Issues (42)

Security Analysis    no request data  

This project does not seem to handle request data directly as such no vulnerable execution paths were found.

  Cross-Site Scripting
Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.
  File Exposure
File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.
  File Manipulation
File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.
  Object Injection
Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.
  Code Injection
Code Injection enables an attacker to execute arbitrary code on the server.
  Response Splitting
Response Splitting can be used to send arbitrary responses.
  File Inclusion
File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.
  Command Injection
Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.
  SQL Injection
SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.
  XPath Injection
XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.
  LDAP Injection
LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.
  Header Injection
  Other Vulnerability
This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.
  Regex Injection
Regex Injection enables an attacker to execute arbitrary code in your PHP process.
  XML Injection
XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.
  Variable Injection
Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.
Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Route/Route.php (6 issues)

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

1
<?php
2
3
namespace Anax\Route;
4
5
use Anax\Commons\ContainerInjectableInterface;
6
use Anax\Route\Exception\ConfigurationException;
7
use Psr\Container\ContainerInterface;
8
9
/**
10
 * Route to match a $path, mounted on $mount having a $handler to call.
11
 */
12
class Route
13
{
14
    /**
15
     * @var string       $name          a name for this route.
16
     * @var string       $info          description of route.
17
     * @var array        $method        the method(s) to support
18
     * @var string       $methodMatched the matched method.
19
     * @var string       $mount         where to mount the path
20
     * @var string       $path          the path rule for this route
21
     * @var string       $pathMatched   the matched path.
22
     * @var callable     $handler       the callback to handle this route
23
     * @var null|array   $arguments     arguments for the callback, extracted
24
     *                                  from path
25
     */
26
    private $name;
27
    private $info;
28
    private $method;
29
    private $methodMatched;
30
    private $mount;
31
    private $path;
32
    private $pathMatched;
33
    private $handler;
34
    private $arguments = [];
35
36
37
38
    /**
39
     * Set values for route.
40
     *
41
     * @param string|array           $method  as request method to support
42
     * @param string                 $mount   where to mount the path
43
     * @param string                 $path    for this route
44
     * @param string|array|callable  $handler for this path, callable or equal
45
     * @param string                 $info    description of the route
46
     *
47
     * @return $this
48
     */
49 174
    public function set(
50
        $method = null,
51
        $mount = null,
52
        $path = null,
53
        $handler = null,
54
        string $info = null
55
    ) : object {
56 174
        $this->mount = rtrim($mount, "/");
57 174
        $this->path = $path;
58 174
        $this->handler = $handler;
59 174
        $this->info = $info;
60
61 174
        $this->method = $method;
62 174
        if (is_string($method)) {
63 16
            $this->method = array_map("trim", explode("|", $method));
64
        }
65 174
        if (is_array($this->method)) {
66 58
            $this->method = array_map("strtoupper", $this->method);
67
        }
68
69 174
        return $this;
70
    }
71
72
73
74
    /**
75
     * Check if the route matches a query and request method.
76
     *
77
     * @param string $query  to match against
78
     * @param string $method as request method
79
     *
80
     * @return boolean true if query matches the route
81
     */
82 154
    public function match(string $query, string $method = null)
83
    {
84 154
        $this->arguments = [];
85 154
        $this->methodMatched = null;
86 154
        $this->pathMatched = null;
87
88 154
        $matcher = new RouteMatcher();
89 154
        $res = $matcher->match(
90 154
            $this->mount,
91 154
            $this->path,
92 154
            $this->getAbsolutePath(),
93 154
            $query,
94 154
            $this->method,
0 ignored issues
show
It seems like $this->method can also be of type null or string; however, Anax\Route\RouteMatcher::match() does only seem to accept array, maybe add an additional type check?

If a method or function can return multiple different values and unless you are sure that you only can receive a single value in this context, we recommend to add an additional type check:

/**
 * @return array|string
 */
function returnsDifferentValues($x) {
    if ($x) {
        return 'foo';
    }

    return array();
}

$x = returnsDifferentValues($y);
if (is_array($x)) {
    // $x is an array.
}

If this a common case that PHP Analyzer should handle natively, please let us know by opening an issue.

Loading history...
95 154
            $method
96
        );
97 154
        $this->arguments = $matcher->arguments;
0 ignored issues
show
Documentation Bug introduced by Mikael Roos
It seems like $matcher->arguments can be null. However, the property $arguments is declared as array. Maybe change the type of the property to array|null or add a type check?

Our type inference engine has found an assignment of a scalar value (like a string, an integer or null) to a property which is an array.

Either this assignment is in error or the assigned type should be added to the documentation/type hint for that property.

To type hint that a parameter can be either an array or null, you can set a type hint of array and a default value of null. The PHP interpreter will then accept both an array or null for that parameter.

function aContainsB(array $needle = null, array  $haystack) {
    if (!$needle) {
        return false;
    }

    return array_intersect($haystack, $needle) == $haystack;
}

The function can be called with either null or an array for the parameter $needle but will only accept an array as $haystack.

Loading history...
98 154
        $this->methodMatched = $matcher->methodMatched;
99 154
        $this->pathMatched = $matcher->pathMatched;
100
101 154
        return $res;
102
    }
103
104
105
106
    /**
107
     * Handle the action for the route.
108
     *
109
     * @param string                       $path the matched path
110
     * @param ContainerInjectableInterface $di   container with services
111
     *
112
     * @return mixed
113
     */
114 149
    public function handle(
115
        string $path = null,
116
        ContainerInterface $di = null
117
    ) {
118 149 View Code Duplication
        if ($this->mount) {
0 ignored issues
show
This code seems to be duplicated across your project.

Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation.

You can also find more detailed suggestions in the “Code” section of your repository.

Loading history...
119
            // Remove the mount path to get base for controller
120 32
            $len = strlen($this->mount);
121 32
            if (substr($path, 0, $len) == $this->mount) {
122 32
                $path = ltrim(substr($path, $len), "/");
123
            }
124
        }
125
126
        try {
127 149
            $handler = new RouteHandler();
128 149
            return $handler->handle($this->methodMatched, $path, $this->handler, $this->arguments, $di);
0 ignored issues
show
$this->handler is of type callable|null, but the function expects a string|array.

It seems like the type of the argument is not accepted by the function/method which you are calling.

In some cases, in particular if PHP’s automatic type-juggling kicks in this might be fine. In other cases, however this might be a bug.

We suggest to add an explicit type cast like in the following example:

function acceptsInteger($int) { }

$x = '123'; // string "123"

// Instead of
acceptsInteger($x);

// we recommend to use
acceptsInteger((integer) $x);
Loading history...
129 23
        } catch (ConfigurationException $e) {
130 5
            throw new ConfigurationException(
131 5
                $e->getMessage()
132 5
                . " Route matched method='{$this->methodMatched}', mount='{$this->mount}', path='$path', handler='"
133
                . (
134 5
                    is_string($this->handler)
135 3
                        ? "$this->handler"
136 5
                        : "array/object"
137
                )
138 5
                . "'."
139
            );
140
        }
141
    }
142
143
144
145
    /**
146
     * Set the path that matched this route.
147
     *
148
     * @param string $path to set
149
     *
150
     * @return $this
151
     */
152 22
    public function setMatchedPath($path)
153
    {
154 22
        $this->pathMatched = $path;
155 22
        return $this;
156
    }
157
158
159
160
    /**
161
     * Get the matched basename of the path, its the part without the mount
162
     * point.
163
     *
164
     * @return string|null
165
     */
166 3
    public function getMatchedPath()
167
    {
168 3
        $path = $this->pathMatched;
169 3 View Code Duplication
        if ($this->mount) {
0 ignored issues
show
This code seems to be duplicated across your project.

Duplicated code is one of the most pungent code smells. If you need to duplicate the same code in three or more different places, we strongly encourage you to look into extracting the code into a single class or operation.

You can also find more detailed suggestions in the “Code” section of your repository.

Loading history...
170 1
            $len = strlen($this->mount);
171 1
            if (substr($path, 0, $len) == $this->mount) {
172 1
                $path = ltrim(substr($path, $len), "/");
173
            }
174
        }
175
176 3
        return $path;
177
    }
178
179
180
181
    /**
182
     * Set the name of the route.
183
     *
184
     * @param string $name set a name for the route
185
     *
186
     * @return $this
187
     */
188 1
    public function setName($name)
189
    {
190 1
        $this->name = $name;
191 1
        return $this;
192
    }
193
194
195
196
    /**
197
     * Set the arguments of the route, these are sent to the route handler.
198
     *
199
     * @param array $args the arguments.
200
     *
201
     * @return $this
202
     */
203 14
    public function setArguments(array $args) : object
204
    {
205 14
        $this->arguments = $args;
206 14
        return $this;
207
    }
208
209
210
211
    /**
212
     * Get information of the route.
213
     *
214
     * @return null|string as route information.
215
     */
216 2
    public function getInfo()
217
    {
218 2
        return $this->info;
219
    }
220
221
222
223
    /**
224
     * Get the path for the route.
225
     *
226
     * @return string
227
     */
228 1
    public function getPath()
229
    {
230 1
        return $this->path;
231
    }
232
233
234
235
    /**
236
     * Get the absolute $path by adding $mount.
237
     *
238
     * @return string|null as absolute path for this route.
239
     */
240 155
    public function getAbsolutePath()
241
    {
242 155
        if (empty($this->mount) && is_null($this->path)) {
243 60
            return null;
244
        }
245
246 130
        if (empty($this->mount)) {
247 102
            return $this->path;
248
        }
249
250 32
        return $this->mount . "/" . $this->path;
251
    }
252
253
254
255
    /**
256
     * Get the request method for the route.
257
     *
258
     * @return string representing the request method supported
259
     */
260 1
    public function getRequestMethod() : string
261
    {
262 1
        return is_array($this->method)
263 1
            ? implode("|", $this->method)
264 1
            : "";
265
    }
266
267
268
269
    /**
270
     * Get the handler type as a informative string.
271
     *
272
     * @param ContainerInjectableInterface $di container with services
273
     *
274
     * @return string representing the handler.
275
     */
276 2
    public function getHandlerType(ContainerInterface $di = null) : string
277
    {
278 2
        $handler = new RouteHandler();
279 2
        return $handler->getHandlerType($this->handler, $di);
0 ignored issues
show
$this->handler is of type callable|null, but the function expects a string|array.

It seems like the type of the argument is not accepted by the function/method which you are calling.

In some cases, in particular if PHP’s automatic type-juggling kicks in this might be fine. In other cases, however this might be a bug.

We suggest to add an explicit type cast like in the following example:

function acceptsInteger($int) { }

$x = '123'; // string "123"

// Instead of
acceptsInteger($x);

// we recommend to use
acceptsInteger((integer) $x);
Loading history...
280
    }
281
}
282