Bootup::filterRequestUri() - Code Metrics - Inspection of "2.1.27" - nilsteampassnet/TeamPass - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — development ( eda7c5...09d583 )

by Nils

created 2017-07-09 13:37 UTC

Bootup::filterRequestUri() B

↳ Parent: Bootup

Complexity

Conditions	8
Paths	9

Size

Total Lines	57
Code Lines	29

Duplication

Lines	0
Ratio	0 %

Importance

Changes

Metric	Value
cc	8
eloc	29
nc	9
nop	2
dl	0
loc	57
rs	7.2648
c	0
b	0
f	0

How to fix Long Method

<?php

namespace protect\AntiXSS;

/**
 * Class Bootup
 *
 * this is a bootstrap for the polyfills (iconv / intl / mbstring / normalizer / xml)
 *
 * @package voku\helper
 */
class Bootup
{
  /**
   * filter request inputs
   *
   * Ensures inputs are well formed UTF-8
   * When not, assumes Windows-1252 and converts to UTF-8
   * Tests only values, not keys
   *
   * @param int    $normalization_form
   * @param string $leading_combining
   */
  public static function filterRequestInputs($normalization_form = 4 /* n::NFC */, $leading_combining = '◌')
  {
    $a = array(
        &$_FILES,
        &$_ENV,
        &$_GET,
        &$_POST,
        &$_COOKIE,
        &$_SERVER,
        &$_REQUEST,
    );

    /** @noinspection ReferenceMismatchInspection */
    /** @noinspection ForeachSourceInspection */
    foreach ($a[0] as &$r) {
      $a[] = array(
          &$r['name'],
          &$r['type'],
      );
    }
    unset($r, $a[0]);

    $len = count($a) + 1;
    for ($i = 1; $i < $len; ++$i) {
      /** @noinspection ReferenceMismatchInspection */
      /** @noinspection ForeachSourceInspection */
      foreach ($a[$i] as &$r) {
        /** @noinspection ReferenceMismatchInspection */
        $s = $r; // $r is a reference, $s a copy
        if (is_array($s)) {
          $a[$len++] = &$r;
        } else {
          $r = self::filterString($s, $normalization_form, $leading_combining);
        }
      }
      unset($r, $a[$i]);
    }
  }

  /**
   * Filter current REQUEST_URI .
   *
   * @param string|null $uri <p>If null is set, then the server REQUEST_URI will be used.</p>
   * @param bool        $exit
   *
   * @return mixed
   */
  public static function filterRequestUri($uri = null, $exit = true)
  {
    if (!isset($uri)) {

      if (!isset($_SERVER['REQUEST_URI'])) {
        return false;
      }

      $uri = $_SERVER['REQUEST_URI'];
    }

    $uriOrig = $uri;

    //
    // Ensures the URL is well formed UTF-8
    //

    if (preg_match('//u', urldecode($uri))) {
      return $uri;
    }

    //
    // When not, assumes Windows-1252 and redirects to the corresponding UTF-8 encoded URL
    //

    $uri = preg_replace_callback(
        '/[\x80-\xFF]+/',
        function ($m) {
          return urlencode($m[0]);
        },
        $uri
    );

    $uri = preg_replace_callback(
        '/(?:%[89A-F][0-9A-F])+/i',
        function ($m) {
          return urlencode(UTF8::encode('UTF-8', urldecode($m[0])));
        },
        $uri
    );

    if (
        $uri !== $uriOrig
        &&
        $exit === true
        &&
        headers_sent() === false
    ) {
      // Use ob_start() to buffer content and avoid problem of headers already sent...
      $severProtocol = (isset($_SERVER['SERVER_PROTOCOL']) ? $_SERVER['SERVER_PROTOCOL'] : 'HTTP/1.1');
      header($severProtocol . ' 301 Moved Permanently');
      header('Location: ' . $uri);
if ( ! in_array($value, array('this-is-allowed', 'and-this-too'), true)) {
    throw new \InvalidArgumentException('This input is not allowed.');
}
      exit();
    }

    return $uri;
  }

  /**
   * Normalizes to UTF-8 NFC, converting from WINDOWS-1252 when needed.
   *
   * @param string $s
   * @param int    $normalization_form
   * @param string $leading_combining
   *
   * @return string
   */
  public static function filterString($s, $normalization_form = 4 /* n::NFC */, $leading_combining = '◌')
  {
    return UTF8::filter($s, $normalization_form, $leading_combining);
  }

