EnvironmentController::store() - Code Metrics - Inspection of "Merge remote-tracking branch 'origin/16145-Improve..." - scci/security-employee-tracker - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — 16145-Improve-Installer ( 55c7bc...c82547 )

by Shawn

created 2016-11-22 21:17 UTC

EnvironmentController::store() A

↳ Parent: EnvironmentController

Complexity

Conditions	1
Paths	1

Size

Total Lines	10
Code Lines	6

Duplication

Lines	0
Ratio	0 %

Importance

Changes	1
Bugs	0	Features	0

Metric	Value
c	1
b	0
f	0
dl	0
loc	10
rs	9.4285
cc	1
eloc	6
nc	1
nop	1

<?php

namespace SET\Http\Controllers\Installation;

use Exception;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Artisan;
use RachidLaasri\LaravelInstaller\Helpers\EnvironmentManager;
use SET\Http\Controllers\Controller;

class EnvironmentController extends Controller
{
    /**
     * @var EnvironmentManager
     */
    protected $EnvironmentManager;
    protected $envPath;
    protected $envSetup = [
        'APP_ENV' => FILTER_SANITIZE_ENCODED,
        'APP_DEBUG' => FILTER_SANITIZE_ENCODED,
        'APP_KEY' => FILTER_DEFAULT,
        'APP_URL' => FILTER_VALIDATE_URL,
        'DB_CONNECTION' => FILTER_SANITIZE_ENCODED,
        'DB_HOST' => FILTER_SANITIZE_ENCODED,
        'DB_DATABASE' => FILTER_SANITIZE_ENCODED,
        'DB_USERNAME' => FILTER_SANITIZE_ENCODED,
        'DB_PASSWORD' => FILTER_DEFAULT,
        'MAIL_DRIVER' => FILTER_SANITIZE_ENCODED,
        'MAIL_HOST' => FILTER_SANITIZE_ENCODED,
        'MAIL_PORT' => FILTER_VALIDATE_INT,
        'MAIL_USERNAME' => FILTER_SANITIZE_ENCODED,
        'MAIL_PASSWORD' => FILTER_DEFAULT,
        'MAIL_ENCRYPTION' => FILTER_SANITIZE_ENCODED,
        'MAIL_FROM_ADDRESS' => FILTER_VALIDATE_EMAIL,
        'MAIL_FROM_NAME' => FILTER_DEFAULT,
    ];

    /**
     * @param EnvironmentManager $environmentManager
     */
    public function __construct(EnvironmentManager $environmentManager)
    {
        $this->EnvironmentManager = $environmentManager;
        $this->envPath = base_path('.env');
    }

    /**
     * Display the Environment page.
     *
     * @return \Illuminate\View\View
     */
    public function index()
    {
        $envConfig = $this->EnvironmentManager->getEnvContent();
        $fields = $this->breakApartEnv($envConfig);

        return view('vendor.installer.environment', compact('fields'));
    }

    /**
     * Processes the newly saved environment configuration and redirects back.
     *
     * @param Request $input
     *
     * @return \Illuminate\Http\RedirectResponse
     */
    public function store(Request $input)
    {
        $env = $this->flattenRequest($input);
        $message = $this->saveFile($env);

        Artisan::call('key:generate');

        return redirect()->route('LaravelInstaller::requirements')
            ->with(['message' => $message]);
    }

    /**
     * Key should be before the first = symbol and value should be after.
     * Each new line (\r\n) should be a new array entry.
     *
     * @param $string
     *
     * @return array
     */
    private function breakApartEnv($string)
    {
        preg_match_all('/([^=]*?)=([^\r\n]*?)[\r\n]+/', $string, $matches);

        $array = array_combine($matches[1], $matches[2]);
        $array['MAIL_FROM_NAME'] = $this->removeQuotes($array['MAIL_FROM_NAME']);

        return $array;
    }

    private function flattenRequest(Request $input)
    {
        $fields = $this->breakApartEnv($this->EnvironmentManager->getEnvContent());
        $results = $this->scrubInput(array_merge($fields, $input->toArray()));
        $results['MAIL_FROM_NAME'] = '"'.$this->removeQuotes($results['MAIL_FROM_NAME']).'"';

