Issues in Controller.php (master) - Issues in master - awurth/Silex - Measure and Improve Code Quality continuously with Scrutinizer

Issues (10)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Controller/Controller.php (1 issue)

Labels

Documentation 1

Severity

Minor 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace App\Controller;

use App\Entity\User;
use Doctrine\ORM\EntityManager;
use App\Application;
use Symfony\Component\EventDispatcher\EventDispatcher;
use Symfony\Component\Form\FormBuilder;
use Symfony\Component\Form\FormFactory;
use Symfony\Component\Form\FormTypeInterface;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpFoundation\Session\Session;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\Routing\Generator\UrlGenerator;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
use Symfony\Component\Validator\Validator\RecursiveValidator;
use Twig\Environment;

/**
 * @property EventDispatcher    dispatcher
 * @property RecursiveValidator validator
 * @property Session            session
 * @property Environment        twig
 * @property UrlGenerator       url_generator
 * @property string             env
 * @property string             root_dir
 */
abstract class Controller
{
    /**
     * @var Application
     */
    protected $application;

    /**
     * Constructor.
     *
     * @param Application $app
     */
    public function __construct(Application $app)
    {
        $this->application = $app;
    }

    /**
     * Returns a new AccessDeniedException.
     *
     * @param string $message
     *
     * @return AccessDeniedException
     */
    protected function createAccessDeniedException($message = 'Access Denied.')
    {
        return new AccessDeniedException($message);
    }

    /**
     * Returns a new NotFoundHttpException.
     *
     * @param string $message
     *
     * @return NotFoundHttpException
     */
    protected function createNotFoundHttpException($message = 'Not Found')
    {
        return new NotFoundHttpException($message);
    }

    /**
     * Throws an exception unless the attributes are granted against the current authentication token.
     *
     * @param mixed  $roles
     * @param string $message
     *
     * @throws AccessDeniedException
     */
    protected function denyAccessUnlessGranted($roles, $message = 'Access Denied.')
    {
        if (!$this->isGranted($roles)) {
            $exception = $this->createAccessDeniedException($message);
            $exception->setAttributes($roles);

            throw $exception;
        }
    }

    /**
     * Get a service from the container
     *
     * @param string $service
     *
     * @return mixed
     */
    protected function get($service)
    {
        return $this->application[$service];
    }

    /**
     * Gets Doctrine Entity Manager.
     *
     * @return EntityManager
     */
    protected function getEntityManager()
    {
        return $this->application['orm.em'];
    }

    /**
     * Gets the environment.
     *
     * @return string
     */
    protected function getEnv()
    {
        return $this->application->getEnvironment();
    }

    /**
     * Gets the Form Factory.
     *
     * @return FormFactory
     */
    protected function getFormFactory()
    {
        return $this->application['form.factory'];
    }

    /**
     * Gets the project root directory.
     *
     * @return string
     */
    protected function getRootDir()
    {
        return $this->application->getRootDir();
    }

    /**
     * Gets the router.
     *
     * @return UrlGenerator
     */
    protected function getRouter()
    {
        return $this->application['url_generator'];
    }

    /**
     * Gets the session.
     *
     * @return Session
     */
    protected function getSession()
    {
        return $this->application['session'];
    }

    /**
     * Gets the Twig service.
     *
     * @return Environment
     */
    protected function getTwig()
    {
        return $this->application['twig'];
    }

    /**
     * Gets the current authenticated user or null if not logged in.
     *
     * @return User|null
     */
    protected function getUser()
    {
        $user = $this->application['security.token_storage']->getToken()->getUser();
        if ($user instanceof User) {
            return $user;
        }

        return null;
    }

    /**
     * Adds a flash message.
     *
     * @param string $type
     * @param string $message
     */
    protected function flash($type, $message)
    {
        $this->getSession()->getFlashBag()->add($type, $message);
    }

    /**
     * Creates and returns a form builder instance.
     *
     * @param mixed                    $data    The initial data for the form
     * @param array                    $options Options for the form
     * @param string|FormTypeInterface $type    Type of the form
     *
     * @return FormBuilder
     */
    protected function form($data = null, array $options = [], $type = null)
    {
        return $this->application->form($type, $data, $options);
function acceptsInteger($int) { }

$x = '123'; // string "123"

// Instead of
acceptsInteger($x);

// we recommend to use
acceptsInteger((integer) $x);
    }

    /**
     * Checks if the attributes are granted against the current authentication token and optionally supplied object.
     *
     * @param mixed $attributes
     * @param mixed $object
     *
     * @return bool
     */
    protected function isGranted($attributes, $object = null)
    {
        return $this->application->isGranted($attributes, $object);
    }

    /**
     * Generates a path from the given parameters.
     *
     * @param string $route      The name of the route
     * @param mixed  $parameters An array of parameters
     *
     * @return string
     */
    protected function path($route, $parameters = [])
    {
        return $this->application->path($route, $parameters);
    }

