View GitHub Repository TeamPass

Schedule Inspection
Subscribe
Passed
Push — master ( bda737...e0ed8e )
by Nils
09:32
created

BaseController::getUriSegments()   A

↳ Parent: BaseController

Complexity

Conditions 1
Paths 1

Size

Total Lines 6
Code Lines 3

Duplication

Lines 0
Ratio 0 %

Importance

Changes 1
Bugs 0 Features 0
Metric Value
cc 1
eloc 3
c 1
b 0
f 0
nc 1
nop 0
dl 0
loc 6
rs 10
1 
<?php
2 
/**
3 
 * Teampass - a collaborative passwords manager.
4 
 * ---
5 
 * This library is distributed in the hope that it will be useful,
6 
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
7 
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
8 
 * ---
9 
 *
10 
 * @project   Teampass API
11 
 *
12 
 * @file      BaseController.php
13 
 * ---
14 
 *
15 
 * @author    Nils Laumaillé ([email protected])
16 
 *
17 
 * @copyright 2009-2022 Teampass.net
18 
 *
19 
 * @license   https://spdx.org/licenses/GPL-3.0-only.html#licenseText GPL-3.0
20 
 * ---
21 
 *
22 
 * @see       https://www.teampass.net
23 
 */
24 
class BaseController
25 
{
26 
    /**
27 
     * __call magic method.
28 
     */
29 
    public function __call($name, $arguments)
30 
    {
31 
        $this->sendOutput('', array('HTTP/1.1 404 Not Found'));
32 
    }
33
34 
    /**
35 
     * Get URI elements.
36 
     *
37 
     * @return array
38 
     */
39 
    protected function getUriSegments()
40 
    {
41 
        $uri = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
42 
        $uri = explode( '/', $uri );
43
44 
        return $uri;
45 
    }
46
47 
    /**
48 
     * Get querystring params.
49 
     *
50 
     * @return array
51 
     */
52 
    protected function getQueryStringParams()
53 
    {
54 
        return parse_str($_SERVER['QUERY_STRING'], $query);
0 ignored issues
show
Bug introduced by
Are you sure the usage of parse_str($_SERVER['QUERY_STRING'], $query) is correct as it seems to always return null.

This check looks for function or method calls that always return null and whose return value is used.

class A
{
    function getObject()
    {
        return null;
    }

}

$a = new A();
if ($a->getObject()) {

The method getObject() can return nothing but null, so it makes no sense to use the return value.

The reason is most likely that a function or method is imcomplete or has been reduced for debug purposes.

Loading history...
Bug Best Practice introduced by
The expression return parse_str($_SERVE...QUERY_STRING'], $query) returns the type void which is incompatible with the documented return type array.
Loading history...
Security Variable Injection introduced by
$_SERVER['QUERY_STRING'] can contain request data and is used in variable name context(s) leading to a potential security vulnerability.

1 path for user data to reach this point

  1. Read tainted data from array
    in api/Controller/Api/BaseController.php on line 54

General Strategies to prevent injection

In general, it is advisable to prevent any user-data to reach this point. This can be done by white-listing certain values: 

if ( ! in_array($value, array('this-is-allowed', 'and-this-too'), true)) {
    throw new \InvalidArgumentException('This input is not allowed.');
}

For numeric data, we recommend to explicitly cast the data: 

$sanitized = (integer) $tainted;
Loading history...
55 
    }
56
57 
    /**
58 
     * Send API output.
59 
     *
60 
     * @param mixed  $data
61 
     * @param string $httpHeader
62 
     */
63 
    protected function sendOutput($data, $httpHeaders=array())
64 
    {
65 
        header_remove('Set-Cookie');
66
67 
        if (is_array($httpHeaders) && count($httpHeaders)) {
68 
            foreach ($httpHeaders as $httpHeader) {
69 
                header($httpHeader);
70 
            }
71 
        }
72
73 
        echo $data;
74 
        exit;
0 ignored issues
show
Best Practice introduced by
Using exit here is not recommended.

In general, usage of exit should be done with care and only when running in a scripting context like a CLI script.

Loading history...
75 
    }
76 
}