Issues in ViewNameParser.php (master) - Issues in master - ThrusterIO/view-bundle - Measure and Improve Code Quality continuously with Scrutinizer

Issues (4)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/View/ViewNameParser.php (2 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace Thruster\Bundle\ViewBundle\View;

use Symfony\Component\HttpKernel\Bundle\BundleInterface;
use Symfony\Component\HttpKernel\KernelInterface;

/**
 * ViewNameParser converts controller from the short notation a:b:c
 * (BlogBundle:Post:index) to a fully-qualified class::method string
 * (Bundle\BlogBundle\View\PostView::singleItem).
 *
 * @package Thruster\Bundle\ViewsBundle\View
 * @author  Aurimas Niekis <[email protected]>
 */
class ViewNameParser
{
    /**
     * @var KernelInterface
     */
    protected $kernel;

    /**
     * Constructor.
     *
     * @param KernelInterface $kernel A KernelInterface instance
     */
    public function __construct(KernelInterface $kernel)
    {
        $this->kernel = $kernel;
    }

    /**
     * Converts a short notation a:b:c to a class::method.
     *
     * @param string $view A short notation view (a:b:c)
     *
     * @return string A string in the class::method notation
     *
     * @throws \InvalidArgumentException when the specified bundle is not enabled
     *                                   or the controller cannot be found
     */
    public function parse($view)
    {
        $originalView = $view;

        if (3 !== count($parts = explode(':', $view))) {
            throw new \InvalidArgumentException(
                sprintf(
                    'The "%s" view is not a valid "a:b:c" view string.',
                    $view
                )
            );
        }

        list($bundle, $view, $method) = $parts;
        $view    = str_replace('/', '\\', $view);
        $bundles = [];

        try {
            // this throws an exception if there is no such bundle
            $allBundles = $this->kernel->getBundle($bundle, false);

        } catch (\InvalidArgumentException $e) {
            $message = sprintf(
                'The "%s" (from the view name "%s") does not exist or is not enabled in your kernel!',
                $bundle,
                $originalView
            );

            if ($alternative = $this->findAlternative($bundle)) {
                $message .= sprintf(' Did you mean "%s:%s:%s"?', $alternative, $view, $method);
            }

            throw new \InvalidArgumentException($message, 0, $e);
        }

        foreach ($allBundles as $b) {

            $try = $b->getNamespace() . '\\View\\' . $view . 'View';
            if (class_exists($try)) {
                return $try . '::' . $method;
            }

            $bundles[] = $b->getName();
            $msg       = sprintf(
                'The view value "%s:%s:%s" maps to a "%s" class, but this class was not found. Create this class or ' .
                'check the spelling of the class and its namespace.',
                $bundle,
                $view,
                $method,
                $try
            );
        }

        if (count($bundles) > 1) {
            $msg = sprintf(
                'Unable to find view "%s:%s" in bundles %s.',
                $bundle,
                $view,
                implode(', ', $bundles)
            );
        }

        throw new \InvalidArgumentException($msg);
    }

    /**
     * Converts a class::method notation to a short one (a:b:c).
     *
     * @param string $view A string in the class::method notation
     *
     * @return string A short notation view (a:b:c)
     *
     * @throws \InvalidArgumentException when the view is not valid or cannot be found in any bundle
     */
    public function build($view)
    {
        if (0 === preg_match('#^(.*?\\\\View\\\\(.+)View)::(.+)$#', $view, $match)) {
            throw new \InvalidArgumentException(
                sprintf('The "%s" view is not a valid "class::method" string.', $view)
            );
        }

        $className = $match[1];
        $viewName = $match[2];
        $methodName = $match[3];
        foreach ($this->kernel->getBundles() as $name => $bundle) {
            if (0 !== strpos($className, $bundle->getNamespace())) {
                continue;
            }

            return sprintf('%s:%s:%s', $name, $viewName, $methodName);
        }

        throw new \InvalidArgumentException(
            sprintf('Unable to find a bundle that defines view "%s".', $view)
        );
    }

    /**
     * Attempts to find a bundle that is *similar* to the given bundle name.
     *
     * @param string $nonExistentBundleName
     *
     * @return string
     */
    private function findAlternative($nonExistentBundleName)
    {
        $bundleNames = array_map(function (BundleInterface $b) {
            return $b->getName();
        }, $this->kernel->getBundles());

        $alternative = null;
        $shortest = null;
        foreach ($bundleNames as $bundleName) {
            // if there's a partial match, return it immediately
            if (false !== strpos($bundleName, $nonExistentBundleName)) {
                return $bundleName;
            }

            $lev = levenshtein($nonExistentBundleName, $bundleName);
            if ($lev <= strlen($nonExistentBundleName) / 3 && ($alternative === null || $lev < $shortest)) {
                $alternative = $bundleName;
                $shortest = $lev;
            }
        }

        return $alternative;
    }
}


1			<?php
2
3			namespace Thruster\Bundle\ViewBundle\View;
4
5			use Symfony\Component\HttpKernel\Bundle\BundleInterface;
6			use Symfony\Component\HttpKernel\KernelInterface;
7
8			/**
9			* ViewNameParser converts controller from the short notation a:b:c
10			* (BlogBundle:Post:index) to a fully-qualified class::method string
11			* (Bundle\BlogBundle\View\PostView::singleItem).
12			*
13			* @package Thruster\Bundle\ViewsBundle\View
14			* @author Aurimas Niekis <[email protected]>
15			*/
16			class ViewNameParser
17			{
18			/**
19			* @var KernelInterface
20			*/
21			protected $kernel;
22
23			/**
24			* Constructor.
25			*
26			* @param KernelInterface $kernel A KernelInterface instance
27			*/
28			public function __construct(KernelInterface $kernel)
29			{
30			$this->kernel = $kernel;
31			}
32
33			/**
34			* Converts a short notation a:b:c to a class::method.
35			*
36			* @param string $view A short notation view (a:b:c)
37			*
38			* @return string A string in the class::method notation
39			*
40			* @throws \InvalidArgumentException when the specified bundle is not enabled
41			* or the controller cannot be found
42			*/
43			public function parse($view)
44			{
45			$originalView = $view;
46
47			if (3 !== count($parts = explode(':', $view))) {
48			throw new \InvalidArgumentException(
49			sprintf(
50			'The "%s" view is not a valid "a:b:c" view string.',
51			$view
52			)
53			);
54			}
55
56			list($bundle, $view, $method) = $parts;
57			$view = str_replace('/', '\\', $view);
58			$bundles = [];
59
60			try {
61			// this throws an exception if there is no such bundle
62			$allBundles = $this->kernel->getBundle($bundle, false);
			0 ignored issues – show Unused Code introduced 2018-02-01 10:44 UTC by Report Bug Copy Issue Report Show Similar Issues like this The call to `KernelInterface::getBundle()` has too many arguments starting with `false`. This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue. If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is Wordpress. In this case you can add the `@ignore` PhpDoc annotation to the duplicate definition and it will be ignored. Loading history...
63			} catch (\InvalidArgumentException $e) {
64			$message = sprintf(
65			'The "%s" (from the view name "%s") does not exist or is not enabled in your kernel!',
66			$bundle,
67			$originalView
68			);
69
70			if ($alternative = $this->findAlternative($bundle)) {
71			$message .= sprintf(' Did you mean "%s:%s:%s"?', $alternative, $view, $method);
72			}
73
74			throw new \InvalidArgumentException($message, 0, $e);
75			}
76
77			foreach ($allBundles as $b) {
			0 ignored issues – show Bug introduced 2018-02-01 10:44 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `$allBundles` of type `object<Symfony\Component...Bundle\BundleInterface>` is not traversable. Loading history...
78			$try = $b->getNamespace() . '\\View\\' . $view . 'View';
79			if (class_exists($try)) {
80			return $try . '::' . $method;
81			}
82
83			$bundles[] = $b->getName();
84			$msg = sprintf(
85			'The view value "%s:%s:%s" maps to a "%s" class, but this class was not found. Create this class or ' .
86			'check the spelling of the class and its namespace.',
87			$bundle,
88			$view,
89			$method,
90			$try
91			);
92			}
93
94			if (count($bundles) > 1) {
95			$msg = sprintf(
96			'Unable to find view "%s:%s" in bundles %s.',
97			$bundle,
98			$view,
99			implode(', ', $bundles)
100			);
101			}
102
103			throw new \InvalidArgumentException($msg);
104			}
105
106			/**
107			* Converts a class::method notation to a short one (a:b:c).
108			*
109			* @param string $view A string in the class::method notation
110			*
111			* @return string A short notation view (a:b:c)
112			*
113			* @throws \InvalidArgumentException when the view is not valid or cannot be found in any bundle
114			*/
115			public function build($view)
116			{
117			if (0 === preg_match('#^(.*?\\\\View\\\\(.+)View)::(.+)$#', $view, $match)) {
118			throw new \InvalidArgumentException(
119			sprintf('The "%s" view is not a valid "class::method" string.', $view)
120			);
121			}
122
123			$className = $match[1];
124			$viewName = $match[2];
125			$methodName = $match[3];
126			foreach ($this->kernel->getBundles() as $name => $bundle) {
127			if (0 !== strpos($className, $bundle->getNamespace())) {
128			continue;
129			}
130
131			return sprintf('%s:%s:%s', $name, $viewName, $methodName);
132			}
133
134			throw new \InvalidArgumentException(
135			sprintf('Unable to find a bundle that defines view "%s".', $view)
136			);
137			}
138
139			/**
140			* Attempts to find a bundle that is similar to the given bundle name.
141			*
142			* @param string $nonExistentBundleName
143			*
144			* @return string
145			*/
146			private function findAlternative($nonExistentBundleName)
147			{
148			$bundleNames = array_map(function (BundleInterface $b) {
149			return $b->getName();
150			}, $this->kernel->getBundles());
151
152			$alternative = null;
153			$shortest = null;
154			foreach ($bundleNames as $bundleName) {
155			// if there's a partial match, return it immediately
156			if (false !== strpos($bundleName, $nonExistentBundleName)) {
157			return $bundleName;
158			}
159
160			$lev = levenshtein($nonExistentBundleName, $bundleName);
161			if ($lev <= strlen($nonExistentBundleName) / 3 && ($alternative === null \|\| $lev < $shortest)) {
162			$alternative = $bundleName;
163			$shortest = $lev;
164			}
165			}
166
167			return $alternative;
168			}
169			}
170

ThrusterIO / view-bundle

Issues (4)

Security Analysis no request data

src/View/ViewNameParser.php (2 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like