ArticleNotFoundListener::onKernelException() - Code Metrics - Inspection of "Merge pull request #975 from superdesk/2.0" - superdesk/web-publisher - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Push — master ( d01ad3...6b97e6 )

by Paweł

created 2019-10-15 13:09 UTC

ArticleNotFoundListener::onKernelException() A

↳ Parent: ArticleNotFoundListener

Complexity

Conditions	4
Paths	3

Size

Total Lines

Duplication

Lines	0
Ratio	0 %

Importance

Changes

Metric	Value
dl	0
loc	18
rs	9.6666
c	0
b	0
f	0
cc	4
nc	3
nop	1

<?php

declare(strict_types=1);

/*
 * This file is part of the Superdesk Web Publisher Content Bundle.
 *
 * Copyright 2017 Sourcefabric z.ú. and contributors.
 *
 * For the full copyright and license information, please see the
 * AUTHORS and LICENSE files distributed with this source code.
 *
 * @copyright 2017 Sourcefabric z.ú
 * @license http://www.superdesk.org/license
 */

namespace SWP\Bundle\ContentBundle\EventListener;

use SWP\Component\Common\Exception\ArticleNotFoundException;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Event\ExceptionEvent;
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
use Symfony\Component\Routing\RouterInterface;

final class ArticleNotFoundListener
{
    private $router;

    private $redirectNotFoundArticles;

    public function __construct(RouterInterface $router, bool $redirectNotFoundArticles)
    {
        $this->router = $router;
        $this->redirectNotFoundArticles = $redirectNotFoundArticles;
    }

    public function onKernelException(ExceptionEvent $event)
    {
        $exception = $event->getException();
        $request = $event->getRequest();
        if (!$this->redirectNotFoundArticles || !$exception instanceof ArticleNotFoundException) {
            return;
        }

        $route = 'homepage';
        if ($request->attributes->has('routeMeta')) {
            $route = $request->attributes->get('routeMeta');
        }

        $event->setResponse(new RedirectResponse(
            $this->router->generate($route, [], UrlGeneratorInterface::ABSOLUTE_URL),
// for HTML
$sanitized = htmlentities($tainted, ENT_QUOTES);

// for URLs
$sanitized = urlencode($tainted);
            Response::HTTP_MOVED_PERMANENTLY
        ));
    }
}


Push — master ( d01ad3...6b97e6 )

ArticleNotFoundListener::onKernelException() A

Complexity

Size

Duplication

Importance

4 paths for user data to reach this point

Used in output context

Preventing Cross-Site-Scripting Attacks

General Strategies to prevent injection

1			<?php
2
3			declare(strict_types=1);
4
5			/*
6			* This file is part of the Superdesk Web Publisher Content Bundle.
7			*
8			* Copyright 2017 Sourcefabric z.ú. and contributors.
9			*
10			* For the full copyright and license information, please see the
11			* AUTHORS and LICENSE files distributed with this source code.
12			*
13			* @copyright 2017 Sourcefabric z.ú
14			* @license http://www.superdesk.org/license
15			*/
16
17			namespace SWP\Bundle\ContentBundle\EventListener;
18
19			use SWP\Component\Common\Exception\ArticleNotFoundException;
20			use Symfony\Component\HttpFoundation\RedirectResponse;
21			use Symfony\Component\HttpFoundation\Response;
22			use Symfony\Component\HttpKernel\Event\ExceptionEvent;
23			use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
24			use Symfony\Component\Routing\RouterInterface;
25
26			final class ArticleNotFoundListener
27			{
28			private $router;
29
30			private $redirectNotFoundArticles;
31
32			public function __construct(RouterInterface $router, bool $redirectNotFoundArticles)
33			{
34			$this->router = $router;
35			$this->redirectNotFoundArticles = $redirectNotFoundArticles;
36			}
37
38			public function onKernelException(ExceptionEvent $event)
39			{
40			$exception = $event->getException();
41			$request = $event->getRequest();
42			if (!$this->redirectNotFoundArticles \|\| !$exception instanceof ArticleNotFoundException) {
43			return;
44			}
45
46			$route = 'homepage';
47			if ($request->attributes->has('routeMeta')) {
48			$route = $request->attributes->get('routeMeta');
49			}
50
51			$event->setResponse(new RedirectResponse(
52			$this->router->generate($route, [], UrlGeneratorInterface::ABSOLUTE_URL),
			0 ignored issues – show Security Cross-Site Scripting introduced 2019-08-28 13:17 UTC by Report Bug Copy Issue Report `$this->router->generate(...nterface::ABSOLUTE_URL)` can contain request data and is used in output context(s) leading to a potential security vulnerability. 4 paths for user data to reach this point 1. Path: `$this->parameters['HTTP_AUTHORIZATION']` seems to return tainted data, and `$authorizationHeader` is assigned in ServerBag.php on line 62 `$this->parameters['HTTP_AUTHORIZATION']` seems to return tainted data, and `$authorizationHeader` is assigned in vendor/ServerBag.php on line 62 ParameterBag::$parameters is assigned in vendor/ServerBag.php on line 77 Tainted property ParameterBag::$parameters is read in vendor/ParameterBag.php on line 84 ParameterBag::get() returns tainted data, and `$baseUrl` is assigned in vendor/Request.php on line 1770 `$baseUrl` is passed through rtrim() in vendor/Request.php on line 1826 Request::prepareBaseUrl() returns tainted data, and Request::$baseUrl is assigned in vendor/Request.php on line 882 Tainted property Request::$baseUrl is read in vendor/Request.php on line 885 Request::getBaseUrl() returns tainted data, and `$request->getBaseUrl()` is passed to RequestContext::setBaseUrl() in vendor/RequestContext.php on line 55 RequestContext::$baseUrl is assigned in vendor/RequestContext.php on line 86 Tainted property RequestContext::$baseUrl is read in vendor/RequestContext.php on line 74 RequestContext::getBaseUrl() returns tainted data, and `$url` is assigned in vendor/Generator/UrlGenerator.php on line 279 UrlGenerator::doGenerate() returns tainted data in vendor/Generator/CompiledUrlGenerator.php on line 56 CompiledUrlGenerator::generate() returns tainted data in vendor/Router.php on line 254 Router::generate() returns tainted data in src/SWP/Bundle/ContentBundle/EventListener/ArticleNotFoundListener.php on line 52 2. Path: Read from `$_POST,` and `$_POST` is passed to Request::createRequestFromFactory() in Request.php on line 281 Read from `$_POST,` and `$_POST` is passed to Request::createRequestFromFactory() in vendor/Request.php on line 281 `$request` is passed to Request::__construct() in vendor/Request.php on line 1953 `$request` is passed to Request::initialize() in vendor/Request.php on line 235 `$request` is passed to ParameterBag::__construct() in vendor/Request.php on line 253 ParameterBag::$parameters is assigned in vendor/ParameterBag.php on line 31 Tainted property ParameterBag::$parameters is read in vendor/ParameterBag.php on line 84 ParameterBag::get() returns tainted data, and `$baseUrl` is assigned in vendor/Request.php on line 1770 `$baseUrl` is passed through rtrim() in vendor/Request.php on line 1826 Request::prepareBaseUrl() returns tainted data, and Request::$baseUrl is assigned in vendor/Request.php on line 882 Tainted property Request::$baseUrl is read in vendor/Request.php on line 885 Request::getBaseUrl() returns tainted data, and `$request->getBaseUrl()` is passed to RequestContext::setBaseUrl() in vendor/RequestContext.php on line 55 RequestContext::$baseUrl is assigned in vendor/RequestContext.php on line 86 Tainted property RequestContext::$baseUrl is read in vendor/RequestContext.php on line 74 RequestContext::getBaseUrl() returns tainted data, and `$url` is assigned in vendor/Generator/UrlGenerator.php on line 279 UrlGenerator::doGenerate() returns tainted data in vendor/Generator/CompiledUrlGenerator.php on line 56 CompiledUrlGenerator::generate() returns tainted data in vendor/Router.php on line 254 Router::generate() returns tainted data in src/SWP/Bundle/ContentBundle/EventListener/ArticleNotFoundListener.php on line 52 3. Path: `$this->parameters['PHP_AUTH_USER']` seems to return tainted data, and `$headers` is assigned in ServerBag.php on line 43 `$this->parameters['PHP_AUTH_USER']` seems to return tainted data, and `$headers` is assigned in vendor/ServerBag.php on line 43 `$headers` is assigned in vendor/ServerBag.php on line 44 ServerBag::getHeaders() returns tainted data, and `$this->server->getHeaders()` is passed to HeaderBag::__construct() in vendor/Request.php on line 259 `$values` is assigned in vendor/HeaderBag.php on line 29 `$values` is passed to HeaderBag::set() in vendor/HeaderBag.php on line 30 `$values` is passed through array_values(), and `$values` is assigned in vendor/HeaderBag.php on line 142 HeaderBag::$headers is assigned in vendor/HeaderBag.php on line 145 Tainted property HeaderBag::$headers is read in vendor/HeaderBag.php on line 65 HeaderBag::all() returns tainted data, and `$headers` is assigned in vendor/HeaderBag.php on line 113 HeaderBag::get() returns tainted data, and `$host` is assigned in vendor/Request.php on line 1149 `$host` is passed through trim(), and `trim($host)` is passed through preg_replace(), and `preg_replace('/:\\d+$/', '', trim($host))` is passed through strtolower(), and `$host` is assigned in vendor/Request.php on line 1157 Request::getHost() returns tainted data, and `$request->getHost()` is passed to RequestContext::setHost() in vendor/RequestContext.php on line 58 `$host` is passed through strtolower(), and RequestContext::$host is assigned in vendor/RequestContext.php on line 162 Tainted property RequestContext::$host is read in vendor/RequestContext.php on line 150 RequestContext::getHost() returns tainted data, and `$uri` is assigned in src/SWP/Bundle/ContentBundle/Manager/MediaManager.php on line 83 MediaManager::getMediaUri() returns tainted data in src/SWP/Bundle/ContentBundle/Manager/MediaManager.php on line 70 MediaManager::getMediaPublicUrl() returns tainted data in src/SWP/Bundle/CoreBundle/Routing/ArticleAuthorMediaRouter.php on line 47 ArticleAuthorMediaRouter::generate() returns tainted data in src/SWP/Bundle/ContentBundle/EventListener/ArticleNotFoundListener.php on line 52 4. Path: `$this->parameters['PHP_AUTH_PW']` seems to return tainted data, and `$headers` is assigned in ServerBag.php on line 44 `$this->parameters['PHP_AUTH_PW']` seems to return tainted data, and `$headers` is assigned in vendor/ServerBag.php on line 44 ServerBag::getHeaders() returns tainted data, and `$this->server->getHeaders()` is passed to HeaderBag::__construct() in vendor/Request.php on line 259 `$values` is assigned in vendor/HeaderBag.php on line 29 `$values` is passed to HeaderBag::set() in vendor/HeaderBag.php on line 30 `$values` is passed through array_values(), and `$values` is assigned in vendor/HeaderBag.php on line 142 HeaderBag::$headers is assigned in vendor/HeaderBag.php on line 145 Tainted property HeaderBag::$headers is read in vendor/HeaderBag.php on line 65 HeaderBag::all() returns tainted data, and `$headers` is assigned in vendor/HeaderBag.php on line 113 HeaderBag::get() returns tainted data, and `$host` is assigned in vendor/Request.php on line 1149 `$host` is passed through trim(), and `trim($host)` is passed through preg_replace(), and `preg_replace('/:\\d+$/', '', trim($host))` is passed through strtolower(), and `$host` is assigned in vendor/Request.php on line 1157 Request::getHost() returns tainted data, and `$request->getHost()` is passed to RequestContext::setHost() in vendor/RequestContext.php on line 58 `$host` is passed through strtolower(), and RequestContext::$host is assigned in vendor/RequestContext.php on line 162 Tainted property RequestContext::$host is read in vendor/RequestContext.php on line 150 RequestContext::getHost() returns tainted data, and `$uri` is assigned in src/SWP/Bundle/ContentBundle/Manager/MediaManager.php on line 83 MediaManager::getMediaUri() returns tainted data in src/SWP/Bundle/ContentBundle/Manager/MediaManager.php on line 70 MediaManager::getMediaPublicUrl() returns tainted data in src/SWP/Bundle/CoreBundle/Routing/ArticleAuthorMediaRouter.php on line 47 ArticleAuthorMediaRouter::generate() returns tainted data in src/SWP/Bundle/ContentBundle/EventListener/ArticleNotFoundListener.php on line 52 Used in output context RedirectResponse::__construct() uses RedirectResponse::setTargetUrl() ($url) in vendor/RedirectResponse.php on line 39 RedirectResponse::setTargetUrl() uses Response::setContent() ($content) in vendor/RedirectResponse.php on line 92 Response::setContent() uses property Response::$content for writing in vendor/Response.php on line 404 Property Response::$content is used in echo in vendor/Response.php on line 363 Preventing Cross-Site-Scripting Attacks Cross-Site-Scripting allows an attacker to inject malicious code into your website - in particular Javascript code, and have that code executed with the privileges of a visiting user. This can be used to obtain data, or perform actions on behalf of that visiting user. In order to prevent this, make sure to escape all user-provided data: // for HTML $sanitized = htmlentities($tainted, ENT_QUOTES); // for URLs $sanitized = urlencode($tainted); General Strategies to prevent injection In general, it is advisable to prevent any user-data to reach this point. This can be done by white-listing certain values: if ( ! in_array($value, array('this-is-allowed', 'and-this-too'), true)) { throw new \InvalidArgumentException('This input is not allowed.'); } For numeric data, we recommend to explicitly cast the data: $sanitized = (integer) $tainted; Loading history...
53			Response::HTTP_MOVED_PERMANENTLY
54			));
55			}
56			}
57

superdesk / web-publisher

Push — master ( d01ad3...6b97e6 )

ArticleNotFoundListener::onKernelException() A

Complexity

Size

Duplication

Importance

4 paths for user data to reach this point

Used in output context

Preventing Cross-Site-Scripting Attacks

General Strategies to prevent injection

Duplication Side-by-Side

Filter issues like