Issues in RemoteTemplateFinder.php (develop) - Issues in develop - Schnoop/laravel-remote-template - Measure and Improve Code Quality continuously with Scrutinizer

Issues (1)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/View/RemoteTemplateFinder.php (1 issue)

Labels

Severity

Major 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace Schnoop\RemoteTemplate\View;

use Closure;
use Exception;
use GuzzleHttp\Client;
use GuzzleHttp\Psr7\Response;
use Illuminate\Contracts\Config\Repository;
use Illuminate\Filesystem\Filesystem;
use Illuminate\Support\Str;
use InvalidArgumentException;
use Psr\Http\Message\ResponseInterface;
use RuntimeException;
use Schnoop\RemoteTemplate\Exceptions\IgnoredUrlSuffixException;
use Schnoop\RemoteTemplate\Exceptions\RemoteHostNotConfiguredException;
use Schnoop\RemoteTemplate\Exceptions\RemoteTemplateNotFoundException;
use Schnoop\RemoteTemplate\Exceptions\UrlIsForbiddenException;

/**
 * Class RemoteTemplateFinder.
 */
class RemoteTemplateFinder
{
    /**
     * @var string
     */
    protected $remotePathDelimiter;

    /**
     * @var Client
     */
    protected $client;

    /**
     * @var Repository
     */
    protected $config;

    /**
     * @var Closure[]
     */
    protected $handler;

    /**
     * @var Filesystem
     */
    protected $files;

    /**
     * @var Closure
     */
    protected $templateUrlCallback;

    /**
     * Create a new file view loader instance.
     *
     * @param Filesystem $files
     * @param Repository $config
     * @param Client $client
     */
    public function __construct(Filesystem $files, Repository $config, Client $client)
    {
        $this->client = $client;
        $this->files = $files;
        $this->config = $config;
        $this->remotePathDelimiter = $this->config->get('remote-view.remote-delimiter');
    }

    /**
     * Returns true if template is a remote resource.
     *
     * @param string $name Name of template
     *
     * @return bool
     */
    public function hasRemoteInformation($name): bool
    {
        return Str::startsWith($name, $this->remotePathDelimiter);
    }

    /**
     * Fetch template from remote resource, store locally and return path to local file.
     *
     * @param string $name Remote URL to fetch template from
     *
     * @return string
     * @throws IgnoredUrlSuffixException
     * @throws RemoteTemplateNotFoundException
     * @throws RemoteHostNotConfiguredException
     * @throws UrlIsForbiddenException
     */
    public function findRemotePathView($name): string
    {
        $name = trim(Str::replaceFirst($this->remotePathDelimiter, '', $name));

        $namespace = 'default';
        if ($this->hasNamespace($name) === true) {
            $elements = $this->parseRemoteNamespaceSegments($name);
            $namespace = $elements[0];
            $name = $elements[1];
        }

        $remoteHost = $this->getRemoteHost($namespace);

        // Check if URL suffix is ignored
        if ($this->urlHasIgnoredSuffix($name, $remoteHost) === true) {
            throw new IgnoredUrlSuffixException('URL # '.$name.' has an ignored suffix.');
        }

        // Check if URL is forbidden.
        if ($this->isForbiddenUrl($name, $remoteHost) === true) {
            throw new UrlIsForbiddenException('URL # '.$name.' is forbidden.', 404);
        }

        $url = $this->getTemplateUrlForIdentifier($name, $remoteHost);
        $url = $this->callModifyTemplateUrlCallback($url);

        $path = $this->getViewFolder($namespace);
        $path .= Str::slug($url).'.blade.php';
        if ($remoteHost['cache'] === true && $this->files->exists($path) === true) {
            return $path;
        }

        $url = rtrim($remoteHost['host'], '/').'/'.ltrim($url, '/');

        $content = $this->fetchContentFromRemoteHost($url, $remoteHost);
        if ($content instanceof Response === true) {
            $content = $content->getBody()->getContents();
        } elseif ($content instanceof \Illuminate\Http\Response) {
            $content = (string) $content->getContent();
        }
        $this->files->put($path, $content);

        return $path;
    }

    /**
     * Returns true if given url is forbidden.
     *
     * @param string $url
     * @param array $remoteHost
     *
     * @return bool
     */
    private function isForbiddenUrl($url, $remoteHost): bool
    {
        $ignoreUrlSuffix = $this->config->get('remote-view.ignore-urls');
        if (isset($remoteHost['ignore-urls']) === true && is_array($remoteHost['ignore-urls']) === true) {
            $ignoreUrlSuffix = array_merge($ignoreUrlSuffix, $remoteHost['ignore-urls']);
        }

        $parsedUrl = parse_url($url, PHP_URL_PATH);

        return in_array(pathinfo($parsedUrl, PATHINFO_DIRNAME), $ignoreUrlSuffix, true)
            || in_array(pathinfo($parsedUrl, PATHINFO_BASENAME), $ignoreUrlSuffix, true);
    }

    /**
     * Check for valid namespace.
     *
     * @param string $name
     *
     * @return bool
     */
    protected function hasNamespace($name): bool
    {
        try {
            $this->parseRemoteNamespaceSegments($name);
        } catch (Exception $e) {
            return false;
        }

        return true;
    }

    /**
     * Get the segments of a template with a named path.
     *
     * @param string $name
     *
     * @return array
     *
     * @throws InvalidArgumentException
     */
    protected function parseRemoteNamespaceSegments($name): array
    {
        $segments = explode(FileViewFinder::HINT_PATH_DELIMITER, $name);
        if (count($segments) !== 2) {
            throw new InvalidArgumentException("View [{$name}] has an invalid name.");
        }

        return $segments;
    }

    /**
     * Return array with remote host config.
     *
     * @param string $namespace
     *
     * @return array
     * @throws RemoteHostNotConfiguredException
     */
    protected function getRemoteHost($namespace): array
    {
        $config = $this->config->get('remote-view.hosts');
        if (isset($config[$namespace]) === false) {
            throw new RemoteHostNotConfiguredException('No remote host configured for namespace # '
                .$namespace.'. Please check your remote-view.php config file.');
        }

        return $config[$namespace];
    }

    /**
     * Returns true if given url is static.
     *
     * @param string $url
     * @param array $remoteHost
     *
     * @return bool
     */
    protected function urlHasIgnoredSuffix($url, $remoteHost): bool
    {
        $parsedUrl = parse_url($url, PHP_URL_PATH);
        $pathInfo = pathinfo($parsedUrl, PATHINFO_EXTENSION);

        $ignoreUrlSuffix = $this->config->get('remote-view.ignore-url-suffix');
        if (isset($remoteHost['ignore-url-suffix']) === true && is_array($remoteHost['ignore-url-suffix']) === true) {
            $ignoreUrlSuffix = array_merge($ignoreUrlSuffix, $remoteHost['ignore-url-suffix']);
        }

        return in_array($pathInfo, $ignoreUrlSuffix, true);
    }

    /**
     * Returns remote url for given $identifier.
     *
     * @param string $identifier
     * @param array $remoteHost
     *
     * @return string
     */
    protected function getTemplateUrlForIdentifier($identifier, $remoteHost): string
    {
        $route = $identifier;
        if (isset($remoteHost['mapping'][$identifier]) === true) {
            $route = $remoteHost['mapping'][$identifier];
        }
        if (strpos($route, '/') > 0) {
            return '/'.$route;
        }

        return $route;
    }

    /**
     * Call callback that will be called after template url has been set.
     *
     * @param string $url
     *
     * @return string
     */
    protected function callModifyTemplateUrlCallback(string $url): string
    {
        if ($this->templateUrlCallback !== null
            && is_callable($this->templateUrlCallback) === true
        ) {
            return call_user_func($this->templateUrlCallback, $url);
        }

        return $url;
    }

    /**
     * Get folder where fetched views will be stored.
     *
     * @param string $namespace
     *
     * @return string
     * @throws RuntimeException
     */
    protected function getViewFolder($namespace): string
    {
        $path = $this->config->get('remote-view.view-folder');
        $path = rtrim($path, '/').'/'.$namespace.'/';
        if (is_dir($path) === false) {
            if (! mkdir($path, 0777, true) && ! is_dir($path)) {
                throw new RuntimeException(sprintf('Directory "%s" was not created', $path));
            }
        }

        return $path;
    }

    /**
     * Fetch content from $url.
     *
     * @param string $url
     * @param array $remoteHost
     *
     * @return ResponseInterface|Response
     * @throws RemoteTemplateNotFoundException
     */
    public function fetchContentFromRemoteHost($url, $remoteHost)
    {
        $options = ['http_errors' => false];
        if (isset($remoteHost['request_options']) === true) {
            $options = array_merge($options, $remoteHost['request_options']);
        }
        try {
            $result = $this->client->get($url, $options);

            return $this->callResponseHandler($result, $remoteHost);

