SimpleFilesystemFileProcessor::getPath() - Code Metrics - Inspection of "Add getFile to FileProcessor" - philiplb/CRUDlex - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Pull Request — master (#90)

unknown

created 2017-06-23 12:15 UTC

SimpleFilesystemFileProcessor::getPath() A

↳ Parent: SimpleFilesystemFileProcessor

Complexity

Conditions	1
Paths	1

Size

Total Lines	3
Code Lines	2

Duplication

Lines	0
Ratio	0 %

Code Coverage

Tests	2
CRAP Score	1

Importance

Changes

Metric	Value
dl	0
loc	3
ccs	2
cts	2
cp	1
rs	10
c	0
b	0
f	0
nc	1
cc	1
eloc	2
nop	3
crap	1

<?php

/*
 * This file is part of the CRUDlex package.
 *
 * (c) Philip Lehmann-Böhm <[email protected]>
 *
 * For the full copyright and license information, please view the LICENSE
 * file that was distributed with this source code.
 */

namespace CRUDlex;

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpFoundation\StreamedResponse;

/**
 * An implementation of the {@see FileProcessorInterface} simply using the
 * file system.
 */
class SimpleFilesystemFileProcessor implements FileProcessorInterface {

    /**
     * Holds the base path where all files will be stored into subfolders.
     */
    protected $basePath;

    /**
     * Constructs a file system path for the given parameters for storing the
     * file of the file field.
     *
     * @param string $entityName
     * the entity name
     * @param Entity $entity
     * the entity
     * @param string $field
     * the file field in the entity
     *
     * @return string
     * the constructed path for storing the file of the file field
     */
    protected function getPath($entityName, Entity $entity, $field) {
        return $this->basePath.$entity->getDefinition()->getField($field, 'path').'/'.$entityName.'/'.$entity->get('id').'/'.$field;
    }

    /**
     * Constructor.
     *
     * @param string $basePath
     * the base path where all files will be stored into subfolders
     */
    public function __construct($basePath = '') {
        $this->basePath = $basePath;
    }

    /**
     * {@inheritdoc}
     */
    public function createFile(Request $request, Entity $entity, $entityName, $field) {
        $file = $request->files->get($field);
        if ($file) {
            $targetPath = $this->getPath($entityName, $entity, $field);
            if (!file_exists($targetPath)) {
                mkdir($targetPath, 0777, true);
if ( ! in_array($value, array('this-is-allowed', 'and-this-too'), true)) {
    throw new \InvalidArgumentException('This input is not allowed.');
}
            }
            $file->move($targetPath, $file->getClientOriginalName());
        }
    }

    /**
     * {@inheritdoc}
     * For now, this implementation is defensive and doesn't delete ever.
     */
    public function updateFile(Request $request, Entity $entity, $entityName, $field) {
        // We could first delete the old file, but for now, we are defensive and don't delete ever.
        $this->createFile($request, $entity, $entityName, $field);
    }

    /**
     * {@inheritdoc}
     * For now, this implementation is defensive and doesn't delete ever.
     */
    public function deleteFile(Entity $entity, $entityName, $field) {
        // For now, we are defensive and don't delete ever.
    }

    /**
     * {@inheritdoc}
     */
    public function renderFile(Entity $entity, $entityName, $field) {
        $targetPath = $this->getPath($entityName, $entity, $field);
        $fileName   = $entity->get($field);
        $file       = $targetPath.'/'.$fileName;
        $response   = new Response('');
        $mimeTypes  = new MimeTypes();
        $mimeType   = $mimeTypes->getMimeType($file);
        $size       = filesize($file);
        if ($fileName && file_exists($file)) {
            $streamedFileResponse = new StreamedFileResponse();
            $response             = new StreamedResponse($streamedFileResponse->getStreamedFileFunction($file), 200, [
                'Content-Type' => $mimeType,
                'Content-Disposition' => 'attachment; filename="'.$fileName.'"',
                'Content-length' => $size
            ]);
            $response->send();
        }
        return $response;
    }


    /**
     * {@inheritdoc}
     */
    public function getFile(Entity $entity, $entityName, $field) {
        $targetPath = $this->getPath($entityName, $entity, $field);
        $fileName   = $entity->get($field);
        $file       = $targetPath.'/'.$fileName;

        return fopen($file, 'r');
    }
}


1		<?php
2
3		/*
4		* This file is part of the CRUDlex package.
5		*
6		* (c) Philip Lehmann-Böhm <[email protected]>
7		*
8		* For the full copyright and license information, please view the LICENSE
9		* file that was distributed with this source code.
10		*/
11
12		namespace CRUDlex;
13
14		use Symfony\Component\HttpFoundation\Request;
15		use Symfony\Component\HttpFoundation\Response;
16		use Symfony\Component\HttpFoundation\StreamedResponse;
17
18		/**
19		* An implementation of the {@see FileProcessorInterface} simply using the
20		* file system.
21		*/
22		class SimpleFilesystemFileProcessor implements FileProcessorInterface {
23
24		/**
25		* Holds the base path where all files will be stored into subfolders.
26		*/
27		protected $basePath;
28
29		/**
30		* Constructs a file system path for the given parameters for storing the
31		* file of the file field.
32		*
33		* @param string $entityName
34		* the entity name
35		* @param Entity $entity
36		* the entity
37		* @param string $field
38		* the file field in the entity
39		*
40		* @return string
41		* the constructed path for storing the file of the file field
42		*/
43	4	protected function getPath($entityName, Entity $entity, $field) {
44	4	return $this->basePath.$entity->getDefinition()->getField($field, 'path').'/'.$entityName.'/'.$entity->get('id').'/'.$field;
45		}
46
47		/**
48		* Constructor.
49		*
50		* @param string $basePath
51		* the base path where all files will be stored into subfolders
52		*/
53	5	public function __construct($basePath = '') {
54	5	$this->basePath = $basePath;
55	5	}
56
57		/**
58		* {@inheritdoc}
59		*/
60	4	public function createFile(Request $request, Entity $entity, $entityName, $field) {
61	4	$file = $request->files->get($field);
62	4	if ($file) {
63	4	$targetPath = $this->getPath($entityName, $entity, $field);
64	4	if (!file_exists($targetPath)) {
65	4	mkdir($targetPath, 0777, true);
		0 ignored issues – show Security File Manipulation introduced 2017-06-01 12:59 UTC by Report Bug Copy Issue Report `$targetPath` can contain request data and is used in file manipulation context(s) leading to a potential security vulnerability. 8 paths for user data to reach this point 1. Path: Read from `$_FILES,` and `$_FILES` is passed to Request::createRequestFromFactory() in Request.php on line 317 Read from `$_FILES,` and `$_FILES` is passed to Request::createRequestFromFactory() in vendor/Request.php on line 317 `$files` is passed to Request::__construct() in vendor/Request.php on line 2018 `$files` is passed to Request::initialize() in vendor/Request.php on line 258 `$files` is passed to FileBag::__construct() in vendor/Request.php on line 280 `$parameters` is passed to FileBag::replace() in vendor/FileBag.php on line 33 `$files` is passed to FileBag::add() in vendor/FileBag.php on line 42 `$file` is assigned in vendor/FileBag.php on line 62 `$file` is passed to FileBag::set() in vendor/FileBag.php on line 63 `$value` is passed to FileBag::convertFileInformation() in vendor/FileBag.php on line 54 `$file` is assigned in vendor/FileBag.php on line 80 `$file['name']` is passed to UploadedFile::__construct() in vendor/FileBag.php on line 89 Data is passed through str_replace() in vendor/File/File.php on line 130 UploadedFile::$originalName is assigned in vendor/File/UploadedFile.php on line 90 Tainted property UploadedFile::$originalName is read in vendor/File/UploadedFile.php