DefaultRoute::getResponse() - Code Metrics - Inspection of "Release pre update" - dspbee/pivasic - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — master ( d9f7fe...0d6725 )

by Igor

created 2018-09-19 12:32 UTC

DefaultRoute::getResponse() A

↳ Parent: DefaultRoute

Complexity

Conditions	4
Paths	4

Size

Total Lines

Duplication

Lines	0
Ratio	0 %

Importance

Changes

Metric	Value
dl	0
loc	31
rs	9.424
c	0
b	0
f	0
cc	4
nc	4
nop	2

<?php
/**
 * @license MIT
 */
namespace Pivasic\Core;

/**
 * Base routing.
 *
 * Class DefaultRoute
 * @package Pivasic\Core
 */
class DefaultRoute implements IRoute
{
    /**
     * Find and call controller, get Response object.
     *
     * @param string $packageRoot
     * @param Request $request
     *
     * @return Response|null
     */
    public function getResponse($packageRoot, Request $request)
    {
        $packageRoot = rtrim($packageRoot, '/');
        $route = preg_replace('/\/\d+/u', '/D', $request->route());
        $path = $packageRoot . '/Route/' . $route . '/' . $request->method() . '.php';
        if (file_exists($path)) {
            require $path;
            $controllerClass = $request->package() . '\\Route_' . str_replace('/', '_', $route) . '\\' . $request->method();
            /**
             * @var BaseController $controller
             */
            if (class_exists($controllerClass)) {
                $controller = new $controllerClass($packageRoot, $request);
if ( ! in_array($value, array('this-is-allowed', 'and-this-too'), true)) {
    throw new \InvalidArgumentException('This input is not allowed.');
}
            } else {
                throw new \RuntimeException(sprintf('The class "%s" does not exist', $controllerClass));
            }

            /**
             * Call handler.
             */
            $handler = filter_input_array(INPUT_POST)['handler'] ?? filter_input_array(INPUT_GET)['handler'] ?? 'index';
            if (method_exists($controllerClass, $handler)) {
                $controller->$handler();
                return $controller->getResponse();
            } else {
                throw new \RuntimeException(sprintf('The method "%s" does not exist', $handler));
            }
        }

        return null;
    }
}

Push — master ( d9f7fe...0d6725 )

DefaultRoute::getResponse() A

Complexity

Size

Duplication

Importance

1 path for user data to reach this point

General Strategies to prevent injection

1			<?php
2			/**
3			* @license MIT
4			*/
5			namespace Pivasic\Core;
6
7			/**
8			* Base routing.
9			*
10			* Class DefaultRoute
11			* @package Pivasic\Core
12			*/
13			class DefaultRoute implements IRoute
14			{
15			/**
16			* Find and call controller, get Response object.
17			*
18			* @param string $packageRoot
19			* @param Request $request
20			*
21			* @return Response\|null
22			*/
23			public function getResponse($packageRoot, Request $request)
24			{
25			$packageRoot = rtrim($packageRoot, '/');
26			$route = preg_replace('/\/\d+/u', '/D', $request->route());
27			$path = $packageRoot . '/Route/' . $route . '/' . $request->method() . '.php';
28			if (file_exists($path)) {
29			require $path;
30			$controllerClass = $request->package() . '\\Route_' . str_replace('/', '_', $route) . '\\' . $request->method();
31			/**
32			* @var BaseController $controller
33			*/
34			if (class_exists($controllerClass)) {
35			$controller = new $controllerClass($packageRoot, $request);
			0 ignored issues – show Security Code Execution introduced 2018-09-19 12:34 UTC by Report Bug Copy Issue Report `$controllerClass` can contain request data and is used in code execution context(s) leading to a potential security vulnerability. 1 path for user data to reach this point `filter_input_array(INPUT_SERVER)['REQUEST_URI']` seems to return tainted data, and `$url` is assigned in src/Core/Request.php on line 25 `$url` is passed through explode(), and `$url` is assigned in src/Core/Request.php on line 33 `$url[0]` is passed through trim(), and `trim($url[0])` is passed through trim(), and `$url` is assigned in src/Core/Request.php on line 34 `$url` is passed through explode(), and `$partList` is assigned in src/Core/Request.php on line 36 `$partList` is passed through implode(), and Request::$route is assigned in src/Core/Request.php on line 60 Tainted property Request::$route is read in src/Core/Request.php on line 109 Request::route() returns tainted data, and `$request->route()` is passed through preg_replace(), and `$route` is assigned in src/Core/DefaultRoute.php on line 26 `$route` is passed through str_replace(), and `$controllerClass` is assigned in src/Core/DefaultRoute.php on line 30 General Strategies to prevent injection In general, it is advisable to prevent any user-data to reach this point. This can be done by white-listing certain values: if ( ! in_array($value, array('this-is-allowed', 'and-this-too'), true)) { throw new \InvalidArgumentException('This input is not allowed.'); } For numeric data, we recommend to explicitly cast the data: $sanitized = (integer) $tainted; Loading history...
36			} else {
37			throw new \RuntimeException(sprintf('The class "%s" does not exist', $controllerClass));
38			}
39
40			/**
41			* Call handler.
42			*/
43			$handler = filter_input_array(INPUT_POST)['handler'] ?? filter_input_array(INPUT_GET)['handler'] ?? 'index';
44			if (method_exists($controllerClass, $handler)) {
45			$controller->$handler();
46			return $controller->getResponse();
47			} else {
48			throw new \RuntimeException(sprintf('The method "%s" does not exist', $handler));
49			}
50			}
51
52			return null;
53			}
54			}

dspbee / pivasic

Push — master ( d9f7fe...0d6725 )

DefaultRoute::getResponse() A

Complexity

Size

Duplication

Importance

1 path for user data to reach this point

General Strategies to prevent injection

Duplication Side-by-Side

Filter issues like