Push — master ( aa785d...4a0272 )
by Joas
19:11 queued 16s
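--- a/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php
+++ b/lib/private/AppFramework/Middleware/Security/CORSMiddleware.php
@@ -45,114 +45,114 @@
  * https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
  */
 class CORSMiddleware extends Middleware {
-	/** @var IRequest  */
-	private $request;
-	/** @var ControllerMethodReflector */
-	private $reflector;
-	/** @var Session */
-	private $session;
-	/** @var Throttler */
-	private $throttler;
+    /** @var IRequest  */
+    private $request;
+    /** @var ControllerMethodReflector */
+    private $reflector;
+    /** @var Session */
+    private $session;
+    /** @var Throttler */
+    private $throttler;
 
-	/**
-	 * @param IRequest $request
-	 * @param ControllerMethodReflector $reflector
-	 * @param Session $session
-	 * @param Throttler $throttler
-	 */
-	public function __construct(IRequest $request,
-								ControllerMethodReflector $reflector,
-								Session $session,
-								Throttler $throttler) {
-		$this->request = $request;
-		$this->reflector = $reflector;
-		$this->session = $session;
-		$this->throttler = $throttler;
-	}
+    /**
+     * @param IRequest $request
+     * @param ControllerMethodReflector $reflector
+     * @param Session $session
+     * @param Throttler $throttler
+     */
+    public function __construct(IRequest $request,
+                                ControllerMethodReflector $reflector,
+                                Session $session,
+                                Throttler $throttler) {
+        $this->request = $request;
+        $this->reflector = $reflector;
+        $this->session = $session;
+        $this->throttler = $throttler;
+    }
 
-	/**
-	 * This is being run in normal order before the controller is being
-	 * called which allows several modifications and checks
-	 *
-	 * @param Controller $controller the controller that is being called
-	 * @param string $methodName the name of the method that will be called on
-	 *                           the controller
-	 * @throws SecurityException
-	 * @since 6.0.0
-	 */
-	public function beforeController($controller, $methodName) {
-		// ensure that @CORS annotated API routes are not used in conjunction
-		// with session authentication since this enables CSRF attack vectors
-		if ($this->reflector->hasAnnotation('CORS') && !$this->reflector->hasAnnotation('PublicPage')) {
-			$user = array_key_exists('PHP_AUTH_USER', $this->request->server) ? $this->request->server['PHP_AUTH_USER'] : null;
-			$pass = array_key_exists('PHP_AUTH_PW', $this->request->server) ? $this->request->server['PHP_AUTH_PW'] : null;
+    /**
+     * This is being run in normal order before the controller is being
+     * called which allows several modifications and checks
+     *
+     * @param Controller $controller the controller that is being called
+     * @param string $methodName the name of the method that will be called on
+     *                           the controller
+     * @throws SecurityException
+     * @since 6.0.0
+     */
+    public function beforeController($controller, $methodName) {
+        // ensure that @CORS annotated API routes are not used in conjunction
+        // with session authentication since this enables CSRF attack vectors
+        if ($this->reflector->hasAnnotation('CORS') && !$this->reflector->hasAnnotation('PublicPage')) {
+            $user = array_key_exists('PHP_AUTH_USER', $this->request->server) ? $this->request->server['PHP_AUTH_USER'] : null;
+            $pass = array_key_exists('PHP_AUTH_PW', $this->request->server) ? $this->request->server['PHP_AUTH_PW'] : null;
 
-			$this->session->logout();
-			try {
-				if ($user === null || $pass === null || !$this->session->logClientIn($user, $pass, $this->request, $this->throttler)) {
-					throw new SecurityException('CORS requires basic auth', Http::STATUS_UNAUTHORIZED);
-				}
-			} catch (PasswordLoginForbiddenException $ex) {
-				throw new SecurityException('Password login forbidden, use token instead', Http::STATUS_UNAUTHORIZED);
-			}
-		}
-	}
+            $this->session->logout();
+            try {
+                if ($user === null || $pass === null || !$this->session->logClientIn($user, $pass, $this->request, $this->throttler)) {
+                    throw new SecurityException('CORS requires basic auth', Http::STATUS_UNAUTHORIZED);
+                }
+            } catch (PasswordLoginForbiddenException $ex) {
+                throw new SecurityException('Password login forbidden, use token instead', Http::STATUS_UNAUTHORIZED);
+            }
+        }
+    }
 
-	/**
-	 * This is being run after a successful controllermethod call and allows
-	 * the manipulation of a Response object. The middleware is run in reverse order
-	 *
-	 * @param Controller $controller the controller that is being called
-	 * @param string $methodName the name of the method that will be called on
-	 *                           the controller
-	 * @param Response $response the generated response from the controller
-	 * @return Response a Response object
-	 * @throws SecurityException
-	 */
-	public function afterController($controller, $methodName, Response $response) {
-		// only react if its a CORS request and if the request sends origin and
+    /**
+     * This is being run after a successful controllermethod call and allows
+     * the manipulation of a Response object. The middleware is run in reverse order
+     *
+     * @param Controller $controller the controller that is being called
+     * @param string $methodName the name of the method that will be called on
+     *                           the controller
+     * @param Response $response the generated response from the controller
+     * @return Response a Response object
+     * @throws SecurityException
+     */
+    public function afterController($controller, $methodName, Response $response) {
+        // only react if its a CORS request and if the request sends origin and
 
-		if (isset($this->request->server['HTTP_ORIGIN']) &&
-			$this->reflector->hasAnnotation('CORS')) {
+        if (isset($this->request->server['HTTP_ORIGIN']) &&
+            $this->reflector->hasAnnotation('CORS')) {
 
-			// allow credentials headers must not be true or CSRF is possible
-			// otherwise
-			foreach ($response->getHeaders() as $header => $value) {
-				if (strtolower($header) === 'access-control-allow-credentials' &&
-				   strtolower(trim($value)) === 'true') {
-					$msg = 'Access-Control-Allow-Credentials must not be '.
-						   'set to true in order to prevent CSRF';
-					throw new SecurityException($msg);
-				}
-			}
+            // allow credentials headers must not be true or CSRF is possible
+            // otherwise
+            foreach ($response->getHeaders() as $header => $value) {
+                if (strtolower($header) === 'access-control-allow-credentials' &&
+                   strtolower(trim($value)) === 'true') {
+                    $msg = 'Access-Control-Allow-Credentials must not be '.
+                            'set to true in order to prevent CSRF';
+                    throw new SecurityException($msg);
+                }
+            }
 
-			$origin = $this->request->server['HTTP_ORIGIN'];
-			$response->addHeader('Access-Control-Allow-Origin', $origin);
-		}
-		return $response;
-	}
+            $origin = $this->request->server['HTTP_ORIGIN'];
+            $response->addHeader('Access-Control-Allow-Origin', $origin);
+        }
+        return $response;
+    }
 
-	/**
-	 * If an SecurityException is being caught return a JSON error response
-	 *
-	 * @param Controller $controller the controller that is being called
-	 * @param string $methodName the name of the method that will be called on
-	 *                           the controller
-	 * @param \Exception $exception the thrown exception
-	 * @throws \Exception the passed in exception if it can't handle it
-	 * @return Response a Response object or null in case that the exception could not be handled
-	 */
-	public function afterException($controller, $methodName, \Exception $exception) {
-		if ($exception instanceof SecurityException) {
-			$response = new JSONResponse(['message' => $exception->getMessage()]);
-			if ($exception->getCode() !== 0) {
-				$response->setStatus($exception->getCode());
-			} else {
-				$response->setStatus(Http::STATUS_INTERNAL_SERVER_ERROR);
-			}
-			return $response;
-		}
+    /**
+     * If an SecurityException is being caught return a JSON error response
+     *
+     * @param Controller $controller the controller that is being called
+     * @param string $methodName the name of the method that will be called on
+     *                           the controller
+     * @param \Exception $exception the thrown exception
+     * @throws \Exception the passed in exception if it can't handle it
+     * @return Response a Response object or null in case that the exception could not be handled
+     */
+    public function afterException($controller, $methodName, \Exception $exception) {
+        if ($exception instanceof SecurityException) {
+            $response = new JSONResponse(['message' => $exception->getMessage()]);
+            if ($exception->getCode() !== 0) {
+                $response->setStatus($exception->getCode());
+            } else {
+                $response->setStatus(Http::STATUS_INTERNAL_SERVER_ERROR);
+            }
+            return $response;
+        }
 
-		throw $exception;
-	}
+        throw $exception;
+    }
 }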