Issues in Router.php (master) - Issues in master - eric-chau/jarvis - Measure and Improve Code Quality continuously with Scrutinizer

Issues (5)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Skill/Routing/Router.php (3 issues)

Labels

Bug 3

Severity

Major 3

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

declare(strict_types=1);

namespace Jarvis\Skill\Routing;

use FastRoute\DataGenerator\GroupCountBased as DataGenerator;
use FastRoute\Dispatcher\GroupCountBased as Dispatcher;
use FastRoute\RouteCollector;
use FastRoute\RouteParser\Std as Parser;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;

/**
 * @author Eric Chau <[email protected]>
 */
class Router extends Dispatcher
{
    const DEFAULT_SCHEME = 'http';
    const HTTP_PORT = 80;
    const HTTPS_PORT = 443;

    private $computed = false;
    private $host = '';
    private $rawRoutes = [];
    private $routesNames = [];
    private $routeCollector;
    private $scheme = self::DEFAULT_SCHEME;

    /**
     * Creates an instance of Router.
     *
     * Required to disable FastRoute\Dispatcher\GroupCountBased constructor.
     */
    public function __construct()
    {
    }

    /**
     * Adds a new route to the collection.
     *
     * We highly recommend you to use ::beginRoute() instead.
     * {@see ::beginRoute()}
     *
     * @param  Route $route
     * @return self
     */
    public function addRoute(Route $route): void
    {
        $this->rawRoutes[] = [$route->method(), $route->pattern(), $route->handler()];
        $this->computed = false;

        if (false != $name = $route->name()) {
            $this->routesNames[$name] = $route->pattern();
        }
    }

    /**
     * This is an helper that provides you a smooth syntax to add new route. Example:
     *
     * $router
     *     ->beginRoute('hello_world')
     *         ->setPattern('/hello/world')
     *         ->setHandler(function () {
     *             return 'Hello, world!';
     *         })
     *     ->end()
     * ;
     *
     * This syntax avoids you to create a new intance of Route, hydrating it and
     * then adding it to Router.
     *
     * @param  string|null $name
     * @return Route
     */
    public function beginRoute(string $name = null): Route
    {
        return new Route($this, $name);
    }

    /**
     * Generates and returns the full URL (with scheme and host) with provided URI.
     *
     * Notes that this method required at least the host to be setted.
     *
     * @param  string $uri
     * @return string
     */
    public function url(string $uri): string
    {
        $scheme = '';
        if ($this->host) {
            $uri = preg_replace('~/+~', '/', "{$this->host}$uri");
            $scheme = "{$this->scheme}://";
        }

        return "$scheme$uri";
    }

    /**
     * Returns the current scheme.
     *
     * @return string
     */
    public function scheme(): string
    {
        return $this->scheme;
    }

    /**
     * Sets the new scheme to use. Calling this method without parameter will reset
     * it to 'http'.
     *
     * @param string|null $scheme
     */
    public function setScheme(string $scheme = null): void
    {
        $this->scheme = (string) $scheme ?: self::DEFAULT_SCHEME;
    }

    /**
     * Returns the setted host.
     *
     * @return string
     */
    public function host(): string
    {
        return $this->host;
    }

    /**
     * Sets new host to Router. Calling this method without parameter will reset
     * the host to empty string.
     *
     * @param  string|null $host
     * @return self
     */
    public function setHost(string $host = null): void
    {
        $this->host = (string) $host;
    }

    /**
     * Uses the provided request to guess the host. This method also set the
     *
     * @param  Request $request
     * @return self
     */
    public function guessHost(Request $request): void
    {
        $this->setScheme($request->getScheme());
        $this->setHost($request->getHost());
        if (!in_array($request->getPort(), [self::HTTP_PORT, self::HTTPS_PORT])) {
            $this->setHost($this->host() . ':' . $request->getPort());
        }
    }

    /**
     * Generates URI associated to provided route name.
     *
     * @param  string $name   The URI route name we want to generate
     * @param  array  $params Parameters to replace in pattern
     * @return string
     * @throws \InvalidArgumentException if provided route name is unknown
     */
    public function uri(string $name, array $params = []): string
    {
        if (!isset($this->routesNames[$name])) {
            throw new \InvalidArgumentException(
                "Cannot generate URI for '$name' cause it does not exist."
            );
        }

        $uri = $this->routesNames[$name];
        foreach ($params as $key => $value) {
            if (1 !== preg_match("~\{($key:?[^}]*)\}~", $uri, $matches)) {
                continue;
            }

            $value = (string) $value;
            $pieces = explode(':', $matches[1]);
            if (1 < count($pieces) && 1 !== preg_match("~{$pieces[1]}~", $value)) {
                throw new \InvalidArgumentException(
                    "Parameter '{$key}' must match regex '{$pieces[1]}' for route '{$name}'."
                );
            }