    /**
     * Redirects the user to another route.
     *
     * @param string $route
     * @param array $parameters
     * @param int $status
     *
     * @return RedirectResponse
     */
    protected function redirect($route, $parameters = [], $status = 302)
    {
        return $this->application->redirect($this->path($route, $parameters), $status);
    }

    /**
     * Redirects the user to another URL.
     *
     * @param string $url The URL to redirect to
     * @param int $status The status code (302 by default)
     *
     * @return RedirectResponse
     */
    protected function redirectTo($url, $status = 302)
    {
        return $this->application->redirect($url, $status);
    }

    /**
     * Renders a view and returns a Response.
     *
     * @param string   $view       The view name
     * @param array    $parameters An array of parameters to pass to the view
     * @param Response $response   A Response instance
     *
     * @return Response
     */
    protected function render($view, array $parameters = [], Response $response = null)
    {
        return $this->application->render($view, $parameters, $response);
    }

    /**
     * Translates the given message.
     *
     * @param string $id         The message id
     * @param array  $parameters An array of parameters for the message
     * @param string $domain     The domain for the message
     * @param string $locale     The locale
     *
     * @return string
     */
    protected function trans($id, array $parameters = [], $domain = 'messages', $locale = null)
    {
        return $this->application->trans($id, $parameters, $domain, $locale);
    }

    /**
     * Generates an absolute URL from the given parameters.
     *
     * @param string $route      The name of the route
     * @param mixed  $parameters An array of parameters
     *
     * @return string
     */
    protected function url($route, $parameters = [])
    {
        return $this->application->url($route, $parameters);
    }

    /**
     * Gets a service from the container.
     *
     * @param string $property
     *
     * @return mixed
     */
    public function __get($property)
    {
        return $this->application[$property];
    }
}