  /**
   * Get random bytes via "random_bytes()" (+ polyfill).
   *
   * @ref https://github.com/paragonie/random_compat/
   *
   * @param  int $length Output length
   *
   * @return  string|false false on error
   */
  public static function get_random_bytes($length)
  {
    if (!$length) {
      return false;
    }

    $length = (int)$length;

    if ($length <= 0) {
      return false;
    }

    return random_bytes($length);
  }

  /**
   * bootstrap
   */
  public static function initAll()
  {
    ini_set('default_charset', 'UTF-8');

    // everything is init via composer, so we are done here ...
  }

  /**
   * Determines if the current version of PHP is equal to or greater than the supplied value.
   *
   * @param string $version
   *
   * @return bool <p>Return <strong>true</strong> if the current version is $version or higher</p>
   */
  public static function is_php($version)
  {
    static $_IS_PHP;

    $version = (string)$version;

    if (!isset($_IS_PHP[$version])) {
      $_IS_PHP[$version] = version_compare(PHP_VERSION, $version, '>=');
    }

    return $_IS_PHP[$version];
  }
}

1			<?php
2
3			namespace protect\AntiXSS;
4
5			/**
6			* Class Bootup
7			*
8			* this is a bootstrap for the polyfills (iconv / intl / mbstring / normalizer / xml)
9			*
10			* @package voku\helper
11			*/
12			class Bootup
13			{
14			/**
15			* filter request inputs
16			*
17			* Ensures inputs are well formed UTF-8
18			* When not, assumes Windows-1252 and converts to UTF-8
19			* Tests only values, not keys
20			*
21			* @param int $normalization_form
22			* @param string $leading_combining
23			*/
24			public static function filterRequestInputs($normalization_form = 4 /* n::NFC */, $leading_combining = '◌')
25			{
26			$a = array(
27			&$_FILES,
28			&$_ENV,
29			&$_GET,
30			&$_POST,
31			&$_COOKIE,
32			&$_SERVER,
33			&$_REQUEST,
34			);
35
36			/** @noinspection ReferenceMismatchInspection */
37			/** @noinspection ForeachSourceInspection */
38			foreach ($a[0] as &$r) {
39			$a[] = array(
40			&$r['name'],
41			&$r['type'],
42			);
43			}
44			unset($r, $a[0]);
45
46			$len = count($a) + 1;
47			for ($i = 1; $i < $len; ++$i) {
48			/** @noinspection ReferenceMismatchInspection */
49			/** @noinspection ForeachSourceInspection */
50			foreach ($a[$i] as &$r) {
51			/** @noinspection ReferenceMismatchInspection */
52			$s = $r; // $r is a reference, $s a copy
53			if (is_array($s)) {
54			$a[$len++] = &$r;
55			} else {
56			$r = self::filterString($s, $normalization_form, $leading_combining);
57			}
58			}
59			unset($r, $a[$i]);
60			}
61			}
62
63			/**
64			* Filter current REQUEST_URI .
65			*
66			* @param string\|null $uri <p>If null is set, then the server REQUEST_URI will be used.</p>
67			* @param bool $exit
68			*
69			* @return mixed
70			*/
71			public static function filterRequestUri($uri = null, $exit = true)
72			{
73			if (!isset($uri)) {
74
75			if (!isset($_SERVER['REQUEST_URI'])) {
76			return false;
77			}
78
79			$uri = $_SERVER['REQUEST_URI'];
80			}
81
82			$uriOrig = $uri;
83
84			//
85			// Ensures the URL is well formed UTF-8
86			//
87
88			if (preg_match('//u', urldecode($uri))) {
89			return $uri;
90			}
91
92			//
93			// When not, assumes Windows-1252 and redirects to the corresponding UTF-8 encoded URL
94			//
95
96			$uri = preg_replace_callback(
97			'/[\x80-\xFF]+/',
98			function ($m) {
99			return urlencode($m[0]);
100			},
101			$uri
102			);
103
104			$uri = preg_replace_callback(
105			'/(?:%[89A-F][0-9A-F])+/i',
106			function ($m) {
107			return urlencode(UTF8::encode('UTF-8', urldecode($m[0])));
108			},
109			$uri
110			);
111
112			if (
113			$uri !== $uriOrig
114			&&
115			$exit === true
116			&&
117			headers_sent() === false
118			) {
119			// Use ob_start() to buffer content and avoid problem of headers already sent...
120			$severProtocol = (isset($_SERVER['SERVER_PROTOCOL']) ? $_SERVER['SERVER_PROTOCOL'] : 'HTTP/1.1');
121			header($severProtocol . ' 301 Moved Permanently');
122			header('Location: ' . $uri);
			0 ignored issues – show Security Response Splitting introduced 2017-07-09 13:44 UTC by Report Bug Copy Issue Report `'Location: ' . $uri` can contain request data and is used in response header context(s) leading to a potential security vulnerability. 1 path for user data to reach this point Fetching key `REQUEST_URI` from `$_SERVER,` and `$uri` is assigned in includes/libraries/protect/AntiXSS/bootup.php on line 79 `$uri` is passed through preg_replace_callback() in includes/libraries/protect/AntiXSS/bootup.php on line 101 `$uri` is assigned in includes/libraries/protect/AntiXSS/bootup.php on line 96 `$uri` is passed through preg_replace_callback() in includes/libraries/protect/AntiXSS/bootup.php on line 109 `$uri` is assigned in includes/libraries/protect/AntiXSS/bootup.php on line 104 Response Splitting Attacks Allowing an attacker to set a response header, opens your application to response splitting attacks; effectively allowing an attacker to send any response, he would like. General Strategies to prevent injection In general, it is advisable to prevent any user-data to reach this point. This can be done by white-listing certain values: if ( ! in_array($value, array('this-is-allowed', 'and-this-too'), true)) { throw new \InvalidArgumentException('This input is not allowed.'); } For numeric data, we recommend to explicitly cast the data: $sanitized = (integer) $tainted; Loading history...
123			exit();
124			}
125
126			return $uri;
127			}
128
129			/**
130			* Normalizes to UTF-8 NFC, converting from WINDOWS-1252 when needed.
131			*
132			* @param string $s
133			* @param int $normalization_form
134			* @param string $leading_combining
135			*
136			* @return string
137			*/
138			public static function filterString($s, $normalization_form = 4 /* n::NFC */, $leading_combining = '◌')
139			{
140			return UTF8::filter($s, $normalization_form, $leading_combining);
141			}
142
143			/**
144			* Get random bytes via "random_bytes()" (+ polyfill).
145			*
146			* @ref https://github.com/paragonie/random_compat/
147			*
148			* @param int $length Output length
149			*
150			* @return string\|false false on error
151			*/
152			public static function get_random_bytes($length)
153			{
154			if (!$length) {
155			return false;
156			}
157
158			$length = (int)$length;
159
160			if ($length <= 0) {
161			return false;
162			}
163
164			return random_bytes($length);
165			}
166
167			/**
168			* bootstrap
169			*/
170			public static function initAll()
171			{
172			ini_set('default_charset', 'UTF-8');
173
174			// everything is init via composer, so we are done here ...
175			}
176
177			/**
178			* Determines if the current version of PHP is equal to or greater than the supplied value.
179			*
180			* @param string $version
181			*
182			* @return bool <p>Return <strong>true</strong> if the current version is $version or higher</p>
183			*/
184			public static function is_php($version)
185			{
186			static $_IS_PHP;
187
188			$version = (string)$version;
189
190			if (!isset($_IS_PHP[$version])) {
191			$_IS_PHP[$version] = version_compare(PHP_VERSION, $version, '>=');
192			}
193
194			return $_IS_PHP[$version];
195			}
196			}

nilsteampassnet / TeamPass

Push — development ( eda7c5...09d583 )

Bootup::filterRequestUri() B

Complexity

Size

Duplication

Importance

How to fix Long Method

Long Method

1 path for user data to reach this point

Response Splitting Attacks

General Strategies to prevent injection

Duplication Side-by-Side

Filter issues like