Issues in FileProvider.php (master) - Issues in master - sonata-project/SonataMediaBundle - Measure and Improve Code Quality continuously with Scrutinizer

Issues (234)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Provider/FileProvider.php (3 issues)

Labels

Severity

Major 3

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

declare(strict_types=1);

/*
 * This file is part of the Sonata Project package.
 *
 * (c) Thomas Rabaix <[email protected]>
 *
 * For the full copyright and license information, please view the LICENSE
 * file that was distributed with this source code.
 */

namespace Sonata\MediaBundle\Provider;

use Gaufrette\Filesystem;
use Sonata\AdminBundle\Form\FormMapper;
use Sonata\Form\Validator\ErrorElement;
use Sonata\MediaBundle\CDN\CDNInterface;
use Sonata\MediaBundle\Extra\ApiMediaFile;
use Sonata\MediaBundle\Filesystem\Local;
use Sonata\MediaBundle\Generator\GeneratorInterface;
use Sonata\MediaBundle\Metadata\MetadataBuilderInterface;
use Sonata\MediaBundle\Model\MediaInterface;
use Sonata\MediaBundle\Thumbnail\ThumbnailInterface;
use Symfony\Component\Form\Extension\Core\Type\FileType;
use Symfony\Component\Form\FormBuilder;
use Symfony\Component\HttpFoundation\BinaryFileResponse;
use Symfony\Component\HttpFoundation\File\Exception\UploadException;
use Symfony\Component\HttpFoundation\File\File;
use Symfony\Component\HttpFoundation\File\UploadedFile;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\StreamedResponse;
use Symfony\Component\Mime\MimeTypes;
use Symfony\Component\Validator\Constraints\NotBlank;
use Symfony\Component\Validator\Constraints\NotNull;

/**
 * @final since sonata-project/media-bundle 3.21.0
 */
class FileProvider extends BaseProvider implements FileProviderInterface
{
    protected $allowedExtensions;

    protected $allowedMimeTypes;

    protected $metadata;

    /**
     * @param string                   $name
     * @param MetadataBuilderInterface $metadata
     */
    public function __construct($name, Filesystem $filesystem, CDNInterface $cdn, GeneratorInterface $pathGenerator, ThumbnailInterface $thumbnail, array $allowedExtensions = [], array $allowedMimeTypes = [], ?MetadataBuilderInterface $metadata = null)
    {
        parent::__construct($name, $filesystem, $cdn, $pathGenerator, $thumbnail);

        $this->allowedExtensions = $allowedExtensions;
        $this->allowedMimeTypes = $allowedMimeTypes;
        $this->metadata = $metadata;
    }

    public function getProviderMetadata()
    {
        return new Metadata(
            $this->getName(),
            $this->getName().'.description',
            null,
            'SonataMediaBundle',
            ['class' => 'fa fa-file-text-o']
        );
    }

    public function getReferenceImage(MediaInterface $media)
    {
        return sprintf(
            '%s/%s',
            $this->generatePath($media),
            $media->getProviderReference()
        );
    }

    public function getReferenceFile(MediaInterface $media)
    {
        return $this->getFilesystem()->get($this->getReferenceImage($media), true);
    }

    /**
     * @return string[]
     */
    public function getAllowedExtensions()
    {
        return $this->allowedExtensions;
    }

    /**
     * @return string[]
     */
    public function getAllowedMimeTypes()
    {
        return $this->allowedMimeTypes;
    }

    public function buildEditForm(FormMapper $formMapper): void
    {
        $formMapper->add('name');
        $formMapper->add('enabled', null, ['required' => false]);
        $formMapper->add('authorName');
        $formMapper->add('cdnIsFlushable');
        $formMapper->add('description');
        $formMapper->add('copyright');
        $formMapper->add('binaryContent', FileType::class, ['required' => false]);
    }

    public function buildCreateForm(FormMapper $formMapper): void
    {
        $formMapper->add('binaryContent', FileType::class, [
            'constraints' => [
                new NotBlank(),
                new NotNull(),
            ],
        ]);
    }

    public function buildMediaType(FormBuilder $formBuilder): void
    {
        if ('api' === $formBuilder->getOption('context')) {
            $formBuilder->add('binaryContent', FileType::class);
            $formBuilder->add('contentType');
        } else {
            $formBuilder->add('binaryContent', FileType::class, [
                'required' => false,
                'label' => 'widget_label_binary_content',
            ]);
        }
    }

    public function postPersist(MediaInterface $media): void
    {
        if (null === $media->getBinaryContent()) {
            return;
        }

        $this->setFileContents($media);

        $this->generateThumbnails($media);

        $media->resetBinaryContent();
    }

    public function postUpdate(MediaInterface $media): void
    {
        if (!$media->getBinaryContent() instanceof \SplFileInfo) {
            return;
        }

        // Delete the current file from the FS
        $oldMedia = clone $media;
        // if no previous reference is provided, it prevents
        // Filesystem from trying to remove a directory
        if (null !== $media->getPreviousProviderReference()) {
            $oldMedia->setProviderReference($media->getPreviousProviderReference());

            $path = $this->getReferenceImage($oldMedia);

            if ($this->getFilesystem()->has($path)) {
                $this->getFilesystem()->delete($path);
            }
        }

        $this->fixBinaryContent($media);

        $this->setFileContents($media);

        $this->generateThumbnails($media);

        $media->resetBinaryContent();
    }

    public function updateMetadata(MediaInterface $media, $force = true): void
    {
        if (!$media->getBinaryContent() instanceof \SplFileInfo) {
            // this is now optimized at all!!!
            $path = tempnam(sys_get_temp_dir(), 'sonata_update_metadata_');
            $fileObject = new \SplFileObject($path, 'w');
            $fileObject->fwrite($this->getReferenceFile($media)->getContent());
        } else {
            $fileObject = $media->getBinaryContent();
        }

        $media->setSize($fileObject->getSize());
    }

    public function generatePublicUrl(MediaInterface $media, $format)
    {
        if (MediaProviderInterface::FORMAT_REFERENCE === $format) {
            $path = $this->getReferenceImage($media);
        } else {
            // @todo: fix the asset path
            $path = sprintf('sonatamedia/files/%s/file.png', $format);
        }

        return $this->getCdn()->getPath($path, $media->getCdnIsFlushable());
    }

    public function getHelperProperties(MediaInterface $media, $format, $options = [])
    {
        return array_merge([
            'title' => $media->getName(),
            'thumbnail' => $this->getReferenceImage($media),
            'file' => $this->getReferenceImage($media),
        ], $options);
    }

    public function generatePrivateUrl(MediaInterface $media, $format)
    {
        if (MediaProviderInterface::FORMAT_REFERENCE === $format) {
            return $this->getReferenceImage($media);
        }

        return false;
class Author {
    private $name;

    public function __construct($name) {
        $this->name = $name;
    }

    public function getName() {
        return $this->name;
    }
}

abstract class Post {
    public function getAuthor() {
        return 'Johannes';
    }
}

class BlogPost extends Post {
    public function getAuthor() {
        return new Author('Johannes');
    }
}

class ForumPost extends Post { /* ... */ }

function my_function(Post $post) {
    echo strtoupper($post->getAuthor());
}
    }

    public function getDownloadResponse(MediaInterface $media, $format, $mode, array $headers = [])
    {
        // build the default headers
        $headers = array_merge([
            'Content-Type' => $media->getContentType(),
            'Content-Disposition' => sprintf('attachment; filename="%s"', $media->getMetadataValue('filename')),
        ], $headers);

        if (!\in_array($mode, ['http', 'X-Sendfile', 'X-Accel-Redirect'], true)) {
            throw new \RuntimeException('Invalid mode provided');
        }

        if ('http' === $mode) {
            if (MediaProviderInterface::FORMAT_REFERENCE === $format) {
                $file = $this->getReferenceFile($media);
            } else {
                $file = $this->getFilesystem()->get($this->generatePrivateUrl($media, $format));

            }

            return new StreamedResponse(static function () use ($file): void {
                echo $file->getContent();
            }, 200, $headers);
        }

        if (!$this->getFilesystem()->getAdapter() instanceof Local) {
            throw new \RuntimeException('Cannot use X-Sendfile or X-Accel-Redirect with non \Sonata\MediaBundle\Filesystem\Local');
        }

