Issues (258)

Security Analysis    not enabled

This project does not seem to handle request data directly as such no vulnerable execution paths were found.

  Cross-Site Scripting
Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.
  File Exposure
File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.
  File Manipulation
File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.
  Object Injection
Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.
  Code Injection
Code Injection enables an attacker to execute arbitrary code on the server.
  Response Splitting
Response Splitting can be used to send arbitrary responses.
  File Inclusion
File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.
  Command Injection
Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.
  SQL Injection
SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.
  XPath Injection
XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.
  LDAP Injection
LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.
  Header Injection
  Other Vulnerability
This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.
  Regex Injection
Regex Injection enables an attacker to execute arbitrary code in your PHP process.
  XML Injection
XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.
  Variable Injection
Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.
Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

app/Ship/core/Abstracts/Requests/Request.php (1 issue)

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

1
<?php
2
3
namespace Apiato\Core\Abstracts\Requests;
4
5
use Illuminate\Support\Arr;
6
use Apiato\Core\Abstracts\Transporters\Transporter;
7
use Apiato\Core\Exceptions\UndefinedTransporterException;
8
use Apiato\Core\Traits\HashIdTrait;
9
use Apiato\Core\Traits\SanitizerTrait;
10
use Apiato\Core\Traits\StateKeeperTrait;
11
use App;
12
use App\Containers\Authentication\Tasks\GetAuthenticatedUserTask;
13
use App\Containers\User\Models\User;
14
use Illuminate\Foundation\Http\FormRequest as LaravelRequest;
15
use Illuminate\Support\Facades\Config;
16
17
/**
18
 * Class Request
19
 *
20
 * A.K.A (app/Http/Requests/Request.php)
21
 *
22
 * @author  Mahmoud Zalt  <[email protected]>
23
 */
24
abstract class Request extends LaravelRequest
25
{
26
27
    use HashIdTrait;
28
    use StateKeeperTrait;
29
    use SanitizerTrait;
30
31
    /**
32
     * The transporter to be "casted" to
33
     *
34
     * @var null
35
     */
36
    protected $transporter = null;
37
38
    /**
39
     * Overriding this function to modify the any user input before
40
     * applying the validation rules.
41
     *
42
     * @param null $keys
43
     *
44
     * @return  array
45
     */
46
    public function all($keys = null)
47
    {
48
        $requestData = parent::all($keys);
49
50
        $requestData = $this->mergeUrlParametersWithRequestData($requestData);
51
52
        $requestData = $this->decodeHashedIdsBeforeValidation($requestData);
53
54
        return $requestData;
55
    }
56
57
    /**
58
     * check if a user has permission to perform an action.
59
     * User can set multiple permissions (separated with "|") and if the user has
60
     * any of the permissions, he will be authorize to proceed with this action.
61
     *
62
     * @param \App\Containers\User\Models\User|null $user
63
     *
64
     * @return  bool
65
     */
66
    public function hasAccess(User $user = null)
67
    {
68
        // if not in parameters, take from the request object {$this}
69
        $user = $user ? : $this->user();
70
71
        if ($user) {
72
            $autoAccessRoles = Config::get('apiato.requests.allow-roles-to-access-all-routes');
73
            // there are some roles defined that will automatically grant access
74
            if (!empty($autoAccessRoles)) {
75
                $hasAutoAccessByRole = $user->hasAnyRole($autoAccessRoles);
76
                if ($hasAutoAccessByRole) {
77
                    return true;
78
                }
79
            }
80
        }
81
82
        // check if the user has any role / permission to access the route
83
        $hasAccess = array_merge(
84
            $this->hasAnyPermissionAccess($user),
85
            $this->hasAnyRoleAccess($user)
86
        );
87
88
        // allow access if user has access to any of the defined roles or permissions.
89
        return empty($hasAccess) ? true : in_array(true, $hasAccess);
90
    }
91
92
    /**
93
     * Check if the submitted ID (mainly URL ID's) is the same as
94
     * the authenticated user ID (based on the user Token).
95
     *
96
     * @return  bool
97
     */
98
    public function isOwner()
99
    {
100
        return App::make(GetAuthenticatedUserTask::class)->run()->id == $this->id;
101
    }
102
103
    /**
104
     * To be used mainly from unit tests.
105
     *
106
     * @param array                                 $parameters
107
     * @param \App\Containers\User\Models\User|null $user
108
     * @param array                                 $cookies
109
     * @param array                                 $files
110
     * @param array                                 $server
111
     *
112
     * @return  static
113
     */
114
    public static function injectData($parameters = [], User $user = null, $cookies = [], $files = [], $server = [])
115
    {
116
        // if user is passed, will be returned when asking for the authenticated user using `\Auth::user()`
117
        if ($user) {
118
            $app = App::getInstance();
119
            $app['auth']->guard($driver = 'api')->setUser($user);
120
            $app['auth']->shouldUse($driver);
121
        }
122
123
        // For now doesn't matter which URI or Method is used.
124
        $request = parent::create('/', 'GET', $parameters, $cookies, $files, $server);
0 ignored issues
show
Comprehensibility Bug introduced by Mahmoud Zalt
It seems like you call parent on a different method (create() instead of injectData()). Are you sure this is correct? If so, you might want to change this to $this->create().

This check looks for a call to a parent method whose name is different than the method from which it is called.

Consider the following code:

class Daddy
{
    protected function getFirstName()
    {
        return "Eidur";
    }

    protected function getSurName()
    {
        return "Gudjohnsen";
    }
}

class Son
{
    public function getFirstName()
    {
        return parent::getSurname();
    }
}

The getFirstName() method in the Son calls the wrong method in the parent class.

