Issues in AbstractForm.php (master) - Issues in master - code4interactive/forms - Measure and Improve Code Quality continuously with Scrutinizer

Issues (21)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/AbstractForm.php (1 issue)

Labels

Bug 1

Severity

Minor 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php
namespace Code4\Forms;

use Illuminate\Contracts\Support\Arrayable;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Collection;
use Validator;
use Symfony\Component\Yaml\Yaml;
use Illuminate\Support\MessageBag;

class AbstractForm  {

    /**
     * @var Collection;
     */
    protected $fields;

    protected $configPath;

    /**
     * @var array
     */
    protected $config;

    protected $values;

    /**
     * @var Request
     */
    protected $request;

    /**
     * Custom error messages
     * @var array
     */
    protected $messages = [];

    /**
     * @var MessageBag
     */
    protected $messageBag;

    /**
     * Custom rules (callback or method name)
     * @var array
     */
    protected $customRules = [];

    protected $customFieldRules = [];

    public function __construct() {
        $this->fields = new Collection();
        $this->messageBag = new MessageBag();
    }

    /**
     * Reads config from yaml file
     * @param null $configPath
     * @throws \Exception
     */
    public function loadFromConfigYaml($configPath = null) {
        if (is_null($configPath)) {
            $configPath = $this->configPath;
        }
        if (is_null($configPath) || !is_string($configPath) || $configPath == '') {
            throw new \Exception('Config path should be string');
        }
        $configPath = rtrim($configPath, '/');
        $yaml = \File::get($configPath);
        $this->config = Yaml::parse($yaml);
        $this->loadFromConfigArray($this->config);
    }

    /**
     * Loads fields from array
     * @param array $config
     * @throws \Exception
     */
    public function loadFromConfigArray($config) {
        if (!is_array($config)) {
            throw new \Exception('Provided config is not an array');
        }

        foreach($config as $fieldName => $field) {
            //check for field type or default to text
            $type = array_key_exists('type', $field) ? $field['type'] : 'text';

            //Constructs or creates fields
            $this->$type($fieldName, $field);
        }
    }

    /**
     * Gets field from collection
     * @param $fieldName
     * @return Fields\FieldsInterface
     */
    public function get($fieldName) {
        return $this->fields->get($fieldName);
    }

    /**
     * Gets title of field
     * @param $fieldName
     */
    public function title($fieldName) {
        return $this->get($fieldName)->title();
    }

    /**
     * Returns all fields
     * @return Collection
     */
    public function all() {
        return $this->fields;
    }

    /**
     * Sets values for all fields from passed array or object (eg. model).
     * @param array|Arrayable $values
     * @return null
     */
    public function values($values) {
        if (is_object($values) && $values instanceof Arrayable) {
            $values = $values->toArray();
        }
        if (!is_array($values)) {
            return null;
        }
        foreach($this->fields as $fieldName => $field) {
            $name = $field->name();
            if (array_key_exists($name, $values)) {
                $this->fields[$fieldName]->value($values[$name]);
            }
        }
    }

    /**
     * Validates all fields with Laravel and custom rules
     * @param Request $request
     * @param array $passedRules
     * @return bool
     */
    public function validate(Request $request, $passedRules = []) {


        $this->request = $request;

        //Collect rules from fields
        list($rules, $customFieldRules) = $this->collectRules();

        //Combine passed rules with those extracted from fields
        $rules = array_merge($rules, $passedRules);

        //Make validator
        $validator = Validator::make($request->all(), $rules, $this->messages);

        //Set fields names for messages
        $validator->setAttributeNames($this->getAttributeNames());

        //Run validation
        $validator->passes();

        //Get messages
        $this->messageBag = $validator->messages();

        //Do custom validation in fields ($field->customRules property)
        $customFieldRules = array_merge_recursive($customFieldRules, $this->customFieldRules);
        foreach($customFieldRules as $fieldName => $rule) {
            foreach($rule as $cr) {
                if ($message = $this->callCustomRules($cr, $request)) {
                    $this->messageBag->add($fieldName, $message);
                }
            }
        }

        //Do custom validation in form class ($form->customRules property)
        foreach ($this->customRules as $fieldName => $cr) {
            if ($message = $this->callCustomRules($cr, $request)) {
                $this->messageBag->add($fieldName, $message);
            }
        }

        return $this->passed();
    }

    /**
     * Run validate() before this
     * @return bool
     */
    public function passed() {
        return count($this->messageBag) === 0;
    }

    /**
     * Returns messages generated during validation
     * @return MessageBag
     */
    public function messages() {
        return $this->messageBag;
    }

    /**
     * Returns response for browser
     */
    public function response($redirect = null) {
        if ($this->request->ajax() || $this->request->wantsJson()) {
            return new JsonResponse(['formErrors' =>$this->messageBag->toArray()], 422);
        }
        return \Redirect::to($redirect)->withErrors($this->messageBag->toArray());
    }


    /**
     * Calls custom rule which can be an callback or private method
     * @param $rule
     * @param $request
     * @return mixed
     */
    protected function callCustomRules($rule, $request) {
        if (is_callable($rule))
        {
            if ($message = call_user_func($rule, $request))
            {
                return $message;
            }
        }
        else if (method_exists($this, $rule))
        {
            if ($message = call_user_func( array($this, $rule), $request ))
            {
                return $message;
            }
        }
    }

    /**
     * Gets titles of attributes from fields (used in error messages in validation)
     * @return array
     */
    public function getAttributeNames() {
        $attributeNames = [];
        foreach($this->fields as $field) {
            $attributeNames[$field->name()] = $field->title();
        }
        return $attributeNames;
    }


    /**
     * Add custom callable rule to field
     * @param string $fieldName
     * @param $rule
     * @return AbstractForm
     */
    public function customFieldRule($fieldName, $rule) {
        $this->customFieldRules[$fieldName][] = $rule;
        return $this;
    }


    /**
     * Collects rules from all fields
     * @return array
     */
    public function collectRules() {
        $rules = [];
        $customRules = [];
        foreach($this->fields as $field) {

            $fieldRule = $field->getRulesForValidator();
            $rules = array_merge($rules, $fieldRule);

            if ($field->customRules()) {
                $customRules[$field->name()] = $field->customRules();
            }
        }
        return [$rules, $customRules];
    }

    /**
     * Makes new field from passed class
     * @param string $fieldName
     * @param string $fieldClass
     * @param array $args
     * @return Fields\FieldsInterface
     */
    public function make($fieldName, $fieldClass, $args = []) {
        $this->fields->put($fieldName, \FormsFactory::makeField($fieldClass, $fieldName, $args));
        return $this->get($fieldName);
    }

    /**
     * Calls requested element from fields array or creates it
     * @param string $method
     * @param mixed $args
     * @return mixed|Fields\FieldsInterface
     * @throws \Exception
     */
    public function __call($method, $args) {

        if (count($args) > 0) {
            $fieldName = $args[0];

            //Looking for existing field by its name
            if ($this->fields->has($fieldName)) {
                return $this->get($fieldName);
            }

            //No field? Create one!

            //If there is no second argument (no initial data for field)
            $data = array_key_exists(1, $args) ? $args[1] : [];

            //Method used defines field type
            $type = $method;

