Inspection of "Merge pull request #36396 from nextcloud/fix/cors" - nextcloud/server - Measure and Improve Code Quality continuously with Scrutinizer

Passed

Push — master ( d33fbb...90d2cb )

by Julius

created 2023-02-17 08:42 UTC

Status

Indentation +105 added lines, -105 removed lines patch added patch discarded remove patch

@@ -45,117 +45,117 @@
 block discarded – undo
  * https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
  */
 class CORSMiddleware extends Middleware {
-	/** @var IRequest  */
-	private $request;
-	/** @var ControllerMethodReflector */
-	private $reflector;
-	/** @var Session */
-	private $session;
-	/** @var Throttler */
-	private $throttler;
+    /** @var IRequest  */
+    private $request;
+    /** @var ControllerMethodReflector */
+    private $reflector;
+    /** @var Session */
+    private $session;
+    /** @var Throttler */
+    private $throttler;
 
-	/**
-	 * @param IRequest $request
-	 * @param ControllerMethodReflector $reflector
-	 * @param Session $session
-	 * @param Throttler $throttler
-	 */
-	public function __construct(IRequest $request,
-								ControllerMethodReflector $reflector,
-								Session $session,
-								Throttler $throttler) {
-		$this->request = $request;
-		$this->reflector = $reflector;
-		$this->session = $session;
-		$this->throttler = $throttler;
-	}
+    /**
+     * @param IRequest $request
+     * @param ControllerMethodReflector $reflector
+     * @param Session $session
+     * @param Throttler $throttler
+     */
+    public function __construct(IRequest $request,
+                                ControllerMethodReflector $reflector,
+                                Session $session,
+                                Throttler $throttler) {
+        $this->request = $request;
+        $this->reflector = $reflector;
+        $this->session = $session;
+        $this->throttler = $throttler;
+    }
 
-	/**
-	 * This is being run in normal order before the controller is being
-	 * called which allows several modifications and checks
-	 *
-	 * @param Controller $controller the controller that is being called
-	 * @param string $methodName the name of the method that will be called on
-	 *                           the controller
-	 * @throws SecurityException
-	 * @since 6.0.0
-	 */
-	public function beforeController($controller, $methodName) {
-		// ensure that @CORS annotated API routes are not used in conjunction
-		// with session authentication since this enables CSRF attack vectors
-		if ($this->reflector->hasAnnotation('CORS') && (!$this->reflector->hasAnnotation('PublicPage') || $this->session->isLoggedIn())) {
-			$user = array_key_exists('PHP_AUTH_USER', $this->request->server) ? $this->request->server['PHP_AUTH_USER'] : null;
-			$pass = array_key_exists('PHP_AUTH_PW', $this->request->server) ? $this->request->server['PHP_AUTH_PW'] : null;
+    /**
+     * This is being run in normal order before the controller is being
+     * called which allows several modifications and checks
+     *
+     * @param Controller $controller the controller that is being called
+     * @param string $methodName the name of the method that will be called on
+     *                           the controller
+     * @throws SecurityException
+     * @since 6.0.0
+     */
+    public function beforeController($controller, $methodName) {
+        // ensure that @CORS annotated API routes are not used in conjunction
+        // with session authentication since this enables CSRF attack vectors
+        if ($this->reflector->hasAnnotation('CORS') && (!$this->reflector->hasAnnotation('PublicPage') || $this->session->isLoggedIn())) {
+            $user = array_key_exists('PHP_AUTH_USER', $this->request->server) ? $this->request->server['PHP_AUTH_USER'] : null;
+            $pass = array_key_exists('PHP_AUTH_PW', $this->request->server) ? $this->request->server['PHP_AUTH_PW'] : null;
 
-			// Allow to use the current session if a CSRF token is provided
-			if ($this->request->passesCSRFCheck()) {
-				return;
-			}
-			$this->session->logout();
-			try {
-				if ($user === null || $pass === null || !$this->session->logClientIn($user, $pass, $this->request, $this->throttler)) {
-					throw new SecurityException('CORS requires basic auth', Http::STATUS_UNAUTHORIZED);
-				}
-			} catch (PasswordLoginForbiddenException $ex) {
-				throw new SecurityException('Password login forbidden, use token instead', Http::STATUS_UNAUTHORIZED);
-			}
-		}
-	}
+            // Allow to use the current session if a CSRF token is provided
+            if ($this->request->passesCSRFCheck()) {
+                return;
+            }
+            $this->session->logout();
+            try {
+                if ($user === null || $pass === null || !$this->session->logClientIn($user, $pass, $this->request, $this->throttler)) {
+                    throw new SecurityException('CORS requires basic auth', Http::STATUS_UNAUTHORIZED);
+                }
+            } catch (PasswordLoginForbiddenException $ex) {
+                throw new SecurityException('Password login forbidden, use token instead', Http::STATUS_UNAUTHORIZED);
+            }
+        }
+    }
 