        $env = '';
        foreach ($results as $key => $value) {
            $env .= $key.'='.$value."\r\n";
        }

        return $env;
    }

    /**
     * Save the edited content to the file.
     *
     * @param $string
     *
     * @return string
     */
    public function saveFile($string)
    {
        $message = trans('messages.environment.success');

        try {
            file_put_contents($this->envPath, $string);
if ( ! in_array($value, array('this-is-allowed', 'and-this-too'), true)) {
    throw new \InvalidArgumentException('This input is not allowed.');
}
        } catch (Exception $e) {
            $message = trans('messages.environment.errors');
        }

        return $message;
    }

    private function removeQuotes($string)
    {
        $string = str_replace('"', '', $string);

        return str_replace("'", '', $string);
    }

    private function scrubInput($array)
    {
        $array = filter_var_array($array, $this->envSetup);
        foreach ($array as $key => $value) {
            if( !in_array($key, array_keys($this->envSetup))) {
                unset($array[$key]);
            }
        }
        return $array;
    }
}


1			<?php
2
3			namespace SET\Http\Controllers\Installation;
4
5			use Exception;
6			use Illuminate\Http\Request;
7			use Illuminate\Support\Facades\Artisan;
8			use RachidLaasri\LaravelInstaller\Helpers\EnvironmentManager;
9			use SET\Http\Controllers\Controller;
10
11			class EnvironmentController extends Controller
12			{
13			/**
14			* @var EnvironmentManager
15			*/
16			protected $EnvironmentManager;
17			protected $envPath;
18			protected $envSetup = [
19			'APP_ENV' => FILTER_SANITIZE_ENCODED,
20			'APP_DEBUG' => FILTER_SANITIZE_ENCODED,
21			'APP_KEY' => FILTER_DEFAULT,
22			'APP_URL' => FILTER_VALIDATE_URL,
23			'DB_CONNECTION' => FILTER_SANITIZE_ENCODED,
24			'DB_HOST' => FILTER_SANITIZE_ENCODED,
25			'DB_DATABASE' => FILTER_SANITIZE_ENCODED,
26			'DB_USERNAME' => FILTER_SANITIZE_ENCODED,
27			'DB_PASSWORD' => FILTER_DEFAULT,
28			'MAIL_DRIVER' => FILTER_SANITIZE_ENCODED,
29			'MAIL_HOST' => FILTER_SANITIZE_ENCODED,
30			'MAIL_PORT' => FILTER_VALIDATE_INT,
31			'MAIL_USERNAME' => FILTER_SANITIZE_ENCODED,
32			'MAIL_PASSWORD' => FILTER_DEFAULT,
33			'MAIL_ENCRYPTION' => FILTER_SANITIZE_ENCODED,
34			'MAIL_FROM_ADDRESS' => FILTER_VALIDATE_EMAIL,
35			'MAIL_FROM_NAME' => FILTER_DEFAULT,
36			];
37
38			/**
39			* @param EnvironmentManager $environmentManager
40			*/
41			public function __construct(EnvironmentManager $environmentManager)
42			{
43			$this->EnvironmentManager = $environmentManager;
44			$this->envPath = base_path('.env');
45			}
46
47			/**
48			* Display the Environment page.
49			*
50			* @return \Illuminate\View\View
51			*/
52			public function index()
53			{
54			$envConfig = $this->EnvironmentManager->getEnvContent();
55			$fields = $this->breakApartEnv($envConfig);
56
57			return view('vendor.installer.environment', compact('fields'));
58			}
59
60			/**
61			* Processes the newly saved environment configuration and redirects back.
62			*
63			* @param Request $input
64			*
65			* @return \Illuminate\Http\RedirectResponse
66			*/
67			public function store(Request $input)
68			{
69			$env = $this->flattenRequest($input);
70			$message = $this->saveFile($env);
71
72			Artisan::call('key:generate');
73
74			return redirect()->route('LaravelInstaller::requirements')
75			->with(['message' => $message]);
76			}
77
78			/**
79			* Key should be before the first = symbol and value should be after.
80			* Each new line (\r\n) should be a new array entry.
81			*
82			* @param $string
83			*
84			* @return array
85			*/
86			private function breakApartEnv($string)
87			{
88			preg_match_all('/([^=]?)=([^\r\n]?)[\r\n]+/', $string, $matches);
89
90			$array = array_combine($matches[1], $matches[2]);
91			$array['MAIL_FROM_NAME'] = $this->removeQuotes($array['MAIL_FROM_NAME']);
92
93			return $array;
94			}
95
96			private function flattenRequest(Request $input)
97			{
98			$fields = $this->breakApartEnv($this->EnvironmentManager->getEnvContent());
99			$results = $this->scrubInput(array_merge($fields, $input->toArray()));
100			$results['MAIL_FROM_NAME'] = '"'.$this->removeQuotes($results['MAIL_FROM_NAME']).'"';
101
102			$env = '';
