Cookie::validateSameSite() - Code Metrics - Inspection of "ENH Add samesite attribute to cookies." - silverstripe/silverstripe-framework - Measure and Improve Code Quality continuously with Scrutinizer

Passed

Pull Request — 4 (#10335)

by Guy

created 2022-06-01 04:41 UTC

Cookie::validateSameSite() A

↳ Parent: Cookie

Complexity

Conditions	4
Paths	3

Size

Total Lines	12
Code Lines	8

Duplication

Lines	0
Ratio	0 %

Importance

Changes

Metric	Value
cc	4
eloc	8
nc	3
nop	1
dl	0
loc	12
rs	10
c	0
b	0
f	0

<?php

namespace SilverStripe\Control;

use LogicException;
use Psr\Log\LoggerInterface;
use SilverStripe\Core\Config\Configurable;
use SilverStripe\Core\Injector\Injector;

/**
 * A set of static methods for manipulating cookies.
 */
class Cookie
{
    use Configurable;

    /**
     * @config
     *
     * @var bool
     */
    private static $report_errors = true;


    /**
     * Must be "Strict", "Lax", or "None"
     * @config
     */
    private static string $default_samesite = 'Lax';


    /**
     * Fetch the current instance of the cookie backend.
     *
     * @return Cookie_Backend
     */
    public static function get_inst()
    {
        return Injector::inst()->get('SilverStripe\\Control\\Cookie_Backend');
    }

    /**
     * Set a cookie variable.
     *
     * Expiry time is set in days, and defaults to 90.
     *
     * @param string $name
     * @param mixed $value
     * @param float $expiry
     * @param string $path
     * @param string $domain
     * @param bool $secure
     * @param bool $httpOnly
     *
     * See http://php.net/set_session
     */
    public static function set(
        $name,
        $value,
        $expiry = 90,
        $path = null,
        $domain = null,
        $secure = false,
        $httpOnly = true
    ) {
        return self::get_inst()->set($name, $value, $expiry, $path, $domain, $secure, $httpOnly);
    }

    /**
     * Get the cookie value by name. Returns null if not set.
     *
     * @param string $name
     * @param bool $includeUnsent
     *
     * @return null|string
     */
    public static function get($name, $includeUnsent = true)
    {
        return self::get_inst()->get($name, $includeUnsent);
    }

    /**
     * Get all the cookies.
     *
     * @param bool $includeUnsent
     *
     * @return array
     */
    public static function get_all($includeUnsent = true)
    {
        return self::get_inst()->getAll($includeUnsent);
    }

    /**
     * @param string $name
     * @param null|string $path
     * @param null|string $domain
     * @param bool $secure
     * @param bool $httpOnly
     */
    public static function force_expiry($name, $path = null, $domain = null, $secure = false, $httpOnly = true)
    {
        return self::get_inst()->forceExpiry($name, $path, $domain, $secure, $httpOnly);
    }

    /**
     * Validate if the samesite value for a cookie is valid for the current request.
     *
     * Logs a warning if the samesite value is "None" for a non-https request.
     * @throws LogicException if the value is not "Strict", "Lax", or "None".
     */
    public static function validateSameSite(string $sameSite): void
    {
        $validValues = [
            'Strict',
            'Lax',
            'None',
        ];
        if (!in_array($sameSite, $validValues)) {
            throw new LogicException('Cookie samesite must be "Strict", "Lax", or "None"');
        }
        if ($sameSite === 'None' && !Director::is_https(self::getRequest())) {
            Injector::inst()->get(LoggerInterface::class)->warning('Cookie samesite cannot be "None" for non-https requests.');
        }
    }

    /**
     * Get the current request, if any.
     */
    private static function getRequest(): ?HTTPRequest
    {
        $request = null;
        if (Controller::has_curr()) {
            $request = Controller::curr()->getRequest();
        }
        // NullHTTPRequest always has a scheme of http - set to null so we can fallback on default_base_url
        return ($request instanceof NullHTTPRequest) ? null : $request;
    }
}


1			<?php
2
3			namespace SilverStripe\Control;
4
5			use LogicException;
6			use Psr\Log\LoggerInterface;
7			use SilverStripe\Core\Config\Configurable;
8			use SilverStripe\Core\Injector\Injector;
9
10			/**
11			* A set of static methods for manipulating cookies.
12			*/
13			class Cookie
14			{
15			use Configurable;
16
17			/**
18			* @config
19			*
20			* @var bool
21			*/
22			private static $report_errors = true;
			0 ignored issues – show introduced 2017-11-28 04:26 UTC by Report Bug Copy Issue Report The private property `$report_errors` is not used, and could be removed. Loading history...
23
24			/**
25			* Must be "Strict", "Lax", or "None"
26			* @config
27			*/
28			private static string $default_samesite = 'Lax';
			0 ignored issues – show introduced 2022-05-26 05:23 UTC by Report Bug Copy Issue Report The private property `$default_samesite` is not used, and could be removed. Loading history...
29
30			/**
31			* Fetch the current instance of the cookie backend.
32			*
33			* @return Cookie_Backend
34			*/
35			public static function get_inst()
36			{
37			return Injector::inst()->get('SilverStripe\\Control\\Cookie_Backend');
38			}
39
40			/**
41			* Set a cookie variable.
42			*
43			* Expiry time is set in days, and defaults to 90.
44			*
45			* @param string $name
46			* @param mixed $value
47			* @param float $expiry
48			* @param string $path
49			* @param string $domain
50			* @param bool $secure
51			* @param bool $httpOnly
52			*
53			* See http://php.net/set_session
54			*/
55			public static function set(
56			$name,
57			$value,
58			$expiry = 90,
59			$path = null,
60			$domain = null,
61			$secure = false,
62			$httpOnly = true
63			) {
64			return self::get_inst()->set($name, $value, $expiry, $path, $domain, $secure, $httpOnly);
65			}
66
67			/**
68			* Get the cookie value by name. Returns null if not set.
69			*
70			* @param string $name
71			* @param bool $includeUnsent
72			*
73			* @return null\|string
74			*/
75			public static function get($name, $includeUnsent = true)
76			{
77			return self::get_inst()->get($name, $includeUnsent);
78			}
79
80			/**
81			* Get all the cookies.
82			*
83			* @param bool $includeUnsent
84			*
85			* @return array
86			*/
87			public static function get_all($includeUnsent = true)
88			{
89			return self::get_inst()->getAll($includeUnsent);
90			}
91
92			/**
93			* @param string $name
94			* @param null\|string $path
95			* @param null\|string $domain
96			* @param bool $secure
97			* @param bool $httpOnly
98			*/
99			public static function force_expiry($name, $path = null, $domain = null, $secure = false, $httpOnly = true)
100			{
101			return self::get_inst()->forceExpiry($name, $path, $domain, $secure, $httpOnly);
102			}
103
104			/**
105			* Validate if the samesite value for a cookie is valid for the current request.
106			*
107			* Logs a warning if the samesite value is "None" for a non-https request.
108			* @throws LogicException if the value is not "Strict", "Lax", or "None".
109			*/
110			public static function validateSameSite(string $sameSite): void
111			{
112			$validValues = [
113			'Strict',
114			'Lax',
115			'None',
116			];
117			if (!in_array($sameSite, $validValues)) {
118			throw new LogicException('Cookie samesite must be "Strict", "Lax", or "None"');
119			}
120			if ($sameSite === 'None' && !Director::is_https(self::getRequest())) {
121			Injector::inst()->get(LoggerInterface::class)->warning('Cookie samesite cannot be "None" for non-https requests.');
122			}
123			}
124
125			/**
126			* Get the current request, if any.
127			*/
128			private static function getRequest(): ?HTTPRequest
129			{
130			$request = null;
131			if (Controller::has_curr()) {
132			$request = Controller::curr()->getRequest();
133			}
134			// NullHTTPRequest always has a scheme of http - set to null so we can fallback on default_base_url
135			return ($request instanceof NullHTTPRequest) ? null : $request;
136			}
137			}
138

silverstripe / silverstripe-framework

Pull Request — 4 (#10335)

Cookie::validateSameSite() A

Complexity

Size

Duplication

Importance

Duplication Side-by-Side

Filter issues like