This project does not seem to handle request data directly as such no vulnerable execution paths were found.
include
, or for example
via PHP's auto-loading mechanism.
These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more
1 | <?php |
||
2 | |||
3 | namespace Kunstmaan\NodeBundle\Helper; |
||
4 | |||
5 | use Doctrine\ORM\EntityManagerInterface; |
||
6 | use Kunstmaan\AdminBundle\Entity\BaseUser; |
||
7 | use Kunstmaan\AdminBundle\Helper\CloneHelper; |
||
8 | use Kunstmaan\AdminBundle\Helper\Security\Acl\Permission\PermissionMap; |
||
9 | use Kunstmaan\NodeBundle\Entity\DuplicateSubPageInterface; |
||
10 | use Kunstmaan\NodeBundle\Entity\HasNodeInterface; |
||
11 | use Kunstmaan\NodeBundle\Entity\Node; |
||
12 | use Kunstmaan\NodeBundle\Entity\PageInterface; |
||
13 | use Kunstmaan\NodeBundle\Event\Events; |
||
14 | use Kunstmaan\NodeBundle\Event\PreNodeDuplicateEvent; |
||
15 | use Kunstmaan\NodeBundle\Event\PostNodeDuplicateEvent; |
||
16 | use Symfony\Component\EventDispatcher\EventDispatcherInterface; |
||
17 | use Symfony\Component\EventDispatcher\LegacyEventDispatcherProxy; |
||
18 | use Symfony\Component\Security\Acl\Domain\RoleSecurityIdentity; |
||
19 | use Symfony\Component\Security\Acl\Model\AclProviderInterface; |
||
20 | use Symfony\Component\Security\Acl\Model\EntryInterface; |
||
21 | use Symfony\Component\Security\Acl\Model\ObjectIdentityRetrievalStrategyInterface; |
||
22 | use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface; |
||
23 | use Symfony\Component\Security\Core\Exception\AccessDeniedException; |
||
24 | |||
25 | class PageCloningHelper |
||
26 | { |
||
27 | /** @var EntityManagerInterface */ |
||
28 | private $em; |
||
29 | |||
30 | /** @var CloneHelper */ |
||
31 | private $cloneHelper; |
||
32 | |||
33 | /** @var AclProviderInterface */ |
||
34 | private $aclProvider; |
||
35 | |||
36 | /** @var ObjectIdentityRetrievalStrategyInterface */ |
||
37 | private $identityRetrievalStrategy; |
||
38 | |||
39 | /** @var AuthorizationCheckerInterface */ |
||
40 | private $authorizationCheckerInterface; |
||
41 | |||
42 | /** @var EventDispatcherInterface */ |
||
43 | private $eventDispatcherInterface; |
||
44 | |||
45 | public function __construct(EntityManagerInterface $em, CloneHelper $cloneHelper, AclProviderInterface $aclProvider, ObjectIdentityRetrievalStrategyInterface $identityRetrivalStrategy, AuthorizationCheckerInterface $authorizationChecker, EventDispatcherInterface $eventDispatcher) |
||
46 | { |
||
47 | $this->em = $em; |
||
48 | $this->cloneHelper = $cloneHelper; |
||
49 | $this->aclProvider = $aclProvider; |
||
50 | $this->identityRetrievalStrategy = $identityRetrivalStrategy; |
||
51 | $this->authorizationCheckerInterface = $authorizationChecker; |
||
52 | $this->eventDispatcherInterface = $eventDispatcher; |
||
53 | } |
||
54 | |||
55 | /** |
||
56 | * @throws AccessDeniedException |
||
57 | */ |
||
58 | public function duplicateWithChildren($id, string $locale, BaseUser $user, string $title = null): Node |
||
59 | { |
||
60 | /* @var Node $parentNode */ |
||
61 | $originalNode = $this->em->getRepository('KunstmaanNodeBundle:Node')->find($id); |
||
62 | |||
63 | $this->denyAccessUnlessGranted(PermissionMap::PERMISSION_EDIT, $originalNode); |
||
64 | |||
65 | $this->dispatch(new PreNodeDuplicateEvent($originalNode), Events::PRE_DUPLICATE_WITH_CHILDREN); |
||
66 | |||
67 | $newPage = $this->clonePage($originalNode, $locale, $title); |
||
68 | $nodeNewPage = $this->createNodeStructureForNewPage($originalNode, $newPage, $user, $locale); |
