These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more
1 | <?php /** CsrfFilterMicro */ |
||
2 | |||
3 | namespace Micro\filter; |
||
4 | |||
5 | /** |
||
6 | * Class CsrfFilter |
||
7 | * |
||
8 | * @author Oleg Lunegov <[email protected]> |
||
9 | * @link https://github.com/lugnsk/micro |
||
10 | * @copyright Copyright © 2013 Oleg Lunegov |
||
11 | * @license /LICENSE |
||
12 | * @package micro |
||
13 | * @subpackage filter |
||
14 | * @version 1.0 |
||
15 | * @since 1.0 |
||
16 | */ |
||
17 | class CsrfFilter extends Filter |
||
18 | { |
||
19 | /** |
||
20 | * @inheritdoc |
||
21 | */ |
||
22 | public function pre(array $params) |
||
23 | { |
||
24 | if ($this->container->request->server('REQUEST_METHOD') !== 'POST') { |
||
0 ignored issues
–
show
|
|||
25 | return true; |
||
26 | } |
||
27 | |||
28 | $postCSRF = $this->container->request->post('csrf'); |
||
0 ignored issues
–
show
Accessing
request on the interface Micro\base\IContainer suggest that you code against a concrete implementation. How about adding an instanceof check?
If you access a property on an interface, you most likely code against a concrete implementation of the interface. Available Fixes
![]() |
|||
29 | View Code Duplication | if (!$postCSRF) { |
|
30 | $this->result = [ |
||
31 | 'redirect' => !empty($rule['redirect']) ? $rule['redirect'] : null, |
||
32 | 'message' => !empty($rule['message']) ? $rule['message'] : 'Not allowed!' |
||
33 | ]; |
||
34 | |||
35 | return false; |
||
36 | } |
||
37 | |||
38 | $csrf = $this->container->session->csrf; |
||
0 ignored issues
–
show
Accessing
session on the interface Micro\base\IContainer suggest that you code against a concrete implementation. How about adding an instanceof check?
If you access a property on an interface, you most likely code against a concrete implementation of the interface. Available Fixes
![]() |
|||
39 | if (($key = in_array(md5($postCSRF), $csrf, true)) !== null) { |
||
40 | unset($csrf[$key]); |
||
41 | |||
42 | $this->container->session->csrf = $csrf; |
||
0 ignored issues
–
show
Accessing
session on the interface Micro\base\IContainer suggest that you code against a concrete implementation. How about adding an instanceof check?
If you access a property on an interface, you most likely code against a concrete implementation of the interface. Available Fixes
![]() |
|||
43 | |||
44 | return true; |
||
45 | } |
||
46 | |||
47 | $this->result = [ |
||
48 | 'redirect' => !empty($rule['redirect']) ? $rule['redirect'] : null, |
||
49 | 'message' => !empty($rule['message']) ? $rule['message'] : 'Bad request!' |
||
50 | ]; |
||
51 | |||
52 | return false; |
||
53 | } |
||
54 | |||
55 | /** |
||
56 | * @inheritdoc |
||
57 | */ |
||
58 | public function post(array $params) |
||
59 | { |
||
60 | return preg_replace_callback( |
||
61 | '/(<form[^>]*>)(.*?)(<\/form>)/m', |
||
62 | array($this, 'insertProtect'), |
||
63 | $params['data'] |
||
64 | ); |
||
65 | } |
||
66 | |||
67 | /** |
||
68 | * Insert CSRF protect into forms |
||
69 | * |
||
70 | * @access public |
||
71 | * |
||
72 | * @param array $matches Form |
||
73 | * |
||
74 | * @return string |
||
75 | */ |
||
76 | public function insertProtect(array $matches = []) |
||
77 | { |
||
78 | $gen = md5(mt_rand()); |
||
79 | $s = $this->container->session; |
||
0 ignored issues
–
show
Accessing
session on the interface Micro\base\IContainer suggest that you code against a concrete implementation. How about adding an instanceof check?
If you access a property on an interface, you most likely code against a concrete implementation of the interface. Available Fixes
![]() |
|||
80 | |||
81 | $s->csrf = array_merge(is_array($s->csrf) ? $s->csrf : [], [md5($gen)]); |
||
82 | |||
83 | return $matches[1] . '<input type="hidden" name="csrf" value="' . $gen . '" />' . $matches[2] . $matches[3]; |
||
84 | } |
||
85 | } |
||
86 |
If you access a property on an interface, you most likely code against a concrete implementation of the interface.
Available Fixes
Adding an additional type check:
Changing the type hint: