Ffcms\Core\Helper\Security

Complexity

Total Complexity

18

Size/Duplication

Total Lines	122
Duplicated Lines	0 %

Importance

Changes	1
Bugs	0	Features	0

8 Methods

Rating	Name	Duplication	Size	Complexity
A	escapeQuotes()	0	3	1
A	secureHtml()	0	3	2
A	__construct()	0	11	1
A	strip_php_tags()	0	9	3
A	var_export54()	0	3	1
A	strip_tags()	0	16	4
A	password_hash()	0	7	4
A	simpleHash()	0	7	2

<?php

namespace Ffcms\Core\Helper;

use Ffcms\Core\App;
use Ffcms\Core\Helper\Type\Any;
use Ffcms\Core\Helper\Type\Arr;
use Ffcms\Core\Helper\Type\Obj;
use Ffcms\Core\Helper\Type\Str;

/**
 * Class Security. Basic framework security entry point
 * @package Ffcms\Core\Helper
 */
class Security
{
    protected $purifier;

    /**
     * Security constructor. Construct html purifier instance.
     */
    public function __construct()
    {
        $config = \HTMLPurifier_Config::createDefault();
        $config->set('Cache.SerializerPath', root . '/Private/Cache/HTMLPurifier/');

The constant Ffcms\Core\Helper\root was not found. Maybe you did not declare it correctly or list all dependencies?

        $config->set('HTML.Allowed', 'p,b,strong,em,a[href],i,span,ul,ol,li,blockquote,h2,h3,pre,code,img[src|alt|width|height]');
        //$config->set('URI.Base', 'http://www.example.com');

80% of this comment could be valid code. Did you maybe forget this after debugging?

        //$config->set('URI.MakeAbsolute', true);

80% of this comment could be valid code. Did you maybe forget this after debugging?

        $config->set('AutoFormat.AutoParagraph', false);
        $config->set('HTML.TargetBlank', true);

        $this->purifier = new \HTMLPurifier($config);
    }

    /**
     * Secure html code
     * @param string|array $data
     * @return string
     */
    public function secureHtml($data): ?string
    {
        return (Any::isArray($data) ? $this->purifier->purifyArray($data) : $this->purifier->purify($data));

The expression return Ffcms\Core\Helper\Type\Any::isArray($data) ? $this->purifier->purifyArray($data) : $this->purifier->purify($data) could return the type string[] which is incompatible with the type-hinted return null|string. Consider adding an additional type-check to rule them out.

It seems like $data can also be of type array; however, parameter $html of HTMLPurifier::purify() does only seem to accept string, maybe add an additional type check?

It seems like $data can also be of type string; however, parameter $array_of_html of HTMLPurifier::purifyArray() does only seem to accept string[], maybe add an additional type check?

    }

    /**
     * String html tags and escape quotes
     * @param string|array $html
     * @param boolean $escapeQuotes
     * @return string|array|null
     */
    public function strip_tags($html, $escapeQuotes = true)
    {
        // recursive usage
        if (Any::isArray($html)) {
            foreach ($html as $key=>$value) {
                $html[$key] = $this->strip_tags($value, $escapeQuotes);
            }
            return $html;
        }

        $text = strip_tags($html);

It seems like $html can also be of type array; however, parameter $str of strip_tags() does only seem to accept string, maybe add an additional type check?

        if ($escapeQuotes) {
            $text = $this->escapeQuotes($text);
        }

        return $text;
    }

    /**
     * Strip php tags and notations in string.
     * @param array|string $data
     * @return array|null|string
     */
    public function strip_php_tags($data)
    {
        if (is_array($data)) {
            foreach ($data as $key=>$value) {
                $data[$key] = $this->strip_php_tags($value);
            }
            return $data;
        }
        return addslashes(htmlspecialchars(strip_tags($data)));
    }

    /**
     * Alternative var_export function for php >= 5.4 syntax
     * @deprecated
     * @param $var
     * @param null $indent

Are you sure the doc-type for parameter $indent is correct as it would always require null to be passed?

     * @return mixed|string
     */
    public function var_export54($var, $indent = null, $guessTypes = false)
    {
        return Arr::exportVar($var, $indent, $guessTypes);
    }

    /**
     * Escape quotes
     * @param string $html
     * @return string
     */
    public function escapeQuotes($html)
    {
        return Str::ireplace(["\"", "'", """], '', $html);
    }

    /**
     * Crypt password secure with Blow fish crypt algo (defined in salt)
     * Blow fish crypt example: crypt('somedata', '$2a$07$usesomesillystringfor$'), where $2a$07$ - definition of algo,
     * usesomesillystringfor - is salt (must be 21 or more chars), $ - end caret. Output: $2a$07$usesomesillystringfor.sUeCOxyFvckc3xgq1Kzqq90gLrrIVjq
     * @param string $password
     * @param string|null $salt
     * @return string
     * @deprecated
     */
    public static function password_hash($password, $salt = null)
    {
        if ($salt === null || !Any::isStr($salt) || Str::length($salt) < 1) {
            $salt = App::$Properties->get('passwordSalt');
        }

        return crypt($password, $salt);
    }

    /**
     * Generate simple hash of 8 chars (32bit) for string. This method is NOT SECURE for crypt reason!
     * @param string $string
     * @return string|null
     */
    public static function simpleHash($string): ?string
    {
        if (!Any::isLine($string)) {
            return null;
        }

        return dechex(crc32($string));
    }
}