This project does not seem to handle request data directly; as such, no vulnerable execution paths were found. (Note: this only covers code paths reachable from HTTP request data. Console commands such as the one below are still security-relevant — they revoke credentials — and should be reviewed for configuration and ordering mistakes rather than for injection.)
1 | <?php |
||
2 | |||
3 | namespace Ma27\ApiKeyAuthenticationBundle\Command; |
||
4 | |||
5 | use Doctrine\Common\Collections\ArrayCollection; |
||
6 | use Doctrine\Common\Collections\Criteria; |
||
7 | use Doctrine\Common\Collections\Selectable; |
||
8 | use Doctrine\Common\Persistence\ObjectManager; |
||
9 | use Ma27\ApiKeyAuthenticationBundle\Event\OnApiKeyCleanupErrorEvent; |
||
10 | use Ma27\ApiKeyAuthenticationBundle\Event\OnBeforeSessionCleanupEvent; |
||
11 | use Ma27\ApiKeyAuthenticationBundle\Event\OnSuccessfulCleanupEvent; |
||
12 | use Ma27\ApiKeyAuthenticationBundle\Ma27ApiKeyAuthenticationEvents; |
||
13 | use Ma27\ApiKeyAuthenticationBundle\Service\Auth\AuthenticationHandlerInterface; |
||
14 | use Ma27\ApiKeyAuthenticationBundle\Service\Mapping\ClassMetadata; |
||
15 | use Symfony\Component\Console\Command\Command; |
||
16 | use Symfony\Component\Console\Input\InputInterface; |
||
17 | use Symfony\Component\Console\Output\OutputInterface; |
||
18 | use Symfony\Component\EventDispatcher\EventDispatcherInterface; |
||
19 | |||
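/**
 * Command which is responsible for the session cleanup.
 *
 * Selects every user whose "last action" timestamp lies at or before the point in
 * time described by the configured date/time rule and who still holds an API key,
 * then hands each of them to the authentication handler to remove the session.
 *
 * Events dispatched: BEFORE_CLEANUP (with the selected users, before any removal),
 * CLEANUP_SUCCESS (after the removals, before the flush) and CLEANUP_ERROR (on any
 * \Exception, which is re-thrown afterwards).
 */
class SessionCleanupCommand extends Command
{
    /**
     * @var ObjectManager
     */
    private $om;

    /**
     * @var AuthenticationHandlerInterface
     */
    private $handler;

    /**
     * @var EventDispatcherInterface
     */
    private $eventDispatcher;

    /**
     * Name of the user model, passed verbatim to ObjectManager::getRepository().
     *
     * @var string
     */
    private $modelName;

    /**
     * @var ClassMetadata
     */
    private $classMetadata;

    /**
     * Date/time expression (e.g. "-5 days") that is parsed by \DateTime to obtain the
     * cut-off: users whose last action is at or before that instant are purged.
     *
     * @var string
     */
    private $dateTimeRule;

    /**
     * Constructor.
     *
     * @param ObjectManager                  $om
     * @param AuthenticationHandlerInterface $authenticationHandler
     * @param EventDispatcherInterface       $eventDispatcher
     * @param string                         $modelName
     * @param ClassMetadata                  $classMetadata
     * @param string                         $dateTimeRule
     *
     * @throws \InvalidArgumentException if the date/time rule is empty or cannot be parsed by \DateTime
     */
    public function __construct(
        ObjectManager $om,
        AuthenticationHandlerInterface $authenticationHandler,
        EventDispatcherInterface $eventDispatcher,
        $modelName,
        ClassMetadata $classMetadata,
        $dateTimeRule
    ) {
        $dateTimeRule = (string) $dateTimeRule;

        // Fail fast on a broken rule. \DateTime('') evaluates to "now", so an empty rule would
        // make searchUsers() select every user that still holds an API key and revoke all of
        // them on the next run; an unparsable rule would otherwise only blow up at execute().
        if ('' === trim($dateTimeRule)) {
            throw new \InvalidArgumentException('The date/time rule for the session cleanup must not be empty!');
        }

        try {
            new \DateTime($dateTimeRule);
        } catch (\Exception $ex) {
            throw new \InvalidArgumentException(
                sprintf('The date/time rule "%s" for the session cleanup cannot be parsed!', $dateTimeRule),
                0,
                $ex
            );
        }

        $this->om = $om;
        $this->handler = $authenticationHandler;
        $this->eventDispatcher = $eventDispatcher;
        $this->modelName = (string) $modelName;
        $this->classMetadata = $classMetadata;
        $this->dateTimeRule = $dateTimeRule;

        parent::__construct();
    }

    /**
     * {@inheritdoc}
     */
    protected function configure()
    {
        // NOTE(review): the help text hard-codes "5 days", but the actual threshold is whatever
        // $dateTimeRule was configured to; the text is kept verbatim here, verify against the docs.
        $this
            ->setName('ma27:auth:session-cleanup')
            ->setDescription('Cleans all outdated sessions')
            ->setHelp(<<<'EOF'
The <info>ma27:auth:session-cleanup</info> command purges all api keys of users that were inactive for at least 5 days

The usage is pretty simple:

<info>php app/console ma27:auth:session-cleanup</info>

NOTE: you have to enable the cleanup section of that bundle (please review the docs for more information)

<info>It's recommended to use a cronjob that purges old api keys every day/two days</info>
EOF
            );
    }

    /**
     * {@inheritdoc}
     *
     * Selects the outdated users, dispatches BEFORE_CLEANUP, removes each session through the
     * authentication handler, reports the count, dispatches CLEANUP_SUCCESS and flushes.
     * Any \Exception thrown along the way is published as CLEANUP_ERROR and then re-thrown,
     * so the process exit code reflects the failure.
     *
     * @return int always 0 on success
     *
     * @throws \Exception whatever the lookup, the handler, a listener or the flush threw
     */
    protected function execute(InputInterface $input, OutputInterface $output)
    {
        try {
            $filteredUsers = $this->searchUsers();

            $this->eventDispatcher->dispatch(
                Ma27ApiKeyAuthenticationEvents::BEFORE_CLEANUP,
                new OnBeforeSessionCleanupEvent($filteredUsers)
            );

            // purge filtered users; the meaning of the second removeSession() argument
            // is not visible from here and is passed through unchanged
            $processedObjects = 0;
            foreach ($filteredUsers as $user) {
                $this->handler->removeSession($user, true);
                ++$processedObjects;
            }

            $this->displaySuccess($processedObjects, $output);

            $this->eventDispatcher->dispatch(
                Ma27ApiKeyAuthenticationEvents::CLEANUP_SUCCESS,
                new OnSuccessfulCleanupEvent($filteredUsers)
            );

            // NOTE(review): the success message and CLEANUP_SUCCESS are emitted before the flush,
            // so a failing flush is reported after "success" was already announced. The order is
            // kept because listeners may rely on running before the changes are persisted.
            $this->om->flush();
        } catch (\Exception $ex) {
            // \Error (e.g. TypeError) is deliberately not caught here: the error event's
            // constructor may only accept \Exception, which cannot be verified from this file.
            $this->eventDispatcher->dispatch(
                Ma27ApiKeyAuthenticationEvents::CLEANUP_ERROR,
                new OnApiKeyCleanupErrorEvent($ex)
            );

            throw $ex;
        }

        return 0;
    }

    /**
     * Search query for users with outdated api keys.
     *
     * A user is selected when its "last action" property is at or before the instant
     * described by the date/time rule AND its API key property is not null (users that
     * were already purged are skipped).
     *
     * @return object[]
     */
    private function searchUsers()
    {
        $lastActionProperty = $this->classMetadata->getPropertyName(ClassMetadata::LAST_ACTION_PROPERTY);
        $apiKeyProperty = $this->classMetadata->getPropertyName(ClassMetadata::API_KEY_PROPERTY);
        // NOTE(review): static analysis reports getPropertyName() may also return null or a
        // ReflectionProperty; the expression builder expects a field name string. Confirm the
        // metadata contract before relying on it here.

        $cutoff = new \DateTime($this->dateTimeRule);

        $criteria = Criteria::create()
            ->where(Criteria::expr()->lte($lastActionProperty, $cutoff))
            ->andWhere(Criteria::expr()->neq($apiKeyProperty, null));

        return $this->getUsersByCriteria($criteria);
    }

    /**
     * Outputs the success message after the cleanup.
     *
     * @param int             $processed number of users whose session was removed
     * @param OutputInterface $output
     */
    private function displaySuccess($processed, OutputInterface $output)
    {
        $output->writeln(sprintf('<info>Processed %d items successfully</info>', $processed));
    }

    /**
     * Simple utility to query users by a given criteria.
     *
     * As there's no unified query language defined in doctrine/common, the criteria tool of doctrine/collections
     * should help. The ORM and Mongo-ODM support the `Selectable` API which means that they can build native
     * DB queries for their database based on a criteria object. The other official implementations PHPCR and CouchDB-ODM
     * don't support that, so they have to be evaluated manually.
     *
     * Note that the fallback branch calls findAll() and therefore loads the whole user
     * table into memory before filtering; for large user bases prefer a Selectable repository.
     *
     * @param Criteria $criteria
     *
     * @return object[]
     */
    private function getUsersByCriteria(Criteria $criteria)
    {
        $repository = $this->om->getRepository($this->modelName);

        if ($repository instanceof Selectable) {
            return $repository->matching($criteria)->toArray();
        }

        // manual evaluation for persistence layers without native criteria support
        $allUsers = new ArrayCollection($repository->findAll());

        return $allUsers->matching($criteria)->toArray();
    }
}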