on line 109 UploadedFile::getClientOriginalName() returns tainted data, and `$file->getClientOriginalName()` is passed to Entity::set() in src/CRUDlex/Entity.php on line 146 Entity::$entity is assigned in src/CRUDlex/Entity.php on line 77 Tainted property Entity::$entity is read, and `$value` is assigned in src/CRUDlex/Entity.php on line 119 Entity::get() returns tainted data in src/CRUDlex/SimpleFilesystemFileProcessor.php on line 44 SimpleFilesystemFileProcessor::getPath() returns tainted data, and `$targetPath` is assigned in src/CRUDlex/SimpleFilesystemFileProcessor.php on line 63 2. Path: `$this->parameters['HTTP_AUTHORIZATION']` seems to return tainted data, and `$authorizationHeader` is assigned in ServerBag.php on line 62 `$this->parameters['HTTP_AUTHORIZATION']` seems to return tainted data, and `$authorizationHeader` is assigned in vendor/ServerBag.php on line 62 ParameterBag::$parameters is assigned in vendor/ServerBag.php on line 77 Tainted property ParameterBag::$parameters is read in vendor/ParameterBag.php on line 88 ParameterBag::get() returns tainted data, and `$result` is assigned in vendor/Request.php on line 798 Request::get() returns tainted data, and `$array` is assigned in src/CRUDlex/Entity.php on line 155 `$array` is passed through array_map() in src/CRUDlex/Entity.php on line 159 `$many` is assigned in src/CRUDlex/Entity.php on line 157 `$many` is passed to Entity::set() in src/CRUDlex/Entity.php on line 160 Entity::$entity is assigned in src/CRUDlex/Entity.php on line 77 Tainted property Entity::$entity is read, and `$value` is assigned in src/CRUDlex/Entity.php on line 119 Entity::get() returns tainted data in src/CRUDlex/SimpleFilesystemFileProcessor.php on line 44 SimpleFilesystemFileProcessor::getPath() returns tainted data, and `$targetPath` is assigned in src/CRUDlex/SimpleFilesystemFileProcessor.php on line 63 3. Path: Read from `$_SERVER,` and `$server` is assigned in Request.php on line 307 Read from `$_SERVER,` and `$server` is assigned in vendor/Request.php on line 307 `$server` is passed to Request::createRequestFromFactory() in vendor/Request.php on line 317 `$server` is passed to Request::__construct() in vendor/Request.php on line 2018 `$server` is passed to Request::initialize() in vendor/Request.php on line 258 `$server` is passed to ParameterBag::__construct() in vendor/Request.php on line 281 ParameterBag::$parameters is assigned in vendor/ParameterBag.php on line 35 Tainted property ParameterBag::$parameters is read in vendor/ParameterBag.php on line 88 ParameterBag::get() returns tainted data, and `$result` is assigned in vendor/Request.php on line 798 Request::get() returns tainted data, and `$array` is assigned in src/CRUDlex/Entity.php on line 155 `$array` is passed through array_map() in src/CRUDlex/Entity.php on line 159 `$many` is assigned in src/CRUDlex/Entity.php on line 157 `$many` is passed to Entity::set() in src/CRUDlex/Entity.php on line 160 Entity::$entity is assigned in src/CRUDlex/Entity.php on line 77 Tainted property Entity::$entity is read, and `$value` is assigned in src/CRUDlex/Entity.php on line 119 Entity::get() returns tainted data in src/CRUDlex/SimpleFilesystemFileProcessor.php on line 44 SimpleFilesystemFileProcessor::getPath() returns tainted data, and `$targetPath` is assigned in src/CRUDlex/SimpleFilesystemFileProcessor.php on line 63 4. Path: Fetching key `HTTP_CONTENT_LENGTH` from `$_SERVER,` and `$server` is assigned in Request.php on line 310 Fetching key `HTTP_CONTENT_LENGTH` from `$_SERVER,` and `$server` is assigned in vendor/Request.php on line 310 `$server` is passed to Request::createRequestFromFactory() in vendor/Request.php on line 317 `$server` is passed to