        $filename = sprintf(
            '%s/%s',
            $this->getFilesystem()->getAdapter()->getDirectory(),
            $this->generatePrivateUrl($media, $format)
        );

        return new BinaryFileResponse($filename, 200, $headers);
    }

    public function validate(ErrorElement $errorElement, MediaInterface $media): void
    {
        if (!$media->getBinaryContent() instanceof \SplFileInfo) {
            return;
        }

        if ($media->getBinaryContent() instanceof UploadedFile) {
            $fileName = $media->getBinaryContent()->getClientOriginalName();
        } elseif ($media->getBinaryContent() instanceof File) {
            $fileName = $media->getBinaryContent()->getFilename();
        } else {
            throw new \RuntimeException(sprintf('Invalid binary content type: %s', \get_class($media->getBinaryContent())));
        }

        if ($media->getBinaryContent() instanceof UploadedFile && 0 === ($media->getBinaryContent()->getSize() ?: 0)) {
            $errorElement
                ->with('binaryContent')
                    ->addViolation(
                        'The file is too big, max size: %maxFileSize%',
                        ['%maxFileSize%' => ini_get('upload_max_filesize')]
                    )
                ->end();
        }

        if (!\in_array(strtolower(pathinfo($fileName, PATHINFO_EXTENSION)), $this->allowedExtensions, true)) {
            $errorElement
                ->with('binaryContent')
                ->addViolation('Invalid extensions')
                ->end();
        }

        if ('' !== $media->getBinaryContent()->getFilename() && !\in_array($media->getBinaryContent()->getMimeType(), $this->allowedMimeTypes, true)) {
            $errorElement
                ->with('binaryContent')
                    ->addViolation('Invalid mime type : %type%', ['%type%' => $media->getBinaryContent()->getMimeType()])
                ->end();
        }
    }

    protected function fixBinaryContent(MediaInterface $media): void
    {
        if (null === $media->getBinaryContent() || $media->getBinaryContent() instanceof File) {
            return;
        }

        if ($media->getBinaryContent() instanceof Request) {
            $this->generateBinaryFromRequest($media);
            $this->updateMetadata($media);

            return;
        }

        // if the binary content is a filename => convert to a valid File
        if (!is_file($media->getBinaryContent())) {
            throw new \RuntimeException('The file does not exist : '.$media->getBinaryContent());
        }

        $binaryContent = new File($media->getBinaryContent());
        $media->setBinaryContent($binaryContent);
    }

    /**
     * @throws \RuntimeException
     */
    protected function fixFilename(MediaInterface $media): void
    {
        if ($media->getBinaryContent() instanceof UploadedFile) {
            $media->setName($media->getName() ?: $media->getBinaryContent()->getClientOriginalName());
            $media->setMetadataValue('filename', $media->getBinaryContent()->getClientOriginalName());
        } elseif ($media->getBinaryContent() instanceof File) {
            $media->setName($media->getName() ?: $media->getBinaryContent()->getBasename());
            $media->setMetadataValue('filename', $media->getBinaryContent()->getBasename());
        }

        // this is the original name
        if (!$media->getName()) {
            throw new \RuntimeException('Please define a valid media\'s name');
        }
    }

    protected function doTransform(MediaInterface $media): void
    {
        $this->fixBinaryContent($media);
        $this->fixFilename($media);

        if ($media->getBinaryContent() instanceof UploadedFile && 0 === $media->getBinaryContent()->getSize()) {
            $media->setProviderReference(uniqid($media->getName(), true));
            $media->setProviderStatus(MediaInterface::STATUS_ERROR);

            throw new UploadException('The uploaded file is not found');
        }

        // this is the name used to store the file
        if (!$media->getProviderReference() ||
            MediaInterface::MISSING_BINARY_REFERENCE === $media->getProviderReference()
        ) {
            $media->setProviderReference($this->generateReferenceName($media));
        }

        if ($media->getBinaryContent() instanceof File) {
            $media->setContentType($media->getBinaryContent()->getMimeType());
            $media->setSize($media->getBinaryContent()->getSize());
        }

