This project does not seem to handle request data directly as such no vulnerable execution paths were found.
include
, or for example
via PHP's auto-loading mechanism.
These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more
1 | <?php |
||
2 | |||
3 | namespace Sunspikes\ClamavValidator; |
||
4 | |||
5 | use Illuminate\Contracts\Translation\Translator; |
||
6 | use Illuminate\Support\Arr; |
||
7 | use Illuminate\Support\Facades\Config; |
||
8 | use Illuminate\Validation\Validator; |
||
9 | use Xenolope\Quahog\Client as QuahogClient; |
||
10 | use Socket\Raw\Factory as SocketFactory; |
||
11 | use Symfony\Component\HttpFoundation\File\UploadedFile; |
||
12 | |||
13 | class ClamavValidator extends Validator |
||
14 | { |
||
15 | /** |
||
16 | * Creates a new instance of ClamavValidator. |
||
17 | * |
||
18 | * ClamavValidator constructor. |
||
19 | * @param Translator $translator |
||
20 | * @param array $data |
||
21 | * @param array $rules |
||
22 | * @param array $messages |
||
23 | * @param array $customAttributes |
||
24 | */ |
||
25 | 6 | public function __construct( |
|
26 | Translator $translator, |
||
27 | array $data, |
||
28 | array $rules, |
||
29 | array $messages = [], |
||
30 | array $customAttributes = [] |
||
31 | ) { |
||
32 | 6 | parent::__construct($translator, $data, $rules, $messages, $customAttributes); |
|
33 | 6 | } |
|
34 | |||
35 | /** |
||
36 | * Validate the uploaded file for virus/malware with ClamAV. |
||
37 | * |
||
38 | * @param $attribute string |
||
39 | * @param $value mixed |
||
40 | * @param $parameters array |
||
41 | * |
||
42 | * @return boolean |
||
43 | * @throws ClamavValidatorException |
||
44 | */ |
||
45 | 5 | public function validateClamav($attribute, $value, $parameters) |
|
0 ignored issues
–
show
|
|||
46 | { |
||
47 | 5 | if (true === Config::get('clamav.skip_validation')) { |
|
48 | return true; |
||
49 | } |
||
50 | |||
51 | 5 | if(is_array($value)) { |
|
52 | 2 | $result = true; |
|
53 | 2 | foreach($value as $file) { |
|
54 | 2 | $result &= $this->validateFileWithClamAv($file); |
|
55 | 2 | } |
|
56 | |||
57 | 2 | return $result; |
|
58 | } |
||
59 | |||
60 | 3 | return $this->validateFileWithClamAv($value); |
|
61 | } |
||
62 | |||
63 | /** |
||
64 | * Validate the single uploaded file for virus/malware with ClamAV. |
||
65 | * |
||
66 | * @param $value mixed |
||
67 | * |
||
68 | * @return bool |
||
69 | * @throws ClamavValidatorException |
||
70 | */ |
||
71 | 5 | protected function validateFileWithClamAv($value) |
|
72 | { |
||
73 | 5 | $file = $this->getFilePath($value); |
|
74 | 5 | if (! is_readable($file)) { |
|
75 | 1 | throw ClamavValidatorException::forNonReadableFile($file); |
|
76 | } |
||
77 | |||
78 | try { |
||
79 | 4 | $socket = $this->getClamavSocket(); |
|
80 | 4 | $scanner = $this->createQuahogScannerClient($socket); |
|
81 | 4 | $result = $scanner->scanResourceStream(fopen($file, 'rb')); |
|
82 | 4 | } catch (\Exception $exception) { |
|
83 | throw ClamavValidatorException::forClientException($exception); |
||
84 | } |
||
85 | |||
86 | 4 | if (QuahogClient::RESULT_ERROR === $result['status']) { |
|
87 | throw ClamavValidatorException::forScanResult($result); |
||
88 | } |
||
89 | |||
90 | // Check if scan result is clean |
||
91 | 4 | return QuahogClient::RESULT_OK === $result['status']; |
|
92 | } |
||
93 | |||
94 | /** |
||
95 | * Guess the ClamAV socket. |
||
96 | * |
||
97 | * @return string |
||
98 | */ |
||
99 | 4 | protected function getClamavSocket() |
|
100 | { |
||
101 | 4 | $preferredSocket = Config::get('clamav.preferred_socket'); |
|
102 | |||
103 | 4 | if ($preferredSocket === 'unix_socket') { |
|
104 | 4 | $unixSocket = Config::get('clamav.unix_socket'); |
|
105 | 4 | if (file_exists($unixSocket)) { |
|
106 | 4 | return 'unix://' . $unixSocket; |
|
107 | } |
||
108 | } |
||
109 | |||
110 | // We use the tcp_socket as fallback as well |
||
111 | return Config::get('clamav.tcp_socket'); |
||
112 | } |
||
113 | |||
114 | /** |
||
115 | * Return the file path from the passed object. |
||
116 | * |
||
117 | * @param mixed $file |
||
118 | * @return string |
||
119 | */ |
||
120 | 5 | protected function getFilePath($file) |
|
121 | { |
||
122 | // if were passed an instance of UploadedFile, return the path |
||
123 | 5 | if ($file instanceof UploadedFile) { |
|
124 | return $file->getPathname(); |
||
125 | } |
||
126 | |||
127 | // if we're passed a PHP file upload array, return the "tmp_name" |
||
128 | 5 | if (is_array($file) && null !== Arr::get($file, 'tmp_name')) { |
|
129 | return $file['tmp_name']; |
||
130 | } |
||
131 | |||
132 | // fallback: we were likely passed a path already |
||
133 | 5 | return $file; |
|
0 ignored issues
–
show
The return type of
return $file; (object|integer|double|string|null|boolean|array ) is incompatible with the return type documented by Sunspikes\ClamavValidato...vValidator::getFilePath of type string .
If you return a value from a function or method, it should be a sub-type of the type that is given by the parent type f.e. an interface, or abstract method. This is more formally defined by the Lizkov substitution principle, and guarantees that classes that depend on the parent type can use any instance of a child type interchangably. This principle also belongs to the SOLID principles for object oriented design. Let’s take a look at an example: class Author {
private $name;
public function __construct($name) {
$this->name = $name;
}
public function getName() {
return $this->name;
}
}
abstract class Post {
public function getAuthor() {
return 'Johannes';
}
}
class BlogPost extends Post {
public function getAuthor() {
return new Author('Johannes');
}
}
class ForumPost extends Post { /* ... */ }
function my_function(Post $post) {
echo strtoupper($post->getAuthor());
}
Our function
Loading history...
|
|||
134 | } |
||
135 | |||
136 | /** |
||
137 | * Create a new quahog ClamAV scanner client. |
||
138 | * |
||
139 | * @param string $socket |
||
140 | * @return QuahogClient |
||
141 | */ |
||
142 | 4 | protected function createQuahogScannerClient($socket) |
|
143 | { |
||
144 | // Create a new client socket instance |
||
145 | 4 | $client = (new SocketFactory())->createClient($socket); |
|
146 | |||
147 | 4 | return new QuahogClient($client, Config::get('clamav.socket_read_timeout'), PHP_NORMAL_READ); |
|
148 | } |
||
149 | } |
||
150 |
This check looks from parameters that have been defined for a function or method, but which are not used in the method body.