 1 | <?php
 2 |
 3 | namespace BeyondCode\LaravelWebSockets\Server;
 4 |
 5 | use Ratchet\ConnectionInterface;
 6 | use Ratchet\Http\CloseResponseTrait;
 7 | use Ratchet\Http\HttpServerInterface;
 8 | use Psr\Http\Message\RequestInterface;
 9 | use Ratchet\MessageComponentInterface;
10 |
11 | class OriginCheck implements HttpServerInterface
12 | {
13 |     use CloseResponseTrait;
14 |
15 |     /** @var \Ratchet\MessageComponentInterface */
16 |     protected $_component;
17 |
18 |     protected $allowedOrigins = [];
19 |
20 |     public function __construct(MessageComponentInterface $component, array $allowedOrigins = [])
21 |     {
22 |         $this->_component = $component;
23 |
24 |         $this->allowedOrigins = $allowedOrigins;
25 |     }
26 |
27 |     public function onOpen(ConnectionInterface $connection, RequestInterface $request = null)
28 |     {
29 |         if ($request->hasHeader('Origin')) {
30 |             $this->verifyOrigin($connection, $request);
It seems like $request defined by parameter $request on line 27 can be null; however, BeyondCode\LaravelWebSoc...inCheck::verifyOrigin() does not accept null, maybe add an additional type check?
It seems like you allow that null is being passed for a parameter, however the function which is called does not seem to accept null. We recommend adding an additional type check (or disallowing null for the parameter):
function notNullable(stdClass $x) { }
// Unsafe
function withoutCheck(stdClass $x = null) {
    notNullable($x);
}
// Safe - Alternative 1: Adding Additional Type-Check
function withCheck(stdClass $x = null) {
    if ($x instanceof stdClass) {
        notNullable($x);
    }
}
// Safe - Alternative 2: Changing Parameter
function withNonNullableParam(stdClass $x) {
    notNullable($x);
}
31 |         }
32 |
33 |         return $this->_component->onOpen($connection, $request);
The call to MessageComponentInterface::onOpen() has too many arguments starting with $request.
This check compares calls to functions or methods with their respective definitions. If the call has more arguments than are defined, it raises an issue. If a function is defined several times with a different number of parameters, the check may pick up the wrong definition and report false positives. One codebase where this has been known to happen is WordPress. In this case you can add the
34 |     }
35 |
36 |     public function onMessage(ConnectionInterface $from, $msg)
37 |     {
38 |         return $this->_component->onMessage($from, $msg);
39 |     }
40 |
41 |     public function onClose(ConnectionInterface $connection)
42 |     {
43 |         return $this->_component->onClose($connection);
44 |     }
45 |
46 |     public function onError(ConnectionInterface $connection, \Exception $e)
47 |     {
48 |         return $this->_component->onError($connection, $e);
49 |     }
50 |
51 |     protected function verifyOrigin(ConnectionInterface $connection, RequestInterface $request)
52 |     {
53 |         $header = (string) $request->getHeader('Origin')[0];
54 |         $origin = parse_url($header, PHP_URL_HOST) ?: $header;
55 |
56 |         if (! empty($this->allowedOrigins) && ! in_array($origin, $this->allowedOrigins)) {
57 |             return $this->close($connection, 403);
58 |         }
59 |     }
60 | }
61 |
If a variable is not always an object, we recommend adding an additional type check to ensure your method call is safe: