Issues in Dispatcher.php (master) - Issues in master - FloKnapp/faulancer - Measure and Improve Code Quality continuously with Scrutinizer

Issues (56)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Controller/Dispatcher.php (2 issues)

Labels

Duplication 2

Severity

Informational 2

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace Faulancer\Controller;

use Faulancer\Event\Observer;
use Faulancer\Event\Type\OnDispatch;
use Faulancer\Exception\IncompatibleResponseException;
use Faulancer\Http\Http;
use Faulancer\Http\JsonResponse;
use Faulancer\Http\Request;
use Faulancer\Http\Response;
use Faulancer\Exception\MethodNotFoundException;
use Faulancer\Service\AuthenticatorService;
use Faulancer\Service\Config;
use Faulancer\ServiceLocator\ServiceLocator;
use Faulancer\Session\SessionManager;

/**
 * Class Dispatcher | Dispatcher.php
 *
 * @package Faulancer\AbstractController
 * @author Florian Knapp <[email protected]>
 */
class Dispatcher
{

    /**
     * The current request object
     *
     * @var Request
     */
    protected $request;

    /**
     * The configuration object
     *
     * @var Config
     */
    protected $config;

    /**
     * user, api
     *
     * @var string
     */
    protected $requestType = 'default';

    /**
     * Dispatcher constructor.
     *
     * @param Request $request
     * @param Config  $config
     */
    public function __construct(Request $request, Config $config)
    {
        $this->request = $request;
        $this->config  = $config;
    }

    /**
     * Bootstrap for every route call
     *
     * @return Response|JsonResponse|mixed
     * @throws MethodNotFoundException
     * @throws IncompatibleResponseException
     */
    public function dispatch()
    {
        // Check for core assets path
        if ($assets = $this->_resolveAssetsPath()) {
            return $assets;
        }

        Observer::instance()->trigger(new OnDispatch($this));

        $this->_setLanguageFromUri();

        if (strpos($this->request->getPath(), '/api') === 0) {
            $this->requestType = 'api';
        }

        list($class, $action, $permission, $payload) = $this->_getRoute($this->request->getPath());

        /** @var Controller $class */
        $class   = new $class($this->request);

        if (!empty($permission)) {

            /** @var AuthenticatorService $authenticator */
            $authenticator = ServiceLocator::instance()->get(AuthenticatorService::class);
            $isPermitted   = $authenticator->isPermitted($permission);

            if ($isPermitted === null) {

                return ServiceLocator::instance()->get(Http::class)->redirect($this->config->get('auth:authUrl'));

            } else if ($isPermitted === false) {

                $errorController = $this->config->get('customErrorController');
                return (new $errorController($this->request))->notPermittedAction();

            }

        }

        if (!method_exists($class, $action)) {

            throw new MethodNotFoundException(
                'Class "' . get_class($class) . '" doesn\'t have the method ' . $action
            );

        }

        $payload = array_map('strip_tags', $payload);
        $payload = array_map('htmlspecialchars', $payload);

        $response = call_user_func_array([$class, $action], $payload);

        if (!$response instanceof Response) {
            throw new IncompatibleResponseException('No valid response returned.');
        }

        return $response;

    }

    /**
     * @return bool
     */
    private function _setLanguageFromUri()
    {
        if ($this->request->getParam('lang') !== null) {

            $serviceLocator = ServiceLocator::instance();

            /** @var SessionManager $sessionManager */
            $sessionManager = $serviceLocator->get(SessionManager::class);
            $sessionManager->set('language', $this->request->getParam('lang'));

            return true;

        }

        return false;
    }

    /**
     * @return bool|string
     */
    private function _resolveAssetsPath()
    {
        $matches = [];

        if (preg_match('/(?<style>css)|(?<script>js)/', $this->request->getPath(), $matches)) {

            $file = $this->request->getPath();

            if (strpos($file, 'core') !== false) {

                $path = str_replace('/core', '', $file);

                if ($matches['style'] === 'css') {
                    return $this->sendCssFileHeader($path);
                } else if ($matches['script'] === 'js') {
                    return $this->sendJsFileHeader($path);
                }

