/Writers/Json/JsonWriter.php on line 138 `$text` is passed to IndentedTextWriter::writeValue() in vendor/src/POData/Writers/Json/JsonWriter.php on line 231 `$value` is passed to IndentedTextWriter::_write() in vendor/src/POData/Writers/Json/IndentedTextWriter.php on line 59 IndentedTextWriter::$result is assigned in vendor/src/POData/Writers/Json/IndentedTextWriter.php on line 143 Tainted property IndentedTextWriter::$result is read in vendor/src/POData/Writers/Json/IndentedTextWriter.php on line 122 IndentedTextWriter::getResult() returns tainted data in vendor/src/POData/Writers/Json/JsonWriter.php on line 276 JsonWriter::getJsonOutput() returns tainted data in vendor/src/POData/Writers/Json/JsonODataV1Writer.php on line 432 JsonODataV1Writer::serializeException() returns tainted data, and `$responseBody` is assigned in vendor/src/POData/Common/ErrorHandler.php on line 63 `$responseBody` is passed to OutgoingResponse::setStream() in vendor/src/POData/Common/ErrorHandler.php on line 66 OutgoingResponse::$_stream is assigned in vendor/src/POData/OperationContext/Web/OutgoingResponse.php on line 205 Tainted property OutgoingResponse::$_stream is read in vendor/src/POData/OperationContext/Web/OutgoingResponse.php on line 195 OutgoingResponse::getStream() returns tainted data, and `$content` is assigned in src/Controllers/ODataController.php on line 53 7. Path:* `$server['HTTP_HOST']` seems to return tainted data, and `$server` is assigned in Request.php on line 383 `$server['HTTP_HOST']` seems to return tainted data, and `$server` is assigned in vendor/Request.php on line 383 `$server` is assigned in vendor/Request.php on line 431 `$server` is assigned in vendor/Request.php on line 432 `$server` is passed to Request::createRequestFromFactory() in vendor/Request.php on line 434 `$server` is passed to Request::__construct() in vendor/Request.php on line 2012 `$server` is passed to Request::initialize() in vendor/Request.php on line 258 `$server` is passed to ParameterBag::__construct() in vendor/Request.php on line 281 ParameterBag::$parameters is assigned in vendor/ParameterBag.php on line 35 Tainted property ParameterBag::$parameters is read in vendor/ParameterBag.php on line 88 ParameterBag::get() returns tainted data in vendor/Request.php on line 1007 Request::getPort() returns tainted data, and `$port` is assigned in vendor/Request.php on line 1070 Request::getHttpHost() returns tainted data in vendor/Request.php on line 1103 Request::getSchemeAndHttpHost() returns tainted data in vendor/Request.php on line 1119 Request::getUri() returns tainted data, and `$this->getUri()` is passed through preg_replace(), and `preg_replace('/\\?./', '', $this->getUri())` is passed through rtrim() in vendor/src/Illuminate/Http/Request.php on line 99 Request::url() returns tainted data in vendor/src/Illuminate/Http/Request.php on line 113 Request::fullUrl() returns tainted data, and IncomingIlluminateRequest::$rawUrl is assigned in vendor/src/POData/OperationContext/Web/Illuminate/IncomingIlluminateRequest.php on line 73 Tainted property IncomingIlluminateRequest::$rawUrl is read in vendor/src/POData/OperationContext/Web/Illuminate/IncomingIlluminateRequest.php on line 75 IncomingIlluminateRequest::getRawUrl() returns tainted data, and ServiceHost::$_absoluteRequestUriAsString is assigned in vendor/src/POData/OperationContext/ServiceHost.php on line 121 Tainted property ServiceHost::$_absoluteRequestUriAsString is read, and `$this->_absoluteRequestUriAsString` is passed to Url::__construct() in vendor/src/POData/OperationContext/ServiceHost.php on line 124 Url::$_urlAsString is assigned in vendor/src/POData/Common/Url.php on line 52 Tainted property Url::$_urlAsString is read in vendor/src/POData/Common/Url.php on line 62 Url::getUrlAsString() returns tainted data, and `$this->getRequest()->getRequestUrl()->getUrlAsString()` is passed to ObjectModelSerializerBase::getNextLinkUri() in vendor/src/POData/ObjectModel/ObjectModelSerializer.php on line 161 `$absoluteUri` is passed through rtrim(), and ODataLink::$url is assigned in vendor/src/POData/ObjectModel/ObjectModelSerializerBase.php on line 435 Tainted property ODataLink::$url is read, and `$nextPageLinkUri->url` is passed to JsonWriter::writeValue() in vendor/src/POData/Writers/Json/JsonODataV2Writer.php on line 153 `$value` is passed to