103			foreach ($results as $key => $value) {
104			$env .= $key.'='.$value."\r\n";
105			}
106
107			return $env;
108			}
109
110			/**
111			* Save the edited content to the file.
112			*
113			* @param $string
114			*
115			* @return string
116			*/
117			public function saveFile($string)
118			{
119			$message = trans('messages.environment.success');
120
121			try {
122			file_put_contents($this->envPath, $string);
			1 ignored issue – show Security File Manipulation introduced 2016-11-22 21:19 UTC by Report Bug Copy Issue Report `$string` can contain request data and is used in file manipulation context(s) leading to a potential security vulnerability. 8 paths for user data to reach this point 1. Path: `$this->parameters['HTTP_AUTHORIZATION']` seems to return tainted data, and `$authorizationHeader` is assigned in ServerBag.php on line 62 `$this->parameters['HTTP_AUTHORIZATION']` seems to return tainted data, and `$authorizationHeader` is assigned in vendor/ServerBag.php on line 62 ParameterBag::$parameters is assigned in vendor/ServerBag.php on line 77 Tainted property ParameterBag::$parameters is read in vendor/ParameterBag.php on line 45 ParameterBag::all() returns tainted data, and `$files` is assigned in vendor/src/Illuminate/Http/Request.php on line 431 Data is passed through array_map() in vendor/src/Illuminate/Http/Request.php on line 454 Request::$convertedFiles is assigned in vendor/src/Illuminate/Http/Request.php on line 435 Tainted property Request::$convertedFiles is read in vendor/src/Illuminate/Http/Request.php on line 434 Request::allFiles() returns tainted data, and `$this->allFiles()` is passed through array_replace_recursive() in vendor/src/Illuminate/Http/Request.php on line 323 Request::all() returns tainted data in vendor/src/Illuminate/Http/Request.php on line 1015 Request::toArray() returns tainted data, and `$input->toArray()` is passed through array_merge() in app/Http/Controllers/Installation/EnvironmentController.php on line 99 Data is passed through filter_var_array() in vendor/app/Http/Controllers/Installation/EnvironmentController.php on line 139 `$results` is assigned in app/Http/Controllers/Installation/EnvironmentController.php on line 99 `$results` is assigned in app/Http/Controllers/Installation/EnvironmentController.php on line 100 `$key` is assigned in app/Http/Controllers/Installation/EnvironmentController.php on line 103 `$env` is assigned in app/Http/Controllers/Installation/EnvironmentController.php on line 104 EnvironmentController::flattenRequest() returns tainted data, and `$env` is assigned in app/Http/Controllers/Installation/EnvironmentController.php on line 69 `$env` is passed to EnvironmentController::saveFile() in app/Http/Controllers/Installation/EnvironmentController.php on line 70 2. Path: Read from `$_POST,` and `$_POST` is passed to Request::createRequestFromFactory() in Request.php on line 281 Read from `$_POST,` and `$_POST` is passed to Request::createRequestFromFactory() in vendor/Request.php on line 281 `$request` is passed to Request::__construct() in vendor/Request.php on line 1939 `$request` is passed to Request::initialize() in vendor/Request.php on line 222 `$request` is passed to ParameterBag::__construct() in vendor/Request.php on line 240 ParameterBag::$parameters is assigned in vendor/ParameterBag.php on line 35 Tainted property ParameterBag::$parameters is read in vendor/ParameterBag.php on line 45 ParameterBag::all() returns tainted data, and `$files` is assigned in vendor/src/Illuminate/Http/Request.php on line 431 Data is passed through array_map() in vendor/src/Illuminate/Http/Request.php on line 454 Request::$convertedFiles is assigned in vendor/src/Illuminate/Http/Request.php on line 435 Tainted property Request::$convertedFiles is read in vendor/src/Illuminate/Http/Request.php on line 434 Request::allFiles() returns tainted data, and `$this->allFiles()` is passed through array_replace_recursive() in vendor/src/Illuminate/Http/Request.php on line 323 Request::all() returns tainted data in vendor/src/Illuminate/Http/Request.php on line 1015 Request::toArray() returns tainted data, and `$input->toArray()` is passed through array_merge() in app/Http/Controllers/Installation/EnvironmentController.php on line 99 Data is passed