||
69 | |||
70 | $this->dispatch(new PostNodeDuplicateEvent($originalNode, $nodeNewPage, $newPage), Events::POST_DUPLICATE_WITH_CHILDREN); |
||
71 | |||
72 | $this->cloneChildren($originalNode, $newPage, $user, $locale); |
||
73 | |||
74 | return $nodeNewPage; |
||
75 | } |
||
76 | |||
77 | private function denyAccessUnlessGranted($attributes, $subject = null, $message = 'Access Denied.') |
||
78 | { |
||
79 | if (!$this->authorizationCheckerInterface->isGranted($attributes, $subject)) { |
||
80 | $exception = new AccessDeniedException(); |
||
81 | $exception->setAttributes($attributes); |
||
82 | $exception->setSubject($subject); |
||
83 | |||
84 | throw $exception; |
||
85 | } |
||
86 | } |
||
87 | |||
88 | public function clonePage(Node $originalNode, $locale, $title = null) |
||
89 | { |
||
90 | $originalNodeTranslations = $originalNode->getNodeTranslation($locale, true); |
||
91 | $originalRef = $originalNodeTranslations->getPublicNodeVersion()->getRef($this->em); |
||
92 | |||
93 | $newPage = $this->cloneHelper->deepCloneAndSave($originalRef); |
||
94 | |||
95 | if ($title !== null) { |
||
96 | $newPage->setTitle($title); |
||
97 | } |
||
98 | |||
99 | //set the parent |
||
100 | $parentNodeTranslation = $originalNode->getParent()->getNodeTranslation($locale, true); |
||
101 | $parent = $parentNodeTranslation->getPublicNodeVersion()->getRef($this->em); |
||
102 | $newPage->setParent($parent); |
||
103 | |||
104 | $this->em->persist($newPage); |
||
105 | $this->em->flush(); |
||
106 | |||
107 | return $newPage; |
||
108 | } |
||
109 | |||
110 | private function createNodeStructureForNewPage(Node $originalNode, HasNodeInterface $newPage, BaseUser $user, string $locale): Node |
||
111 | { |
||
112 | /* @var Node $nodeNewPage */ |
||
113 | $nodeNewPage = $this->em->getRepository('KunstmaanNodeBundle:Node')->createNodeFor($newPage, $locale, $user); |
||
114 | |||
115 | if ($newPage->isStructureNode()) { |
||
116 | $nodeTranslation = $nodeNewPage->getNodeTranslation($locale, true); |
||
117 | $nodeTranslation->setSlug(''); |
||
118 | $this->em->persist($nodeTranslation); |
||
0 ignored issues
–
show
|
|||
119 | } |
||
120 | $this->em->flush(); |
||
121 | |||
122 | $this->updateAcl($originalNode, $nodeNewPage); |
||
123 | |||
124 | return $nodeNewPage; |
||
125 | } |
||
126 | |||
127 | View Code Duplication | private function updateAcl($originalNode, $nodeNewPage): void |
|
128 | { |
||
129 | $originalIdentity = $this->identityRetrievalStrategy->getObjectIdentity($originalNode); |
||
130 | $originalAcl = $this->aclProvider->findAcl($originalIdentity); |
||
131 | |||
132 | $newIdentity = $this->identityRetrievalStrategy->getObjectIdentity($nodeNewPage); |
||
133 | $newAcl = $this->aclProvider->createAcl($newIdentity); |
||
0 ignored issues
–
show
It seems like you code against a concrete implementation and not the interface
Symfony\Component\Securi...el\AclProviderInterface as the method createAcl() does only exist in the following implementations of said interface: Symfony\Component\Securi...Dbal\MutableAclProvider .
Let’s take a look at an example: interface User
{
/** @return string */
public function getPassword();
}
class MyUser implements User
{
public function getPassword()
{
// return something
}
public function getDisplayName()
{
// return some name.
}
}
class AuthSystem
{
public function authenticate(User $user)
{
$this->logger->info(sprintf('Authenticating %s.', $user->getDisplayName()));
// do something.