            }

        }

        return false;
    }

    /**
     * @param $file
     * @return string
     * @codeCoverageIgnore
     */
    public function sendCssFileHeader($file)
    {
        header('Content-Type: text/css');
        echo file_get_contents(__DIR__ . '/../../public/assets' . $file);
        exit(0);
    }

    /**
     * @param $file
     * @return string
     * @codeCoverageIgnore
     */
    public function sendJsFileHeader($file)
    {
        header('Content-Type: text/javascript');
        echo file_get_contents(__DIR__ . '/../../public/assets' . $file);
        exit(0);
    }

    /**
     * Get data for specific route path
     *
     * @param string $path
     *
     * @return array
     * @throws MethodNotFoundException
     */
    private function _getRoute($path)
    {
        if (strpos($this->request->getPath(), '/api') === 0) {
            $routes = $this->config->get('routes:rest');
        } else {
            $routes = $this->config->get('routes');
        }

        foreach ($routes as $name => $data) {

            if ($target = $this->_getDirectMatch($path, $data)) {
                return $target;
            } else if ($target = $this->_getVariableMatch($path, $data)) {
                return $target;
            }

        }

        throw new MethodNotFoundException('No matching route for path "' . $path . '" found');
    }

    /**
     * Determines if we have a direct/static route match
     *
     * @param string $uri  The request uri
     * @param array  $data The result from ClassParser
     *
     * @return array
     * @throws MethodNotFoundException
     */
    private function _getDirectMatch($uri, array $data) :array
    {
        if (!empty($data['path']) && $uri === $data['path']) {

            if ($this->requestType === 'default' && in_array($this->request->getMethod(), $data['method'] ?? ['GET'])) {

                return [
                    $data['controller'],
                    $data['action'] . 'Action',
                    $data['permission'] ?? null,
                    []
                ];

            } else if ($this->requestType === 'api') {


                return [
                    $data['controller'],
                    $this->_getRestfulAction(),
                    $data['permission'] ?? null,
                    []
                ];

            }

            throw new MethodNotFoundException('Non valid request method available.');

        }

        return [];
    }

    /**
     * Determines if we have a variable route match
     *
     * @param string $uri
     * @param array  $data
     *
     * @return array
     */
    private function _getVariableMatch($uri, array $data) :array
    {
        if (empty($data['path']) || $data['path'] === '/') {
            return [];
        }

        $var   = [];
        $regex = str_replace(['/', '___'], ['\/', '+'], $data['path']);

        if (preg_match('|^' . $regex . '$|', $uri, $var)) {

            array_splice($var, 0, 1);

            if ($this->requestType === 'default'  && in_array($this->request->getMethod(), $data['method'])) {

                return [
                    $data['controller'],
                    $data['action'] . 'Action',
                    $data['permission'] ?? null,
                    $var
                ];

            } else if ($this->requestType === 'api') {


                return [
                    $data['controller'],
                    $this->_getRestfulAction(),
                    $data['permission'] ?? null,
                    $var
                ];

            }

        }

        return [];
    }
    

    /**
     * @return string
     * @codeCoverageIgnore
     */
    private function _getRestfulAction()
    {
        $method = strtoupper($this->request->getMethod());

        switch ($method) {

            case 'GET':
                return 'get';

            case 'POST':
                return 'create';

            case 'PUT':
                return 'update';

            case 'DELETE':
                return 'delete';

            case 'PATCH':
                return 'update';

            default:
                return 'get';

