Issues in Admin.php (master) - Issues in master - laravelflare/flare - Measure and Improve Code Quality continuously with Scrutinizer

Issues (76)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Flare/Admin/Admin.php (3 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace LaravelFlare\Flare\Admin;

use Illuminate\Support\Arr;
use Illuminate\Support\Str;
use Illuminate\Routing\Router;
use LaravelFlare\Flare\Support\ControllerInspector;

abstract class Admin
{
    /**
     * Admin Section Icon.
     *
     * Font Awesome Defined Icon, eg 'user' = 'fa-user'
     *
     * @var string
     */
    protected $icon;

    /**
     * Title of Admin Section.
     *
     * @var string
     */
    protected $title;

    /**
     * Plural Title of Admin Section.
     *
     * @var string
     */
    protected $pluralTitle;

    /**
     * URL Prefix of Admin Section.
     *
     * @var string
     */
    protected $urlPrefix;

    /**
     * The Controller to be used by the Admin.
     *
     * This defaults to parent::getController()
     * if it has been left undefined. 
     * 
     * @var string
     */
    protected $controller = \LaravelFlare\Flare\Http\Controllers\AdminController::class;

    /**
     * The Policy used for the Admin Authorization logic.
     * 
     * @var string
     */
    protected $policy = '\LaravelFlare\Flare\Permissions\AdminPolicy';

    /**
     * An array of subclasses of Admin
     * which allows hierachy in a Module.
     * 
     * @var array
     */
    protected $subAdmin = [];

    /**
     * The Admin Default View.
     *
     * By Default this is the 404 page
     *
     * @var string
     */
    protected $view = 'admin.404';

    /**
     * Array of View Data to Render.
     * 
     * @var array
     */
    protected $viewData = [];

    /**
     * Class Suffix used for matching and removing term
     * from user provided Admin sections.
     *
     * @var string
     */
    const CLASS_SUFFIX = 'Admin';

    /**
     * __construct.
     */
    public function __construct()
    {
    }

    /**
     * Register the routes for this Admin Section.
     *
     * Default routes include, create:, read:, update:, delete:
     *
     * Also attempts to load in ModelAdminController
     * based on the shortName of the class, for
     * overloading and adding additional routes
     *
     * @param \Illuminate\Routing\Router $router
     */
    public function registerRoutes(Router $router)
    {
        // We will need to throw an exception if a ModelAdmin manages a Model which conflicts with an internal flare endpoint
        // such as (create, edit, view, delete etc) 
        $router->group(['prefix' => $this->urlPrefix(), 'namespace' => get_called_class(), 'as' => $this->urlPrefix()], function ($router) {

            $this->registerSubRoutes();
            $this->registerController($this->getController());
        });
    }

    /**
     * Register subRoutes for Defined Admin instances.
     *
     * @return
     */
    public function registerSubRoutes()
    {
        if (!is_array($this->subAdmin)) {
            return;
        }

        foreach ($this->subAdmin as $adminItem) {
            $this->registerRoute($adminItem->getController(), $adminItem->routeParameters());
        }
    }

    /**
     * Register an individual route.
     *
     * @param string $controller
     * @param array  $parameters
     *
     * @return
     */
    public static function registerRoute($controller, $parameters = [])

    {
        \Route::group($parameters, function ($controller) {
            \Route::registerController($controller);
        });
    }

    /**
     * Stolen Method from 5.2 Illumiante/Routing/Router.
     * 
     * @param  string $controller 
     * @return void          
     */
    public static function registerController($controller)
    {
        $uri = '/';

        $routable = (new ControllerInspector)
                            ->getRoutable($controller, $uri);

        // When a controller is routed using this method, we use Reflection to parse
        // out all of the routable methods for the controller, then register each
        // route explicitly for the developers, so reverse routing is possible.
        foreach ($routable as $method => $routes) {
            foreach ($routes as $route) {
                $action = ['uses' => $controller.'@'.$method];

                \Route::{$route['verb']}($route['uri'], $action);
            }
        }

        \Route::any($uri.'/{_missing}', $controller.'@missingMethod');
    }

    /**
     * Returns the Route Paramets.
     * 
     * @return array
     */
    public function routeParameters()
    {
        return [
            'prefix' => $this->urlPrefix(),
            'as' => $this->urlPrefix(),
        ];
    }