Request::__construct() in vendor/Request.php on line 2018 `$server` is passed to Request::initialize() in vendor/Request.php on line 258 `$server` is passed to ParameterBag::__construct() in vendor/Request.php on line 281 ParameterBag::$parameters is assigned in vendor/ParameterBag.php on line 35 Tainted property ParameterBag::$parameters is read in vendor/ParameterBag.php on line 88 ParameterBag::get() returns tainted data, and `$result` is assigned in vendor/Request.php on line 798 Request::get() returns tainted data, and `$array` is assigned in src/CRUDlex/Entity.php on line 155 `$array` is passed through array_map() in src/CRUDlex/Entity.php on line 159 `$many` is assigned in src/CRUDlex/Entity.php on line 157 `$many` is passed to Entity::set() in src/CRUDlex/Entity.php on line 160 Entity::$entity is assigned in src/CRUDlex/Entity.php on line 77 Tainted property Entity::$entity is read, and `$value` is assigned in src/CRUDlex/Entity.php on line 119 Entity::get() returns tainted data in src/CRUDlex/SimpleFilesystemFileProcessor.php on line 44 SimpleFilesystemFileProcessor::getPath() returns tainted data, and `$targetPath` is assigned in src/CRUDlex/SimpleFilesystemFileProcessor.php on line 63 5. Path: Fetching key `HTTP_CONTENT_TYPE` from `$_SERVER,` and `$server` is assigned in Request.php on line 313 Fetching key `HTTP_CONTENT_TYPE` from `$_SERVER,` and `$server` is assigned in vendor/Request.php on line 313 `$server` is passed to Request::createRequestFromFactory() in vendor/Request.php on line 317 `$server` is passed to Request::__construct() in vendor/Request.php on line 2018 `$server` is passed to Request::initialize() in vendor/Request.php on line 258 `$server` is passed to ParameterBag::__construct() in vendor/Request.php on line 281 ParameterBag::$parameters is assigned in vendor/ParameterBag.php on line 35 Tainted property ParameterBag::$parameters is read in vendor/ParameterBag.php on line 88 ParameterBag::get() returns tainted data, and `$result` is assigned in vendor/Request.php on line 798 Request::get() returns tainted data, and `$array` is assigned in src/CRUDlex/Entity.php on line 155 `$array` is passed through array_map() in src/CRUDlex/Entity.php on line 159 `$many` is assigned in src/CRUDlex/Entity.php on line 157 `$many` is passed to Entity::set() in src/CRUDlex/Entity.php on line 160 Entity::$entity is assigned in src/CRUDlex/Entity.php on line 77 Tainted property Entity::$entity is read, and `$value` is assigned in src/CRUDlex/Entity.php on line 119 Entity::get() returns tainted data in src/CRUDlex/SimpleFilesystemFileProcessor.php on line 44 SimpleFilesystemFileProcessor::getPath() returns tainted data, and `$targetPath` is assigned in src/CRUDlex/SimpleFilesystemFileProcessor.php on line 63 6. Path: `$server['HTTP_HOST']` seems to return tainted data, and `$server` is assigned in Request.php on line 383 `$server['HTTP_HOST']` seems to return tainted data, and `$server` is assigned in vendor/Request.php on line 383 `$server` is assigned in vendor/Request.php on line 431 `$server` is assigned in vendor/Request.php on line 432 `$server` is passed to Request::createRequestFromFactory() in vendor/Request.php on line 434 `$server` is passed to Request::__construct() in vendor/Request.php on line 2018 `$server` is passed to Request::initialize() in vendor/Request.php on line 258 `$server` is passed to ParameterBag::__construct() in vendor/Request.php on line 281 ParameterBag::$parameters is assigned in vendor/ParameterBag.php on line 35 Tainted property ParameterBag::$parameters is read in vendor/ParameterBag.php on line 88 ParameterBag::get() returns tainted data, and `$result` is assigned in vendor/Request.php on line 798 Request::get() returns