Loading history...
125
126
        $request->setUserResolver(function () use ($user) {
127
            return $user;
128
        });
129
130
        return $request;
131
    }
132
133
134
    /**
135
     * Maps Keys in the Request.
136
     *
137
     * For example, ['data.attributes.name' => 'firstname'] would map the field [data][attributes][name] to [firstname].
138
     * Note that the old value (data.attributes.name) is removed the original request - this method manipulates the request!
139
     * Be sure you know what you do!
140
     *
141
     * @param array $fields
142
     */
143
    public function mapInput(array $fields)
144
    {
145
        $data = $this->all();
146
147
        foreach ($fields as $oldKey => $newKey) {
148
            // the key to be mapped does not exist - skip it
149
            if (!Arr::has($data, $oldKey)) {
150
                continue;
151
            }
152
153
            // set the new field and remove the old one
154
            Arr::set($data, $newKey, Arr::get($data, $oldKey));
155
            Arr::forget($data, $oldKey);
156
        }
157
158
        // overwrite the initial request
159
        $this->replace($data);
160
    }
161
162
    /**
163
     * Used from the `authorize` function if the Request class.
164
     * To call functions and compare their bool responses to determine
165
     * if the user can proceed with the request or not.
166
     *
167
     * @param array $functions
168
     *
169
     * @return  bool
170
     */
171
    protected function check(array $functions)
172
    {
173
        $orIndicator = '|';
174
        $returns = [];
175
176
        // iterate all functions in the array
177
        foreach ($functions as $function) {
178
179
            // in case the value doesn't contains a separator (single function per key)
180
            if (!strpos($function, $orIndicator)) {
181
                // simply call the single function and store the response.
182
                $returns[] = $this->{$function}();
183
            } else {
184
                // in case the value contains a separator (multiple functions per key)
185
                $orReturns = [];
186
187
                // iterate over each function in the key
188
                foreach (explode($orIndicator, $function) as $orFunction) {
189
                    // dynamically call each function
190
                    $orReturns[] = $this->{$orFunction}();
191
                }
192
193
                // if in_array returned `true` means at least one function returned `true` thus return `true` to allow access.
194
                // if in_array returned `false` means no function returned `true` thus return `false` to prevent access.
195
                // return single boolean for all the functions found inside the same key.
196
                $returns[] = in_array(true, $orReturns) ? true : false;
197
            }
198
        }
199
200
        // if in_array returned `true` means a function returned `false` thus return `false` to prevent access.
201
        // if in_array returned `false` means all functions returned `true` thus return `true` to allow access.
202
        // return the final boolean
203
        return in_array(false, $returns) ? false : true;
204
    }
205
206
    /**
207
     * apply validation rules to the ID's in the URL, since Laravel
208
     * doesn't validate them by default!
209
     *
210
     * Now you can use validation riles like this: `'id' => 'required|integer|exists:items,id'`
211
     *
212
     * @param array $requestData
213
     *
214
     * @return  array
215
     */
216
    private function mergeUrlParametersWithRequestData(Array $requestData)
217
    {
218
        if (isset($this->urlParameters) && !empty($this->urlParameters)) {
219
            foreach ($this->urlParameters as $param) {
220
                $requestData[$param] = $this->route($param);
221
            }
222
        }
223
224
        return $requestData;
225
    }
226
227
    /**
228
     * @param $user
229
     *
230
     * @return  array
231
     */
232 View Code Duplication
    private function hasAnyPermissionAccess($user)
233
    {
234
        if (!array_key_exists('permissions', $this->access) || !$this->access['permissions']) {
235
            return [];
236
        }
237
238
        $permissions = is_array($this->access['permissions']) ? $this->access['permissions'] :
239
            explode('|', $this->access['permissions']);
240
241
        $hasAccess = array_map(function ($permission) use ($user) {
242
            // Note: internal return
243
            return $user->hasPermissionTo($permission);
244
        }, $permissions);
245
246
        return $hasAccess;
247
    }
248
249
    /**
250
     * @param $user
251
     *
252
     * @return  array
253
     */
254 View Code Duplication
    private function hasAnyRoleAccess($user)
255
    {
256
        if (!array_key_exists('roles', $this->access) || !$this->access['roles']) {
257
            return [];
258
        }
259
260
        $roles = is_array($this->access['roles']) ? $this->access['roles'] :
261
            explode('|', $this->access['roles']);
262
263
        $hasAccess = array_map(function ($role) use ($user) {
264
            // Note: internal return
265
            return $user->hasRole($role);
266
        }, $roles);
267
268
        return $hasAccess;
269
    }
270
271
    /**
272
     * This method mimics the $request->input() method but works on the "decoded" values
273
     *
274
     * @param $key
275
     * @param $default
276
     *
277
     * @return mixed
278
     */
279
    public function getInputByKey($key = null, $default = null)
280
    {
281
        return data_get($this->all(), $key, $default);
282
    }
283
284
    /**
285
     * Returns the Transporter (if correctly set)
286
     *
287
     * @return string
288
     * @throws UndefinedTransporterException
289
     */
290
    public function getTransporter()
291
    {
292
        if ($this->transporter == null) {
293
            throw new UndefinedTransporterException();
294
        }
295
296
        return $this->transporter;
297
    }
298
299
    /**
300
     * Transforms the Request into a specified Transporter class.
301
     *
302
     * @return Transporter
303
     */
304
    public function toTransporter()
305
    {
306
        $transporterClass = $this->getTransporter();
307
308
        /** @var Transporter $transporter */
309
        $transporter = new $transporterClass($this);
310
        $transporter->setInstance('request', $this);
311
312
        return $transporter;
313
    }
314
315
}
316