through filter_var_array() in vendor/app/Http/Controllers/Installation/EnvironmentController.php on line 139 `$results` is assigned in app/Http/Controllers/Installation/EnvironmentController.php on line 99 `$results` is assigned in app/Http/Controllers/Installation/EnvironmentController.php on line 100 `$key` is assigned in app/Http/Controllers/Installation/EnvironmentController.php on line 103 `$env` is assigned in app/Http/Controllers/Installation/EnvironmentController.php on line 104 EnvironmentController::flattenRequest() returns tainted data, and `$env` is assigned in app/Http/Controllers/Installation/EnvironmentController.php on line 69 `$env` is passed to EnvironmentController::saveFile() in app/Http/Controllers/Installation/EnvironmentController.php on line 70 3. Path: Read from `$_SERVER,` and `$server` is assigned in Request.php on line 271 Read from `$_SERVER,` and `$server` is assigned in vendor/Request.php on line 271 `$server` is passed to Request::createRequestFromFactory() in vendor/Request.php on line 281 `$server` is passed to Request::__construct() in vendor/Request.php on line 1939 `$server` is passed to Request::initialize() in vendor/Request.php on line 222 `$server` is passed to ParameterBag::__construct() in vendor/Request.php on line 245 ParameterBag::$parameters is assigned in vendor/ParameterBag.php on line 35 Tainted property ParameterBag::$parameters is read in vendor/ParameterBag.php on line 45 ParameterBag::all() returns tainted data, and `$files` is assigned in vendor/src/Illuminate/Http/Request.php on line 431 Data is passed through array_map() in vendor/src/Illuminate/Http/Request.php on line 454 Request::$convertedFiles is assigned in vendor/src/Illuminate/Http/Request.php on line 435 Tainted property Request::$convertedFiles is read in vendor/src/Illuminate/Http/Request.php on line 434 Request::allFiles() returns tainted data, and `$this->allFiles()` is passed through array_replace_recursive() in vendor/src/Illuminate/Http/Request.php on line 323 Request::all() returns tainted data in vendor/src/Illuminate/Http/Request.php on line 1015 Request::toArray() returns tainted data, and `$input->toArray()` is passed through array_merge() in app/Http/Controllers/Installation/EnvironmentController.php on line 99 Data is passed through filter_var_array() in vendor/app/Http/Controllers/Installation/EnvironmentController.php on line 139 `$results` is assigned in app/Http/Controllers/Installation/EnvironmentController.php on line 99 `$results` is assigned in app/Http/Controllers/Installation/EnvironmentController.php on line 100 `$key` is assigned in app/Http/Controllers/Installation/EnvironmentController.php on line 103 `$env` is assigned in app/Http/Controllers/Installation/EnvironmentController.php on line 104 EnvironmentController::flattenRequest() returns tainted data, and `$env` is assigned in app/Http/Controllers/Installation/EnvironmentController.php on line 69 `$env` is passed to EnvironmentController::saveFile() in app/Http/Controllers/Installation/EnvironmentController.php on line 70 4. Path: Fetching key `HTTP_CONTENT_LENGTH` from `$_SERVER,` and `$server` is assigned in Request.php on line 274 Fetching key `HTTP_CONTENT_LENGTH` from `$_SERVER,` and `$server` is assigned in vendor/Request.php on line 274 `$server` is passed to Request::createRequestFromFactory() in vendor/Request.php on line 281 `$server` is passed to Request::__construct() in vendor/Request.php on line 1939 `$server` is passed to Request::initialize() in vendor/Request.php on line 222 `$server` is passed to ParameterBag::__construct() in vendor/Request.php on line 245 ParameterBag::$parameters is assigned in vendor/ParameterBag.php on line 35 Tainted property ParameterBag::$parameters is read in vendor/ParameterBag.php on line 45 ParameterBag::all() returns tainted data, and `$files` is assigned in vendor/src/Illuminate/Http/Request.php on line 431 Data is passed through array_map() in vendor/src/Illuminate/Http/Request.php on line 454 Request::$convertedFiles is assigned in vendor/src/Illuminate/Http/Request.php on line 435 Tainted property Request::$convertedFiles is read in vendor/src/Illuminate/Http/Request.php on line 434 Request::allFiles() returns tainted data, and `$this->allFiles()` is passed through array_replace_recursive() in vendor/src/Illuminate/Http/Request.php on line 323 Request::all() returns tainted data in vendor/src/Illuminate/Http/Request.php on line 1015 Request::toArray() returns tainted data, and `$input->toArray()` is passed through array_merge() in app/Http/Controllers/Installation/EnvironmentController.php on line 99 Data is passed through filter_var_array() in vendor/app/Http/Controllers/Installation/EnvironmentController.php on line 139 `$results` is assigned in app/Http/Controllers/Installation/EnvironmentController.php on line 99 `$results` is assigned in app/Http/Controllers/Installation/EnvironmentController.php on line 100 `$key` is assigned in app/Http/Controllers/Installation/EnvironmentController.php on line 103 `$env` is assigned in app/Http/Controllers/Installation/EnvironmentController.php on line 104 EnvironmentController::flattenRequest() returns tainted data, and `$env` is assigned in app/Http/Controllers/Installation/EnvironmentController.php on line 69 `$env` is passed to EnvironmentController::saveFile() in app/Http/Controllers/Installation/EnvironmentController.php on line 70 5. Path: Fetching key `HTTP_CONTENT_TYPE` from `$_SERVER,` and `$server` is assigned in Request.php on line 277 Fetching key `HTTP_CONTENT_TYPE` from `$_SERVER,` and `$server` is assigned in vendor/Request.php on line 277 `$server` is passed to Request::createRequestFromFactory() in vendor/Request.php on line 281 `$server` is passed to Request::__construct() in vendor/Request.php on line 1939 `$server` is passed to Request::initialize() in vendor/Request.php on line 222 `$server` is passed to ParameterBag::__construct() in vendor/Request.php on line 245 ParameterBag::$parameters is assigned in vendor/ParameterBag.php on line 35 Tainted property ParameterBag::$parameters is read in vendor/ParameterBag.php on line 45 ParameterBag::all() returns tainted data, and `$files` is assigned in vendor/src/Illuminate/Http/Request.php on line 431 Data is passed through array_map() in vendor/src/Illuminate/Http/Request.php on line 454 Request::$convertedFiles is assigned in vendor/src/Illuminate/Http/Request.php on line 435 Tainted property Request::$convertedFiles is read in vendor/src/Illuminate/Http/Request.php on line 434 Request::allFiles() returns tainted data, and `$this->allFiles()` is passed through array_replace_recursive() in vendor/src/Illuminate/Http/Request.php on line 323 Request::all() returns tainted data in vendor/src/Illuminate/Http/Request.php on line 1015 Request::toArray() returns tainted data, and `$input->toArray()` is passed through array_merge() in app/Http/Controllers/Installation/EnvironmentController.php on line 99 Data is passed through filter_var_array() in vendor/app/Http/Controllers/Installation/EnvironmentController.php on line 139 `$results` is assigned in app/Http/Controllers/Installation/EnvironmentController.php on line 99 `$results` is assigned in app/Http/Controllers/Installation/EnvironmentController.php on line 100 `$key` is assigned in app/Http/Controllers/Installation/EnvironmentController.php on line 103 `$env` is assigned in app/Http/Controllers/Installation/EnvironmentController.php on line 104 EnvironmentController::flattenRequest() returns tainted data, and `$env` is assigned in app/Http/Controllers/Installation/EnvironmentController.php on line 69 `$env` is passed to EnvironmentController::saveFile() in app/Http/Controllers/Installation/EnvironmentController.php on line 70 6. Path: `$server['HTTP_HOST']` seems to return tainted data, and `$server` is assigned in Request.php on line 347 `$server['HTTP_HOST']` seems to return tainted data, and `$server` is assigned in vendor/Request.php on line 347 `$server` is assigned in vendor/Request.php on line 395 `$server` is assigned in vendor/Request.php on line 396 `$server` is passed to Request::createRequestFromFactory() in vendor/Request.php on line 398 `$server` is passed to Request::__construct() in vendor/Request.php on line 1939 `$server` is passed to Request::initialize() in vendor/Request.php on line 222 `$server` is passed to ParameterBag::__construct() in vendor/Request.php on line 245 ParameterBag::$parameters is assigned in vendor/ParameterBag.php on line 35 Tainted property ParameterBag::$parameters is read