Issues in AbstractRestfulController.php (master) - Issues in master - TomHart/laravel-restful-controller - Measure and Improve Code Quality continuously with Scrutinizer

Issues (19)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/AbstractRestfulController.php (2 issues)

Labels

Severity

Informational 2

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace TomHart\Restful;

use BadMethodCallException;
use Exception;
use Illuminate\Contracts\Pagination\LengthAwarePaginator;
use Illuminate\Contracts\Routing\ResponseFactory;
use Illuminate\Contracts\View\Factory;
use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Collection;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Database\Eloquent\Relations\BelongsToMany;
use Illuminate\Database\Eloquent\Relations\HasMany;
use Illuminate\Database\Eloquent\Relations\HasOneOrMany;
use Illuminate\Database\Eloquent\Relations\MorphMany;
use Illuminate\Database\Eloquent\Relations\MorphOneOrMany;
use Illuminate\Database\Eloquent\Relations\MorphToMany;
use Illuminate\Database\Eloquent\Relations\Relation;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Illuminate\Foundation\Validation\ValidatesRequests;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\RedirectResponse;
use Illuminate\Http\Request;
use Illuminate\Http\Response;
use Illuminate\Routing\Controller as BaseController;
use Illuminate\Routing\Redirector;
use Illuminate\Routing\Route;
use Illuminate\Support\Str;
use Illuminate\View\View;
use InvalidArgumentException;
use Symfony\Component\HttpFoundation\Response as SymResponse;
use TomHart\Restful\Concerns\HasLinks;

abstract class AbstractRestfulController extends BaseController
{
    use AuthorizesRequests;
    use ValidatesRequests;

    /**
     * The views to render.
     * @var string[]
     */
    protected $views = [];

    /**
     * Return a list of matching models.
     * @param Request $request
     * @return JsonResponse|RedirectResponse|ResponseFactory|Response|Redirector
     */
    public function index(Request $request)
    {
        $builder = $this->createModelQueryBuilder();

        $input = collect($request->input())->except(config('restful.query_string_keys.page'))->toArray();
        foreach ($input as $column => $value) {
            $this->filterValue($builder, $column, $value);
        }

        $data = $builder->paginate(
            $request->input('limit', null),
            ['*'],
            config('restful.query_string_keys.page')
        );

        return $this->return($request, $data, 'index');
    }

    /**
     * Generate a new query builder for the model.
     * @return Builder
     */
    protected function createModelQueryBuilder(): Builder
    {
        return $this->newModelInstance()->newQuery();
    }

    /**
     * Creates a new model instance.
     * @return Model
     */
    protected function newModelInstance(): Model
    {
        $classFQDN = $this->getModelClass();

        return app($classFQDN);
    }

    /**
     * What Model class to search for entities.
     * @return string
     */
    abstract protected function getModelClass(): string;

    /**
     * Apply causes to the builder.
     * @param Builder $builder
     * @param string $column
     * @param mixed $value
     */
    protected function filterValue(Builder $builder, string $column, $value): void
    {
        $builder->where($column, $value);
    }

    /**
     * Build and return a response.
     * @param Request $request
     * @param mixed $data
     * @param string $method
     * @return JsonResponse|ResponseFactory|Response|RedirectResponse|Redirector
     */
    protected function return(Request $request, $data, string $method)
    {
        $status = SymResponse::HTTP_OK;
        switch ($method) {
            case 'store':
                $status = SymResponse::HTTP_CREATED;
                break;
        }

        if ($request->wantsJson()) {
            return app(ResponseFactory::class)->json($data, $status);
        }

        if (isset($this->views[$method]) && app(Factory::class)->exists($this->views[$method])) {
            /** @var View $view */
            $view = view(
                $this->views[$method],
                [
                    'data' => $data
                ]
            );

            return response($view, $status);
        }

        switch ($method) {
            case 'store':
            case 'update':
                // If it's store/update, and the user isn't asking for JSON, we want to
                // try and redirect them to the related show record page.
                if (($redirect = $this->redirectToShowRoute($request, $data))) {
                    return $redirect;
                }
        }

        return app(ResponseFactory::class)->json($data, $status);
    }

    /**
     * Redirects to the show route for the model if one exists.
     * @param Request $request
     * @param mixed $data
     * @return RedirectResponse|Redirector|null
     */
    protected function redirectToShowRoute(Request $request, $data)
    {
        if ($data instanceof HasLinks) {
            $route = $data->getRouteName() . '.show';
            $key = $data->getRouteKey();

            return redirect(
                route(
                    $route,
                    [
                        $key => $data->id
                    ]
                )
            );
        }