        } catch (Exception $e) {
            throw new RemoteTemplateNotFoundException($url, 404);
        }
    }

    /**
     * Call handler if any defined.
     *
     * @param ResponseInterface $result
     * @param array $remoteHost
     *
     * @return ResponseInterface|\Illuminate\Http\Response|Response
     */
    protected function callResponseHandler($result, array $remoteHost)
    {
        if (isset($this->handler[$result->getStatusCode()]) === true
            && is_callable($this->handler[$result->getStatusCode()]) === true
        ) {
            return call_user_func($this->handler[$result->getStatusCode()], $result, $remoteHost, $this);
        }

        return $result;
    }

    /**
     * Push a handler to the stack.
     *
     * @param int|array $statusCodes
     * @param callable $callback
     */
    public function pushResponseHandler($statusCodes, $callback)
    {
        foreach ((array) $statusCodes as $statusCode) {
            $this->handler[$statusCode] = $callback;
        }
    }

    /**
     * Set a callback that will be called after template url has been set.
     *
     * @param Closure $callback
     */
    public function setModifyTemplateUrlCallback($callback)
    {
        $this->templateUrlCallback = $callback;
    }
}


1			<?php
2
3			namespace Schnoop\RemoteTemplate\View;
4
5			use Closure;
6			use Exception;
7			use GuzzleHttp\Client;
8			use GuzzleHttp\Psr7\Response;
9			use Illuminate\Contracts\Config\Repository;
10			use Illuminate\Filesystem\Filesystem;
11			use Illuminate\Support\Str;
12			use InvalidArgumentException;
13			use Psr\Http\Message\ResponseInterface;
14			use RuntimeException;
15			use Schnoop\RemoteTemplate\Exceptions\IgnoredUrlSuffixException;
16			use Schnoop\RemoteTemplate\Exceptions\RemoteHostNotConfiguredException;
17			use Schnoop\RemoteTemplate\Exceptions\RemoteTemplateNotFoundException;
18			use Schnoop\RemoteTemplate\Exceptions\UrlIsForbiddenException;
19
20			/**
21			* Class RemoteTemplateFinder.
22			*/
23			class RemoteTemplateFinder
24			{
25			/**
26			* @var string
27			*/
28			protected $remotePathDelimiter;
29
30			/**
31			* @var Client
32			*/
33			protected $client;
34
35			/**
36			* @var Repository
37			*/
38			protected $config;
39
40			/**
41			* @var Closure[]
42			*/
43			protected $handler;
44
45			/**
46			* @var Filesystem
47			*/
48			protected $files;
49
50			/**
51			* @var Closure
52			*/
53			protected $templateUrlCallback;
54
55			/**
56			* Create a new file view loader instance.
57			*
58			* @param Filesystem $files
59			* @param Repository $config
60			* @param Client $client
61			*/
62			public function __construct(Filesystem $files, Repository $config, Client $client)
63			{
64			$this->client = $client;
65			$this->files = $files;
66			$this->config = $config;
67			$this->remotePathDelimiter = $this->config->get('remote-view.remote-delimiter');
68			}
69
70			/**
71			* Returns true if template is a remote resource.
72			*
73			* @param string $name Name of template
74			*
75			* @return bool
76			*/
77			public function hasRemoteInformation($name): bool
78			{
79			return Str::startsWith($name, $this->remotePathDelimiter);
80			}
81
82			/**
83			* Fetch template from remote resource, store locally and return path to local file.
84			*
85			* @param string $name Remote URL to fetch template from
86			*
87			* @return string
88			* @throws IgnoredUrlSuffixException
89			* @throws RemoteTemplateNotFoundException
90			* @throws RemoteHostNotConfiguredException
91			* @throws UrlIsForbiddenException
92			*/
93			public function findRemotePathView($name): string
94			{
95			$name = trim(Str::replaceFirst($this->remotePathDelimiter, '', $name));
96
97			$namespace = 'default';
98			if ($this->hasNamespace($name) === true) {
99			$elements = $this->parseRemoteNamespaceSegments($name);
100			$namespace = $elements[0];
101			$name = $elements[1];
102			}
103
104			$remoteHost = $this->getRemoteHost($namespace);
105
106			// Check if URL suffix is ignored
107			if ($this->urlHasIgnoredSuffix($name, $remoteHost) === true) {