    /**
     * Returns the Requested Route Action as a
     * string, namespace is returned by default.
     *
     * @param string $key
     * 
     * @return string|void
     */
    public static function getRequested($key = 'namespace')
    {
        if (!\Route::current()) {
            return;
        }

        $currentAction = \Route::current()->getAction();

        if (isset($currentAction[$key])) {
            return $currentAction[$key];
        }

        return;
    }

    /**
     * Returns the Controller Class for the current Admin section.
     * 
     * @return string
     */
    public function getController()
    {
        return $this->controller;
    }

    /**
     * Set the Controller Class for the current Admin section.
     * 
     * @return string
     */
    public function setController($controller = null)
    {
        $this->controller = $controller;
    }

    /**
     * Returns the Module Admin View.
     * 
     * @return string
     */
    public function getView()
    {
        if (view()->exists($this->view)) {
class A
{
    public function foo() { }
}

class B extends A
{
    public function bar() { }
}

/**
 * @param A|B $x
 */
function someFunction($x)
{
    $x->foo(); // This call is fine as the method exists in A and B.
    $x->bar(); // This method only exists in B and might cause an error.
}
            return $this->view;
        }

        return 'flare::'.$this->view;
    }

    /**
     * Set the Module Admin View.
     * 
     * @param string $view
     */
    public function setView($view = null)
    {
        $this->view = $view;
    }

    /**
     * Returns the View Data.
     * 
     * @return array
     */
    public function getViewData()
    {
        return $this->viewData;
    }

    /**
     * Set the View Data.
     * 
     * @param array $viewData
     */
    public function setViewData($viewData = [])
    {
        $this->viewData = $viewData;
    }

    /**
     * Menu Items.
     * 
     * @return array
     */
    public function menuItems()
    {
        return [];
    }

    /**
     * Icon of a Admin Section Class.
     *
     * @return string
     */
    public function getIcon()
    {
        return $this->icon;
    }

    /**
     * Set Icon of a Admin Section Class.
     *
     * @param string $icon
     */
    public function setIcon($icon = null)
    {
        $this->icon = $icon;
    }

    /**
     * Shortname of a Admin Section Class.
     *
     * @return string
     */
    public static function shortName()
    {
        return (new \ReflectionClass(new static()))->getShortName();
    }

    /**
     * Title of a Admin Section Class.
     *
     * @return string
     */
    public function getTitle()
    {
        if (!isset($this->title) || !$this->title) {
            return Str::title(str_replace('_', ' ', snake_case(preg_replace('/'.static::CLASS_SUFFIX.'$/', '', static::shortName()))));
        }

        return $this->title;
    }

    /**
     * Set Title of a Admin Section Class.
     *
     * @param string $title
     */
    public function setTitle($title = null)
    {
        $this->title = $title;
    }

    /**
     * Plural of the Admin Section Class Title.
     *
     * @return string
     */
    public function getPluralTitle()
    {
        if (!isset($this->pluralTitle) || !$this->pluralTitle) {
            return Str::plural($this->getTitle());
        }

        return $this->pluralTitle;
    }

    /**
     * Set Plural Title.
     * 
     * @param string $pluralTitle
     */
    public function setPluralTitle($pluralTitle = null)
    {
        $this->pluralTitle = $pluralTitle;
    }

    /**
     * URL Prefix to a Admin Section Top Level Page.
     *
     * @return string
     */
    public function urlPrefix()
    {
        if (!isset($this->urlPrefix) || !$this->urlPrefix) {
            return str_slug($this->getPluralTitle());
        }

        return $this->urlPrefix;
    }

    /**
     * URL to a Admin Top Level Page.
     *
     * @param string $path
     *
     * @return string
     */
    public function url($path = '')
    {
        return url($this->relativeUrl($path));
    }

    /**
     * Relative URL to an Admin Top Level Page.
     *
     * @param string $path
     *
     * @return string
     */
    public function relativeUrl($path = '')
    {
        return \Flare::relativeAdminUrl($this->urlPrefix().($path ? '/'.$path : ''));
    }

    /**
     * Retrieves the Current Admin Route URL.
     *
     * @param string $path
     *
     * @return string
     */
    public function currentUrl($path = '')
    {
        return url($this->relativeCurrentUrl($path));
    }

    /**
     * Retrieves the Current Admin Route URL.
     *
     * @param string $path
     *
     * @return string
     */
    public function relativeCurrentUrl($path)
    {
        return \Route::current() ? \Route::current()->getPrefix().'/'.$path : null;
    }

    /*
     * Handle dynamic static method calls into the Admin.
     *
     * @param string $method
     * @param array  $parameters
     * 
     * @return mixed
     */
    // public static function __callStatic($method, $parameters)
    // {
    //     $instance = new static();

    //     return call_user_func_array([$instance, $method], $parameters);
    // }
}


GitHub Access Token became invalid

Issues (76)

Security Analysis not enabled

src/Flare/Admin/Admin.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Available Fixes

1			<?php
2
3			namespace LaravelFlare\Flare\Admin;
4
5			use Illuminate\Support\Arr;
6			use Illuminate\Support\Str;
7			use Illuminate\Routing\Router;
8			use LaravelFlare\Flare\Support\ControllerInspector;
9
10			abstract class Admin
11			{
12			/**
13			* Admin Section Icon.
14			*
15			* Font Awesome Defined Icon, eg 'user' = 'fa-user'
16			*
17			* @var string
18			*/
19			protected $icon;
20
21			/**
22			* Title of Admin Section.
23			*
24			* @var string
25			*/
26			protected $title;
27
28			/**
29			* Plural Title of Admin Section.
30			*
31			* @var string
32			*/
33			protected $pluralTitle;
34
35			/**
36			* URL Prefix of Admin Section.
37			*
38			* @var string
39			*/
40			protected $urlPrefix;
41
42			/**
43			* The Controller to be used by the Admin.
44			*
45			* This defaults to parent::getController()
46			* if it has been left undefined.
47			*
48			* @var string
49			*/
50			protected $controller = \LaravelFlare\Flare\Http\Controllers\AdminController::class;
51
52			/**
53			* The Policy used for the Admin Authorization logic.
54			*
55			* @var string
56			*/
57			protected $policy = '\LaravelFlare\Flare\Permissions\AdminPolicy';
58
59			/**
60			* An array of subclasses of Admin
61			* which allows hierachy in a Module.
62			*
63			* @var array
64			*/
65			protected $subAdmin = [];
66
67			/**
68			* The Admin Default View.
69			*
70			* By Default this is the 404 page
71			*
72			* @var string
73			*/
74			protected $view = 'admin.404';
75
76			/**
77			* Array of View Data to Render.
78			*
79			* @var array
80			*/
81			protected $viewData = [];
82
83			/**
84			* Class Suffix used for matching and removing term
85			* from user provided Admin sections.
86			*
87			* @var string
88			*/
89			const CLASS_SUFFIX = 'Admin';
90
91			/**
92			* __construct.
93			*/
94			public function __construct()
95			{
96			}
97
98			/**
99			* Register the routes for this Admin Section.
100			*
101			* Default routes include, create:, read:, update:, delete:
102			*
103			* Also attempts to load in ModelAdminController
104			* based on the shortName of the class, for
105			* overloading and adding additional routes
106			*
107			* @param \Illuminate\Routing\Router $router
108			*/
109			public function registerRoutes(Router $router)
110			{
111			// We will need to throw an exception if a ModelAdmin manages a Model which conflicts with an internal flare endpoint
112			// such as (create, edit, view, delete etc)
113			$router->group(['prefix' => $this->urlPrefix(), 'namespace' => get_called_class(), 'as' => $this->urlPrefix()], function ($router) {
			0 ignored issues – show Unused Code introduced 2017-12-21 18:05 UTC by Report Bug Copy Issue Report Show Similar Issues like this The parameter `$router` is not used and could be removed. This check looks from parameters that have been defined for a function or method, but which are not used in the method body. Loading history...
114			$this->registerSubRoutes();
115			$this->registerController($this->getController());
116			});
117			}
118
119			/**
120			* Register subRoutes for Defined Admin instances.
121			*
122			* @return
123			*/
124			public function registerSubRoutes()
