Issues in BaseModelController.php (master) - Issues in master - marcmascarell/laravel-artificer - Measure and Improve Code Quality continuously with Scrutinizer

Issues (85)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Http/Controllers/BaseModelController.php (4 issues)

Labels

Severity

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php namespace Mascame\Artificer\Http\Controllers;

use App;
use Auth;
use File;
use Illuminate\Routing\Redirector;
use Illuminate\Routing\Router;
use Input;
use Mascame\Artificer\Fields\FieldFactory;
use Mascame\Artificer\Permit\ModelPermit;
use Redirect;
use Route;
use Session;
use Str;
use Validator;
use View;


class BaseModelController extends BaseController
{

    /**
     * The Eloquent model instance
     * @var \Eloquent
     */
    protected $model;

    /**
     *
     */
    public function __construct()
    {
        parent::__construct();

        if (! Auth::check() || ! ModelPermit::access()) {
            App::abort('403', 'Forbidden access');
        }

        $this->model = $this->modelObject->model;

        $this->checkPermissions();
    }

    /**
     *
     */
    protected function checkPermissions()
    {
        $permit = array(
            'view' => ModelPermit::to('view'),
            'update' => ModelPermit::to('update'),
            'create' => ModelPermit::to('create'),
            'delete' => ModelPermit::to('delete'),
        );

        ModelPermit::routeAction(Route::currentRouteName());

        View::share('permit', $permit);
    }

    /**
     * @param $data
     */
    protected function handleData($data)
    {
        $this->data = $data;

        $this->getFields($data);
    }

    /**
     * @param $data
     * @return null
     */
    protected function getFields($data)
    {
        if ($this->fields != null) {
            return $this->fields;
        }

        $this->fields = (new FieldFactory($this->modelObject))->makeFields($data);

        View::share('fields', $this->fields);

        return $this->fields;
    }

    /**
     * @return array
     */
    protected function getSort()
    {
        $sort = array();

        if (Input::has('sort_by')) {
            $sort['column'] = Input::get('sort_by');
            $sort['direction'] = Input::get('direction');
        } else {

            if ($this->modelObject->schema->hasColumn('sort_id')) {
                $sort['column'] = 'sort_id';
            } else {
                $sort['column'] = 'id';
            }

            $sort['direction'] = 'asc';
        }

        return $sort;
    }

    /**
     * @return array
     */
    protected function getRules()
    {
        if (isset($this->options['rules'])) {
            return $this->options['rules'];
        } else {
            if (isset($this->model->rules)) {
                return $this->model->rules;
            }
        }

        return array();
    }

    /**
     * @param $items
     * @return null
     */
    public static function getCurrentModelId($items)
    {
        return (isset($items->id)) ? $items->id : null;
    }

    /**
     * @return array|mixed
     */
    protected function filterInputData()
    {
        if ($this->modelObject->hasGuarded()) {
            $input = Input::all();
            $filtered_input = array();

            foreach ($input as $key => $value) {
                if (in_array($key, $this->modelObject->columns)) {
                    $filtered_input[$key] = $value;
                }
            }

            return $this->except($this->modelObject->options['guarded'], $filtered_input);
        }

        return Input::except('id');
    }

    /**
     * @param $keys
     * @param $values
     * @return mixed
     */
    protected function except($keys, $values)
    {
        $keys = is_array($keys) ? $keys : func_get_args();

        $results = $values;

        array_forget($results, $keys);

        return $results;
    }

    /**
     * @param $data
     * @return array
     */
    protected function handleFiles($data)
    {
        $new_data = array();
        $fields = $this->getFields($data);
class A
{
    function getObject()
    {
        return null;
    }

}

$a = new A();
$object = $a->getObject();

        if (!is_null($fields)) {
            foreach ($fields as $field) {
                if ($this->isFileInput($field->type)) {
                    if (Input::hasFile($field->name)) {
                        $new_data[$field->name] = $this->uploadFile($field->name);
                    } else {
                        unset($data[$field->name]);
                    }
                }
            }
        }

        return array_merge($data, $new_data);
    }

    /**
     * @param $type
     * @return bool
     */
    protected function isFileInput($type)
    {
        return ($type == 'file' || $type == 'image');
    }

    /**
     * This is used for simple upload (no plugins)
     *
     * @param $fieldName
     * @param null $path
     * @return string
     */
    protected function uploadFile($fieldName, $path = null)
    {
        if (!$path) {
            $path = public_path() . '/uploads/';
        }

        $file = Input::file($fieldName);

        if (!file_exists($path)) {
            File::makeDirectory($path);
        }

        $name = uniqid() . '-' . Str::slug($file->getFilename()) . '.' . $file->guessExtension();

        $file->move($path, $name);

        return $name;
    }

    /**
     * @param $modelName
     * @param $id
     * @param $field
     * @return null
     */
    protected function getRelatedFieldOutput($modelName, $id, $field)

    {
        if ($id != 0) {
            $this->handleData($this->model->with($this->modelObject->getRelations())->findOrFail($id));
        } else {
            if (Session::has('_set_relation_on_create_' . $this->modelObject->name)) {
                $relateds = Session::get('_set_relation_on_create_' . $this->modelObject->name);
                $related_ids = array();
                foreach ($relateds as $related) {
                    $related_ids[] = $related['id'];
                }

                $data = $relateds[0]['modelClass']::whereIn('id', $related_ids)->get();

                $this->handleData($data);
            } else {
                return null;
            }
        }

        return $this->fields[$field]->output();
    }

    /**
     * @param $validator
     * @param string $route
     * @return $this
     */
    protected function redirect($validator, $route, $id = null)
    {
        if (Input::has('_standalone')) {
            $route_params = array('slug' => Input::get('_standalone'));

            if ($id) {
                $route_params['id'] = $id;
            }

            return Redirect::route($route, $route_params)

                ->withErrors($validator)
                ->withInput();
        }

        return Redirect::back()->withErrors($validator)->withInput();

    }

    /**
     * @param $data
     * @return \Illuminate\Validation\Validator
     */
    protected function validator($data)
    {
        return Validator::make($data, $this->getRules());
    }

    /**
     * @param $modelName
     * @param null $data
     * @param $sort
     * @return $this
     */
    protected function all($modelName, $data = null, $sort)
    {
        $this->handleData($data);

        return View::make($this->getView('all'))
            ->with('items', $this->data)
            ->with('sort', $sort);
    }
}