        /** @var Route|null $route */
        $route = $request->route();
        if (!$route) {
            return null;
        }

        $name = $route->getName();
        if (!$name) {
            return null;
        }

        $exploded = explode('.', $name);
        array_pop($exploded);
        $topLevel = array_pop($exploded);

        if (!$topLevel) {
            return null;
        }

        $key = Str::singular(str_replace('-', '_', $topLevel));

        return redirect(
            route(
                "$topLevel.show",
                [
                    $key => $data->id
                ]
            )
        );
    }

    /**
     * Handles creating a model. The C of CRUD
     * @param Request $request
     * @return JsonResponse|RedirectResponse|ResponseFactory|Response|Redirector
     */
    public function store(Request $request)

    {
        $model = $this->newModelInstance();

        foreach ((array)$request->input() as $column => $value) {
            $model->$column = $value;
        }

        $this->saveModel($model);

        return $this->return($request, $this->findModel($model->getAttribute('id')), 'store');
    }

    /**
     * Save a model, either from a store or an update.
     * @param Model $model
     * @return bool
     */
    protected function saveModel(Model $model)
    {
        return $model->save();
    }

    /**
     * Finds the model instance.
     * @param int|string $id
     * @param Request|null $request
     * @return Model
     */
    protected function findModel($id, Request $request = null): Model
    {
        $builder = $this->createModelQueryBuilder();

        if ($request) {
            $this->preloadRelationships($builder, $request);
        }


        $builder = $builder->findOrFail($id);
        return $builder;
    }

    /**
     * Preload any relationships required.
     * @param Builder $builder
     * @param Request $request
     * @return void
     */
    protected function preloadRelationships(Builder &$builder, Request $request): void
    {
        $headers = $request->headers;
        if (!$headers) {
            return;
        }

        $header = $headers->get('X-Load-Relationship');
        if (!$header || empty($header)) {
            return;
        }

        $relationships = array_filter(explode(',', $header));

        $builder = $builder->with($relationships);
    }

    /**
     * Shows a model. The R of CRUD.
     * @param Request $request
     * @param int $id
     * @return JsonResponse|RedirectResponse|ResponseFactory|Response|Redirector
     */
    public function show(Request $request, $id)
    {
        $model = $this->findModel($id, $request);

        $model = $this->iterateThroughChildren($model, $request);

        return $this->return($request, $model, 'show');
    }

    /**
     * Looks for an "extra" param in the route, and if it exists, looks for relationships
     * based on that route.
     * @param Model $model
     * @param Request $request
     * @return LengthAwarePaginator|Collection|Model|mixed
     * @throws BadMethodCallException
     */
    protected function iterateThroughChildren(Model $model, Request $request)
    {
        // If there's no route or extra param, just return.
        if (!$request->route() ||
            !($request->route() instanceof Route) ||
            !$request->route()->parameter('extra')) {
            return $model;
        }

        $parts = array_filter(explode('/', (string)$request->route()->parameter('extra')));

        // Loop through the parts.
        foreach ($parts as $part) {
            // Look for an array accessor, "children[5]" for example.
            preg_match('/\[(\d+)]$/', $part, $matches);
            $offset = false;

            // If one was found, save the offset and remove it from $part.
            if (!empty($matches[0])) {
                $part = str_replace(array_shift($matches), '', $part);
                $offset = array_shift($matches);
            }

            $model = $model->$part();

            // If it's a relationship, see if it's paginate-able.
            if (stripos(get_class($model), 'Many') !== false) {
                /** @var BelongsToMany|HasMany|HasOneOrMany|MorphMany|MorphOneOrMany|MorphToMany $model */
                $model = $model->paginate();
            } elseif ($model instanceof Relation) {
                $model = $model->getResults();
            }

            // If there is an offset, get it.
            if ($offset !== false) {
                $model = $model[$offset];
            }
        }

        return $model;
    }

    /**
     * Update a record. The U of CRUD.
     * @param Request $request
     * @param int $id
     * @return JsonResponse|RedirectResponse|ResponseFactory|Response|Redirector
     */
    public function update(Request $request, $id)

    {
        $model = $this->findModel($id);

        foreach ((array)$request->input() as $column => $value) {
            $model->$column = $value;
        }

        $this->saveModel($model);

        return $this->return($request, $model, 'update');
    }

    /**
     * Destroy a model. The D of CRUD.
     * @param Request $request
     * @param int $id
     * @return ResponseFactory|Response
     * @throws Exception
     */
    public function destroy(Request $request, $id)
    {
        $model = $this->findModel($id);

        $model->delete();

        return response(null, SymResponse::HTTP_NO_CONTENT);
    }

    /**
     * Return the _links. The O of CRUD.....
     * @param Request $request
     * @return ResponseFactory|JsonResponse|RedirectResponse|Response|Redirector
     */
    public function options(Request $request)
    {
        $class = $this->newModelInstance();

        if (!($class instanceof HasLinks)) {
            throw new InvalidArgumentException('OPTIONS only works for models implementing HasLinks');
        }

        foreach ($request->input() as $key => $value) {
            $class->$key = $value;
        }

        return $this->return($request, $class->buildLinks(), 'options');
    }
}


1		<?php
2
3		namespace TomHart\Restful;
4
5		use BadMethodCallException;
6		use Exception;
7		use Illuminate\Contracts\Pagination\LengthAwarePaginator;
8		use Illuminate\Contracts\Routing\ResponseFactory;
9		use Illuminate\Contracts\View\Factory;
10		use Illuminate\Database\Eloquent\Builder;
11		use Illuminate\Database\Eloquent\Collection;
12		use Illuminate\Database\Eloquent\Model;
13		use Illuminate\Database\Eloquent\Relations\BelongsToMany;
14		use Illuminate\Database\Eloquent\Relations\HasMany;
15		use Illuminate\Database\Eloquent\Relations\HasOneOrMany;
16		use Illuminate\Database\Eloquent\Relations\MorphMany;
17		use Illuminate\Database\Eloquent\Relations\MorphOneOrMany;
18		use Illuminate\Database\Eloquent\Relations\MorphToMany;
19		use Illuminate\Database\Eloquent\Relations\Relation;
20		use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
21		use Illuminate\Foundation\Validation\ValidatesRequests;
22		use Illuminate\Http\JsonResponse;
23		use Illuminate\Http\RedirectResponse;
24		use Illuminate\Http\Request;
25		use Illuminate\Http\Response;
26		use Illuminate\Routing\Controller as BaseController;
27		use Illuminate\Routing\Redirector;
28		use Illuminate\Routing\Route;
29		use Illuminate\Support\Str;
30		use Illuminate\View\View;
31		use InvalidArgumentException;
32		use Symfony\Component\HttpFoundation\Response as SymResponse;
33		use TomHart\Restful\Concerns\HasLinks;
34
35		abstract class AbstractRestfulController extends BaseController
36		{
37		use AuthorizesRequests;
38		use ValidatesRequests;
39
40		/**
41		* The views to render.
42		* @var string[]
43		*/
44		protected $views = [];
45
46		/**
47		* Return a list of matching models.
48		* @param Request $request
49		* @return JsonResponse\|RedirectResponse\|ResponseFactory\|Response\|Redirector
50		*/
51		public function index(Request $request)
52		{
53		$builder = $this->createModelQueryBuilder();
54
55		$input = collect($request->input())->except(config('restful.query_string_keys.page'))->toArray();
56		foreach ($input as $column => $value) {
57		$this->filterValue($builder, $column, $value);
58		}
59
60		$data = $builder->paginate(
61		$request->input('limit', null),
62		['*'],
63		config('restful.query_string_keys.page')
64		);
65
66		return $this->return($request, $data, 'index');
67		}
68
69		/**
70		* Generate a new query builder for the model.
71		* @return Builder
72		*/
73		protected function createModelQueryBuilder(): Builder
74		{
75		return $this->newModelInstance()->newQuery();
76		}
77
78		/**
79		* Creates a new model instance.
80		* @return Model
81		*/
82		protected function newModelInstance(): Model
83		{
84		$classFQDN = $this->getModelClass();
85
86		return app($classFQDN);
87		}
88
89		/**
90		* What Model class to search for entities.
91		* @return string
92		*/
93		abstract protected function getModelClass(): string;
94
95		/**
96		* Apply causes to the builder.
97		* @param Builder $builder
98		* @param string $column
99		* @param mixed $value
100		*/
101		protected function filterValue(Builder $builder, string $column, $value): void
102		{
103		$builder->where($column, $value);
104		}
105
106		/**
107		* Build and return a response.
108		* @param Request $request
109		* @param mixed $data
110		* @param string $method
111		* @return JsonResponse\|ResponseFactory\|Response\|RedirectResponse\|Redirector
112		*/
113		protected function return(Request $request, $data, string $method)
114		{
115		$status = SymResponse::HTTP_OK;
116		switch ($method) {
117		case 'store':
118		$status = SymResponse::HTTP_CREATED;
119		break;
120		}
121
122		if ($request->wantsJson()) {
123		return app(ResponseFactory::class)->json($data, $status);
124		}
125
126		if (isset($this->views[$method]) && app(Factory::class)->exists($this->views[$method])) {
127		/** @var View $view */
128		$view = view(
129		$this->views[$method],
130		[
131		'data' => $data
132		]
133		);
134
135		return response($view, $status);
136		}
137
138		switch ($method) {
139		case 'store':
140		case 'update':
141		// If it's store/update, and the user isn't asking for JSON, we want to
142		// try and redirect them to the related show record page.
143		if (($redirect = $this->redirectToShowRoute($request, $data))) {
144		return $redirect;
145		}
146		}
147
148		return app(ResponseFactory::class)->json($data, $status);
149		}
150
151		/**
152		* Redirects to the show route for the model if one exists.
153		* @param Request $request
154		* @param mixed $data
155		* @return RedirectResponse\|Redirector\|null
156		*/
157		protected function redirectToShowRoute(Request $request, $data)
158		{
159		if ($data instanceof HasLinks) {
160		$route = $data->getRouteName() . '.show';
161		$key = $data->getRouteKey();
162
163		return redirect(
164		route(
165		$route,
166		[
167		$key => $data->id
168		]
169		)
170		);
171		}
172
173		/** @var Route\|null $route */
174		$route = $request->route();
175		if (!$route) {
176		return null;
177		}
178
179		$name = $route->getName();
180		if (!$name) {
181		return null;
182		}
183
184		$exploded = explode('.', $name);
185		array_pop($exploded);
186		$topLevel = array_pop($exploded);
187
188		if (!$topLevel) {
189		return null;
190		}
191
192		$key = Str::singular(str_replace('-', '_', $topLevel));
193
194		return redirect(
195		route(
196		"$topLevel.show",
197		[
198		$key => $data->id
199		]
200		)
201		);
202		}
203
204		/**
205		* Handles creating a model. The C of CRUD
206		* @param Request $request
207		* @return JsonResponse\|RedirectResponse\|ResponseFactory\|Response\|Redirector
208		*/
209	View Code Duplication	public function store(Request $request)
		0 ignored issues – show Duplication introduced 2019-12-07 23:12 UTC by Report Bug Copy Issue Report Show Similar Issues like this This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
210		{
211		$model = $this->newModelInstance();
212
213		foreach ((array)$request->input() as $column => $value) {
214		$model->$column = $value;
215		}
216
217		$this->saveModel($model);
218
219		return $this->return($request, $this->findModel($model->getAttribute('id')), 'store');
220		}
221
222		/**
223		* Save a model, either from a store or an update.
224		* @param Model $model
225		* @return bool
226		*/
227		protected function saveModel(Model $model)
228		{
229		return $model->save();
230		}
231
232		/**
233		* Finds the model instance.
234		* @param int\|string $id
235		* @param Request\|null $request
236		* @return Model
237		*/
238		protected function findModel($id, Request $request = null): Model
239		{
240		$builder = $this->createModelQueryBuilder();
241
242		if ($request) {
243		$this->preloadRelationships($builder, $request);
244		}
245
246
247		$builder = $builder->findOrFail($id);
248		return $builder;
249		}
250
251		/**
252		* Preload any relationships required.
253		* @param Builder $builder
254		* @param Request $request
255		* @return void
256		*/
257		protected function preloadRelationships(Builder &$builder, Request $request): void
258		{
259		$headers = $request->headers;
260		if (!$headers) {
261		return;
262		}
263
264		$header = $headers->get('X-Load-Relationship');
265		if (!$header \|\| empty($header)) {
266		return;