in vendor/ParameterBag.php on line 45 ParameterBag::all() returns tainted data, and `$files` is assigned in vendor/src/Illuminate/Http/Request.php on line 431 Data is passed through array_map() in vendor/src/Illuminate/Http/Request.php on line 454 Request::$convertedFiles is assigned in vendor/src/Illuminate/Http/Request.php on line 435 Tainted property Request::$convertedFiles is read in vendor/src/Illuminate/Http/Request.php on line 434 Request::allFiles() returns tainted data, and `$this->allFiles()` is passed through array_replace_recursive() in vendor/src/Illuminate/Http/Request.php on line 323 Request::all() returns tainted data in vendor/src/Illuminate/Http/Request.php on line 1015 Request::toArray() returns tainted data, and `$input->toArray()` is passed through array_merge() in app/Http/Controllers/Installation/EnvironmentController.php on line 99 Data is passed through filter_var_array() in vendor/app/Http/Controllers/Installation/EnvironmentController.php on line 139 `$results` is assigned in app/Http/Controllers/Installation/EnvironmentController.php on line 99 `$results` is assigned in app/Http/Controllers/Installation/EnvironmentController.php on line 100 `$key` is assigned in app/Http/Controllers/Installation/EnvironmentController.php on line 103 `$env` is assigned in app/Http/Controllers/Installation/EnvironmentController.php on line 104 EnvironmentController::flattenRequest() returns tainted data, and `$env` is assigned in app/Http/Controllers/Installation/EnvironmentController.php on line 69 `$env` is passed to EnvironmentController::saveFile() in app/Http/Controllers/Installation/EnvironmentController.php on line 70 7. Path: `$this->parameters['PHP_AUTH_USER']` seems to return tainted data, and `$headers` is assigned in ServerBag.php on line 43 `$this->parameters['PHP_AUTH_USER']` seems to return tainted data, and `$headers` is assigned in vendor/ServerBag.php on line 43 `$headers` is assigned in vendor/ServerBag.php on line 44 ServerBag::getHeaders() returns tainted data, and `$this->server->getHeaders()` is passed to HeaderBag::__construct() in vendor/Request.php on line 246 `$values` is assigned in vendor/HeaderBag.php on line 31 `$values` is passed to HeaderBag::set() in vendor/HeaderBag.php on line 32 `(array) $values` is passed through array_values(), and `$values` is assigned in vendor/HeaderBag.php on line 142 HeaderBag::$headers is assigned in vendor/HeaderBag.php on line 145 Tainted property HeaderBag::$headers is read in vendor/HeaderBag.php on line 125 HeaderBag::get() returns tainted data, and `$requestUri` is assigned in vendor/Request.php on line 1709 `$requestUri` is passed to ParameterBag::set() in vendor/Request.php on line 1740 ParameterBag::$parameters is assigned in vendor/ParameterBag.php on line 99 Tainted property ParameterBag::$parameters is read in vendor/ParameterBag.php on line 45 ParameterBag::all() returns tainted data, and `$files` is assigned in vendor/src/Illuminate/Http/Request.php on line 431 Data is passed through array_map() in vendor/src/Illuminate/Http/Request.php on line 454 Request::$convertedFiles is assigned in vendor/src/Illuminate/Http/Request.php on line 435 Tainted property Request::$convertedFiles is read in vendor/src/Illuminate/Http/Request.php on line 434 Request::allFiles() returns tainted data, and `$this->allFiles()` is passed through array_replace_recursive() in vendor/src/Illuminate/Http/Request.php on line 323 Request::all() returns tainted data in vendor/src/Illuminate/Http/Request.php on line 1015 Request::toArray() returns tainted data, and `$input->toArray()` is passed through array_merge() in app/Http/Controllers/Installation/EnvironmentController.php on line 99 Data is passed through filter_var_array() in vendor/app/Http/Controllers/Installation/EnvironmentController.php on line 139 `$results` is assigned in app/Http/Controllers/Installation/EnvironmentController.php on line 99 `$results` is assigned in app/Http/Controllers/Installation/EnvironmentController.php on line 100 `$key` is assigned in app/Http/Controllers/Installation/EnvironmentController.php on line 103 `$env` is assigned in app/Http/Controllers/Installation/EnvironmentController.php on line 104 EnvironmentController::flattenRequest() returns tainted data, and `$env` is assigned in app/Http/Controllers/Installation/EnvironmentController.php on line 69 `$env` is passed to EnvironmentController::saveFile() in app/Http/Controllers/Installation/EnvironmentController.php on line 70 8. Path: `$this->parameters['PHP_AUTH_PW']` seems to return tainted data, and `$headers` is assigned in ServerBag.php on line 44 `$this->parameters['PHP_AUTH_PW']` seems to return tainted data, and `$headers` is assigned in vendor/ServerBag.php on line 44 ServerBag::getHeaders() returns tainted data, and `$this->server->getHeaders()` is passed to HeaderBag::__construct() in vendor/Request.php on line 246 `$values` is assigned in vendor/HeaderBag.php on line 31 `$values` is passed to HeaderBag::set() in vendor/HeaderBag.php on line 32 `(array) $values` is passed through array_values(), and `$values` is assigned in vendor/HeaderBag.php on line 142 HeaderBag::$headers is assigned in vendor/HeaderBag.php on line 145 Tainted property HeaderBag::$headers is read in vendor/HeaderBag.php on line 125 HeaderBag::get() returns tainted data, and `$requestUri` is assigned in vendor/Request.php on line 1709 `$requestUri` is passed to ParameterBag::set() in vendor/Request.php on line 1740 ParameterBag::$parameters is assigned in vendor/ParameterBag.php on line 99 Tainted property ParameterBag::$parameters is read in vendor/ParameterBag.php on line 45 ParameterBag::all() returns tainted data, and `$files` is assigned in vendor/src/Illuminate/Http/Request.php on line 431 Data is passed through array_map() in vendor/src/Illuminate/Http/Request.php on line 454 Request::$convertedFiles is assigned in vendor/src/Illuminate/Http/Request.php on line 435 Tainted property Request::$convertedFiles is read in vendor/src/Illuminate/Http/Request.php on line 434 Request::allFiles() returns tainted data, and `$this->allFiles()` is passed through array_replace_recursive() in vendor/src/Illuminate/Http/Request.php on line 323 Request::all() returns tainted data in vendor/src/Illuminate/Http/Request.php on line 1015 Request::toArray() returns tainted data, and `$input->toArray()` is passed through array_merge() in app/Http/Controllers/Installation/EnvironmentController.php on line 99 Data is passed through filter_var_array() in vendor/app/Http/Controllers/Installation/EnvironmentController.php on line 139 `$results` is assigned in app/Http/Controllers/Installation/EnvironmentController.php on line 99 `$results` is assigned in app/Http/Controllers/Installation/EnvironmentController.php on line 100 `$key` is assigned in app/Http/Controllers/Installation/EnvironmentController.php on line 103 `$env` is assigned in app/Http/Controllers/Installation/EnvironmentController.php on line 104 EnvironmentController::flattenRequest() returns tainted data, and `$env` is assigned in app/Http/Controllers/Installation/EnvironmentController.php on line 69 `$env` is passed to EnvironmentController::saveFile() in app/Http/Controllers/Installation/EnvironmentController.php on line 70 General Strategies to prevent injection In general, it is advisable to prevent any user-data to reach this point. This can be done by white-listing certain values: if ( ! in_array($value, array('this-is-allowed', 'and-this-too'), true)) { throw new \InvalidArgumentException('This input is not allowed.'); } For numeric data, we recommend to explicitly cast the data: $sanitized = (integer) $tainted; Loading history...
123			} catch (Exception $e) {
124			$message = trans('messages.environment.errors');
125			}
126
127			return $message;
128			}
129
130			private function removeQuotes($string)
131			{
132			$string = str_replace('"', '', $string);
133
134			return str_replace("'", '', $string);
135			}
136
137			private function scrubInput($array)
138			{
139			$array = filter_var_array($array, $this->envSetup);
140			foreach ($array as $key => $value) {
141			if( !in_array($key, array_keys($this->envSetup))) {
142			unset($array[$key]);
143			}
144			}
145			return $array;
146			}
147			}
148

scci / security-employee-tracker

Push — 16145-Improve-Installer ( 55c7bc...c82547 )

EnvironmentController::store() A

Complexity

Size

Duplication

Importance

8 paths for user data to reach this point

General Strategies to prevent injection

Duplication Side-by-Side

Filter issues like