108			throw new IgnoredUrlSuffixException('URL # '.$name.' has an ignored suffix.');
109			}
110
111			// Check if URL is forbidden.
112			if ($this->isForbiddenUrl($name, $remoteHost) === true) {
113			throw new UrlIsForbiddenException('URL # '.$name.' is forbidden.', 404);
114			}
115
116			$url = $this->getTemplateUrlForIdentifier($name, $remoteHost);
117			$url = $this->callModifyTemplateUrlCallback($url);
118
119			$path = $this->getViewFolder($namespace);
120			$path .= Str::slug($url).'.blade.php';
121			if ($remoteHost['cache'] === true && $this->files->exists($path) === true) {
122			return $path;
123			}
124
125			$url = rtrim($remoteHost['host'], '/').'/'.ltrim($url, '/');
126
127			$content = $this->fetchContentFromRemoteHost($url, $remoteHost);
128			if ($content instanceof Response === true) {
129			$content = $content->getBody()->getContents();
130			} elseif ($content instanceof \Illuminate\Http\Response) {
131			$content = (string) $content->getContent();
132			}
133			$this->files->put($path, $content);
134
135			return $path;
136			}
137
138			/**
139			* Returns true if given url is forbidden.
140			*
141			* @param string $url
142			* @param array $remoteHost
143			*
144			* @return bool
145			*/
146			private function isForbiddenUrl($url, $remoteHost): bool
147			{
148			$ignoreUrlSuffix = $this->config->get('remote-view.ignore-urls');
149			if (isset($remoteHost['ignore-urls']) === true && is_array($remoteHost['ignore-urls']) === true) {
150			$ignoreUrlSuffix = array_merge($ignoreUrlSuffix, $remoteHost['ignore-urls']);
151			}
152
153			$parsedUrl = parse_url($url, PHP_URL_PATH);
154
155			return in_array(pathinfo($parsedUrl, PATHINFO_DIRNAME), $ignoreUrlSuffix, true)
156			\|\| in_array(pathinfo($parsedUrl, PATHINFO_BASENAME), $ignoreUrlSuffix, true);
157			}
158
159			/**
160			* Check for valid namespace.
161			*
162			* @param string $name
163			*
164			* @return bool
165			*/
166			protected function hasNamespace($name): bool
167			{
168			try {
169			$this->parseRemoteNamespaceSegments($name);
170			} catch (Exception $e) {
171			return false;
172			}
173
174			return true;
175			}
176
177			/**
178			* Get the segments of a template with a named path.
179			*
180			* @param string $name
181			*
182			* @return array
183			*
184			* @throws InvalidArgumentException
185			*/
186			protected function parseRemoteNamespaceSegments($name): array
187			{
188			$segments = explode(FileViewFinder::HINT_PATH_DELIMITER, $name);
189			if (count($segments) !== 2) {
190			throw new InvalidArgumentException("View [{$name}] has an invalid name.");
191			}
192
193			return $segments;
194			}
195
196			/**
197			* Return array with remote host config.
198			*
199			* @param string $namespace
200			*
201			* @return array
202			* @throws RemoteHostNotConfiguredException
203			*/
204			protected function getRemoteHost($namespace): array
205			{
206			$config = $this->config->get('remote-view.hosts');
207			if (isset($config[$namespace]) === false) {
208			throw new RemoteHostNotConfiguredException('No remote host configured for namespace # '
209			.$namespace.'. Please check your remote-view.php config file.');
210			}
211
212			return $config[$namespace];
213			}
214
215			/**
216			* Returns true if given url is static.
217			*
218			* @param string $url
219			* @param array $remoteHost
220			*
221			* @return bool
222			*/
223			protected function urlHasIgnoredSuffix($url, $remoteHost): bool
224			{
225			$parsedUrl = parse_url($url, PHP_URL_PATH);
226			$pathInfo = pathinfo($parsedUrl, PATHINFO_EXTENSION);
227
228			$ignoreUrlSuffix = $this->config->get('remote-view.ignore-url-suffix');
229			if (isset($remoteHost['ignore-url-suffix']) === true && is_array($remoteHost['ignore-url-suffix']) === true) {
230			$ignoreUrlSuffix = array_merge($ignoreUrlSuffix, $remoteHost['ignore-url-suffix']);
231			}
232
233			return in_array($pathInfo, $ignoreUrlSuffix, true);
234			}
235
236			/**
237			* Returns remote url for given $identifier.
238			*