1			<?php
2
3			namespace App\Controller;
4
5			use App\Entity\User;
6			use Doctrine\ORM\EntityManager;
7			use App\Application;
8			use Symfony\Component\EventDispatcher\EventDispatcher;
9			use Symfony\Component\Form\FormBuilder;
10			use Symfony\Component\Form\FormFactory;
11			use Symfony\Component\Form\FormTypeInterface;
12			use Symfony\Component\HttpFoundation\RedirectResponse;
13			use Symfony\Component\HttpFoundation\Response;
14			use Symfony\Component\HttpFoundation\Session\Session;
15			use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
16			use Symfony\Component\Routing\Generator\UrlGenerator;
17			use Symfony\Component\Security\Core\Exception\AccessDeniedException;
18			use Symfony\Component\Validator\Validator\RecursiveValidator;
19			use Twig\Environment;
20
21			/**
22			* @property EventDispatcher dispatcher
23			* @property RecursiveValidator validator
24			* @property Session session
25			* @property Environment twig
26			* @property UrlGenerator url_generator
27			* @property string env
28			* @property string root_dir
29			*/
30			abstract class Controller
31			{
32			/**
33			* @var Application
34			*/
35			protected $application;
36
37			/**
38			* Constructor.
39			*
40			* @param Application $app
41			*/
42			public function __construct(Application $app)
43			{
44			$this->application = $app;
45			}
46
47			/**
48			* Returns a new AccessDeniedException.
49			*
50			* @param string $message
51			*
52			* @return AccessDeniedException
53			*/
54			protected function createAccessDeniedException($message = 'Access Denied.')
55			{
56			return new AccessDeniedException($message);
57			}
58
59			/**
60			* Returns a new NotFoundHttpException.
61			*
62			* @param string $message
63			*
64			* @return NotFoundHttpException
65			*/
66			protected function createNotFoundHttpException($message = 'Not Found')
67			{
68			return new NotFoundHttpException($message);
69			}
70
71			/**
72			* Throws an exception unless the attributes are granted against the current authentication token.
73			*
74			* @param mixed $roles
75			* @param string $message
76			*
77			* @throws AccessDeniedException
78			*/
79			protected function denyAccessUnlessGranted($roles, $message = 'Access Denied.')
80			{
81			if (!$this->isGranted($roles)) {
82			$exception = $this->createAccessDeniedException($message);
83			$exception->setAttributes($roles);
84
85			throw $exception;
86			}
87			}
88
89			/**
90			* Get a service from the container
91			*
92			* @param string $service
93			*
94			* @return mixed
95			*/
96			protected function get($service)
97			{
98			return $this->application[$service];
99			}
100
101			/**
102			* Gets Doctrine Entity Manager.
103			*
104			* @return EntityManager
105			*/
106			protected function getEntityManager()
107			{
108			return $this->application['orm.em'];
109			}
110
111			/**
112			* Gets the environment.
113			*
114			* @return string
115			*/
116			protected function getEnv()
117			{
118			return $this->application->getEnvironment();
119			}
120
121			/**
122			* Gets the Form Factory.
123			*
124			* @return FormFactory
125			*/
126			protected function getFormFactory()
127			{
128			return $this->application['form.factory'];
129			}
130
131			/**
132			* Gets the project root directory.
133			*
134			* @return string
135			*/
136			protected function getRootDir()
137			{
138			return $this->application->getRootDir();
139			}
140
141			/**
142			* Gets the router.
143			*
144			* @return UrlGenerator
145			*/
146			protected function getRouter()
147			{
148			return $this->application['url_generator'];
149			}
150
151			/**
152			* Gets the session.
153			*
154			* @return Session
155			*/
156			protected function getSession()
157			{
158			return $this->application['session'];
159			}
160
161			/**
162			* Gets the Twig service.
163			*
164			* @return Environment
165			*/
166			protected function getTwig()
167			{
168			return $this->application['twig'];
169			}
170
171			/**
172			* Gets the current authenticated user or null if not logged in.
173			*
174			* @return User\|null
175			*/
176			protected function getUser()
177			{
178			$user = $this->application['security.token_storage']->getToken()->getUser();
179			if ($user instanceof User) {
180			return $user;
181			}
182
183			return null;
184			}
185
186			/**
187			* Adds a flash message.
188			*
189			* @param string $type
190			* @param string $message
191			*/
192			protected function flash($type, $message)
193			{
194			$this->getSession()->getFlashBag()->add($type, $message);
195			}
196
197			/**
198			* Creates and returns a form builder instance.
199			*
200			* @param mixed $data The initial data for the form
201			* @param array $options Options for the form
202			* @param string\|FormTypeInterface $type Type of the form
203			*
204			* @return FormBuilder
205			*/
206			protected function form($data = null, array $options = [], $type = null)
207			{
208			return $this->application->form($type, $data, $options);
			0 ignored issues – show Documentation introduced 2018-02-10 17:27 UTC by Report Bug Copy Issue Report Show Similar Issues like this `$options` is of type `array`, but the function expects a `string\|object<Symfony\Co...FormTypeInterface>\|null`. It seems like the type of the argument is not accepted by the function/method which you are calling. In some cases, in particular if PHP’s automatic type-juggling kicks in this might be fine. In other cases, however this might be a bug. We suggest to add an explicit type cast like in the following example: function acceptsInteger($int) { } $x = '123'; // string "123" // Instead of acceptsInteger($x); // we recommend to use acceptsInteger((integer) $x); Loading history...
209			}
210
211			/**
212			* Checks if the attributes are granted against the current authentication token and optionally supplied object.
213			*
214			* @param mixed $attributes
215			* @param mixed $object
216			*
217			* @return bool
218			*/
219			protected function isGranted($attributes, $object = null)
220			{
221			return $this->application->isGranted($attributes, $object);
222			}
223
224			/**
225			* Generates a path from the given parameters.
226			*
227			* @param string $route The name of the route
228			* @param mixed $parameters An array of parameters
229			*
230			* @return string
231			*/
232			protected function path($route, $parameters = [])
233			{
234			return $this->application->path($route, $parameters);
235			}
236
237			/**
238			* Redirects the user to another route.
239			*
240			* @param string $route
241			* @param array $parameters
242			* @param int $status
243			*
244			* @return RedirectResponse
245			*/
246			protected function redirect($route, $parameters = [], $status = 302)
247			{
248			return $this->application->redirect($this->path($route, $parameters), $status);
249			}
250
251			/**
252			* Redirects the user to another URL.
253			*
254			* @param string $url The URL to redirect to
255			* @param int $status The status code (302 by default)
256			*
257			* @return RedirectResponse
258			*/
259			protected function redirectTo($url, $status = 302)
260			{
261			return $this->application->redirect($url, $status);
262			}
263
264			/**
265			* Renders a view and returns a Response.
266			*
267			* @param string $view The view name
268			* @param array $parameters An array of parameters to pass to the view
269			* @param Response $response A Response instance
270			*
271			* @return Response
272			*/
273			protected function render($view, array $parameters = [], Response $response = null)
274			{
275			return $this->application->render($view, $parameters, $response);
276			}
277
278			/**
279			* Translates the given message.
280			*
281			* @param string $id The message id
282			* @param array $parameters An array of parameters for the message
283			* @param string $domain The domain for the message
284			* @param string $locale The locale
285			*
286			* @return string
287			*/
288			protected function trans($id, array $parameters = [], $domain = 'messages', $locale = null)
289			{
290			return $this->application->trans($id, $parameters, $domain, $locale);
291			}
292
293			/**
294			* Generates an absolute URL from the given parameters.
295			*
296			* @param string $route The name of the route
297			* @param mixed $parameters An array of parameters
298			*
299			* @return string
300			*/
301			protected function url($route, $parameters = [])
302			{
303			return $this->application->url($route, $parameters);
304			}
305
306			/**
307			* Gets a service from the container.
308			*
309			* @param string $property
310			*
311			* @return mixed
312			*/
313			public function __get($property)
314			{
315			return $this->application[$property];
316			}
317			}
318

awurth / Silex

Issues (10)

Security Analysis no request data

src/Controller/Controller.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like