PasswordSecureTransferRule::doValidation() - Code Metrics - phmLabs/Smoke - Measure and Improve Code Quality continuously with Scrutinizer

PasswordSecureTransferRule::doValidation() B
last analyzed 2019-05-12 19:55 UTC

↳ Parent: PasswordSecureTransferRule

Complexity

Conditions	6
Paths	8

Size

Total Lines

Duplication

Lines	0
Ratio	0 %

Importance

Changes

Metric	Value
dl	0
loc	34
rs	8.7537
c	0
b	0
f	0
cc	6
nc	8
nop	1

<?php

namespace whm\Smoke\Rules\Security;

use Psr\Http\Message\ResponseInterface;
use Symfony\Component\DomCrawler\Crawler;
use whm\Smoke\Http\Response;
use whm\Smoke\Rules\Rule;
use whm\Smoke\Rules\StandardRule;

/**
 * This rule checks if a https request contains any insecure includes via http.
 */
class PasswordSecureTransferRule extends StandardRule
{
    protected $contentTypes = array('text/html');

    private $knownIdentifier = array();

    protected function doValidation(ResponseInterface $response)
    {
        $crawler = new Crawler((string)$response->getBody());
        $actionNodes = $crawler->filterXPath('//form[//input[@type="password"]]');

        $url = (string)$response->getUri();
interface User
{
    /** @return string */
    public function getPassword();
}

class MyUser implements User
{
    public function getPassword()
    {
        // return something
    }

    public function getDisplayName()
    {
        // return some name.
    }
}

class AuthSystem
{
    public function authenticate(User $user)
    {
        $this->logger->info(sprintf('Authenticating %s.', $user->getDisplayName()));
        // do something.
    }
}

        foreach ($actionNodes as $node) {
            $action = $node->getAttribute('action');

            if (strpos($action, 'https://') === 0) {
                continue;
            }

            $fullPath = $node->tagName;
            $parent = $node->parentNode;

            while ($parent = $parent->parentNode) {
                if (property_exists($parent, 'tagName')) {
                    $fullPath = $parent->tagName . '/' . $fullPath;
                } else {
                    break;
                }
            }

            if (in_array($fullPath, $this->knownIdentifier, true)) {
                continue;
            }

            $this->knownIdentifier[] = $fullPath;

            $this->assert(strpos($url, 'https://') !== false, 'Password is transferred insecure using HTTP.');
        }
    }
}


1			<?php
2
3			namespace whm\Smoke\Rules\Security;
4
5			use Psr\Http\Message\ResponseInterface;
6			use Symfony\Component\DomCrawler\Crawler;
7			use whm\Smoke\Http\Response;
8			use whm\Smoke\Rules\Rule;
9			use whm\Smoke\Rules\StandardRule;
10
11			/**
12			* This rule checks if a https request contains any insecure includes via http.
13			*/
14			class PasswordSecureTransferRule extends StandardRule
15			{
16			protected $contentTypes = array('text/html');
17
18			private $knownIdentifier = array();
19
20			protected function doValidation(ResponseInterface $response)
21			{
22			$crawler = new Crawler((string)$response->getBody());
23			$actionNodes = $crawler->filterXPath('//form[//input[@type="password"]]');
24
25			$url = (string)$response->getUri();
			0 ignored issues – show Bug introduced 2018-12-28 01:14 UTC by Report Bug Copy Issue Report It seems like you code against a concrete implementation and not the interface `Psr\Http\Message\ResponseInterface` as the method `getUri()` does only exist in the following implementations of said interface: `phm\HttpWebdriverClient\...t\Chrome\ChromeResponse`, `phm\HttpWebdriverClient\...t\Guzzle\GuzzleResponse`, `phm\HttpWebdriverClient\...\Client\Guzzle\Response`, `phm\HttpWebdriverClient\...esponse\BrowserResponse`, `whm\Smoke\Http\ConnectionRefusedResponse`, `whm\Smoke\Http\ErrorResponse`. Let’s take a look at an example: interface User { /** @return string / public function getPassword(); } class MyUser implements User { public function getPassword() { // return something } public function getDisplayName() { // return some name. } } class AuthSystem { public function authenticate(User $user) { $this->logger->info(sprintf('Authenticating %s.', $user->getDisplayName())); // do something. } } In the above example, the authenticate() method works fine as long as you just pass instances of MyUser. However, if you now also want to pass a different implementation of User which does not have a getDisplayName() method, the code will break. Available Fixes Change the type-hint for the parameter: class AuthSystem { public function authenticate(MyUser $user) { / ... / } } Add an additional type-check: class AuthSystem { public function authenticate(User $user) { if ($user instanceof MyUser) { $this->logger->info(/* ... /); } // or alternatively if ( ! $user instanceof MyUser) { throw new \LogicException( '$user must be an instance of MyUser, ' .'other instances are not supported.' ); } } } Note:* PHP Analyzer uses reverse abstract interpretation to narrow down the types inside the if block in such a case. Add the method to the interface: interface User { /** @return string / public function getPassword(); /* @return string */ public function getDisplayName(); } Loading history...
26
27			foreach ($actionNodes as $node) {
28			$action = $node->getAttribute('action');
29
30			if (strpos($action, 'https://') === 0) {
31			continue;
32			}
33
34			$fullPath = $node->tagName;
35			$parent = $node->parentNode;
36
37			while ($parent = $parent->parentNode) {
38			if (property_exists($parent, 'tagName')) {
39			$fullPath = $parent->tagName . '/' . $fullPath;
40			} else {
41			break;
42			}
43			}
44
45			if (in_array($fullPath, $this->knownIdentifier, true)) {
46			continue;
47			}
48
49			$this->knownIdentifier[] = $fullPath;
50
51			$this->assert(strpos($url, 'https://') !== false, 'Password is transferred insecure using HTTP.');
52			}
53			}
54			}
55

phmLabs / Smoke

PasswordSecureTransferRule::doValidation() B last analyzed 2019-05-12 19:55 UTC

Complexity

Size

Duplication

Importance

Available Fixes

Duplication Side-by-Side

Filter issues like

PasswordSecureTransferRule::doValidation() B
last analyzed 2019-05-12 19:55 UTC