            $uri = str_replace($matches[0], $value, $uri);
        }

        return $uri;
    }

    /**
     * Matches the given HTTP method and URI to the route collection and returns
     * the callback with the array of arguments to use.
     *
     * @param  string $method
     * @param  string $uri
     * @return array
     */
    public function match(string $method, string $uri): array
    {
        $arguments = [];
        $callback = null;
        $result = $this->dispatch($method, $uri);

        if (Dispatcher::FOUND === $result[0]) {
            [1 => $callback, 2 => $arguments] = $result;
        } else {
            $callback = function () use ($result): Response {
                return new Response(null, Dispatcher::NOT_FOUND === $result[0]
                    ? Response::HTTP_NOT_FOUND
                    : Response::HTTP_METHOD_NOT_ALLOWED
                );
            };
        }

        return [$callback, $arguments];
    }

    /**
     * {@inheritdoc}
     * Overrides GroupCountBased::dispatch() to ensure that dispatcher always deals with up-to-date
     * route collection.
     */
    public function dispatch($method, $uri): array
    {
        [$this->staticRouteMap, $this->variableRouteData] = $this->routeCollector()->getData();

        return parent::dispatch(strtolower($method), $uri);
    }

    /**
     * Will always return the right RouteCollector and knows when to recompute it.
     *
     * @return RouteCollector
     */
    private function routeCollector(): RouteCollector
    {
        if (!$this->computed) {
            $this->routeCollector = new RouteCollector(new Parser(), new DataGenerator());
            foreach ($this->rawRoutes as $rawRoute) {
                [$method, $route, $handler] = $rawRoute;

                $this->routeCollector->addRoute($method, $route, $handler);
            }

            $this->computed = true;
        }

        return $this->routeCollector;
    }
}


1			<?php
2
3			declare(strict_types=1);
4
5			namespace Jarvis\Skill\Routing;
6
7			use FastRoute\DataGenerator\GroupCountBased as DataGenerator;
8			use FastRoute\Dispatcher\GroupCountBased as Dispatcher;
9			use FastRoute\RouteCollector;
10			use FastRoute\RouteParser\Std as Parser;
11			use Symfony\Component\HttpFoundation\Request;
12			use Symfony\Component\HttpFoundation\Response;
13
14			/**
15			* @author Eric Chau <[email protected]>
16			*/
17			class Router extends Dispatcher
18			{
19			const DEFAULT_SCHEME = 'http';
20			const HTTP_PORT = 80;
21			const HTTPS_PORT = 443;
22
23			private $computed = false;
24			private $host = '';
25			private $rawRoutes = [];
26			private $routesNames = [];
27			private $routeCollector;
28			private $scheme = self::DEFAULT_SCHEME;
29
30			/**
31			* Creates an instance of Router.
32			*
33			* Required to disable FastRoute\Dispatcher\GroupCountBased constructor.
34			*/
35			public function __construct()
36			{
37			}
38
39			/**
40			* Adds a new route to the collection.
41			*
42			* We highly recommend you to use ::beginRoute() instead.
43			* {@see ::beginRoute()}
44			*
45			* @param Route $route
46			* @return self
47			*/
48			public function addRoute(Route $route): void
49			{
50			$this->rawRoutes[] = [$route->method(), $route->pattern(), $route->handler()];
51			$this->computed = false;
52
53			if (false != $name = $route->name()) {
54			$this->routesNames[$name] = $route->pattern();
55			}
56			}
57
58			/**
59			* This is an helper that provides you a smooth syntax to add new route. Example:
60			*
61			* $router
62			* ->beginRoute('hello_world')
63			* ->setPattern('/hello/world')
64			* ->setHandler(function () {
65			* return 'Hello, world!';
66			* })
67			* ->end()
68			* ;
69			*
70			* This syntax avoids you to create a new intance of Route, hydrating it and
71			* then adding it to Router.
72			*
73			* @param string\|null $name
74			* @return Route
75			*/
76			public function beginRoute(string $name = null): Route
77			{
78			return new Route($this, $name);
79			}
80
81			/**
82			* Generates and returns the full URL (with scheme and host) with provided URI.
83			*
84			* Notes that this method required at least the host to be setted.
85			*
86			* @param string $uri
87			* @return string
88			*/
89			public function url(string $uri): string
90			{
91			$scheme = '';
92			if ($this->host) {
93			$uri = preg_replace('~/+~', '/', "{$this->host}$uri");
94			$scheme = "{$this->scheme}://";
95			}
96
97			return "$scheme$uri";
98			}
99
100			/**
101			* Returns the current scheme.
102			*
103			* @return string
104			*/
105			public function scheme(): string
106			{
107			return $this->scheme;
108			}
109
110			/**
111			* Sets the new scheme to use. Calling this method without parameter will reset
112			* it to 'http'.
113			*
114			* @param string\|null $scheme
115			*/
116			public function setScheme(string $scheme = null): void
117			{
118			$this->scheme = (string) $scheme ?: self::DEFAULT_SCHEME;
119			}
120
121			/**
122			* Returns the setted host.
123			*
124			* @return string
125			*/
126			public function host(): string
127			{
128			return $this->host;
129			}
130
131			/**
132			* Sets new host to Router. Calling this method without parameter will reset
133			* the host to empty string.
134			*
135			* @param string\|null $host
136			* @return self
137			*/
138			public function setHost(string $host = null): void
139			{
140			$this->host = (string) $host;
141			}
142
143			/**
144			* Uses the provided request to guess the host. This method also set the
145			*
146			* @param Request $request
147			* @return self
148			*/
149			public function guessHost(Request $request): void
150			{
151			$this->setScheme($request->getScheme());
152			$this->setHost($request->getHost());
153			if (!in_array($request->getPort(), [self::HTTP_PORT, self::HTTPS_PORT])) {
154			$this->setHost($this->host() . ':' . $request->getPort());
155			}
156			}
157
158			/**
159			* Generates URI associated to provided route name.
160			*
161			* @param string $name The URI route name we want to generate
162			* @param array $params Parameters to replace in pattern
163			* @return string
164			* @throws \InvalidArgumentException if provided route name is unknown
165			*/
166			public function uri(string $name, array $params = []): string
167			{
168			if (!isset($this->routesNames[$name])) {
169			throw new \InvalidArgumentException(
170			"Cannot generate URI for '$name' cause it does not exist."
171			);
172			}
173
174			$uri = $this->routesNames[$name];
175			foreach ($params as $key => $value) {
176			if (1 !== preg_match("~\{($key:?[^}]*)\}~", $uri, $matches)) {
177			continue;
178			}
179
180			$value = (string) $value;
181			$pieces = explode(':', $matches[1]);
182			if (1 < count($pieces) && 1 !== preg_match("~{$pieces[1]}~", $value)) {
183			throw new \InvalidArgumentException(
184			"Parameter '{$key}' must match regex '{$pieces[1]}' for route '{$name}'."
185			);
186			}
187
188			$uri = str_replace($matches[0], $value, $uri);
189			}
190
191			return $uri;
192			}
193
194			/**
195			* Matches the given HTTP method and URI to the route collection and returns
196			* the callback with the array of arguments to use.
197			*
198			* @param string $method
199			* @param string $uri
200			* @return array
201			*/
202			public function match(string $method, string $uri): array
203			{
204			$arguments = [];
205			$callback = null;
206			$result = $this->dispatch($method, $uri);
207
208			if (Dispatcher::FOUND === $result[0]) {
209			[1 => $callback, 2 => $arguments] = $result;
210			} else {
211			$callback = function () use ($result): Response {
212			return new Response(null, Dispatcher::NOT_FOUND === $result[0]
213			? Response::HTTP_NOT_FOUND
214			: Response::HTTP_METHOD_NOT_ALLOWED
215			);
216			};
217			}
218
219			return [$callback, $arguments];
220			}
221
222			/**
223			* {@inheritdoc}
224			* Overrides GroupCountBased::dispatch() to ensure that dispatcher always deals with up-to-date
225			* route collection.
226			*/
227			public function dispatch($method, $uri): array
228			{
229			[$this->staticRouteMap, $this->variableRouteData] = $this->routeCollector()->getData();
230
231			return parent::dispatch(strtolower($method), $uri);
232			}
233
234			/**
235			* Will always return the right RouteCollector and knows when to recompute it.
236			*
237			* @return RouteCollector
238			*/
239			private function routeCollector(): RouteCollector
240			{
241			if (!$this->computed) {
242			$this->routeCollector = new RouteCollector(new Parser(), new DataGenerator());
243			foreach ($this->rawRoutes as $rawRoute) {
244			[$method, $route, $handler] = $rawRoute;
			0 ignored issues – show Bug introduced 2017-01-04 22:07 UTC by Report Bug Copy Issue Report Show Similar Issues like this The variable `$method` does not exist. Did you forget to declare it? This check marks access to variables or properties that have not been declared yet. While PHP has no explicit notion of declaring a variable, accessing it before a value is assigned to it is most likely a bug. Loading history... Bug introduced 2017-01-04 22:07 UTC by Report Bug Copy Issue Report Show Similar Issues like this The variable `$route` does not exist. Did you forget to declare it? This check marks access to variables or properties that have not been declared yet. While PHP has no explicit notion of declaring a variable, accessing it before a value is assigned to it is most likely a bug. Loading history... Bug introduced 2017-01-04 22:07 UTC by Report Bug Copy Issue Report Show Similar Issues like this The variable `$handler` does not exist. Did you forget to declare it? This check marks access to variables or properties that have not been declared yet. While PHP has no explicit notion of declaring a variable, accessing it before a value is assigned to it is most likely a bug. Loading history...
245			$this->routeCollector->addRoute($method, $route, $handler);
246			}
247
248			$this->computed = true;
249			}
250
251			return $this->routeCollector;
252			}
253			}
254

eric-chau / jarvis

Issues (5)

Security Analysis not enabled

src/Skill/Routing/Router.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like