        $media->setProviderStatus(MediaInterface::STATUS_OK);
    }

    /**
     * Set the file contents for an image.
     *
     * @param string $contents path to contents, defaults to MediaInterface BinaryContent
     */
    protected function setFileContents(MediaInterface $media, $contents = null): void
    {
        $file = $this->getFilesystem()->get(sprintf('%s/%s', $this->generatePath($media), $media->getProviderReference()), true);
        $metadata = $this->metadata ? $this->metadata->get($media, $file->getName()) : [];

        if ($contents) {
''   == false // true
''   == null  // true
'ab' == false // false
'ab' == null  // false

// It is often better to use strict comparison
'' === false // false
'' === null  // false
            $file->setContent($contents, $metadata);

            return;
        }

        $binaryContent = $media->getBinaryContent();
        if ($binaryContent instanceof File) {
            $path = $binaryContent->getRealPath() ?: $binaryContent->getPathname();
            $file->setContent(file_get_contents($path), $metadata);

            return;
        }
    }

    /**
     * @return string
     */
    protected function generateReferenceName(MediaInterface $media)
    {
        return $this->generateMediaUniqId($media).'.'.$media->getBinaryContent()->guessExtension();
    }

    /**
     * @return string
     */
    protected function generateMediaUniqId(MediaInterface $media)
    {
        return sha1($media->getName().uniqid().random_int(11111, 99999));
    }

    /**
     * Set media binary content according to request content.
     */
    protected function generateBinaryFromRequest(MediaInterface $media): void
    {
        if (!$media->getContentType()) {
            throw new \RuntimeException(
                'You must provide the content type value for your media before setting the binary content'
            );
        }

        $request = $media->getBinaryContent();

        if (!$request instanceof Request) {
            throw new \RuntimeException('Expected Request in binary content');
        }

        $content = $request->getContent();

        // create unique id for media reference
        $guesser = MimeTypes::getDefault();
        $extensions = $guesser->getExtensions($media->getContentType());
        $extension = $extensions[0] ?? null;

        if (!$extension) {
            throw new \RuntimeException(
                sprintf('Unable to guess extension for content type %s', $media->getContentType())
            );
        }

        $handle = tmpfile();
        fwrite($handle, $content);
        $file = new ApiMediaFile($handle);
        $file->setExtension($extension);
        $file->setMimetype($media->getContentType());

        $media->setBinaryContent($file);
    }
}


1			<?php
2
3			declare(strict_types=1);
4
5			/*
6			* This file is part of the Sonata Project package.
7			*
8			* (c) Thomas Rabaix <[email protected]>
9			*
10			* For the full copyright and license information, please view the LICENSE
11			* file that was distributed with this source code.
12			*/
13
14			namespace Sonata\MediaBundle\Provider;
15
16			use Gaufrette\Filesystem;
17			use Sonata\AdminBundle\Form\FormMapper;
18			use Sonata\Form\Validator\ErrorElement;
19			use Sonata\MediaBundle\CDN\CDNInterface;
20			use Sonata\MediaBundle\Extra\ApiMediaFile;
21			use Sonata\MediaBundle\Filesystem\Local;
22			use Sonata\MediaBundle\Generator\GeneratorInterface;
23			use Sonata\MediaBundle\Metadata\MetadataBuilderInterface;
24			use Sonata\MediaBundle\Model\MediaInterface;
25			use Sonata\MediaBundle\Thumbnail\ThumbnailInterface;
26			use Symfony\Component\Form\Extension\Core\Type\FileType;
27			use Symfony\Component\Form\FormBuilder;
28			use Symfony\Component\HttpFoundation\BinaryFileResponse;
29			use Symfony\Component\HttpFoundation\File\Exception\UploadException;
30			use Symfony\Component\HttpFoundation\File\File;
31			use Symfony\Component\HttpFoundation\File\UploadedFile;
32			use Symfony\Component\HttpFoundation\Request;
33			use Symfony\Component\HttpFoundation\StreamedResponse;
34			use Symfony\Component\Mime\MimeTypes;
35			use Symfony\Component\Validator\Constraints\NotBlank;
36			use Symfony\Component\Validator\Constraints\NotNull;
37
38			/**
39			* @final since sonata-project/media-bundle 3.21.0
40			*/
41			class FileProvider extends BaseProvider implements FileProviderInterface
42			{
43			protected $allowedExtensions;
44
45			protected $allowedMimeTypes;
46
47			protected $metadata;
48
49			/**
50			* @param string $name
51			* @param MetadataBuilderInterface $metadata
52			*/
53			public function __construct($name, Filesystem $filesystem, CDNInterface $cdn, GeneratorInterface $pathGenerator, ThumbnailInterface $thumbnail, array $allowedExtensions = [], array $allowedMimeTypes = [], ?MetadataBuilderInterface $metadata = null)
54			{
55			parent::__construct($name, $filesystem, $cdn, $pathGenerator, $thumbnail);
56
57			$this->allowedExtensions = $allowedExtensions;
58			$this->allowedMimeTypes = $allowedMimeTypes;
59			$this->metadata = $metadata;
60			}
61
62			public function getProviderMetadata()
63			{
64			return new Metadata(
65			$this->getName(),
66			$this->getName().'.description',
67			null,
68			'SonataMediaBundle',
69			['class' => 'fa fa-file-text-o']
70			);
71			}
72
73			public function getReferenceImage(MediaInterface $media)
74			{
75			return sprintf(
76			'%s/%s',
77			$this->generatePath($media),
78			$media->getProviderReference()
79			);
80			}
81
82			public function getReferenceFile(MediaInterface $media)
83			{
84			return $this->getFilesystem()->get($this->getReferenceImage($media), true);
85			}
86
87			/**
88			* @return string[]
89			*/
90			public function getAllowedExtensions()
91			{
92			return $this->allowedExtensions;
93			}
94
95			/**
96			* @return string[]
97			*/
98			public function getAllowedMimeTypes()
99			{
100			return $this->allowedMimeTypes;
101			}
102
103			public function buildEditForm(FormMapper $formMapper): void
104			{
105			$formMapper->add('name');
106			$formMapper->add('enabled', null, ['required' => false]);
107			$formMapper->add('authorName');
108			$formMapper->add('cdnIsFlushable');
109			$formMapper->add('description');
110			$formMapper->add('copyright');
111			$formMapper->add('binaryContent', FileType::class, ['required' => false]);
112			}
113
114			public function buildCreateForm(FormMapper $formMapper): void
115			{
116			$formMapper->add('binaryContent', FileType::class, [
117			'constraints' => [
118			new NotBlank(),
119			new NotNull(),
120			],
121			]);
122			}
123
124			public function buildMediaType(FormBuilder $formBuilder): void
125			{
126			if ('api' === $formBuilder->getOption('context')) {
127			$formBuilder->add('binaryContent', FileType::class);
128			$formBuilder->add('contentType');
129			} else {
130			$formBuilder->add('binaryContent', FileType::class, [
131			'required' => false,
132			'label' => 'widget_label_binary_content',
133			]);
134			}
135			}
136
137			public function postPersist(MediaInterface $media): void
138			{
139			if (null === $media->getBinaryContent()) {
140			return;
141			}
142
