1 | <?php |
2 | /** |
3 | * Finance module for HiPanel |
4 | * |
5 | * @link https://github.com/hiqdev/hipanel-module-finance |
6 | * @package hipanel-module-finance |
7 | * @license BSD-3-Clause |
8 | * @copyright Copyright (c) 2015-2019, HiQDev (http://hiqdev.com/) |
9 | */ |
10 | |||
11 | namespace hipanel\modules\finance\controllers; |
12 | |||
13 | use hipanel\modules\finance\models\Merchant; |
14 | use hiqdev\hiart\ResponseErrorException; |
15 | use hiqdev\yii2\merchant\actions\RequestAction; |
16 | use hiqdev\yii2\merchant\events\TransactionInsertEvent; |
17 | use hiqdev\yii2\merchant\transactions\Transaction; |
18 | use function is_array; |
19 | use Yii; |
20 | use yii\base\InvalidParamException; |
21 | use yii\helpers\Json; |
22 | |||
23 | /** |
24 | * Class PayController. |
25 | * |
26 | * @property \hipanel\modules\finance\Module $module |
27 | */ |
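class PayController extends \hiqdev\yii2\merchant\controllers\PayController
{
    /**
     * Session key under which the ID of the most recently inserted transaction
     * is remembered, so that a notification arriving without an explicit
     * transaction/order ID can still be matched in checkNotify().
     */
    const SESSION_MERCHANT_LATEST_TRANSACTION_ID = 'MERCHANT_LATEST_TRANSACTION_ID';

    /**
     * Extends the parent action map with a `request` action that records the
     * ID of every newly inserted transaction in the current session.
     *
     * @return array action configuration, see \yii\base\Controller::actions()
     */
    public function actions()
    {
        // Remember the transaction the visitor has just been sent to the
        // gateway with; checkNotify() uses it as a fallback lookup key.
        $rememberLatestTransaction = function (TransactionInsertEvent $event) {
            if ($event->transaction instanceof Transaction) {
                Yii::$app->session->set(self::SESSION_MERCHANT_LATEST_TRANSACTION_ID, $event->transaction->getId());
            }
        };

        return array_merge(parent::actions(), [
            'request' => [
                'class' => RequestAction::class,
                'on ' . RequestAction::EVENT_AFTER_TRANSACTION_INSERT => $rememberLatestTransaction,
            ],
        ]);
    }

    /**
     * Returns the merchant sub-module of the finance module.
     *
     * @return \hiqdev\yii2\merchant\Module
     */
    public function getMerchantModule()
    {
        return $this->module->getMerchant();
    }

    /**
     * Delegates view rendering to the merchant module's own pay controller,
     * so the views shipped with that module are used.
     *
     * @param string $view
     * @param array $params
     * @return string
     */
    public function render($view, $params = [])
    {
        $merchantPayController = $this->getMerchantModule()->getPayController();

        return $merchantPayController->render($view, $params);
    }

    /**
     * Matches an incoming payment notification (gateway callback or customer
     * return) to a locally stored transaction and asks the API backend to
     * settle it.
     *
     * The transaction ID is probed from several sources, in order: the explicit
     * argument, `transactionId` from GET/POST, the ID remembered in the session
     * by the `request` action, and `orderId` from GET/POST. The first candidate
     * that resolves to a stored transaction wins. Note that the session
     * fallback matches a notification without any ID to whatever transaction
     * this browser session last created — presumably only meaningful for the
     * customer-return flow, not for server-to-server callbacks.
     *
     * The request parameters are then forwarded to the backend (`pay-transaction`,
     * falling back to the legacy `pay` call) with API authentication disabled.
     * Everything forwarded is attacker-controlled: this method verifies no
     * gateway signature itself, so the backend must authenticate the gateway
     * before a transaction is reported as paid — confirm this holds for every
     * enabled merchant.
     *
     * @param string|null $transactionId transaction ID supplied by the caller, if any
     * @return Transaction|null the matched transaction (completed when the
     * backend accepted the payment, untouched otherwise), or null when no
     * stored transaction matches any candidate ID
     */
    public function checkNotify(string $transactionId = null): ?Transaction
    {
        $request = Yii::$app->request;
        $candidateIds = [
            $transactionId,
            $request->get('transactionId'),
            $request->post('transactionId'),
            Yii::$app->session->get(self::SESSION_MERCHANT_LATEST_TRANSACTION_ID),
            $request->get('orderId'),
            $request->post('orderId'),
        ];

        $transaction = null;
        foreach ($candidateIds as $candidateId) {
            // Skip empty candidates, and anything that is not a scalar: a query
            // like `?transactionId[]=x` must not reach the lookup as an array.
            if (!is_scalar($candidateId) || empty($candidateId)) {
                continue;
            }
            $transaction = $this->getMerchantModule()->findTransaction($candidateId);
            if ($transaction !== null) {
                break;
            }
        }

        if ($transaction === null) {
            return null;
        }

        // Only GET and POST are forwarded (POST wins on duplicate keys, as with
        // the default `request_order=GP`); cookies are never part of a
        // notification and must not leak to the backend.
        $notification = array_merge($request->get(), $request->post());

        // The merchant and the owning username come from the stored transaction
        // and are merged last so that a request parameter of the same name
        // cannot override them. A null transaction value does not clobber a
        // value the request supplied.
        $trusted = array_filter([
            'merchant' => $transaction->getMerchant(),
            'username' => $transaction->getParameter('username'),
        ], static function ($value) {
            return $value !== null;
        });
        $data = array_merge($notification, $trusted);

        // The full notification is logged verbatim under the `merchant`
        // category; it may carry gateway signatures/tokens, so that log target
        // should not be broadly readable.
        Yii::info(http_build_query($data), 'merchant');

        // file_get_contents() signals failure with false, never null.
        $rawInput = file_get_contents('php://input');
        if ($rawInput !== false) {
            try {
                $data['rawBody'] = Json::decode($rawInput);
            } catch (InvalidParamException $e) {
                // Not every gateway posts JSON (form-encoded bodies are common),
                // so an undecodable body is expected and deliberately ignored;
                // the form parameters collected above are still forwarded.
                // Newer Yii throws InvalidArgumentException, a subclass of this.
            }
        }

        // Authentication is disabled because a gateway callback carries no user
        // session; the backend is expected to authenticate the gateway instead.
        $hiart = Yii::$app->get('hiart');
        foreach (['pay-transaction', 'pay'] as $apiCall) {
            try {
                return $hiart->callWithDisabledAuth(function () use ($transaction, $data, $apiCall) {
                    $result = Merchant::perform($apiCall, $data);
                    $this->completeTransaction($transaction, $result);

                    return $transaction;
                });
            } catch (ResponseErrorException $e) {
                // `pay-transaction` is the current API call; on a response error
                // retry with the legacy `pay` call. If both fail this was not a
                // valid notification and the transaction is returned untouched.
            }
        }

        return $transaction;
    }

    /**
     * Forwards a gateway notification to the backend `pay-transaction` call
     * without any local processing and returns the backend's answer as the
     * response body. Currently used at least for the FreeKassa integration.
     *
     * This endpoint proxies all GET and POST parameters verbatim with API
     * authentication disabled, so any signature check must happen on the
     * backend. CSRF validation is presumably disabled for notification
     * actions by the parent controller — confirm.
     *
     * @return mixed the backend response, emitted as-is
     */
    public function actionProxyNotification()
    {
        $notification = array_merge(Yii::$app->request->get(), Yii::$app->request->post());

        $result = Yii::$app->get('hiart')->callWithDisabledAuth(function () use ($notification) {
            return Merchant::perform('pay-transaction', $notification);
        });

        // No layout: the backend answer is returned as the bare response body.
        $this->layout = false;

        return $result;
    }

    /**
     * Applies the backend's answer to the local transaction.
     *
     * @param Transaction $transaction
     * @param string|array $response backend response: an array describing the
     * created bill (`id`) on success, an array containing `_error` on failure,
     * or the literal string `"OK"` (quotes included) which is echoed back as-is
     * @return Transaction
     * @throws \yii\base\ExitException when the `"OK"` acknowledgement is sent,
     * because the request is terminated right after echoing it
     */
    protected function completeTransaction($transaction, $response)
    {
        // Already settled, or the backend rejected the payment: nothing to record.
        if ($transaction->isCompleted() || isset($response['_error'])) {
            return $transaction;
        }

        // Presumably some gateway expects the exact token as the whole body:
        // emit it and end the request so no view or layout is appended.
        if ($response === '"OK"') {
            echo $response;
            Yii::$app->end();
        }

        if (!is_array($response)) {
            return $transaction;
        }

        $transaction->complete();
        // `??` avoids an undefined-index warning on a malformed success response.
        $transaction->addParameter('bill_id', $response['id'] ?? null);

        $this->getMerchantModule()->saveTransaction($transaction);

        return $transaction;
    }
}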