            return $this->make($fieldName, $type, $data);
        }
    }

}

1			<?php
2			namespace Code4\Forms;
3
4			use Illuminate\Contracts\Support\Arrayable;
5			use Illuminate\Http\JsonResponse;
6			use Illuminate\Http\Request;
7			use Illuminate\Support\Collection;
8			use Validator;
9			use Symfony\Component\Yaml\Yaml;
10			use Illuminate\Support\MessageBag;
11
12			class AbstractForm {
13
14			/**
15			* @var Collection;
16			*/
17			protected $fields;
18
19			protected $configPath;
20
21			/**
22			* @var array
23			*/
24			protected $config;
25
26			protected $values;
27
28			/**
29			* @var Request
30			*/
31			protected $request;
32
33			/**
34			* Custom error messages
35			* @var array
36			*/
37			protected $messages = [];
38
39			/**
40			* @var MessageBag
41			*/
42			protected $messageBag;
43
44			/**
45			* Custom rules (callback or method name)
46			* @var array
47			*/
48			protected $customRules = [];
49
50			protected $customFieldRules = [];
51
52			public function __construct() {
53			$this->fields = new Collection();
54			$this->messageBag = new MessageBag();
55			}
56
57			/**
58			* Reads config from yaml file
59			* @param null $configPath
60			* @throws \Exception
61			*/
62			public function loadFromConfigYaml($configPath = null) {
63			if (is_null($configPath)) {
64			$configPath = $this->configPath;
65			}
66			if (is_null($configPath) \|\| !is_string($configPath) \|\| $configPath == '') {
67			throw new \Exception('Config path should be string');
68			}
69			$configPath = rtrim($configPath, '/');
70			$yaml = \File::get($configPath);
71			$this->config = Yaml::parse($yaml);
72			$this->loadFromConfigArray($this->config);
73			}
74
75			/**
76			* Loads fields from array
77			* @param array $config
78			* @throws \Exception
79			*/
80			public function loadFromConfigArray($config) {
81			if (!is_array($config)) {
82			throw new \Exception('Provided config is not an array');
83			}
84
85			foreach($config as $fieldName => $field) {
86			//check for field type or default to text
87			$type = array_key_exists('type', $field) ? $field['type'] : 'text';
88
89			//Constructs or creates fields
90			$this->$type($fieldName, $field);
91			}
92			}
93
94			/**
95			* Gets field from collection
96			* @param $fieldName
97			* @return Fields\FieldsInterface
98			*/
99			public function get($fieldName) {
100			return $this->fields->get($fieldName);
101			}
102
103			/**
104			* Gets title of field
105			* @param $fieldName
106			*/
107			public function title($fieldName) {
108			return $this->get($fieldName)->title();
109			}
110
111			/**
112			* Returns all fields
113			* @return Collection
114			*/
115			public function all() {
116			return $this->fields;
117			}
118
119			/**
120			* Sets values for all fields from passed array or object (eg. model).
121			* @param array\|Arrayable $values
122			* @return null
123			*/
124			public function values($values) {
125			if (is_object($values) && $values instanceof Arrayable) {
126			$values = $values->toArray();
127			}
128			if (!is_array($values)) {
129			return null;
130			}
131			foreach($this->fields as $fieldName => $field) {
132			$name = $field->name();
133			if (array_key_exists($name, $values)) {
134			$this->fields[$fieldName]->value($values[$name]);
135			}
136			}
137			}
138
139			/**
140			* Validates all fields with Laravel and custom rules
141			* @param Request $request
142			* @param array $passedRules
143			* @return bool
144			*/
145			public function validate(Request $request, $passedRules = []) {
			0 ignored issues – show Bug introduced 2015-11-23 16:14 UTC by Report Bug Copy Issue Report Show Similar Issues like this You have injected the Request via parameter `$request`. This is generally not recommended as there might be multiple instances during a request cycle (f.e. when using sub-requests). Instead, it is recommended to inject the RequestStack and retrieve the current request each time you need it via `getCurrentRequest()`. Loading history...
146
147			$this->request = $request;
148
149			//Collect rules from fields
150			list($rules, $customFieldRules) = $this->collectRules();
151
152			//Combine passed rules with those extracted from fields
153			$rules = array_merge($rules, $passedRules);
154
155			//Make validator
156			$validator = Validator::make($request->all(), $rules, $this->messages);
157
158			//Set fields names for messages
159			$validator->setAttributeNames($this->getAttributeNames());
160
161			//Run validation