143			$this->setFileContents($media);
144
145			$this->generateThumbnails($media);
146
147			$media->resetBinaryContent();
148			}
149
150			public function postUpdate(MediaInterface $media): void
151			{
152			if (!$media->getBinaryContent() instanceof \SplFileInfo) {
153			return;
154			}
155
156			// Delete the current file from the FS
157			$oldMedia = clone $media;
158			// if no previous reference is provided, it prevents
159			// Filesystem from trying to remove a directory
160			if (null !== $media->getPreviousProviderReference()) {
161			$oldMedia->setProviderReference($media->getPreviousProviderReference());
162
163			$path = $this->getReferenceImage($oldMedia);
164
165			if ($this->getFilesystem()->has($path)) {
166			$this->getFilesystem()->delete($path);
167			}
168			}
169
170			$this->fixBinaryContent($media);
171
172			$this->setFileContents($media);
173
174			$this->generateThumbnails($media);
175
176			$media->resetBinaryContent();
177			}
178
179			public function updateMetadata(MediaInterface $media, $force = true): void
180			{
181			if (!$media->getBinaryContent() instanceof \SplFileInfo) {
182			// this is now optimized at all!!!
183			$path = tempnam(sys_get_temp_dir(), 'sonata_update_metadata_');
184			$fileObject = new \SplFileObject($path, 'w');
185			$fileObject->fwrite($this->getReferenceFile($media)->getContent());
186			} else {
187			$fileObject = $media->getBinaryContent();
188			}
189
190			$media->setSize($fileObject->getSize());
191			}
192
193			public function generatePublicUrl(MediaInterface $media, $format)
194			{
195			if (MediaProviderInterface::FORMAT_REFERENCE === $format) {
196			$path = $this->getReferenceImage($media);
197			} else {
198			// @todo: fix the asset path
199			$path = sprintf('sonatamedia/files/%s/file.png', $format);
200			}
201
202			return $this->getCdn()->getPath($path, $media->getCdnIsFlushable());
203			}
204
205			public function getHelperProperties(MediaInterface $media, $format, $options = [])
206			{
207			return array_merge([
208			'title' => $media->getName(),
209			'thumbnail' => $this->getReferenceImage($media),
210			'file' => $this->getReferenceImage($media),
211			], $options);
212			}
213
214			public function generatePrivateUrl(MediaInterface $media, $format)
215			{
216			if (MediaProviderInterface::FORMAT_REFERENCE === $format) {
217			return $this->getReferenceImage($media);
218			}
219
220			return false;
			0 ignored issues – show Bug Best Practice introduced 2020-08-01 08:43 UTC by Report Bug Copy Issue Report Show Similar Issues like this The return type of `return false;` (`false`) is incompatible with the return type declared by the interface `Sonata\MediaBundle\Provi...ace::generatePrivateUrl` of type `string`. If you return a value from a function or method, it should be a sub-type of the type that is given by the parent type f.e. an interface, or abstract method. This is more formally defined by the Lizkov substitution principle, and guarantees that classes that depend on the parent type can use any instance of a child type interchangably. This principle also belongs to the SOLID principles for object oriented design. Let’s take a look at an example: class Author { private $name; public function __construct($name) { $this->name = $name; } public function getName() { return $this->name; } } abstract class Post { public function getAuthor() { return 'Johannes'; } } class BlogPost extends Post { public function getAuthor() { return new Author('Johannes'); } } class ForumPost extends Post { /* ... */ } function my_function(Post $post) { echo strtoupper($post->getAuthor()); } Our function `my_function` expects a `Post` object, and outputs the author of the post. The base class `Post` returns a simple string and outputting a simple string will work just fine. However, the child class `BlogPost` which is a sub-type of `Post` instead decided to return an `object`, and is therefore violating the SOLID principles. If a `BlogPost` were passed to `my_function`, PHP would not complain, but ultimately fail when executing the `strtoupper` call in its body. Loading history...
221			}
222
223			public function getDownloadResponse(MediaInterface $media, $format, $mode, array $headers = [])
224			{
225			// build the default headers
226			$headers = array_merge([
227			'Content-Type' => $media->getContentType(),
228			'Content-Disposition' => sprintf('attachment; filename="%s"', $media->getMetadataValue('filename')),