1			<?php namespace Mascame\Artificer\Http\Controllers;
2
3			use App;
4			use Auth;
5			use File;
6			use Illuminate\Routing\Redirector;
7			use Illuminate\Routing\Router;
8			use Input;
9			use Mascame\Artificer\Fields\FieldFactory;
10			use Mascame\Artificer\Permit\ModelPermit;
11			use Redirect;
12			use Route;
13			use Session;
14			use Str;
15			use Validator;
16			use View;
17
18
19			class BaseModelController extends BaseController
20			{
21
22			/**
23			* The Eloquent model instance
24			* @var \Eloquent
25			*/
26			protected $model;
27
28			/**
29			*
30			*/
31			public function __construct()
32			{
33			parent::__construct();
34
35			if (! Auth::check() \|\| ! ModelPermit::access()) {
36			App::abort('403', 'Forbidden access');
37			}
38
39			$this->model = $this->modelObject->model;
40
41			$this->checkPermissions();
42			}
43
44			/**
45			*
46			*/
47			protected function checkPermissions()
48			{
49			$permit = array(
50			'view' => ModelPermit::to('view'),
51			'update' => ModelPermit::to('update'),
52			'create' => ModelPermit::to('create'),
53			'delete' => ModelPermit::to('delete'),
54			);
55
56			ModelPermit::routeAction(Route::currentRouteName());
57
58			View::share('permit', $permit);
59			}
60
61			/**
62			* @param $data
63			*/
64			protected function handleData($data)
65			{
66			$this->data = $data;
67
68			$this->getFields($data);
69			}
70
71			/**
72			* @param $data
73			* @return null
74			*/
75			protected function getFields($data)
76			{
77			if ($this->fields != null) {
78			return $this->fields;
79			}
80
81			$this->fields = (new FieldFactory($this->modelObject))->makeFields($data);
82
83			View::share('fields', $this->fields);
84
85			return $this->fields;
86			}
87
88			/**
89			* @return array
90			*/
91			protected function getSort()
92			{
93			$sort = array();
94
95			if (Input::has('sort_by')) {
96			$sort['column'] = Input::get('sort_by');
97			$sort['direction'] = Input::get('direction');
98			} else {
99
100			if ($this->modelObject->schema->hasColumn('sort_id')) {
101			$sort['column'] = 'sort_id';
102			} else {
103			$sort['column'] = 'id';
104			}
105
106			$sort['direction'] = 'asc';
107			}
108
109			return $sort;
110			}
111
112			/**
113			* @return array
114			*/
115			protected function getRules()
116			{
117			if (isset($this->options['rules'])) {
118			return $this->options['rules'];
119			} else {
120			if (isset($this->model->rules)) {
121			return $this->model->rules;
122			}
123			}
124
125			return array();
126			}
127
128			/**
129			* @param $items
130			* @return null
131			*/
132			public static function getCurrentModelId($items)
133			{
134			return (isset($items->id)) ? $items->id : null;
135			}
136
137			/**
138			* @return array\|mixed
139			*/
140			protected function filterInputData()
141			{
142			if ($this->modelObject->hasGuarded()) {
143			$input = Input::all();
144			$filtered_input = array();
145
146			foreach ($input as $key => $value) {
147			if (in_array($key, $this->modelObject->columns)) {
148			$filtered_input[$key] = $value;
149			}
150			}
151
152			return $this->except($this->modelObject->options['guarded'], $filtered_input);
153			}
154
155			return Input::except('id');
156			}
157
158			/**
159			* @param $keys
160			* @param $values
161			* @return mixed
162			*/
163			protected function except($keys, $values)
164			{
165			$keys = is_array($keys) ? $keys : func_get_args();
166
167			$results = $values;
168
169			array_forget($results, $keys);
170
171			return $results;
172			}
173
174			/**
175			* @param $data
176			* @return array
177			*/
178			protected function handleFiles($data)
179			{
180			$new_data = array();
181			$fields = $this->getFields($data);
			0 ignored issues – show Bug introduced 2016-02-25 21:36 UTC by Report Bug Copy Issue Report Show Similar Issues like this Are you sure the assignment to `$fields` is correct as `$this->getFields($data)` (which targets `Mascame\Artificer\Http\C...Controller::getFields()`) seems to always return null. This check looks for function or method calls that always return null and whose return value is assigned to a variable. class A { function getObject() { return null; } } $a = new A(); $object = $a->getObject(); The method `getObject()` can return nothing but null, so it makes no sense to assign that value to a variable. The reason is most likely that a function or method is imcomplete or has been reduced for debug purposes. Loading history...
182
183			if (!is_null($fields)) {
184			foreach ($fields as $field) {
185			if ($this->isFileInput($field->type)) {
186			if (Input::hasFile($field->name)) {
187			$new_data[$field->name] = $this->uploadFile($field->name);
188			} else {
189			unset($data[$field->name]);
190			}
191			}
192			}
193			}
194
195			return array_merge($data, $new_data);
196			}
197
198			/**
199			* @param $type
200			* @return bool
201			*/
202			protected function isFileInput($type)
203			{
204			return ($type == 'file' \|\| $type == 'image');
205			}
206
207			/**
208			* This is used for simple upload (no plugins)
209			*
210			* @param $fieldName
211			* @param null $path
212			* @return string
213			*/
214			protected function uploadFile($fieldName, $path = null)
215			{
216			if (!$path) {
217			$path = public_path() . '/uploads/';
218			}
219
220			$file = Input::file($fieldName);
221
222			if (!file_exists($path)) {
223			File::makeDirectory($path);
224			}
225
226			$name = uniqid() . '-' . Str::slug($file->getFilename()) . '.' . $file->guessExtension();
227
228			$file->move($path, $name);
229
230			return $name;
231			}
232
233			/**
234			* @param $modelName
235			* @param $id
236			* @param $field
237			* @return null
238			*/
239			protected function getRelatedFieldOutput($modelName, $id, $field)
			0 ignored issues – show Unused Code introduced 2016-02-25 21:36 UTC by Report Bug Copy Issue Report Show Similar Issues like this The parameter `$modelName` is not used and could be removed. This check looks from parameters that have been defined for a function or method, but which are not used in the method body. Loading history...
240			{
241			if ($id != 0) {
242			$this->handleData($this->model->with($this->modelObject->getRelations())->findOrFail($id));
243			} else {
244			if (Session::has('_set_relation_on_create_' . $this->modelObject->name)) {
245			$relateds = Session::get('_set_relation_on_create_' . $this->modelObject->name);
246			$related_ids = array();
247			foreach ($relateds as $related) {
248			$related_ids[] = $related['id'];
249			}
250
251			$data = $relateds[0]['modelClass']::whereIn('id', $related_ids)->get();
252
253			$this->handleData($data);
254			} else {
255			return null;
256			}
257			}
258
259			return $this->fields[$field]->output();
260			}
261
262			/**
263			* @param $validator
264			* @param string $route
265			* @return $this
266			*/
267			protected function redirect($validator, $route, $id = null)
268			{
269			if (Input::has('_standalone')) {
270			$route_params = array('slug' => Input::get('_standalone'));
271
272			if ($id) {
273			$route_params['id'] = $id;
274			}
275
276			return Redirect::route($route, $route_params)
			0 ignored issues – show Bug introduced 2016-02-25 21:36 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `route()` does not seem to exist on `object<redirect>`. This check looks for calls to methods that do not seem to exist on a given type. It looks for the method on the type itself as well as in inherited classes or implemented interfaces. This is most likely a typographical error or the method has been renamed. Loading history...
277			->withErrors($validator)
278			->withInput();
279			}
280
281			return Redirect::back()->withErrors($validator)->withInput();
			0 ignored issues – show Bug introduced 2016-02-25 21:36 UTC by Report Bug Copy Issue Report Show Similar Issues like this The method `back()` does not seem to exist on `object<redirect>`. This check looks for calls to methods that do not seem to exist on a given type. It looks for the method on the type itself as well as in inherited classes or implemented interfaces. This is most likely a typographical error or the method has been renamed. Loading history...
282			}
283
284			/**
285			* @param $data
286			* @return \Illuminate\Validation\Validator
287			*/
288			protected function validator($data)
289			{
290			return Validator::make($data, $this->getRules());
291			}
292
293			/**
294			* @param $modelName
295			* @param null $data
296			* @param $sort
297			* @return $this
298			*/
299			protected function all($modelName, $data = null, $sort)
300			{
301			$this->handleData($data);
302
303			return View::make($this->getView('all'))
304			->with('items', $this->data)
305			->with('sort', $sort);
306			}
307			}

marcmascarell / laravel-artificer

Issues (85)

Security Analysis not enabled

src/Http/Controllers/BaseModelController.php (4 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like