tainted data, and `$array` is assigned in src/CRUDlex/Entity.php on line 155 `$array` is passed through array_map() in src/CRUDlex/Entity.php on line 159 `$many` is assigned in src/CRUDlex/Entity.php on line 157 `$many` is passed to Entity::set() in src/CRUDlex/Entity.php on line 160 Entity::$entity is assigned in src/CRUDlex/Entity.php on line 77 Tainted property Entity::$entity is read, and `$value` is assigned in src/CRUDlex/Entity.php on line 119 Entity::get() returns tainted data in src/CRUDlex/SimpleFilesystemFileProcessor.php on line 44 SimpleFilesystemFileProcessor::getPath() returns tainted data, and `$targetPath` is assigned in src/CRUDlex/SimpleFilesystemFileProcessor.php on line 63 7. Path: `$this->parameters['PHP_AUTH_USER']` seems to return tainted data, and `$headers` is assigned in ServerBag.php on line 43 `$this->parameters['PHP_AUTH_USER']` seems to return tainted data, and `$headers` is assigned in vendor/ServerBag.php on line 43 `$headers` is assigned in vendor/ServerBag.php on line 44 ServerBag::getHeaders() returns tainted data, and `$this->server->getHeaders()` is passed to HeaderBag::__construct() in vendor/Request.php on line 282 `$values` is assigned in vendor/HeaderBag.php on line 31 `$values` is passed to HeaderBag::set() in vendor/HeaderBag.php on line 32 `(array) $values` is passed through array_values(), and `$values` is assigned in vendor/HeaderBag.php on line 143 HeaderBag::$headers is assigned in vendor/HeaderBag.php on line 146 Tainted property HeaderBag::$headers is read in vendor/HeaderBag.php on line 67 HeaderBag::all() returns tainted data, and `$headers` is assigned in vendor/HeaderBag.php on line 115 HeaderBag::get() returns tainted data, and `$requestUri` is assigned in vendor/Request.php on line 1788 `$requestUri` is passed to ParameterBag::set() in vendor/Request.php on line 1819 ParameterBag::$parameters is assigned in vendor/ParameterBag.php on line 99 Tainted property ParameterBag::$parameters is read in vendor/ParameterBag.php on line 88 ParameterBag::get() returns tainted data, and `$result` is assigned in vendor/Request.php on line 798 Request::get() returns tainted data, and `$array` is assigned in src/CRUDlex/Entity.php on line 155 `$array` is passed through array_map() in src/CRUDlex/Entity.php on line 159 `$many` is assigned in src/CRUDlex/Entity.php on line 157 `$many` is passed to Entity::set() in src/CRUDlex/Entity.php on line 160 Entity::$entity is assigned in src/CRUDlex/Entity.php on line 77 Tainted property Entity::$entity is read, and `$value` is assigned in src/CRUDlex/Entity.php on line 119 Entity::get() returns tainted data in src/CRUDlex/SimpleFilesystemFileProcessor.php on line 44 SimpleFilesystemFileProcessor::getPath() returns tainted data, and `$targetPath` is assigned in src/CRUDlex/SimpleFilesystemFileProcessor.php on line 63 8. Path: `$this->parameters['PHP_AUTH_PW']` seems to return tainted data, and `$headers` is assigned in ServerBag.php on line 44 `$this->parameters['PHP_AUTH_PW']` seems to return tainted data, and `$headers` is assigned in vendor/ServerBag.php on line 44 ServerBag::getHeaders() returns tainted data, and `$this->server->getHeaders()` is passed to HeaderBag::__construct() in vendor/Request.php on line 282 `$values` is assigned in vendor/HeaderBag.php on line 31 `$values` is passed to HeaderBag::set() in vendor/HeaderBag.php on line 32 `(array) $values` is passed through array_values(), and `$values` is assigned in vendor/HeaderBag.php on line 143 HeaderBag::$headers is assigned in vendor/HeaderBag.php on line 146 Tainted property HeaderBag::$headers is read in vendor/HeaderBag.php on line 67 HeaderBag::all() returns tainted data, and `$headers` is assigned in