125			{
126			if (!is_array($this->subAdmin)) {
127			return;
128			}
129
130			foreach ($this->subAdmin as $adminItem) {
131			$this->registerRoute($adminItem->getController(), $adminItem->routeParameters());
132			}
133			}
134
135			/**
136			* Register an individual route.
137			*
138			* @param string $controller
139			* @param array $parameters
140			*
141			* @return
142			*/
143			public static function registerRoute($controller, $parameters = [])
			0 ignored issues – show Unused Code introduced 2015-11-29 15:51 UTC by Report Bug Copy Issue Report Show Similar Issues like this The parameter `$controller` is not used and could be removed. This check looks from parameters that have been defined for a function or method, but which are not used in the method body. Loading history...
144			{
145			\Route::group($parameters, function ($controller) {
146			\Route::registerController($controller);
147			});
148			}
149
150			/**
151			* Stolen Method from 5.2 Illumiante/Routing/Router.
152			*
153			* @param string $controller
154			* @return void
155			*/
156			public static function registerController($controller)
157			{
158			$uri = '/';
159
160			$routable = (new ControllerInspector)
161			->getRoutable($controller, $uri);
162
163			// When a controller is routed using this method, we use Reflection to parse
164			// out all of the routable methods for the controller, then register each
165			// route explicitly for the developers, so reverse routing is possible.
166			foreach ($routable as $method => $routes) {
167			foreach ($routes as $route) {
168			$action = ['uses' => $controller.'@'.$method];
169
170			\Route::{$route['verb']}($route['uri'], $action);
171			}
172			}
173
174			\Route::any($uri.'/{_missing}', $controller.'@missingMethod');
175			}
176
177			/**
178			* Returns the Route Paramets.
179			*
180			* @return array
181			*/
182			public function routeParameters()
183			{
184			return [
185			'prefix' => $this->urlPrefix(),
186			'as' => $this->urlPrefix(),
187			];
188			}
189
190			/**
191			* Returns the Requested Route Action as a
192			* string, namespace is returned by default.
193			*
194			* @param string $key
195			*
196			* @return string\|void
197			*/
198			public static function getRequested($key = 'namespace')
199			{
200			if (!\Route::current()) {
201			return;
202			}
203
204			$currentAction = \Route::current()->getAction();
205
206			if (isset($currentAction[$key])) {
207			return $currentAction[$key];
208			}
209
210			return;
211			}
212
213			/**
214			* Returns the Controller Class for the current Admin section.
215			*
216			* @return string
217			*/
218			public function getController()
219			{
220			return $this->controller;
221			}
222
223			/**
224			* Set the Controller Class for the current Admin section.
225			*
226			* @return string
227			*/
228			public function setController($controller = null)
229			{
230			$this->controller = $controller;
231			}
232
233			/**
234			* Returns the Module Admin View.
235			*
236			* @return string
237			*/
238			public function getView()
239			{
240			if (view()->exists($this->view)) {
			0 ignored issues – show Bug introduced 2015-11-29 15:51 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `exists` does only exist in `Illuminate\Contracts\View\Factory`, but not in `Illuminate\View\View`. It seems like the method you are trying to call exists only in some of the possible types. Let’s take a look at an example: class A { public function foo() { } } class B extends A { public function bar() { } } /** * @param A\|B $x / function someFunction($x) { $x->foo(); // This call is fine as the method exists in A and B. $x->bar(); // This method only exists in B and might cause an error. } Available Fixes Add an additional type-check: /* * @param A\|B $x / function someFunction($x) { $x->foo(); if ($x instanceof B) { $x->bar(); } } Only allow a single type to be passed if the variable comes from a parameter: function someFunction(B $x) { /* ... */ } Loading history...
241			return $this->view;
242			}
243
244			return 'flare::'.$this->view;
245			}
246
247			/**
248			* Set the Module Admin View.
249			*
250			* @param string $view
251			*/