JsonWriter::_writeCore() in vendor/src/POData/Writers/Json/JsonWriter.php on line 138 `$text` is passed to IndentedTextWriter::writeValue() in vendor/src/POData/Writers/Json/JsonWriter.php on line 231 `$value` is passed to IndentedTextWriter::_write() in vendor/src/POData/Writers/Json/IndentedTextWriter.php on line 59 IndentedTextWriter::$result is assigned in vendor/src/POData/Writers/Json/IndentedTextWriter.php on line 143 Tainted property IndentedTextWriter::$result is read in vendor/src/POData/Writers/Json/IndentedTextWriter.php on line 122 IndentedTextWriter::getResult() returns tainted data in vendor/src/POData/Writers/Json/JsonWriter.php on line 276 JsonWriter::getJsonOutput() returns tainted data in vendor/src/POData/Writers/Json/JsonODataV1Writer.php on line 432 JsonODataV1Writer::serializeException() returns tainted data, and `$responseBody` is assigned in vendor/src/POData/Common/ErrorHandler.php on line 63 `$responseBody` is passed to OutgoingResponse::setStream() in vendor/src/POData/Common/ErrorHandler.php on line 66 OutgoingResponse::$_stream is assigned in vendor/src/POData/OperationContext/Web/OutgoingResponse.php on line 205 Tainted property OutgoingResponse::$_stream is read in vendor/src/POData/OperationContext/Web/OutgoingResponse.php on line 195 OutgoingResponse::getStream() returns tainted data, and `$content` is assigned in src/Controllers/ODataController.php on line 53 8. Path:* `$this->parameters['PHP_AUTH_USER']` seems to return tainted data, and `$headers` is assigned in ServerBag.php on line 43 `$this->parameters['PHP_AUTH_USER']` seems to return tainted data, and `$headers` is assigned in vendor/ServerBag.php on line 43 `$headers` is assigned in vendor/ServerBag.php on line 44 ServerBag::getHeaders() returns tainted data, and `$this->server->getHeaders()` is passed to HeaderBag::__construct() in vendor/Request.php on line 282 `$values` is assigned in vendor/HeaderBag.php on line 31 `$values` is passed to HeaderBag::set() in vendor/HeaderBag.php on line 32 `(array) $values` is passed through array_values(), and `$values` is assigned in vendor/HeaderBag.php on line 143 HeaderBag::$headers is assigned in vendor/HeaderBag.php on line 146 Tainted property HeaderBag::$headers is read in vendor/HeaderBag.php on line 67 HeaderBag::all() returns tainted data, and `$headers` is assigned in vendor/HeaderBag.php on line 115 HeaderBag::get() returns tainted data, and `$requestUri` is assigned in vendor/Request.php on line 1782 `$requestUri` is passed to ParameterBag::set() in vendor/Request.php on line 1813 ParameterBag::$parameters is assigned in vendor/ParameterBag.php on line 99 Tainted property ParameterBag::$parameters is read in vendor/ParameterBag.php on line 88 ParameterBag::get() returns tainted data in vendor/Request.php on line 1007 Request::getPort() returns tainted data, and `$port` is assigned in vendor/Request.php on line 1070 Request::getHttpHost() returns tainted data in vendor/Request.php on line 1103 Request::getSchemeAndHttpHost() returns tainted data in vendor/Request.php on line 1119 Request::getUri() returns tainted data, and `$this->getUri()` is passed through preg_replace(), and `preg_replace('/\\?./', '', $this->getUri())` is passed through rtrim() in vendor/src/Illuminate/Http/Request.php on line 99 Request::url() returns tainted data in vendor/src/Illuminate/Http/Request.php on line 113 Request::fullUrl() returns tainted data, and IncomingIlluminateRequest::$rawUrl is assigned in vendor/src/POData/OperationContext/Web/Illuminate/IncomingIlluminateRequest.php on line 73 Tainted property IncomingIlluminateRequest::$rawUrl is read in vendor/src/POData/OperationContext/Web/Illuminate/IncomingIlluminateRequest.php on line 75 IncomingIlluminateRequest::getRawUrl() returns tainted data, and ServiceHost::$_absoluteRequestUriAsString is assigned in vendor/src/POData/OperationContext/ServiceHost.php on line 121 Tainted property ServiceHost::$_absoluteRequestUriAsString is read, and `$this->_absoluteRequestUriAsString` is passed to Url::__construct() in vendor/src/POData/OperationContext/ServiceHost.php on line 124 Url::$_urlAsString is assigned in vendor/src/POData/Common/Url.php on line 52 Tainted property Url::$_urlAsString is read in vendor/src/POData/Common/Url.php on line 62 Url::getUrlAsString() returns tainted data, and `$this->getRequest()->getRequestUrl()->getUrlAsString()` is passed to ObjectModelSerializerBase::getNextLinkUri() in vendor/src/POData/ObjectModel/ObjectModelSerializer.php on line 161 `$absoluteUri` is passed through rtrim(), and ODataLink::$url is assigned in vendor/src/POData/ObjectModel/ObjectModelSerializerBase.php on line 435 Tainted property ODataLink::$url is read, and `$nextPageLinkUri->url` is passed to JsonWriter::writeValue() in vendor/src/POData/Writers/Json/JsonODataV2Writer.php on line 153 `$value` is passed to JsonWriter::_writeCore() in vendor/src/POData/Writers/Json/JsonWriter.php on line 138 `$text` is passed to IndentedTextWriter::writeValue() in vendor/src/POData/Writers/Json/JsonWriter.php on line 231 `$value` is passed to IndentedTextWriter::_write() in vendor/src/POData/Writers/Json/IndentedTextWriter.php on line 59 IndentedTextWriter::$result is assigned in vendor/src/POData/Writers/Json/IndentedTextWriter.php on line 143 Tainted property IndentedTextWriter::$result is read in vendor/src/POData/Writers/Json/IndentedTextWriter.php on line 122 IndentedTextWriter::getResult() returns tainted data in vendor/src/POData/Writers/Json/JsonWriter.php on line 276 JsonWriter::getJsonOutput() returns tainted data in vendor/src/POData/Writers/Json/JsonODataV1Writer.php on line 432 JsonODataV1Writer::serializeException() returns tainted data, and `$responseBody` is assigned in vendor/src/POData/Common/ErrorHandler.php on line 63 `$responseBody` is passed to OutgoingResponse::setStream() in vendor/src/POData/Common/ErrorHandler.php on line 66 OutgoingResponse::$_stream is assigned in vendor/src/POData/OperationContext/Web/OutgoingResponse.php on line 205 Tainted property OutgoingResponse::$_stream is read in vendor/src/POData/OperationContext/Web/OutgoingResponse.php on line 195 OutgoingResponse::getStream() returns tainted data, and `$content` is assigned in src/Controllers/ODataController.php on line 53 9. Path:* `$this->parameters['PHP_AUTH_PW']` seems to return tainted data, and `$headers` is assigned in ServerBag.php on line 44 `$this->parameters['PHP_AUTH_PW']` seems to return tainted data, and `$headers` is assigned in vendor/ServerBag.php on line 44 ServerBag::getHeaders() returns tainted data, and `$this->server->getHeaders()` is passed to HeaderBag::__construct() in vendor/Request.php on line 282 `$values` is assigned in vendor/HeaderBag.php on line 31 `$values` is passed to HeaderBag::set() in vendor/HeaderBag.php on line 32 `(array) $values` is passed through array_values(), and `$values` is assigned in vendor/HeaderBag.php on line 143 HeaderBag::$headers is assigned in vendor/HeaderBag.php on line 146 Tainted property HeaderBag::$headers is read in vendor/HeaderBag.php on line 67 HeaderBag::all() returns tainted data, and `$headers` is assigned in vendor/HeaderBag.php on line 115 HeaderBag::get() returns tainted data, and `$requestUri` is assigned in vendor/Request.php on line 1782 `$requestUri` is passed to ParameterBag::set() in vendor/Request.php on line 1813 ParameterBag::$parameters is assigned in vendor/ParameterBag.php on line 99 Tainted property ParameterBag::$parameters is read in vendor/ParameterBag.php on line 88 ParameterBag::get() returns tainted data in vendor/Request.php on line 1007 Request::getPort() returns tainted data, and `$port` is assigned in vendor/Request.php on line 1070 Request::getHttpHost() returns tainted data in vendor/Request.php on line 1103 Request::getSchemeAndHttpHost() returns tainted data in vendor/Request.php on line 1119 Request::getUri() returns tainted data, and `$this->getUri()` is passed through preg_replace(), and `preg_replace('/\\?./', '', $this->getUri())` is passed through rtrim() in vendor/src/Illuminate/Http/Request.php on line 99 Request::url() returns tainted data in vendor/src/Illuminate/Http/Request.php on line 113 Request::fullUrl() returns tainted data, and IncomingIlluminateRequest::$rawUrl is assigned in vendor/src/POData/OperationContext/Web/Illuminate/IncomingIlluminateRequest.php on line 73 Tainted property IncomingIlluminateRequest::$rawUrl is read in vendor/src/POData/OperationContext/Web/Illuminate/IncomingIlluminateRequest.php on line 75 IncomingIlluminateRequest::getRawUrl() returns tainted data, and ServiceHost::$_absoluteRequestUriAsString is assigned in vendor/src/POData/OperationContext/ServiceHost.php