}
}
In the above example, the authenticate() method works fine as long as you just pass instances of MyUser. However, if you now also want to pass a different implementation of User which does not have a getDisplayName() method, the code will break. Available Fixes
Note: PHP Analyzer uses reverse abstract interpretation to narrow down the types
inside the if block in such a case.
Loading history...
|
|||
134 | |||
135 | $aces = $originalAcl->getObjectAces(); |
||
136 | /* @var EntryInterface $ace */ |
||
137 | foreach ($aces as $ace) { |
||
138 | $securityIdentity = $ace->getSecurityIdentity(); |
||
139 | if ($securityIdentity instanceof RoleSecurityIdentity) { |
||
140 | $newAcl->insertObjectAce($securityIdentity, $ace->getMask()); |
||
141 | } |
||
142 | } |
||
143 | $this->aclProvider->updateAcl($newAcl); |
||
0 ignored issues
–
show
It seems like you code against a concrete implementation and not the interface
Symfony\Component\Securi...el\AclProviderInterface as the method updateAcl() does only exist in the following implementations of said interface: Symfony\Component\Securi...Dbal\MutableAclProvider .
Let’s take a look at an example: interface User
{
/** @return string */
public function getPassword();
}
class MyUser implements User
{
public function getPassword()
{
// return something
}
public function getDisplayName()
{
// return some name.
}
}
class AuthSystem
{
public function authenticate(User $user)
{
$this->logger->info(sprintf('Authenticating %s.', $user->getDisplayName()));
// do something.
}
}
In the above example, the authenticate() method works fine as long as you just pass instances of MyUser. However, if you now also want to pass a different implementation of User which does not have a getDisplayName() method, the code will break. Available Fixes
Note: PHP Analyzer uses reverse abstract interpretation to narrow down the types
inside the if block in such a case.
Loading history...
|
|||
144 | } |
||
145 | |||
146 | private function cloneChildren(Node $originalNode, PageInterface $newPage, BaseUser $user, string $locale): void |
||
147 | { |
||
148 | $nodeChildren = $originalNode->getChildren(); |
||
149 | foreach ($nodeChildren as $originalNodeChild) { |
||
150 | $originalNodeTranslations = $originalNodeChild->getNodeTranslation($locale, true); |
||
151 | $originalRef = $originalNodeTranslations->getPublicNodeVersion()->getRef($this->em); |
||
152 | |||
153 | if (!$originalRef instanceof DuplicateSubPageInterface || !$originalRef->skipClone()) { |
||
154 | $this->dispatch(new PreNodeDuplicateEvent($originalNodeChild), Events::PRE_DUPLICATE_WITH_CHILDREN); |
||
155 | $newChildPage = $this->clonePage($originalNodeChild, $locale); |
||
156 | $newChildPage->setParent($newPage); |
||
157 | |||
158 | $newChildNode = $this->createNodeStructureForNewPage($originalNodeChild, $newChildPage, $user, $locale); |
||
159 | $this->dispatch(new PostNodeDuplicateEvent($originalNodeChild, $newChildNode, $newChildPage), Events::POST_DUPLICATE_WITH_CHILDREN); |
||
160 | $this->cloneChildren($originalNodeChild, $newChildPage, $user, $locale); |
||
161 | } |
||
162 | } |
||
163 | } |
||
164 | |||
165 | /** |
||
166 | * @param object $event |
||
167 | * @param string $eventName |
||
168 | * |
||
169 | * @return object |
||
170 | */ |
||
171 | View Code Duplication | private function dispatch($event, string $eventName) |
|
172 | { |
||
173 | if (class_exists(LegacyEventDispatcherProxy::class)) { |
||
174 | $eventDispatcher = LegacyEventDispatcherProxy::decorate($this->eventDispatcherInterface); |
||
175 | |||
176 | return $eventDispatcher->dispatch($event, $eventName); |
||
177 | } |
||
178 | |||
179 | return $this->eventDispatcherInterface->dispatch($eventName, $event); |
||
180 | } |
||
181 | } |
||
182 |
Unless you are absolutely sure that the expression can never be null because of other conditions, we strongly recommend to add an additional type check to your code: