Issues in Matcher.php (dev) - Issues in dev - codeburnerframework/routing - Measure and Improve Code Quality continuously with Scrutinizer

Issues (6)

Security Analysis no request data

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Matcher.php (2 issues)

Labels

Severity

Minor 2

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

/**
 * Codeburner Framework.
 *
 * @author Alex Rohleder <[email protected]>
 * @copyright 2016 Alex Rohleder
 * @license http://opensource.org/licenses/MIT
 */

namespace Codeburner\Router;

use Codeburner\Router\Exceptions\Http\MethodNotAllowedException;
use Codeburner\Router\Exceptions\Http\NotFoundException;
use Exception;

/**
 * The matcher class find the route for a given http method and path.
 *
 * @author Alex Rohleder <[email protected]>
 */

class Matcher
{

    /**
     * @var Collector
     */

    protected $collector;

    /**
     * @var Parser $parser
     */

    protected $parser;

    /**
     * Define a basepath to all routes.
     *
     * @var string
     */

    protected $basepath = "";

    /**
     * Construct the route dispatcher.
     *
     * @param Collector $collector
     * @param string $basepath Define a Path prefix that must be excluded on matches.
     */

    public function __construct(Collector $collector, $basepath = "")
    {
        $this->collector = $collector;
        $this->basepath  = $basepath;
    }

    /**
     * Find a route that matches the given arguments.
     * 
     * @param string $httpMethod
     * @param string $path
     *
     * @throws NotFoundException
     * @throws MethodNotAllowedException
     *
     * @return Route
     */

    public function match($httpMethod, $path)
    {
        $path = $this->parsePath($path);

        if (($route = $this->collector->findStaticRoute($httpMethod, $path)) ||

            ($route = $this->matchDynamicRoute($httpMethod, $path))) {

             $route->setMatcher($this);

            return $route;
        }

        $this->matchSimilarRoute($httpMethod, $path);
    }

    /**
     * Find and return the request dynamic route based on the compiled data and Path.
     *
     * @param string $httpMethod
     * @param string $path
     *
     * @return Route|false If the request match an array with the action and parameters will
     *                     be returned otherwise a false will.
     */

    protected function matchDynamicRoute($httpMethod, $path)
    {
        if ($routes = $this->collector->findDynamicRoutes($httpMethod, $path)) {
            // cache the parser reference
            $this->parser = $this->collector->getParser();
            // chunk routes for smaller regex groups using the Sturges' Formula
            foreach (array_chunk($routes, round(1 + 3.3 * log(count($routes))), true) as $chunk) {
                array_map([$this, "buildRoute"], $chunk);
                list($pattern, $map) = $this->buildGroup($chunk);

                if (!preg_match($pattern, $path, $matches)) {
                    continue;
                }

                /** @var Route $route */
                $route = $map[count($matches)];
                unset($matches[0]);

                $route->setParams(array_combine($route->getParams(), array_filter($matches)));

                return $route;
            }
        }

        return false;
    }

    /**
     * Parse the dynamic segments of the pattern and replace then for
     * corresponding regex.
     *
     * @param Route $route
     * @return Route
     */

    protected function buildRoute(Route $route)
    {
        if ($route->getBlock()) {
            return $route;
        }

        list($pattern, $params) = $this->parsePlaceholders($route->getPattern());
        return $route->setPatternWithoutReset($pattern)->setParams($params)->setBlock(true);
    }

    /**
     * Group several dynamic routes patterns into one big regex and maps
     * the routes to the pattern positions in the big regex.
     *
     * @param Route[] $routes
     * @return array
     */

    protected function buildGroup(array $routes)
    {
        $groupCount = (int) $map = $regex = [];

        foreach ($routes as $route) {
            $params           = $route->getParams();
            $paramsCount      = count($params);
            $groupCount       = max($groupCount, $paramsCount) + 1;
            $regex[]          = $route->getPattern() . str_repeat("()", $groupCount - $paramsCount - 1);
            $map[$groupCount] = $route;
        }

        return ["~^(?|" . implode("|", $regex) . ")$~", $map];
    }

    /**
     * Parse an route pattern seeking for parameters and build the route regex.
     *
     * @param string $pattern
     * @return array 0 => new route regex, 1 => map of parameter names
     */

    protected function parsePlaceholders($pattern)
    {
        $params = [];
        $parser = $this->parser;

        preg_match_all("~" . $parser::DYNAMIC_REGEX . "~x", $pattern, $matches, PREG_SET_ORDER);

        foreach ((array) $matches as $key => $match) {
            $pattern = str_replace($match[0], isset($match[2]) ? "({$match[2]})" : "([^/]+)", $pattern);
            $params[$key] = $match[1];
        }

        return [$pattern, $params];
    }

    /**
     * Get only the path of a given url.
     *
     * @param string $path The given URL
     *
     * @throws Exception
     * @return string
     */

    protected function parsePath($path)
    {
        $path = parse_url(substr(strstr(";" . $path, ";" . $this->basepath), strlen(";" . $this->basepath)), PHP_URL_PATH);

        if ($path === false) {
            throw new Exception("Seriously malformed URL passed to route matcher.");
        }

        return $path;
    }

    /**
     * Generate an HTTP error request with method not allowed or not found.
     *
     * @param string $httpMethod
     * @param string $path
     *
     * @throws NotFoundException
     * @throws MethodNotAllowedException
     */

    protected function matchSimilarRoute($httpMethod, $path)
    {
        $dm = [];

        if (($sm = $this->checkStaticRouteInOtherMethods($httpMethod, $path))
                || ($dm = $this->checkDynamicRouteInOtherMethods($httpMethod, $path))) {
            throw new MethodNotAllowedException($httpMethod, $path, array_merge((array) $sm, (array) $dm));
        }

        throw new NotFoundException;
    }

    /**
     * Verify if a static route match in another method than the requested.
     *
     * @param string $targetHttpMethod The HTTP method that must not be checked
     * @param string $path              The Path that must be matched.
     *
     * @return array
     */

    protected function checkStaticRouteInOtherMethods($targetHttpMethod, $path)
    {
        return array_filter($this->getHttpMethodsBut($targetHttpMethod), function ($httpMethod) use ($path) {
            return (bool) $this->collector->findStaticRoute($httpMethod, $path);
        });
    }

    /**
     * Verify if a dynamic route match in another method than the requested.
     *
     * @param string $targetHttpMethod The HTTP method that must not be checked
     * @param string $path             The Path that must be matched.
     *
     * @return array
     */

    protected function checkDynamicRouteInOtherMethods($targetHttpMethod, $path)
    {
        return array_filter($this->getHttpMethodsBut($targetHttpMethod), function ($httpMethod) use ($path) {
            return (bool) $this->matchDynamicRoute($httpMethod, $path);
        });
    }

    /**
     * Strip the given http methods and return all the others.
     *
     * @param string|string[]
     * @return array
     */

    protected function getHttpMethodsBut($targetHttpMethod)
    {
        return array_diff(explode(" ", Collector::HTTP_METHODS), (array) $targetHttpMethod);
    }

    /**
     * @return Collector
     */

    public function getCollector()
    {
        return $this->collector;
    }

    /**
     * @return string
     */

    public function getBasePath()
    {
        return $this->basepath;
    }

    /**
     * Set a new basepath, this will be a prefix that must be excluded in
     * every requested Path.
     *
     * @param string $basepath The new basepath
     */
    
    public function setBasePath($basepath)
    {
        $this->basepath = $basepath;
    }

}


1		<?php
2
3		/**
4		* Codeburner Framework.
5		*
6		* @author Alex Rohleder <[email protected]>
7		* @copyright 2016 Alex Rohleder
8		* @license http://opensource.org/licenses/MIT
9		*/
10
11		namespace Codeburner\Router;
12
13		use Codeburner\Router\Exceptions\Http\MethodNotAllowedException;
14		use Codeburner\Router\Exceptions\Http\NotFoundException;
15		use Exception;
16
17		/**
18		* The matcher class find the route for a given http method and path.
19		*
20		* @author Alex Rohleder <[email protected]>
21		*/
22
23		class Matcher
24		{
25
26		/**
27		* @var Collector
28		*/
29
30		protected $collector;
31
32		/**
33		* @var Parser $parser
34		*/
35
36		protected $parser;
37
38		/**
39		* Define a basepath to all routes.
40		*
41		* @var string
42		*/
43
44		protected $basepath = "";
45
46		/**
47		* Construct the route dispatcher.
48		*
49		* @param Collector $collector
50		* @param string $basepath Define a Path prefix that must be excluded on matches.
51		*/
52
53	57	public function __construct(Collector $collector, $basepath = "")
54		{
55	57	$this->collector = $collector;
56	57	$this->basepath = $basepath;
57	57	}
58
59		/**
60		* Find a route that matches the given arguments.
61		*
62		* @param string $httpMethod
63		* @param string $path
64		*
65		* @throws NotFoundException
66		* @throws MethodNotAllowedException
67		*
68		* @return Route
69		*/
70
71	51	public function match($httpMethod, $path)
72		{
73	51	$path = $this->parsePath($path);
74
75	51	if (($route = $this->collector->findStaticRoute($httpMethod, $path)) \|\|
		0 ignored issues – show Comprehensibility Best Practice introduced 2016-02-22 17:31 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `$this->collector->findSt...te($httpMethod, $path);` of type `Codeburner\Router\Route\|false` adds `false` to the return on line 79 which is incompatible with the return type documented by `Codeburner\Router\Matcher::match` of type `Codeburner\Router\Route\|null`. It seems like you forgot to handle an error condition. Loading history...
76	51	($route = $this->matchDynamicRoute($httpMethod, $path))) {
		0 ignored issues – show Comprehensibility Best Practice introduced 2016-02-22 17:31 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `$this->matchDynamicRoute($httpMethod, $path);` of type `Codeburner\Router\Route\|false` adds `false` to the return on line 79 which is incompatible with the return type documented by `Codeburner\Router\Matcher::match` of type `Codeburner\Router\Route\|null`. It seems like you forgot to handle an error condition. Loading history...
77	45	$route->setMatcher($this);
78
79	45	return $route;
80		}
81
82	14	$this->matchSimilarRoute($httpMethod, $path);
83		}
84
85		/**
86		* Find and return the request dynamic route based on the compiled data and Path.
87		*
88		* @param string $httpMethod
89		* @param string $path
90		*
91		* @return Route\|false If the request match an array with the action and parameters will
92		* be returned otherwise a false will.
93		*/
94
95	38	protected function matchDynamicRoute($httpMethod, $path)
96		{
97	38	if ($routes = $this->collector->findDynamicRoutes($httpMethod, $path)) {
98		// cache the parser reference
99	32	$this->parser = $this->collector->getParser();
100		// chunk routes for smaller regex groups using the Sturges' Formula
101	32	foreach (array_chunk($routes, round(1 + 3.3 * log(count($routes))), true) as $chunk) {
102	32	array_map([$this, "buildRoute"], $chunk);
103	32	list($pattern, $map) = $this->buildGroup($chunk);
104
105	32	if (!preg_match($pattern, $path, $matches)) {
106	7	continue;
107		}
108
109		/** @var Route $route */
110	30	$route = $map[count($matches)];
111	30	unset($matches[0]);
112
113	30	$route->setParams(array_combine($route->getParams(), array_filter($matches)));
114
115	30	return $route;
116	7	}
117	7	}
118
119	14	return false;
120		}
121
122		/**
123		* Parse the dynamic segments of the pattern and replace then for
124		* corresponding regex.
125		*
126		* @param Route $route
127		* @return Route
128		*/
129
130	32	protected function buildRoute(Route $route)
131		{
132	32	if ($route->getBlock()) {
133	9	return $route;
134		}
135
136	32	list($pattern, $params) = $this->parsePlaceholders($route->getPattern());
137	32	return $route->setPatternWithoutReset($pattern)->setParams($params)->setBlock(true);
138		}
139
140		/**
141		* Group several dynamic routes patterns into one big regex and maps
142		* the routes to the pattern positions in the big regex.
143		*