229			], $headers);
230
231			if (!\in_array($mode, ['http', 'X-Sendfile', 'X-Accel-Redirect'], true)) {
232			throw new \RuntimeException('Invalid mode provided');
233			}
234
235			if ('http' === $mode) {
236			if (MediaProviderInterface::FORMAT_REFERENCE === $format) {
237			$file = $this->getReferenceFile($media);
238			} else {
239			$file = $this->getFilesystem()->get($this->generatePrivateUrl($media, $format));
			0 ignored issues – show Security Bug introduced 2015-11-21 05:46 UTC by Report Bug Copy Issue Report Show Similar Issues like this It seems like `$this->generatePrivateUrl($media, $format)` targeting `Sonata\MediaBundle\Provi...r::generatePrivateUrl()` can also be of type `false`; however, `Gaufrette\Filesystem::get()` does only seem to accept `string`, did you maybe forget to handle an error condition? Loading history...
240			}
241
242			return new StreamedResponse(static function () use ($file): void {
243			echo $file->getContent();
244			}, 200, $headers);
245			}
246
247			if (!$this->getFilesystem()->getAdapter() instanceof Local) {
248			throw new \RuntimeException('Cannot use X-Sendfile or X-Accel-Redirect with non \Sonata\MediaBundle\Filesystem\Local');
249			}
250
251			$filename = sprintf(
252			'%s/%s',
253			$this->getFilesystem()->getAdapter()->getDirectory(),
254			$this->generatePrivateUrl($media, $format)
255			);
256
257			return new BinaryFileResponse($filename, 200, $headers);
258			}
259
260			public function validate(ErrorElement $errorElement, MediaInterface $media): void
261			{
262			if (!$media->getBinaryContent() instanceof \SplFileInfo) {
263			return;
264			}
265
266			if ($media->getBinaryContent() instanceof UploadedFile) {
267			$fileName = $media->getBinaryContent()->getClientOriginalName();
268			} elseif ($media->getBinaryContent() instanceof File) {
269			$fileName = $media->getBinaryContent()->getFilename();
270			} else {
271			throw new \RuntimeException(sprintf('Invalid binary content type: %s', \get_class($media->getBinaryContent())));
272			}
273
274			if ($media->getBinaryContent() instanceof UploadedFile && 0 === ($media->getBinaryContent()->getSize() ?: 0)) {
275			$errorElement
276			->with('binaryContent')
277			->addViolation(
278			'The file is too big, max size: %maxFileSize%',
279			['%maxFileSize%' => ini_get('upload_max_filesize')]
280			)
281			->end();
282			}
283
284			if (!\in_array(strtolower(pathinfo($fileName, PATHINFO_EXTENSION)), $this->allowedExtensions, true)) {
285			$errorElement
286			->with('binaryContent')
287			->addViolation('Invalid extensions')
288			->end();
289			}
290
291			if ('' !== $media->getBinaryContent()->getFilename() && !\in_array($media->getBinaryContent()->getMimeType(), $this->allowedMimeTypes, true)) {
292			$errorElement
293			->with('binaryContent')
294			->addViolation('Invalid mime type : %type%', ['%type%' => $media->getBinaryContent()->getMimeType()])
295			->end();
296			}
297			}
298
299			protected function fixBinaryContent(MediaInterface $media): void
300			{
301			if (null === $media->getBinaryContent() \|\| $media->getBinaryContent() instanceof File) {
302			return;
303			}
304
305			if ($media->getBinaryContent() instanceof Request) {
306			$this->generateBinaryFromRequest($media);
307			$this->updateMetadata($media);
308
309			return;
310			}
311
312			// if the binary content is a filename => convert to a valid File
313			if (!is_file($media->getBinaryContent())) {
314			throw new \RuntimeException('The file does not exist : '.$media->getBinaryContent());
315			}
316
317			$binaryContent = new File($media->getBinaryContent());
318			$media->setBinaryContent($binaryContent);
319			}
320
321			/**
322			* @throws \RuntimeException
323			*/
324			protected function fixFilename(MediaInterface $media): void
325			{
326			if ($media->getBinaryContent() instanceof UploadedFile) {
327			$media->setName($media->getName() ?: $media->getBinaryContent()->getClientOriginalName());
328			$media->setMetadataValue('filename', $media->getBinaryContent()->getClientOriginalName());
329			} elseif ($media->getBinaryContent() instanceof File) {
330			$media->setName($media->getName() ?: $media->getBinaryContent()->getBasename());
331			$media->setMetadataValue('filename', $media->getBinaryContent()->getBasename());
332			}
333
334			// this is the original name
335			if (!$media->getName()) {
336			throw new \RuntimeException('Please define a valid media\'s name');
337			}
338			}