on line 121 Tainted property ServiceHost::$_absoluteRequestUriAsString is read, and `$this->_absoluteRequestUriAsString` is passed to Url::__construct() in vendor/src/POData/OperationContext/ServiceHost.php on line 124 Url::$_urlAsString is assigned in vendor/src/POData/Common/Url.php on line 52 Tainted property Url::$_urlAsString is read in vendor/src/POData/Common/Url.php on line 62 Url::getUrlAsString() returns tainted data, and `$this->getRequest()->getRequestUrl()->getUrlAsString()` is passed to ObjectModelSerializerBase::getNextLinkUri() in vendor/src/POData/ObjectModel/ObjectModelSerializer.php on line 161 `$absoluteUri` is passed through rtrim(), and ODataLink::$url is assigned in vendor/src/POData/ObjectModel/ObjectModelSerializerBase.php on line 435 Tainted property ODataLink::$url is read, and `$nextPageLinkUri->url` is passed to JsonWriter::writeValue() in vendor/src/POData/Writers/Json/JsonODataV2Writer.php on line 153 `$value` is passed to JsonWriter::_writeCore() in vendor/src/POData/Writers/Json/JsonWriter.php on line 138 `$text` is passed to IndentedTextWriter::writeValue() in vendor/src/POData/Writers/Json/JsonWriter.php on line 231 `$value` is passed to IndentedTextWriter::_write() in vendor/src/POData/Writers/Json/IndentedTextWriter.php on line 59 IndentedTextWriter::$result is assigned in vendor/src/POData/Writers/Json/IndentedTextWriter.php on line 143 Tainted property IndentedTextWriter::$result is read in vendor/src/POData/Writers/Json/IndentedTextWriter.php on line 122 IndentedTextWriter::getResult() returns tainted data in vendor/src/POData/Writers/Json/JsonWriter.php on line 276 JsonWriter::getJsonOutput() returns tainted data in vendor/src/POData/Writers/Json/JsonODataV1Writer.php on line 432 JsonODataV1Writer::serializeException() returns tainted data, and `$responseBody` is assigned in vendor/src/POData/Common/ErrorHandler.php on line 63 `$responseBody` is passed to OutgoingResponse::setStream() in vendor/src/POData/Common/ErrorHandler.php on line 66 OutgoingResponse::$_stream is assigned in vendor/src/POData/OperationContext/Web/OutgoingResponse.php on line 205 Tainted property OutgoingResponse::$_stream is read in vendor/src/POData/OperationContext/Web/OutgoingResponse.php on line 195 OutgoingResponse::getStream() returns tainted data, and `$content` is assigned in src/Controllers/ODataController.php on line 53 Used in output context Response::__construct() uses Response::setContent() ($content) in vendor/Response.php on line 201 Response::setContent() uses property Response::$content for writing in vendor/Response.php on line 412 Property Response::$content is used in echo in vendor/Response.php on line 371 Preventing Cross-Site-Scripting Attacks Cross-Site-Scripting allows an attacker to inject malicious code into your website - in particular Javascript code, and have that code executed with the privileges of a visiting user. This can be used to obtain data, or perform actions on behalf of that visiting user. In order to prevent this, make sure to escape all user-provided data: // for HTML $sanitized = htmlentities($tainted, ENT_QUOTES); // for URLs $sanitized = urlencode($tainted); General Strategies to prevent injection In general, it is advisable to prevent any user-data to reach this point. This can be done by white-listing certain values: if ( ! in_array($value, array('this-is-allowed', 'and-this-too'), true)) { throw new \InvalidArgumentException('This input is not allowed.'); } For numeric data, we recommend to explicitly cast* the data: $sanitized = (integer) $tainted; Loading history...
59			$response->setStatusCode($headers["Status"]);
60
61			foreach ($headers as $headerName => $headerValue) {
62			if (!is_null($headerValue)) {
63			$response->headers->set($headerName, $headerValue);
64			}
65			}
66			return $response;
67			}
68
69			/**
70			* @return mixed
71			*/
72			protected function getIsDumping()
73			{
74			return true === env('APP_DUMP_REQUESTS', false);
75			}
76			}
77

Algo-Web / POData-Laravel

Push — master ( c52cc2...15cb66 )

ODataController::getIsDumping() A

Complexity

Size

Duplication

Code Coverage

Importance

9 paths for user data to reach this point

Used in output context

Preventing Cross-Site-Scripting Attacks

General Strategies to prevent injection

Duplication Side-by-Side

Filter issues like