239			* @param string $identifier
240			* @param array $remoteHost
241			*
242			* @return string
243			*/
244			protected function getTemplateUrlForIdentifier($identifier, $remoteHost): string
245			{
246			$route = $identifier;
247			if (isset($remoteHost['mapping'][$identifier]) === true) {
248			$route = $remoteHost['mapping'][$identifier];
249			}
250			if (strpos($route, '/') > 0) {
251			return '/'.$route;
252			}
253
254			return $route;
255			}
256
257			/**
258			* Call callback that will be called after template url has been set.
259			*
260			* @param string $url
261			*
262			* @return string
263			*/
264			protected function callModifyTemplateUrlCallback(string $url): string
265			{
266			if ($this->templateUrlCallback !== null
267			&& is_callable($this->templateUrlCallback) === true
268			) {
269			return call_user_func($this->templateUrlCallback, $url);
270			}
271
272			return $url;
273			}
274
275			/**
276			* Get folder where fetched views will be stored.
277			*
278			* @param string $namespace
279			*
280			* @return string
281			* @throws RuntimeException
282			*/
283			protected function getViewFolder($namespace): string
284			{
285			$path = $this->config->get('remote-view.view-folder');
286			$path = rtrim($path, '/').'/'.$namespace.'/';
287			if (is_dir($path) === false) {
288			if (! mkdir($path, 0777, true) && ! is_dir($path)) {
289			throw new RuntimeException(sprintf('Directory "%s" was not created', $path));
290			}
291			}
292
293			return $path;
294			}
295
296			/**
297			* Fetch content from $url.
298			*
299			* @param string $url
300			* @param array $remoteHost
301			*
302			* @return ResponseInterface\|Response
303			* @throws RemoteTemplateNotFoundException
304			*/
305			public function fetchContentFromRemoteHost($url, $remoteHost)
306			{
307			$options = ['http_errors' => false];
308			if (isset($remoteHost['request_options']) === true) {
309			$options = array_merge($options, $remoteHost['request_options']);
310			}
311			try {
312			$result = $this->client->get($url, $options);
313
314			return $this->callResponseHandler($result, $remoteHost);
			0 ignored issues – show Bug Compatibility introduced 2019-08-31 13:32 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `$this->callResponseHandler($result, $remoteHost);` of type `Psr\Http\Message\Respons...lluminate\Http\Response` adds the type `Illuminate\Http\Response` to the return on line 314 which is incompatible with the return type documented by `Schnoop\RemoteTemplate\V...chContentFromRemoteHost` of type `Psr\Http\Message\ResponseInterface`. Loading history...
315			} catch (Exception $e) {
316			throw new RemoteTemplateNotFoundException($url, 404);
317			}
318			}
319
320			/**
321			* Call handler if any defined.
322			*
323			* @param ResponseInterface $result
324			* @param array $remoteHost
325			*
326			* @return ResponseInterface\|\Illuminate\Http\Response\|Response
327			*/
328			protected function callResponseHandler($result, array $remoteHost)
329			{
330			if (isset($this->handler[$result->getStatusCode()]) === true
331			&& is_callable($this->handler[$result->getStatusCode()]) === true
332			) {
333			return call_user_func($this->handler[$result->getStatusCode()], $result, $remoteHost, $this);
334			}
335
336			return $result;
337			}
338
339			/**
340			* Push a handler to the stack.
341			*
342			* @param int\|array $statusCodes
343			* @param callable $callback
344			*/
345			public function pushResponseHandler($statusCodes, $callback)
346			{
347			foreach ((array) $statusCodes as $statusCode) {
348			$this->handler[$statusCode] = $callback;
349			}
350			}
351
352			/**
353			* Set a callback that will be called after template url has been set.
354			*
355			* @param Closure $callback
356			*/
357			public function setModifyTemplateUrlCallback($callback)
358			{
359			$this->templateUrlCallback = $callback;
360			}
361			}
362

Schnoop / laravel-remote-template

Issues (1)

Security Analysis no request data

src/View/RemoteTemplateFinder.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like