superdesk /
web-publisher
Complex classes like AnalyticsEventConsumer often do a lot of different things. To break such a class down, we need to identify a cohesive component within that class. A common approach to find such a component is to look for fields/methods that share the same prefixes, or suffixes. You can also have a look at the cohesion graph to spot any un-connected, or weakly-connected components.
Once you have determined the fields that belong together, you can apply the Extract Class refactoring. If the component makes sense as a sub-class, Extract Subclass is also a candidate, and is often faster.
While breaking up the class, it is a good idea to analyze how other classes use AnalyticsEventConsumer, and based on these observations, apply Extract Interface, too.
| 1 | <?php |
||
| 40 | final class AnalyticsEventConsumer implements ConsumerInterface |
||
| 41 | { |
||
| 42 | /** |
||
| 43 | * @var ArticleStatisticsServiceInterface |
||
| 44 | */ |
||
| 45 | private $articleStatisticsService; |
||
| 46 | |||
| 47 | /** |
||
| 48 | * @var TenantResolver |
||
| 49 | */ |
||
| 50 | private $tenantResolver; |
||
| 51 | |||
| 52 | /** |
||
| 53 | * @var TenantContextInterface |
||
| 54 | */ |
||
| 55 | private $tenantContext; |
||
| 56 | |||
| 57 | /** |
||
| 58 | * @var UrlMatcherInterface |
||
| 59 | */ |
||
| 60 | private $matcher; |
||
| 61 | |||
| 62 | /** |
||
| 63 | * @var ArticleResolverInterface |
||
| 64 | */ |
||
| 65 | private $articleResolver; |
||
| 66 | |||
| 67 | private $articleStatisticsObjectManager; |
||
| 68 | |||
| 69 | private $cacheProvider; |
||
| 70 | |||
| 71 | public function __construct( |
||
| 88 | |||
| 89 | /** |
||
| 90 | * @param AMQPMessage $message |
||
| 91 | * |
||
| 92 | * @return bool|mixed |
||
| 93 | */ |
||
| 94 | public function execute(AMQPMessage $message) |
||
| 125 | |||
| 126 | private function handleArticleImpressions(Request $request): void |
||
| 127 | { |
||
| 128 | $articles = []; |
||
| 129 | if (!\is_array($request->attributes->get('data'))) { |
||
| 130 | return; |
||
| 131 | } |
||
| 132 | |||
| 133 | foreach ($request->attributes->get('data') as $articleId) { |
||
| 134 | $cacheKey = md5('article_impressions_'.$articleId); |
||
| 135 | |||
| 136 | if ($this->cacheProvider->contains($cacheKey)) { |
||
| 137 | $articleId = $this->cacheProvider->fetch($cacheKey); |
||
| 138 | } elseif (filter_var($articleId, FILTER_VALIDATE_URL)) { |
||
| 139 | try { |
||
| 140 | $article = $this->articleResolver->resolve($articleId); |
||
| 141 | if (null === $article) { |
||
| 142 | continue; |
||
| 143 | } |
||
| 144 | } catch (\Exception $e) { |
||
| 145 | continue; |
||
| 146 | } |
||
| 147 | |||
| 148 | $articleId = $article->getId(); |
||
| 149 | $this->cacheProvider->save($cacheKey, $articleId); |
||
| 150 | } |
||
| 151 | |||
| 152 | if (!\array_key_exists($articleId, $articles)) { |
||
| 153 | $articles[] = $articleId; |
||
| 154 | } |
||
| 155 | } |
||
| 156 | |||
| 157 | $impressionSource = $this->getImpressionSource($request); |
||
| 158 | |||
| 159 | $this->articleStatisticsObjectManager->getConnection()->beginTransaction(); |
||
| 160 | |||
| 161 | try { |
||
| 162 | $ids = []; |
||
| 163 | foreach ($articles as $articleId) { |
||
| 164 | $articleStatistics = $this->articleStatisticsService->addArticleEvent( |
||
| 165 | (int) $articleId, |
||
| 166 | ArticleEventInterface::ACTION_IMPRESSION, |
||
| 167 | $impressionSource |
||
| 168 | ); |
||
| 169 | |||
| 170 | $ids[] = $articleStatistics->getId(); |
||
| 171 | echo 'Article '.$articleId." impression was added \n"; |
||
| 172 | } |
||
| 173 | |||
| 174 | try { |
||
| 175 | $stmt = $this->articleStatisticsObjectManager->getConnection()->prepare('LOCK TABLE swp_article_statistics IN EXCLUSIVE MODE;'); |
||
| 176 | $stmt->execute(); |
||
| 177 | } catch (\Exception $e) { |
||
| 178 | // ignore when lock not supported |
||
| 179 | } |
||
| 180 | |||
| 181 | $query = $this->articleStatisticsObjectManager->createQuery('UPDATE '.ArticleStatistics::class.' s SET s.impressionsNumber = s.impressionsNumber + 1 WHERE s.id IN (:ids)'); |
||
| 182 | $query->setParameter('ids', $ids); |
||
| 183 | $query->execute(); |
||
| 184 | |||
| 185 | $this->articleStatisticsObjectManager->flush(); |
||
| 186 | $this->articleStatisticsObjectManager->getConnection()->commit(); |
||
| 187 | } catch (\Exception $e) { |
||
| 188 | $this->articleStatisticsObjectManager->getConnection()->rollBack(); |
||
| 189 | |||
| 190 | throw $e; |
||
| 191 | } |
||
| 192 | } |
||
| 193 | |||
| 194 | private function handleArticlePageViews(Request $request): void |
||
| 207 | |||
| 208 | private function getImpressionSource(Request $request): array |
||
| 235 | |||
| 236 | private function getPageViewSource(Request $request): string |
||
| 248 | |||
| 249 | private function getFragmentFromUrl(string $url, string $fragment): ?string |
||
| 258 | |||
| 259 | private function isHostMatchingTenant(string $host): bool |
||
| 269 | |||
| 270 | /** |
||
| 271 | * @param Request $request |
||
| 272 | */ |
||
| 273 | private function setTenant(Request $request): void |
||
| 285 | } |
||
| 286 |
Loading history...
'Pageview for article ' ...') . ' was processed 'can contain request data and is used in output context(s) leading to a potential security vulnerability.2 paths for user data to reach this point
$this->parameters['HTTP_AUTHORIZATION']seems to return tainted data, and$authorizationHeaderis assigned in ServerBag.php on line 62$this->parameters['HTTP_AUTHORIZATION']seems to return tainted data, and$authorizationHeaderis assignedin vendor/ServerBag.php on line 62
in vendor/ServerBag.php on line 77
in vendor/ParameterBag.php on line 84
in src/SWP/Bundle/CoreBundle/Consumer/AnalyticsEventConsumer.php on line 114
$_POST,and$_POSTis passed to Request::createRequestFromFactory() in Request.php on line 281$_POST,and$_POSTis passed to Request::createRequestFromFactory()in vendor/Request.php on line 281
$requestis passed to Request::__construct()in vendor/Request.php on line 1943
$requestis passed to Request::initialize()in vendor/Request.php on line 235
$requestis passed to ParameterBag::__construct()in vendor/Request.php on line 253
in vendor/ParameterBag.php on line 31
in vendor/ParameterBag.php on line 84
in src/SWP/Bundle/CoreBundle/Consumer/AnalyticsEventConsumer.php on line 114
Preventing Cross-Site-Scripting Attacks
Cross-Site-Scripting allows an attacker to inject malicious code into your website - in particular Javascript code, and have that code executed with the privileges of a visiting user. This can be used to obtain data, or perform actions on behalf of that visiting user.
In order to prevent this, make sure to escape all user-provided data:
General Strategies to prevent injection
In general, it is advisable to prevent any user-data to reach this point. This can be done by white-listing certain values:
if ( ! in_array($value, array('this-is-allowed', 'and-this-too'), true)) { throw new \InvalidArgumentException('This input is not allowed.'); }For numeric data, we recommend to explicitly cast the data: