Issues in Resource.php (master) - Issues in master - oscer-io/oscer - Measure and Improve Code Quality continuously with Scrutinizer

Issues (64)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Backend/Resources/Resource.php (1 issue)

Labels

Bug 1

Severity

Critical 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace Oscer\Cms\Backend\Resources;

use Illuminate\Database\Eloquent\Model;
use Illuminate\Http\Request;
use Illuminate\Http\Resources\ConditionallyLoadsAttributes;
use Illuminate\Support\Collection;
use Illuminate\Support\Facades\Validator as ValidatorFactory;
use Illuminate\Support\Str;
use Illuminate\Validation\ValidationException;
use Illuminate\Validation\Validator;
use Oscer\Cms\Backend\Resources\Fields\Field;

abstract class Resource implements \JsonSerializable
{
    use ConditionallyLoadsAttributes;

    public static string $model;


    protected Model $resourceModel;

    protected Collection $fields;

    protected array $additionalValidationRules = [];

    protected bool $displayShowButtonOnIndex = true;

    protected bool $displayEditButtonOnIndex = true;

    public function __construct(Model $resourceModel)
    {
        $this->resourceModel = $resourceModel;
        $this->fields = new Collection();
    }

    /**
     * This method needs to be implemented by the extending Form.
     * It has to return a Collection of Field instances.
     */
    abstract public function fields(): Collection;

    /**
     * This method resolves all the fields values from the single fields
     * depending on the current resource.
     */
    protected function resolveFields()
    {
        // if this method was not executed
        if ($this->fields->isEmpty()) {
            // temporary variable to get a flat collection of fields
            $fields = new Collection();
            // Iterate over the collection returned by the fields method
            $this->fields()->each(function ($field) use ($fields) {
                // These instances can also be cards
                if ($field instanceof Card) {
                    // if it is a card we need all its fields...
                    foreach ($field->fields as $fieldInCard) {
                        // We need to resolve the values for the fields from the resource model.
                        $fieldInCard->resolve($this->resourceModel);
                        // add them to our temporary collection
                        $fields->add($fieldInCard);
                    }
                } elseif ($field instanceof Field) {
                    // the rest should be field instances...
                    if (! $field->card) {
                        // Assign the default card to all fields without card assignment
                        $field->card = 'default';
                    }
                    $field->resolve($this->resourceModel);
                    // add them to our temporary collection
                    $fields->add($field);
                }
            });

            // We need to resolve the values for the fields from the resource model.
            // The result will be assigned to the fields property of this resource.
            $this->fields = $fields;
        }

        // Return the fields
        return $this->fields;
    }

    protected function filteredFields(Request $request): Collection
    {
        return $this->resolveFields()->filter(function (Field $field) use ($request) {
            return ! $field->shouldBeRemoved($request);
        });
    }

    /**
     * This method returns all validation rules form the fields and merges them
     * with the "additionalValidationRules" for validation beyond fields.
     */
    protected function getValidationRules(Request $request)
    {
        return array_merge(
            $this->filteredFields($request)
                ->reduce(function ($rules, Field $field) use ($request) {
                    $rules[$field->name] = $this->resourceModel->id === null
                        ? $field->getCreationRules()
                        : $field->getUpdateRules();

                    return $rules;
                }, []),
            $this->additionalValidationRules
        );
    }

    /**
     * This method creates a validator with the rules form the relevant fields.
     */
    protected function createValidator(Request $request): Validator
    {
        $rules = $this->getValidationRules($request);

        return ValidatorFactory::make($request->all(), $rules);
    }

    /**
     * The "save" method is executed when a form will be submitted.
     * It executes the validator and fills the resource with
     * the updated values from the request.
     */
    public function save(Request $request): Model
    {
        $validator = $this->createValidator($request);

        if ($validator->fails()) {
            throw new ValidationException($validator);
        }

        $this->filteredFields($request)
            ->each(function (Field $field) use ($request) {
                $field->fill($this->resourceModel, $request);
            });

        $this->beforeSave($request);

        $this->resourceModel->save();

        return $this->resourceModel;
    }

    /**
     * This method can be used to alter the resource before it will be saved.
     */
    public function beforeSave(Request $request)
    {
        //
    }

    /**
     * If we have a field which has the "filled" validation rule we have to strip null values
     * from the form. this happens on the client side. This method abstracts the logic.
     */
    protected function shouldRemoveNullValues(): bool
    {
        $rules = $this->resolveFields()->reduce(function ($result, Field $field) {
            foreach ($field->rules as $rule) {
                $result[] = $rule;
            }

            return $result;
        }, []);

        return in_array('filled', $rules);
    }

    public function labels()
    {
        return [
            'buttons' => [
                'create' => __('cms::resources.buttons.create', ['resource' => class_basename($this->resourceModel)]),
                'edit' => __('cms::resources.buttons.edit', ['resource' => class_basename($this->resourceModel)]),
                'save' => __('cms::resources.buttons.save', ['resource' => class_basename($this->resourceModel)]),
                'cancel' => __('cms::resources.buttons.cancel'),
            ],
            'titles' => [
                'index' => __('cms::resources.titles.index', ['resources' => Str::plural(class_basename($this->resourceModel))]),
                'detail' => __('cms::resources.titles.detail', ['resource' => class_basename($this->resourceModel)]),
                'create' => __('cms::resources.titles.create', ['resource' => class_basename($this->resourceModel)]),
                'update' => __('cms::resources.titles.update', ['resource' => class_basename($this->resourceModel)]),
            ],
            'index' => [
                'search' => __('cms::resources.index.search'),
            ],
        ];
    }

    protected function hasDetailView(): bool
    {
        return true;
    }

    protected function defaultCard()
    {
        return new Card('default', [], 'full');
    }

    protected function cards()
    {
        $rawFields = $this->fields();
        $cards = $rawFields->whereInstanceOf(Card::class);
        if ($rawFields->whereInstanceOf(Field::class)->isNotEmpty()) {
            $cards->prepend($this->defaultCard());
        }

        return $cards;
    }

    public function toArray()
    {
        $data = [
            'labels' => $this->labels(),
            'cards' => $this->cards(),
            'fields' => $this->resolveFields(),
            'model' => $this->resourceModel,
            'resourceId' => $this->when($this->resourceModel->id, $this->resourceModel->id),
            'displayShowButtonOnIndex' => $this->displayShowButtonOnIndex,
            'displayEditButtonOnIndex' => $this->displayEditButtonOnIndex,
            'removeNullValues' => $this->shouldRemoveNullValues(),
            'hasDetailView' => $this->hasDetailView(),
        ];

        return $this->filter($data);
    }

    public function jsonSerialize()
    {
        return $this->toArray();
    }
}


1			<?php
2
3			namespace Oscer\Cms\Backend\Resources;
4
5			use Illuminate\Database\Eloquent\Model;
6			use Illuminate\Http\Request;
7			use Illuminate\Http\Resources\ConditionallyLoadsAttributes;
8			use Illuminate\Support\Collection;
9			use Illuminate\Support\Facades\Validator as ValidatorFactory;
10			use Illuminate\Support\Str;
11			use Illuminate\Validation\ValidationException;
12			use Illuminate\Validation\Validator;
13			use Oscer\Cms\Backend\Resources\Fields\Field;
14
15			abstract class Resource implements \JsonSerializable
16			{
17			use ConditionallyLoadsAttributes;
18
19			public static string $model;
			0 ignored issues – show Bug introduced 2020-04-23 14:53 UTC by Report Bug Copy Issue Report Show Similar Issues like this This code did not parse for me. Apparently, there is an error somewhere around this line: Syntax error, unexpected T_STRING, expecting T_FUNCTION or T_CONST Loading history...
20
21			protected Model $resourceModel;
22
23			protected Collection $fields;
24
25			protected array $additionalValidationRules = [];
26
27			protected bool $displayShowButtonOnIndex = true;
28
29			protected bool $displayEditButtonOnIndex = true;
30
31			public function __construct(Model $resourceModel)
32			{
33			$this->resourceModel = $resourceModel;
34			$this->fields = new Collection();
35			}
36
37			/**
38			* This method needs to be implemented by the extending Form.
39			* It has to return a Collection of Field instances.
40			*/
41			abstract public function fields(): Collection;
42
43			/**
44			* This method resolves all the fields values from the single fields
45			* depending on the current resource.
46			*/
47			protected function resolveFields()
48			{
49			// if this method was not executed
50			if ($this->fields->isEmpty()) {
51			// temporary variable to get a flat collection of fields
52			$fields = new Collection();
53			// Iterate over the collection returned by the fields method
54			$this->fields()->each(function ($field) use ($fields) {
55			// These instances can also be cards
56			if ($field instanceof Card) {
57			// if it is a card we need all its fields...
58			foreach ($field->fields as $fieldInCard) {
59			// We need to resolve the values for the fields from the resource model.
60			$fieldInCard->resolve($this->resourceModel);
61			// add them to our temporary collection
62			$fields->add($fieldInCard);
63			}
64			} elseif ($field instanceof Field) {
65			// the rest should be field instances...
66			if (! $field->card) {
67			// Assign the default card to all fields without card assignment
68			$field->card = 'default';
69			}
70			$field->resolve($this->resourceModel);
71			// add them to our temporary collection
72			$fields->add($field);
73			}
74			});
75
76			// We need to resolve the values for the fields from the resource model.
77			// The result will be assigned to the fields property of this resource.
78			$this->fields = $fields;
79			}
80
81			// Return the fields
82			return $this->fields;
83			}
84
85			protected function filteredFields(Request $request): Collection
86			{
87			return $this->resolveFields()->filter(function (Field $field) use ($request) {
88			return ! $field->shouldBeRemoved($request);
89			});
90			}
91
92			/**
93			* This method returns all validation rules form the fields and merges them
94			* with the "additionalValidationRules" for validation beyond fields.
95			*/
96			protected function getValidationRules(Request $request)
97			{
98			return array_merge(
99			$this->filteredFields($request)
100			->reduce(function ($rules, Field $field) use ($request) {
101			$rules[$field->name] = $this->resourceModel->id === null
102			? $field->getCreationRules()
103			: $field->getUpdateRules();
104
105			return $rules;
106			}, []),
107			$this->additionalValidationRules
108			);
109			}
110
111			/**
112			* This method creates a validator with the rules form the relevant fields.
113			*/
114			protected function createValidator(Request $request): Validator
115			{
116			$rules = $this->getValidationRules($request);
117
118			return ValidatorFactory::make($request->all(), $rules);
119			}
120
121			/**
122			* The "save" method is executed when a form will be submitted.
123			* It executes the validator and fills the resource with
124			* the updated values from the request.
125			*/
126			public function save(Request $request): Model
127			{
128			$validator = $this->createValidator($request);
129
130			if ($validator->fails()) {
131			throw new ValidationException($validator);
132			}
133
134			$this->filteredFields($request)
135			->each(function (Field $field) use ($request) {
136			$field->fill($this->resourceModel, $request);
137			});
138
139			$this->beforeSave($request);
140
141			$this->resourceModel->save();
142
143			return $this->resourceModel;
144			}
145
146			/**
147			* This method can be used to alter the resource before it will be saved.
148			*/
149			public function beforeSave(Request $request)
150			{
151			//
152			}
153
154			/**
155			* If we have a field which has the "filled" validation rule we have to strip null values
156			* from the form. this happens on the client side. This method abstracts the logic.
157			*/
158			protected function shouldRemoveNullValues(): bool
159			{
160			$rules = $this->resolveFields()->reduce(function ($result, Field $field) {
161			foreach ($field->rules as $rule) {
162			$result[] = $rule;
163			}
164
165			return $result;
166			}, []);
167
168			return in_array('filled', $rules);
169			}
170
171			public function labels()
172			{
173			return [
174			'buttons' => [
175			'create' => __('cms::resources.buttons.create', ['resource' => class_basename($this->resourceModel)]),
176			'edit' => __('cms::resources.buttons.edit', ['resource' => class_basename($this->resourceModel)]),
177			'save' => __('cms::resources.buttons.save', ['resource' => class_basename($this->resourceModel)]),
178			'cancel' => __('cms::resources.buttons.cancel'),
179			],
180			'titles' => [
181			'index' => __('cms::resources.titles.index', ['resources' => Str::plural(class_basename($this->resourceModel))]),
182			'detail' => __('cms::resources.titles.detail', ['resource' => class_basename($this->resourceModel)]),
183			'create' => __('cms::resources.titles.create', ['resource' => class_basename($this->resourceModel)]),
184			'update' => __('cms::resources.titles.update', ['resource' => class_basename($this->resourceModel)]),
185			],
186			'index' => [
187			'search' => __('cms::resources.index.search'),
188			],
189			];
190			}
191
192			protected function hasDetailView(): bool
193			{
194			return true;
195			}
196
197			protected function defaultCard()
198			{
199			return new Card('default', [], 'full');
200			}
201
202			protected function cards()
203			{
204			$rawFields = $this->fields();
205			$cards = $rawFields->whereInstanceOf(Card::class);
206			if ($rawFields->whereInstanceOf(Field::class)->isNotEmpty()) {
207			$cards->prepend($this->defaultCard());
208			}
209
210			return $cards;
211			}
212
213			public function toArray()
214			{
215			$data = [
216			'labels' => $this->labels(),
217			'cards' => $this->cards(),
218			'fields' => $this->resolveFields(),
219			'model' => $this->resourceModel,
220			'resourceId' => $this->when($this->resourceModel->id, $this->resourceModel->id),
221			'displayShowButtonOnIndex' => $this->displayShowButtonOnIndex,
222			'displayEditButtonOnIndex' => $this->displayEditButtonOnIndex,
223			'removeNullValues' => $this->shouldRemoveNullValues(),
224			'hasDetailView' => $this->hasDetailView(),
225			];
226
227			return $this->filter($data);
228			}
229
230			public function jsonSerialize()
231			{
232			return $this->toArray();
233			}
234			}
235

oscer-io / oscer

Issues (64)

Security Analysis not enabled

src/Backend/Resources/Resource.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like