267		}
268
269		$relationships = array_filter(explode(',', $header));
270
271		$builder = $builder->with($relationships);
272		}
273
274		/**
275		* Shows a model. The R of CRUD.
276		* @param Request $request
277		* @param int $id
278		* @return JsonResponse\|RedirectResponse\|ResponseFactory\|Response\|Redirector
279		*/
280		public function show(Request $request, $id)
281		{
282		$model = $this->findModel($id, $request);
283
284		$model = $this->iterateThroughChildren($model, $request);
285
286		return $this->return($request, $model, 'show');
287		}
288
289		/**
290		* Looks for an "extra" param in the route, and if it exists, looks for relationships
291		* based on that route.
292		* @param Model $model
293		* @param Request $request
294		* @return LengthAwarePaginator\|Collection\|Model\|mixed
295		* @throws BadMethodCallException
296		*/
297		protected function iterateThroughChildren(Model $model, Request $request)
298		{
299		// If there's no route or extra param, just return.
300		if (!$request->route() \|\|
301		!($request->route() instanceof Route) \|\|
302		!$request->route()->parameter('extra')) {
303		return $model;
304		}
305
306		$parts = array_filter(explode('/', (string)$request->route()->parameter('extra')));
307
308		// Loop through the parts.
309		foreach ($parts as $part) {
310		// Look for an array accessor, "children[5]" for example.
311		preg_match('/\[(\d+)]$/', $part, $matches);
312		$offset = false;
313
314		// If one was found, save the offset and remove it from $part.
315		if (!empty($matches[0])) {
316		$part = str_replace(array_shift($matches), '', $part);
317		$offset = array_shift($matches);
318		}
319
320		$model = $model->$part();
321
322		// If it's a relationship, see if it's paginate-able.
323		if (stripos(get_class($model), 'Many') !== false) {
324		/** @var BelongsToMany\|HasMany\|HasOneOrMany\|MorphMany\|MorphOneOrMany\|MorphToMany $model */
325		$model = $model->paginate();
326		} elseif ($model instanceof Relation) {
327		$model = $model->getResults();
328		}
329
330		// If there is an offset, get it.
331		if ($offset !== false) {
332		$model = $model[$offset];
333		}
334		}
335
336		return $model;
337		}
338
339		/**
340		* Update a record. The U of CRUD.
341		* @param Request $request
342		* @param int $id
343		* @return JsonResponse\|RedirectResponse\|ResponseFactory\|Response\|Redirector
344		*/
345	View Code Duplication	public function update(Request $request, $id)
		0 ignored issues – show Duplication introduced 2019-12-07 23:12 UTC by Report Bug Copy Issue Report Show Similar Issues like this This method seems to be duplicated in your project. Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation. You can also find more detailed suggestions in the “Code” section of your repository. Loading history...
346		{
347		$model = $this->findModel($id);
348
349		foreach ((array)$request->input() as $column => $value) {
350		$model->$column = $value;
351		}
352
353		$this->saveModel($model);
354
355		return $this->return($request, $model, 'update');
356		}
357
358		/**
359		* Destroy a model. The D of CRUD.
360		* @param Request $request
361		* @param int $id
362		* @return ResponseFactory\|Response
363		* @throws Exception
364		*/
365		public function destroy(Request $request, $id)
366		{
367		$model = $this->findModel($id);
368
369		$model->delete();
370
371		return response(null, SymResponse::HTTP_NO_CONTENT);
372		}
373
374		/**
375		* Return the _links. The O of CRUD.....
376		* @param Request $request
377		* @return ResponseFactory\|JsonResponse\|RedirectResponse\|Response\|Redirector
378		*/
379		public function options(Request $request)
380		{
381		$class = $this->newModelInstance();
382
383		if (!($class instanceof HasLinks)) {
384		throw new InvalidArgumentException('OPTIONS only works for models implementing HasLinks');
385		}
386
387		foreach ($request->input() as $key => $value) {
388		$class->$key = $value;
389		}
390
391		return $this->return($request, $class->buildLinks(), 'options');
392		}
393		}
394

TomHart / laravel-restful-controller

Issues (19)

Security Analysis not enabled

src/AbstractRestfulController.php (2 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like