DefaultRoute::nonsense() - Code Metrics - Inspection of "It's not vulnerabilities" - dspbee/pivasic - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — master ( 064ba2...12e217 )

by Igor

created 2016-08-15 16:19 UTC

DefaultRoute::nonsense() A

↳ Parent: Project

Complexity

Conditions	1
Paths	1

Size

Total Lines	4
Code Lines	2

Duplication

Lines	0
Ratio	0 %

Importance

Changes

Metric	Value
dl	0
loc	4
rs	10
c	0
b	0
f	0
cc	1
eloc	2
nc	1
nop	1

<?php
/**
 * @license MIT
 * @author Igor Sorokin <[email protected]>
 */
namespace Dspbee\Core;

/**
 * Base routing.
 *
 * Class DefaultRoute
 * @package Dspbee\Core
 */
class DefaultRoute implements IRoute
{
    /**
     * Get object of Response.
     *
     * @param string $packageRoot
     * @param Request $request
     *
     * @return Response|null
     */
    public function getResponse($packageRoot, Request $request)
    {
        $packageRoot = rtrim($packageRoot, '/');
        $path = $packageRoot . '/Route/' . $request->route() . '/' . $request->method() . '.php';
        if (file_exists($path)) {
            require $path;
            $controllerClass = $request->package() . '\\Route_' . str_replace('/', '_', $request->route()) . '\\' . $request->method();
            /**
             * @var BaseController $controller
             */
            $controller = new $controllerClass($packageRoot, $request);
if ( ! in_array($value, array('this-is-allowed', 'and-this-too'), true)) {
    throw new \InvalidArgumentException('This input is not allowed.');
}

            /**
             * Call handler.
             */
            $handler = $_POST['handler'] ?? $_GET['handler'] ?? 'index';
            if (preg_match('/[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*/', $handler) && method_exists($controllerClass, $handler)) {
                $controller->$handler();
if ( ! in_array($value, array('this-is-allowed', 'and-this-too'), true)) {
    throw new \InvalidArgumentException('This input is not allowed.');
}
                return $controller->getResponse();
            }
        }

        return null;
    }
}

Push — master ( 064ba2...12e217 )

DefaultRoute::nonsense() A

Complexity

Size

Duplication

Importance

1 path for user data to reach this point

General Strategies to prevent injection

1 path for user data to reach this point

General Strategies to prevent injection

1			<?php
2			/**
3			* @license MIT
4			* @author Igor Sorokin <[email protected]>
5			*/
6			namespace Dspbee\Core;
7
8			/**
9			* Base routing.
10			*
11			* Class DefaultRoute
12			* @package Dspbee\Core
13			*/
14			class DefaultRoute implements IRoute
15			{
16			/**
17			* Get object of Response.
18			*
19			* @param string $packageRoot
20			* @param Request $request
21			*
22			* @return Response\|null
23			*/
24			public function getResponse($packageRoot, Request $request)
25			{
26			$packageRoot = rtrim($packageRoot, '/');
27			$path = $packageRoot . '/Route/' . $request->route() . '/' . $request->method() . '.php';
28			if (file_exists($path)) {
29			require $path;
30			$controllerClass = $request->package() . '\\Route_' . str_replace('/', '_', $request->route()) . '\\' . $request->method();
31			/**
32			* @var BaseController $controller
33			*/
34			$controller = new $controllerClass($packageRoot, $request);
			0 ignored issues – show Security Code Execution introduced 2016-08-15 16:08 UTC by Report Bug Copy Issue Report `$controllerClass` can contain request data and is used in code execution context(s) leading to a potential security vulnerability. 1 path for user data to reach this point Fetching key `REQUEST_URI` from `$_SERVER,` and `$url` is assigned in src/Core/Request.php on line 26 `$url` is passed through explode(), and `$url` is assigned in src/Core/Request.php on line 34 `$url` is assigned in src/Core/Request.php on line 35 `$url` is passed through trim(), and `trim($url)` is passed through trim(), and `$url` is assigned in src/Core/Request.php on line 36 `$url` is passed through explode(), and `$partList` is assigned in src/Core/Request.php on line 38 `$partList` is passed through implode(), and Request::$route is assigned in src/Core/Request.php on line 67 Tainted property Request::$route is read in src/Core/Request.php on line 146 Request::route() returns tainted data, and `$request->route()` is passed through str_replace(), and `$controllerClass` is assigned in src/Core/DefaultRoute.php on line 30 General Strategies to prevent injection In general, it is advisable to prevent any user-data to reach this point. This can be done by white-listing certain values: if ( ! in_array($value, array('this-is-allowed', 'and-this-too'), true)) { throw new \InvalidArgumentException('This input is not allowed.'); } For numeric data, we recommend to explicitly cast the data: $sanitized = (integer) $tainted; Loading history...
35
36			/**
37			* Call handler.
38			*/
39			$handler = $_POST['handler'] ?? $_GET['handler'] ?? 'index';
40			if (preg_match('/[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff]*/', $handler) && method_exists($controllerClass, $handler)) {
41			$controller->$handler();
			0 ignored issues – show Security Code Execution introduced 2016-08-15 16:08 UTC by Report Bug Copy Issue Report `$handler` can contain request data and is used in code execution context(s) leading to a potential security vulnerability. 1 path for user data to reach this point Read from `$_POST,` and `$handler` is assigned in src/Core/DefaultRoute.php on line 39 General Strategies to prevent injection In general, it is advisable to prevent any user-data to reach this point. This can be done by white-listing certain values: if ( ! in_array($value, array('this-is-allowed', 'and-this-too'), true)) { throw new \InvalidArgumentException('This input is not allowed.'); } For numeric data, we recommend to explicitly cast the data: $sanitized = (integer) $tainted; Loading history...
42			return $controller->getResponse();
43			}
44			}
45
46			return null;
47			}
48			}

dspbee / pivasic

Push — master ( 064ba2...12e217 )

DefaultRoute::nonsense() A

Complexity

Size

Duplication

Importance

1 path for user data to reach this point

General Strategies to prevent injection

1 path for user data to reach this point

General Strategies to prevent injection

Duplication Side-by-Side

Filter issues like