339
340			protected function doTransform(MediaInterface $media): void
341			{
342			$this->fixBinaryContent($media);
343			$this->fixFilename($media);
344
345			if ($media->getBinaryContent() instanceof UploadedFile && 0 === $media->getBinaryContent()->getSize()) {
346			$media->setProviderReference(uniqid($media->getName(), true));
347			$media->setProviderStatus(MediaInterface::STATUS_ERROR);
348
349			throw new UploadException('The uploaded file is not found');
350			}
351
352			// this is the name used to store the file
353			if (!$media->getProviderReference() \|\|
354			MediaInterface::MISSING_BINARY_REFERENCE === $media->getProviderReference()
355			) {
356			$media->setProviderReference($this->generateReferenceName($media));
357			}
358
359			if ($media->getBinaryContent() instanceof File) {
360			$media->setContentType($media->getBinaryContent()->getMimeType());
361			$media->setSize($media->getBinaryContent()->getSize());
362			}
363
364			$media->setProviderStatus(MediaInterface::STATUS_OK);
365			}
366
367			/**
368			* Set the file contents for an image.
369			*
370			* @param string $contents path to contents, defaults to MediaInterface BinaryContent
371			*/
372			protected function setFileContents(MediaInterface $media, $contents = null): void
373			{
374			$file = $this->getFilesystem()->get(sprintf('%s/%s', $this->generatePath($media), $media->getProviderReference()), true);
375			$metadata = $this->metadata ? $this->metadata->get($media, $file->getName()) : [];
376
377			if ($contents) {
			0 ignored issues – show Bug Best Practice introduced 2015-11-21 05:46 UTC by Report Bug Copy Issue Report Show Similar Issues like this The expression `$contents` of type `string\|null` is loosely compared to `true`; this is ambiguous if the string can be empty. You might want to explicitly use `!== null` instead. In PHP, under loose comparison (like `==`, or `!=`, or `switch` conditions), values of different types might be equal. For `string` values, the empty string `''` is a special case, in particular the following results might be unexpected: '' == false // true '' == null // true 'ab' == false // false 'ab' == null // false // It is often better to use strict comparison '' === false // false '' === null // false Loading history...
378			$file->setContent($contents, $metadata);
379
380			return;
381			}
382
383			$binaryContent = $media->getBinaryContent();
384			if ($binaryContent instanceof File) {
385			$path = $binaryContent->getRealPath() ?: $binaryContent->getPathname();
386			$file->setContent(file_get_contents($path), $metadata);
387
388			return;
389			}
390			}
391
392			/**
393			* @return string
394			*/
395			protected function generateReferenceName(MediaInterface $media)
396			{
397			return $this->generateMediaUniqId($media).'.'.$media->getBinaryContent()->guessExtension();
398			}
399
400			/**
401			* @return string
402			*/
403			protected function generateMediaUniqId(MediaInterface $media)
404			{
405			return sha1($media->getName().uniqid().random_int(11111, 99999));
406			}
407
408			/**
409			* Set media binary content according to request content.
410			*/
411			protected function generateBinaryFromRequest(MediaInterface $media): void
412			{
413			if (!$media->getContentType()) {
414			throw new \RuntimeException(
415			'You must provide the content type value for your media before setting the binary content'
416			);
417			}
418
419			$request = $media->getBinaryContent();
420
421			if (!$request instanceof Request) {
422			throw new \RuntimeException('Expected Request in binary content');
423			}
424
425			$content = $request->getContent();
426
427			// create unique id for media reference
428			$guesser = MimeTypes::getDefault();
429			$extensions = $guesser->getExtensions($media->getContentType());
430			$extension = $extensions[0] ?? null;
431
432			if (!$extension) {
433			throw new \RuntimeException(
434			sprintf('Unable to guess extension for content type %s', $media->getContentType())
435			);
436			}
437
438			$handle = tmpfile();
439			fwrite($handle, $content);
440			$file = new ApiMediaFile($handle);
441			$file->setExtension($extension);
442			$file->setMimetype($media->getContentType());
443
444			$media->setBinaryContent($file);
445			}
446			}
447

sonata-project / SonataMediaBundle

Issues (234)

Security Analysis not enabled

src/Provider/FileProvider.php (3 issues)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like