252			public function setView($view = null)
253			{
254			$this->view = $view;
255			}
256
257			/**
258			* Returns the View Data.
259			*
260			* @return array
261			*/
262			public function getViewData()
263			{
264			return $this->viewData;
265			}
266
267			/**
268			* Set the View Data.
269			*
270			* @param array $viewData
271			*/
272			public function setViewData($viewData = [])
273			{
274			$this->viewData = $viewData;
275			}
276
277			/**
278			* Menu Items.
279			*
280			* @return array
281			*/
282			public function menuItems()
283			{
284			return [];
285			}
286
287			/**
288			* Icon of a Admin Section Class.
289			*
290			* @return string
291			*/
292			public function getIcon()
293			{
294			return $this->icon;
295			}
296
297			/**
298			* Set Icon of a Admin Section Class.
299			*
300			* @param string $icon
301			*/
302			public function setIcon($icon = null)
303			{
304			$this->icon = $icon;
305			}
306
307			/**
308			* Shortname of a Admin Section Class.
309			*
310			* @return string
311			*/
312			public static function shortName()
313			{
314			return (new \ReflectionClass(new static()))->getShortName();
315			}
316
317			/**
318			* Title of a Admin Section Class.
319			*
320			* @return string
321			*/
322			public function getTitle()
323			{
324			if (!isset($this->title) \|\| !$this->title) {
325			return Str::title(str_replace('_', ' ', snake_case(preg_replace('/'.static::CLASS_SUFFIX.'$/', '', static::shortName()))));
326			}
327
328			return $this->title;
329			}
330
331			/**
332			* Set Title of a Admin Section Class.
333			*
334			* @param string $title
335			*/
336			public function setTitle($title = null)
337			{
338			$this->title = $title;
339			}
340
341			/**
342			* Plural of the Admin Section Class Title.
343			*
344			* @return string
345			*/
346			public function getPluralTitle()
347			{
348			if (!isset($this->pluralTitle) \|\| !$this->pluralTitle) {
349			return Str::plural($this->getTitle());
350			}
351
352			return $this->pluralTitle;
353			}
354
355			/**
356			* Set Plural Title.
357			*
358			* @param string $pluralTitle
359			*/
360			public function setPluralTitle($pluralTitle = null)
361			{
362			$this->pluralTitle = $pluralTitle;
363			}
364
365			/**
366			* URL Prefix to a Admin Section Top Level Page.
367			*
368			* @return string
369			*/
370			public function urlPrefix()
371			{
372			if (!isset($this->urlPrefix) \|\| !$this->urlPrefix) {
373			return str_slug($this->getPluralTitle());
374			}
375
376			return $this->urlPrefix;
377			}
378
379			/**
380			* URL to a Admin Top Level Page.
381			*
382			* @param string $path
383			*
384			* @return string
385			*/
386			public function url($path = '')
387			{
388			return url($this->relativeUrl($path));
389			}
390
391			/**
392			* Relative URL to an Admin Top Level Page.
393			*
394			* @param string $path
395			*
396			* @return string
397			*/
398			public function relativeUrl($path = '')
399			{
400			return \Flare::relativeAdminUrl($this->urlPrefix().($path ? '/'.$path : ''));
401			}
402
403			/**
404			* Retrieves the Current Admin Route URL.
405			*
406			* @param string $path
407			*
408			* @return string
409			*/
410			public function currentUrl($path = '')
411			{
412			return url($this->relativeCurrentUrl($path));
413			}
414
415			/**
416			* Retrieves the Current Admin Route URL.
417			*
418			* @param string $path
419			*
420			* @return string
421			*/
422			public function relativeCurrentUrl($path)
423			{
424			return \Route::current() ? \Route::current()->getPrefix().'/'.$path : null;
425			}
426
427			/*
428			* Handle dynamic static method calls into the Admin.
429			*
430			* @param string $method
431			* @param array $parameters
432			*
433			* @return mixed
434			*/
435			// public static function __callStatic($method, $parameters)
436			// {
437			// $instance = new static();
438
439			// return call_user_func_array([$instance, $method], $parameters);
440			// }
441			}
442

laravelflare / flare

GitHub Access Token became invalid

Issues (76)

Security Analysis not enabled

src/Flare/Admin/Admin.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Available Fixes

Duplication Side-by-Side

Filter issues like