162			$validator->passes();
163
164			//Get messages
165			$this->messageBag = $validator->messages();
166
167			//Do custom validation in fields ($field->customRules property)
168			$customFieldRules = array_merge_recursive($customFieldRules, $this->customFieldRules);
169			foreach($customFieldRules as $fieldName => $rule) {
170			foreach($rule as $cr) {
171			if ($message = $this->callCustomRules($cr, $request)) {
172			$this->messageBag->add($fieldName, $message);
173			}
174			}
175			}
176
177			//Do custom validation in form class ($form->customRules property)
178			foreach ($this->customRules as $fieldName => $cr) {
179			if ($message = $this->callCustomRules($cr, $request)) {
180			$this->messageBag->add($fieldName, $message);
181			}
182			}
183
184			return $this->passed();
185			}
186
187			/**
188			* Run validate() before this
189			* @return bool
190			*/
191			public function passed() {
192			return count($this->messageBag) === 0;
193			}
194
195			/**
196			* Returns messages generated during validation
197			* @return MessageBag
198			*/
199			public function messages() {
200			return $this->messageBag;
201			}
202
203			/**
204			* Returns response for browser
205			*/
206			public function response($redirect = null) {
207			if ($this->request->ajax() \|\| $this->request->wantsJson()) {
208			return new JsonResponse(['formErrors' =>$this->messageBag->toArray()], 422);
209			}
210			return \Redirect::to($redirect)->withErrors($this->messageBag->toArray());
211			}
212
213
214			/**
215			* Calls custom rule which can be an callback or private method
216			* @param $rule
217			* @param $request
218			* @return mixed
219			*/
220			protected function callCustomRules($rule, $request) {
221			if (is_callable($rule))
222			{
223			if ($message = call_user_func($rule, $request))
224			{
225			return $message;
226			}
227			}
228			else if (method_exists($this, $rule))
229			{
230			if ($message = call_user_func( array($this, $rule), $request ))
231			{
232			return $message;
233			}
234			}
235			}
236
237			/**
238			* Gets titles of attributes from fields (used in error messages in validation)
239			* @return array
240			*/
241			public function getAttributeNames() {
242			$attributeNames = [];
243			foreach($this->fields as $field) {
244			$attributeNames[$field->name()] = $field->title();
245			}
246			return $attributeNames;
247			}
248
249
250			/**
251			* Add custom callable rule to field
252			* @param string $fieldName
253			* @param $rule
254			* @return AbstractForm
255			*/
256			public function customFieldRule($fieldName, $rule) {
257			$this->customFieldRules[$fieldName][] = $rule;
258			return $this;
259			}
260
261
262			/**
263			* Collects rules from all fields
264			* @return array
265			*/
266			public function collectRules() {
267			$rules = [];
268			$customRules = [];
269			foreach($this->fields as $field) {
270
271			$fieldRule = $field->getRulesForValidator();
272			$rules = array_merge($rules, $fieldRule);
273
274			if ($field->customRules()) {
275			$customRules[$field->name()] = $field->customRules();
276			}
277			}
278			return [$rules, $customRules];
279			}
280
281			/**
282			* Makes new field from passed class
283			* @param string $fieldName
284			* @param string $fieldClass
285			* @param array $args
286			* @return Fields\FieldsInterface
287			*/
288			public function make($fieldName, $fieldClass, $args = []) {
289			$this->fields->put($fieldName, \FormsFactory::makeField($fieldClass, $fieldName, $args));
290			return $this->get($fieldName);
291			}
292
293			/**
294			* Calls requested element from fields array or creates it
295			* @param string $method
296			* @param mixed $args
297			* @return mixed\|Fields\FieldsInterface
298			* @throws \Exception
299			*/
300			public function __call($method, $args) {
301
302			if (count($args) > 0) {
303			$fieldName = $args[0];
304
305			//Looking for existing field by its name
306			if ($this->fields->has($fieldName)) {
307			return $this->get($fieldName);
308			}
309
310			//No field? Create one!
311
312			//If there is no second argument (no initial data for field)
313			$data = array_key_exists(1, $args) ? $args[1] : [];
314
315			//Method used defines field type
316			$type = $method;
317
318			return $this->make($fieldName, $type, $data);
319			}
320			}
321
322			}

code4interactive / forms

Issues (21)

Security Analysis no request data

src/AbstractForm.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like