        }
    }

}

1		<?php
2
3		namespace Faulancer\Controller;
4
5		use Faulancer\Event\Observer;
6		use Faulancer\Event\Type\OnDispatch;
7		use Faulancer\Exception\IncompatibleResponseException;
8		use Faulancer\Http\Http;
9		use Faulancer\Http\JsonResponse;
10		use Faulancer\Http\Request;
11		use Faulancer\Http\Response;
12		use Faulancer\Exception\MethodNotFoundException;
13		use Faulancer\Service\AuthenticatorService;
14		use Faulancer\Service\Config;
15		use Faulancer\ServiceLocator\ServiceLocator;
16		use Faulancer\Session\SessionManager;
17
18		/**
19		* Class Dispatcher \| Dispatcher.php
20		*
21		* @package Faulancer\AbstractController
22		* @author Florian Knapp <[email protected]>
23		*/
24		class Dispatcher
25		{
26
27		/**
28		* The current request object
29		*
30		* @var Request
31		*/
32		protected $request;
33
34		/**
35		* The configuration object
36		*
37		* @var Config
38		*/
39		protected $config;
40
41		/**
42		* user, api
43		*
44		* @var string
45		*/
46		protected $requestType = 'default';
47
48		/**
49		* Dispatcher constructor.
50		*
51		* @param Request $request
52		* @param Config $config
53		*/
54		public function __construct(Request $request, Config $config)
55		{
56		$this->request = $request;
57		$this->config = $config;
58		}
59
60		/**
61		* Bootstrap for every route call
62		*
63		* @return Response\|JsonResponse\|mixed
64		* @throws MethodNotFoundException
65		* @throws IncompatibleResponseException
66		*/
67		public function dispatch()
68		{
69		// Check for core assets path
70		if ($assets = $this->_resolveAssetsPath()) {
71		return $assets;
72		}
73
74		Observer::instance()->trigger(new OnDispatch($this));
75
76		$this->_setLanguageFromUri();
77
78		if (strpos($this->request->getPath(), '/api') === 0) {
79		$this->requestType = 'api';
80		}
81
82		list($class, $action, $permission, $payload) = $this->_getRoute($this->request->getPath());
83
84		/** @var Controller $class */
85		$class = new $class($this->request);
86
87		if (!empty($permission)) {
88
89		/** @var AuthenticatorService $authenticator */
90		$authenticator = ServiceLocator::instance()->get(AuthenticatorService::class);
91		$isPermitted = $authenticator->isPermitted($permission);
92
93		if ($isPermitted === null) {
94
95		return ServiceLocator::instance()->get(Http::class)->redirect($this->config->get('auth:authUrl'));
96
97		} else if ($isPermitted === false) {
98
99		$errorController = $this->config->get('customErrorController');
100		return (new $errorController($this->request))->notPermittedAction();
101
102		}
103
104		}
105
106		if (!method_exists($class, $action)) {
107
108		throw new MethodNotFoundException(
109		'Class "' . get_class($class) . '" doesn\'t have the method ' . $action
110		);
111
112		}
113
114		$payload = array_map('strip_tags', $payload);
115		$payload = array_map('htmlspecialchars', $payload);
116
117		$response = call_user_func_array([$class, $action], $payload);
118
119		if (!$response instanceof Response) {
120		throw new IncompatibleResponseException('No valid response returned.');
121		}
122
123		return $response;
124
125		}
126
127		/**
128		* @return bool
129		*/
130		private function _setLanguageFromUri()
131		{
132		if ($this->request->getParam('lang') !== null) {
133
134		$serviceLocator = ServiceLocator::instance();
135
136		/** @var SessionManager $sessionManager */
137		$sessionManager = $serviceLocator->get(SessionManager::class);
138		$sessionManager->set('language', $this->request->getParam('lang'));
139
140		return true;
141
142		}
143
144		return false;
145		}
146
147		/**
148		* @return bool\|string
149		*/
150		private function _resolveAssetsPath()
151		{
152		$matches = [];
153
154		if (preg_match('/(?<style>css)\|(?<script>js)/', $this->request->getPath(), $matches)) {
155
156		$file = $this->request->getPath();
157
158		if (strpos($file, 'core') !== false) {
159
160		$path = str_replace('/core', '', $file);
161
162		if ($matches['style'] === 'css') {
163		return $this->sendCssFileHeader($path);
164		} else if ($matches['script'] === 'js') {
165		return $this->sendJsFileHeader($path);
166		}
167
168		}
169
170		}
171
172		return false;
173		}
174
175		/**
176		* @param $file
177		* @return string
178		* @codeCoverageIgnore