144		* @param Route[] $routes
145		* @return array
146		*/
147
148	32	protected function buildGroup(array $routes)
149		{
150	32	$groupCount = (int) $map = $regex = [];
151
152	32	foreach ($routes as $route) {
153	32	$params = $route->getParams();
154	32	$paramsCount = count($params);
155	32	$groupCount = max($groupCount, $paramsCount) + 1;
156	32	$regex[] = $route->getPattern() . str_repeat("()", $groupCount - $paramsCount - 1);
157	32	$map[$groupCount] = $route;
158	32	}
159
160	32	return ["~^(?\|" . implode("\|", $regex) . ")$~", $map];
161		}
162
163		/**
164		* Parse an route pattern seeking for parameters and build the route regex.
165		*
166		* @param string $pattern
167		* @return array 0 => new route regex, 1 => map of parameter names
168		*/
169
170	32	protected function parsePlaceholders($pattern)
171		{
172	32	$params = [];
173	32	$parser = $this->parser;
174
175	32	preg_match_all("~" . $parser::DYNAMIC_REGEX . "~x", $pattern, $matches, PREG_SET_ORDER);
176
177	32	foreach ((array) $matches as $key => $match) {
178	32	$pattern = str_replace($match[0], isset($match[2]) ? "({$match[2]})" : "([^/]+)", $pattern);
179	32	$params[$key] = $match[1];
180	32	}
181
182	32	return [$pattern, $params];
183		}
184
185		/**
186		* Get only the path of a given url.
187		*
188		* @param string $path The given URL
189		*
190		* @throws Exception
191		* @return string
192		*/
193
194	51	protected function parsePath($path)
195		{
196	51	$path = parse_url(substr(strstr(";" . $path, ";" . $this->basepath), strlen(";" . $this->basepath)), PHP_URL_PATH);
197
198	51	if ($path === false) {
199		throw new Exception("Seriously malformed URL passed to route matcher.");
200		}
201
202	51	return $path;
203		}
204
205		/**
206		* Generate an HTTP error request with method not allowed or not found.
207		*
208		* @param string $httpMethod
209		* @param string $path
210		*
211		* @throws NotFoundException
212		* @throws MethodNotAllowedException
213		*/
214
215	14	protected function matchSimilarRoute($httpMethod, $path)
216		{
217	14	$dm = [];
218
219	14	if (($sm = $this->checkStaticRouteInOtherMethods($httpMethod, $path))
220	14	\|\| ($dm = $this->checkDynamicRouteInOtherMethods($httpMethod, $path))) {
221	5	throw new MethodNotAllowedException($httpMethod, $path, array_merge((array) $sm, (array) $dm));
222		}
223
224	9	throw new NotFoundException;
225		}
226
227		/**
228		* Verify if a static route match in another method than the requested.
229		*
230		* @param string $targetHttpMethod The HTTP method that must not be checked
231		* @param string $path The Path that must be matched.
232		*
233		* @return array
234		*/
235
236	14	protected function checkStaticRouteInOtherMethods($targetHttpMethod, $path)
237		{
238		return array_filter($this->getHttpMethodsBut($targetHttpMethod), function ($httpMethod) use ($path) {
239	14	return (bool) $this->collector->findStaticRoute($httpMethod, $path);
240	14	});
241		}
242
243		/**
244		* Verify if a dynamic route match in another method than the requested.
245		*
246		* @param string $targetHttpMethod The HTTP method that must not be checked
247		* @param string $path The Path that must be matched.
248		*
249		* @return array
250		*/
251
252		protected function checkDynamicRouteInOtherMethods($targetHttpMethod, $path)
253		{
254	9	return array_filter($this->getHttpMethodsBut($targetHttpMethod), function ($httpMethod) use ($path) {
255	9	return (bool) $this->matchDynamicRoute($httpMethod, $path);
256	9	});
257		}
258
259		/**
260		* Strip the given http methods and return all the others.
261		*
262		* @param string\|string[]
263		* @return array
264		*/
265
266	14	protected function getHttpMethodsBut($targetHttpMethod)
267		{
268	14	return array_diff(explode(" ", Collector::HTTP_METHODS), (array) $targetHttpMethod);
269		}
270
271		/**
272		* @return Collector
273		*/
274
275		public function getCollector()
276		{
277		return $this->collector;
278		}
279
280		/**
281		* @return string
282		*/
283
284	1	public function getBasePath()
285		{
286	1	return $this->basepath;
287		}
288
289		/**
290		* Set a new basepath, this will be a prefix that must be excluded in
291		* every requested Path.
292		*
293		* @param string $basepath The new basepath
294		*/
295
296	1	public function setBasePath($basepath)
297		{
298	1	$this->basepath = $basepath;
299	1	}
300
301		}
302

codeburnerframework / routing

Issues (6)

Security Analysis no request data

src/Matcher.php (2 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like