-	/**
-	 * This is being run after a successful controllermethod call and allows
-	 * the manipulation of a Response object. The middleware is run in reverse order
-	 *
-	 * @param Controller $controller the controller that is being called
-	 * @param string $methodName the name of the method that will be called on
-	 *                           the controller
-	 * @param Response $response the generated response from the controller
-	 * @return Response a Response object
-	 * @throws SecurityException
-	 */
-	public function afterController($controller, $methodName, Response $response) {
-		// only react if its a CORS request and if the request sends origin and
+    /**
+     * This is being run after a successful controllermethod call and allows
+     * the manipulation of a Response object. The middleware is run in reverse order
+     *
+     * @param Controller $controller the controller that is being called
+     * @param string $methodName the name of the method that will be called on
+     *                           the controller
+     * @param Response $response the generated response from the controller
+     * @return Response a Response object
+     * @throws SecurityException
+     */
+    public function afterController($controller, $methodName, Response $response) {
+        // only react if its a CORS request and if the request sends origin and
 
-		if (isset($this->request->server['HTTP_ORIGIN']) &&
-			$this->reflector->hasAnnotation('CORS')) {
-			// allow credentials headers must not be true or CSRF is possible
-			// otherwise
-			foreach ($response->getHeaders() as $header => $value) {
-				if (strtolower($header) === 'access-control-allow-credentials' &&
-				   strtolower(trim($value)) === 'true') {
-					$msg = 'Access-Control-Allow-Credentials must not be '.
-						   'set to true in order to prevent CSRF';
-					throw new SecurityException($msg);
-				}
-			}
+        if (isset($this->request->server['HTTP_ORIGIN']) &&
+            $this->reflector->hasAnnotation('CORS')) {
+            // allow credentials headers must not be true or CSRF is possible
+            // otherwise
+            foreach ($response->getHeaders() as $header => $value) {
+                if (strtolower($header) === 'access-control-allow-credentials' &&
+                   strtolower(trim($value)) === 'true') {
+                    $msg = 'Access-Control-Allow-Credentials must not be '.
+                            'set to true in order to prevent CSRF';
+                    throw new SecurityException($msg);
+                }
+            }
 
-			$origin = $this->request->server['HTTP_ORIGIN'];
-			$response->addHeader('Access-Control-Allow-Origin', $origin);
-		}
-		return $response;
-	}
+            $origin = $this->request->server['HTTP_ORIGIN'];
+            $response->addHeader('Access-Control-Allow-Origin', $origin);
+        }
+        return $response;
+    }
 
-	/**
-	 * If an SecurityException is being caught return a JSON error response
-	 *
-	 * @param Controller $controller the controller that is being called
-	 * @param string $methodName the name of the method that will be called on
-	 *                           the controller
-	 * @param \Exception $exception the thrown exception
-	 * @throws \Exception the passed in exception if it can't handle it
-	 * @return Response a Response object or null in case that the exception could not be handled
-	 */
-	public function afterException($controller, $methodName, \Exception $exception) {
-		if ($exception instanceof SecurityException) {
-			$response = new JSONResponse(['message' => $exception->getMessage()]);
-			if ($exception->getCode() !== 0) {
-				$response->setStatus($exception->getCode());
-			} else {
-				$response->setStatus(Http::STATUS_INTERNAL_SERVER_ERROR);
-			}
-			return $response;
-		}
+    /**
+     * If an SecurityException is being caught return a JSON error response
+     *
+     * @param Controller $controller the controller that is being called
+     * @param string $methodName the name of the method that will be called on
+     *                           the controller
+     * @param \Exception $exception the thrown exception
+     * @throws \Exception the passed in exception if it can't handle it
+     * @return Response a Response object or null in case that the exception could not be handled
+     */
+    public function afterException($controller, $methodName, \Exception $exception) {
+        if ($exception instanceof SecurityException) {
+            $response = new JSONResponse(['message' => $exception->getMessage()]);
+            if ($exception->getCode() !== 0) {
+                $response->setStatus($exception->getCode());
+            } else {
+                $response->setStatus(Http::STATUS_INTERNAL_SERVER_ERROR);
+            }
+            return $response;
+        }
 
-		throw $exception;
-	}
+        throw $exception;
+    }
 }

Please login to merge, or discard this patch.

		@@ -45,117 +45,117 @@
		block discarded – undo
45	45	* https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
46	46	*/
47	47	class CORSMiddleware extends Middleware {
48		- /** @var IRequest */
49		- private $request;
50		- /** @var ControllerMethodReflector */
51		- private $reflector;
52		- /** @var Session */
53		- private $session;
54		- /** @var Throttler */
55		- private $throttler;
	48	+ /** @var IRequest */
	49	+ private $request;
	50	+ /** @var ControllerMethodReflector */
	51	+ private $reflector;
	52	+ /** @var Session */
	53	+ private $session;
	54	+ /** @var Throttler */
	55	+ private $throttler;
56	56
57		- /**
58		- * @param IRequest $request
59		- * @param ControllerMethodReflector $reflector
60		- * @param Session $session
61		- * @param Throttler $throttler
62		- */
63		- public function __construct(IRequest $request,
64		- ControllerMethodReflector $reflector,
65		- Session $session,
66		- Throttler $throttler) {
67		- $this->request = $request;
68		- $this->reflector = $reflector;
69		- $this->session = $session;
70		- $this->throttler = $throttler;
71		- }
	57	+ /**
	58	+ * @param IRequest $request
	59	+ * @param ControllerMethodReflector $reflector
	60	+ * @param Session $session
	61	+ * @param Throttler $throttler
	62	+ */
	63	+ public function __construct(IRequest $request,
	64	+ ControllerMethodReflector $reflector,
	65	+ Session $session,
	66	+ Throttler $throttler) {
	67	+ $this->request = $request;
	68	+ $this->reflector = $reflector;
	69	+ $this->session = $session;
	70	+ $this->throttler = $throttler;
	71	+ }
72	72
73		- /**
74		- * This is being run in normal order before the controller is being
75		- * called which allows several modifications and checks
76		- *
77		- * @param Controller $controller the controller that is being called
78		- * @param string $methodName the name of the method that will be called on
79		- * the controller
80		- * @throws SecurityException
81		- * @since 6.0.0
82		- */
83		- public function beforeController($controller, $methodName) {
84		- // ensure that @CORS annotated API routes are not used in conjunction
85		- // with session authentication since this enables CSRF attack vectors
86		- if ($this->reflector->hasAnnotation('CORS') && (!$this->reflector->hasAnnotation('PublicPage') \|\| $this->session->isLoggedIn())) {
87		- $user = array_key_exists('PHP_AUTH_USER', $this->request->server) ? $this->request->server['PHP_AUTH_USER'] : null;
88		- $pass = array_key_exists('PHP_AUTH_PW', $this->request->server) ? $this->request->server['PHP_AUTH_PW'] : null;
	73	+ /**
	74	+ * This is being run in normal order before the controller is being
	75	+ * called which allows several modifications and checks
	76	+ *
	77	+ * @param Controller $controller the controller that is being called
	78	+ * @param string $methodName the name of the method that will be called on
	79	+ * the controller
	80	+ * @throws SecurityException
	81	+ * @since 6.0.0
	82	+ */
	83	+ public function beforeController($controller, $methodName) {
	84	+ // ensure that @CORS annotated API routes are not used in conjunction
	85	+ // with session authentication since this enables CSRF attack vectors
	86	+ if ($this->reflector->hasAnnotation('CORS') && (!$this->reflector->hasAnnotation('PublicPage') \|\| $this->session->isLoggedIn())) {
	87	+ $user = array_key_exists('PHP_AUTH_USER', $this->request->server) ? $this->request->server['PHP_AUTH_USER'] : null;
	88	+ $pass = array_key_exists('PHP_AUTH_PW', $this->request->server) ? $this->request->server['PHP_AUTH_PW'] : null;
89	89
90		- // Allow to use the current session if a CSRF token is provided
91		- if ($this->request->passesCSRFCheck()) {
92		- return;
93		- }
94		- $this->session->logout();
95		- try {
96		- if ($user === null \|\| $pass === null \|\| !$this->session->logClientIn($user, $pass, $this->request, $this->throttler)) {
97		- throw new SecurityException('CORS requires basic auth', Http::STATUS_UNAUTHORIZED);
98		- }
99		- } catch (PasswordLoginForbiddenException $ex) {
100		- throw new SecurityException('Password login forbidden, use token instead', Http::STATUS_UNAUTHORIZED);
101		- }
102		- }
103		- }
	90	+ // Allow to use the current session if a CSRF token is provided
	91	+ if ($this->request->passesCSRFCheck()) {
	92	+ return;
	93	+ }
	94	+ $this->session->logout();
	95	+ try {
	96	+ if ($user === null \|\| $pass === null \|\| !$this->session->logClientIn($user, $pass, $this->request, $this->throttler)) {
	97	+ throw new SecurityException('CORS requires basic auth', Http::STATUS_UNAUTHORIZED);
	98	+ }
	99	+ } catch (PasswordLoginForbiddenException $ex) {
	100	+ throw new SecurityException('Password login forbidden, use token instead', Http::STATUS_UNAUTHORIZED);
	101	+ }
	102	+ }
	103	+ }
104	104
105		- /**
106		- * This is being run after a successful controllermethod call and allows
107		- * the manipulation of a Response object. The middleware is run in reverse order
108		- *
109		- * @param Controller $controller the controller that is being called
110		- * @param string $methodName the name of the method that will be called on
111		- * the controller
112		- * @param Response $response the generated response from the controller
113		- * @return Response a Response object
114		- * @throws SecurityException
115		- */
116		- public function afterController($controller, $methodName, Response $response) {
117		- // only react if its a CORS request and if the request sends origin and
	105	+ /**
	106	+ * This is being run after a successful controllermethod call and allows
	107	+ * the manipulation of a Response object. The middleware is run in reverse order
	108	+ *
	109	+ * @param Controller $controller the controller that is being called
	110	+ * @param string $methodName the name of the method that will be called on
	111	+ * the controller
	112	+ * @param Response $response the generated response from the controller
	113	+ * @return Response a Response object
	114	+ * @throws SecurityException
	115	+ */
	116	+ public function afterController($controller, $methodName, Response $response) {
	117	+ // only react if its a CORS request and if the request sends origin and
118	118
119		- if (isset($this->request->server['HTTP_ORIGIN']) &&
120		- $this->reflector->hasAnnotation('CORS')) {
121		- // allow credentials headers must not be true or CSRF is possible
122		- // otherwise
123		- foreach ($response->getHeaders() as $header => $value) {
124		- if (strtolower($header) === 'access-control-allow-credentials' &&
125		- strtolower(trim($value)) === 'true') {
126		- $msg = 'Access-Control-Allow-Credentials must not be '.
127		- 'set to true in order to prevent CSRF';
128		- throw new SecurityException($msg);
129		- }
130		- }
	119	+ if (isset($this->request->server['HTTP_ORIGIN']) &&
	120	+ $this->reflector->hasAnnotation('CORS')) {
	121	+ // allow credentials headers must not be true or CSRF is possible
	122	+ // otherwise
	123	+ foreach ($response->getHeaders() as $header => $value) {
	124	+ if (strtolower($header) === 'access-control-allow-credentials' &&
	125	+ strtolower(trim($value)) === 'true') {
	126	+ $msg = 'Access-Control-Allow-Credentials must not be '.
	127	+ 'set to true in order to prevent CSRF';
	128	+ throw new SecurityException($msg);
	129	+ }
	130	+ }
131	131
132		- $origin = $this->request->server['HTTP_ORIGIN'];
133		- $response->addHeader('Access-Control-Allow-Origin', $origin);
134		- }
135		- return $response;
136		- }
	132	+ $origin = $this->request->server['HTTP_ORIGIN'];
	133	+ $response->addHeader('Access-Control-Allow-Origin', $origin);
	134	+ }
	135	+ return $response;
	136	+ }
137	137
138		- /**
139		- * If an SecurityException is being caught return a JSON error response
140		- *
141		- * @param Controller $controller the controller that is being called
142		- * @param string $methodName the name of the method that will be called on
143		- * the controller
144		- * @param \Exception $exception the thrown exception
145		- * @throws \Exception the passed in exception if it can't handle it
146		- * @return Response a Response object or null in case that the exception could not be handled
147		- */
148		- public function afterException($controller, $methodName, \Exception $exception) {
149		- if ($exception instanceof SecurityException) {
150		- $response = new JSONResponse(['message' => $exception->getMessage()]);
151		- if ($exception->getCode() !== 0) {
152		- $response->setStatus($exception->getCode());
153		- } else {
154		- $response->setStatus(Http::STATUS_INTERNAL_SERVER_ERROR);
155		- }
156		- return $response;
157		- }
	138	+ /**
	139	+ * If an SecurityException is being caught return a JSON error response
	140	+ *
	141	+ * @param Controller $controller the controller that is being called
	142	+ * @param string $methodName the name of the method that will be called on
	143	+ * the controller
	144	+ * @param \Exception $exception the thrown exception
	145	+ * @throws \Exception the passed in exception if it can't handle it
	146	+ * @return Response a Response object or null in case that the exception could not be handled
	147	+ */
	148	+ public function afterException($controller, $methodName, \Exception $exception) {
	149	+ if ($exception instanceof SecurityException) {
	150	+ $response = new JSONResponse(['message' => $exception->getMessage()]);
	151	+ if ($exception->getCode() !== 0) {
	152	+ $response->setStatus($exception->getCode());
	153	+ } else {
	154	+ $response->setStatus(Http::STATUS_INTERNAL_SERVER_ERROR);
	155	+ }
	156	+ return $response;
	157	+ }
158	158
159		- throw $exception;
160		- }
	159	+ throw $exception;
	160	+ }
161	161	}

nextcloud / server

Push — master ( d33fbb...90d2cb )

Status

Category

Indentation +105 added lines, -105 removed lines patch added patch discarded remove patch