vendor/HeaderBag.php on line 115 HeaderBag::get() returns tainted data, and `$requestUri` is assigned in vendor/Request.php on line 1788 `$requestUri` is passed to ParameterBag::set() in vendor/Request.php on line 1819 ParameterBag::$parameters is assigned in vendor/ParameterBag.php on line 99 Tainted property ParameterBag::$parameters is read in vendor/ParameterBag.php on line 88 ParameterBag::get() returns tainted data, and `$result` is assigned in vendor/Request.php on line 798 Request::get() returns tainted data, and `$array` is assigned in src/CRUDlex/Entity.php on line 155 `$array` is passed through array_map() in src/CRUDlex/Entity.php on line 159 `$many` is assigned in src/CRUDlex/Entity.php on line 157 `$many` is passed to Entity::set() in src/CRUDlex/Entity.php on line 160 Entity::$entity is assigned in src/CRUDlex/Entity.php on line 77 Tainted property Entity::$entity is read, and `$value` is assigned in src/CRUDlex/Entity.php on line 119 Entity::get() returns tainted data in src/CRUDlex/SimpleFilesystemFileProcessor.php on line 44 SimpleFilesystemFileProcessor::getPath() returns tainted data, and `$targetPath` is assigned in src/CRUDlex/SimpleFilesystemFileProcessor.php on line 63 General Strategies to prevent injection In general, it is advisable to prevent any user-data to reach this point. This can be done by white-listing certain values: if ( ! in_array($value, array('this-is-allowed', 'and-this-too'), true)) { throw new \InvalidArgumentException('This input is not allowed.'); } For numeric data, we recommend to explicitly cast the data: $sanitized = (integer) $tainted; Loading history...
66		}
67	4	$file->move($targetPath, $file->getClientOriginalName());
68		}
69	4	}
70
71		/**
72		* {@inheritdoc}
73		* For now, this implementation is defensive and doesn't delete ever.
74		*/
75	1	public function updateFile(Request $request, Entity $entity, $entityName, $field) {
76		// We could first delete the old file, but for now, we are defensive and don't delete ever.
77	1	$this->createFile($request, $entity, $entityName, $field);
78	1	}
79
80		/**
81		* {@inheritdoc}
82		* For now, this implementation is defensive and doesn't delete ever.
83		*/
84	1	public function deleteFile(Entity $entity, $entityName, $field) {
85		// For now, we are defensive and don't delete ever.
86	1	}
87
88		/**
89		* {@inheritdoc}
90		*/
91	1	public function renderFile(Entity $entity, $entityName, $field) {
92	1	$targetPath = $this->getPath($entityName, $entity, $field);
93	1	$fileName = $entity->get($field);
94	1	$file = $targetPath.'/'.$fileName;
95	1	$response = new Response('');
96	1	$mimeTypes = new MimeTypes();
97	1	$mimeType = $mimeTypes->getMimeType($file);
98	1	$size = filesize($file);
99	1	if ($fileName && file_exists($file)) {
100	1	$streamedFileResponse = new StreamedFileResponse();
101	1	$response = new StreamedResponse($streamedFileResponse->getStreamedFileFunction($file), 200, [
102	1	'Content-Type' => $mimeType,
103	1	'Content-Disposition' => 'attachment; filename="'.$fileName.'"',
104	1	'Content-length' => $size
105		]);
106	1	$response->send();
107		}
108	1	return $response;
109		}
110
111
112		/**
113		* {@inheritdoc}
114		*/
115		public function getFile(Entity $entity, $entityName, $field) {
116		$targetPath = $this->getPath($entityName, $entity, $field);
117		$fileName = $entity->get($field);
118		$file = $targetPath.'/'.$fileName;
119
120		return fopen($file, 'r');
121		}
122		}
123

philiplb / CRUDlex

Pull Request — master (#90)

SimpleFilesystemFileProcessor::getPath() A

Complexity

Size

Duplication

Code Coverage

Importance

8 paths for user data to reach this point

General Strategies to prevent injection

Duplication Side-by-Side

Filter issues like