179		*/
180		public function sendCssFileHeader($file)
181		{
182		header('Content-Type: text/css');
183		echo file_get_contents(__DIR__ . '/../../public/assets' . $file);
184		exit(0);
185		}
186
187		/**
188		* @param $file
189		* @return string
190		* @codeCoverageIgnore
191		*/
192		public function sendJsFileHeader($file)
193		{
194		header('Content-Type: text/javascript');
195		echo file_get_contents(__DIR__ . '/../../public/assets' . $file);
196		exit(0);
197		}
198
199		/**
200		* Get data for specific route path
201		*
202		* @param string $path
203		*
204		* @return array
205		* @throws MethodNotFoundException
206		*/
207		private function _getRoute($path)
208		{
209		if (strpos($this->request->getPath(), '/api') === 0) {
210		$routes = $this->config->get('routes:rest');
211		} else {
212		$routes = $this->config->get('routes');
213		}
214
215		foreach ($routes as $name => $data) {
216
217		if ($target = $this->_getDirectMatch($path, $data)) {
218		return $target;
219		} else if ($target = $this->_getVariableMatch($path, $data)) {
220		return $target;
221		}
222
223		}
224
225		throw new MethodNotFoundException('No matching route for path "' . $path . '" found');
226		}
227
228		/**
229		* Determines if we have a direct/static route match
230		*
231		* @param string $uri The request uri
232		* @param array $data The result from ClassParser
233		*
234		* @return array
235		* @throws MethodNotFoundException
236		*/
237		private function _getDirectMatch($uri, array $data) :array
238		{
239		if (!empty($data['path']) && $uri === $data['path']) {
240
241		if ($this->requestType === 'default' && in_array($this->request->getMethod(), $data['method'] ?? ['GET'])) {
242
243		return [
244		$data['controller'],
245		$data['action'] . 'Action',
246		$data['permission'] ?? null,
247		[]
248		];
249
250	View Code Duplication	} else if ($this->requestType === 'api') {
		0 ignored issues – show Duplication introduced 2017-06-07 21:14 UTC by Report Bug Copy Issue Report Show Similar Issues like this This code seems to be duplicated across your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
251
252		return [
253		$data['controller'],
254		$this->_getRestfulAction(),
255		$data['permission'] ?? null,
256		[]
257		];
258
259		}
260
261		throw new MethodNotFoundException('Non valid request method available.');
262
263		}
264
265		return [];
266		}
267
268		/**
269		* Determines if we have a variable route match
270		*
271		* @param string $uri
272		* @param array $data
273		*
274		* @return array
275		*/
276		private function _getVariableMatch($uri, array $data) :array
277		{
278		if (empty($data['path']) \|\| $data['path'] === '/') {
279		return [];
280		}
281
282		$var = [];
283		$regex = str_replace(['/', '___'], ['\/', '+'], $data['path']);
284
285		if (preg_match('\|^' . $regex . '$\|', $uri, $var)) {
286
287		array_splice($var, 0, 1);
288
289		if ($this->requestType === 'default' && in_array($this->request->getMethod(), $data['method'])) {
290
291		return [
292		$data['controller'],
293		$data['action'] . 'Action',
294		$data['permission'] ?? null,
295		$var
296		];
297
298	View Code Duplication	} else if ($this->requestType === 'api') {
		0 ignored issues – show Duplication introduced 2017-06-07 21:14 UTC by Report Bug Copy Issue Report Show Similar Issues like this This code seems to be duplicated across your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
299
300		return [
301		$data['controller'],
302		$this->_getRestfulAction(),
303		$data['permission'] ?? null,
304		$var
305		];
306
307		}
308
309		}
310
311		return [];
312		}
313
314
315		/**
316		* @return string
317		* @codeCoverageIgnore
318		*/
319		private function _getRestfulAction()
320		{
321		$method = strtoupper($this->request->getMethod());
322
323		switch ($method) {
324
325		case 'GET':
326		return 'get';
327
328		case 'POST':
329		return 'create';
330
331		case 'PUT':
332		return 'update';
333
334		case 'DELETE':
335		return 'delete';
336
337		case 'PATCH':
338		return 'update';
339
340		default:
341		return 'get';
342
343		}
344		}
345
346		}

FloKnapp / faulancer

Issues (56)

Security Analysis not enabled

src/Controller/Dispatcher.php (2 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like