Issues in Config.php (master) - Issues in master - thinktomorrow/locale - Measure and Improve Code Quality continuously with Scrutinizer

Issues (20)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Values/Config.php (1 issue)

Labels

Coding Style 1

Severity

Informational 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php

namespace Thinktomorrow\Locale\Values;

use Thinktomorrow\Locale\Exceptions\InvalidConfig;

class Config implements \ArrayAccess

{
    /**
     * @var array
     */
    private $config;

    private function __construct(array $config)
    {
        $this->validate($config);

        $this->config = $this->sanitize($config);
    }

    public static function from(array $config)
    {
        return new static($config);
    }

    public function get($key, $default = null)
    {
        if (!isset($this->config[$key])) {
            return $default;
        }

        return $this->config[$key];
    }

    public function all(): array
    {
        return $this->config;
    }

    private function sanitize(array $config): array
    {
        // Sanitize locales
        $locales = $config['locales'];
        $locales = $this->convertSingleEntryToDefault($locales);
        $locales = $this->removeSlashes($locales);
        $locales = $this->removeTrailingDomainSlashes($locales);
        $config['locales'] = $locales;

        // Compute canonicals for all locales
        $config['canonicals'] = $this->computeCanonicals($config);

        return $config;
    }

    private function computeCanonicals(array $config): array
    {
        $canonicals = $config['canonicals'] ?? [];

        foreach ($config['locales'] as $rootKey => $locales) {

            // wildcard domains are not accepted as canonicals as we cannot know to which root this should resolve to.
            if (false !== strpos($rootKey, '*')) {
                continue;
            }

            foreach ($locales as $locale) {
                if (!isset($canonicals[$locale])) {
                    $canonicals[$locale] = $rootKey;
                }
            }
        }

        return $canonicals;
    }

    /**
     * @param array $locales
     *
     * @return array
     */
    private function removeSlashes(array $locales): array
    {
        foreach ($locales as $group => $segments) {
            foreach ($segments as $segment => $locale) {
                // remove slashes if any e.g. '/nl' will be sanitized to 'nl'
                if ($segment != '/' && false !== strpos($segment, '/')) {
                    $_segment = str_replace('/', '', $segment);

                    unset($locales[$group][$segment]);
                    $locales[$group][$_segment] = $locale;
                }
            }
        }

        return $locales;
    }

    /**
     * e.g. example.com/ will be sanitized to example.com.
     *
     * @param array $locales
     *
     * @return array
     */
    private function removeTrailingDomainSlashes(array $locales)
    {
        foreach ($locales as $scopeKey => $segments) {
            unset($locales[$scopeKey]);
            $locales[rtrim($scopeKey, '/')] = $segments;
        }

        return $locales;
    }

    /**
     * @param array $locales
     *
     * @return array
     */
    private function convertSingleEntryToDefault(array $locales): array
    {
        foreach ($locales as $group => $segments) {
            // If single locale is passed, it's considered the default for this group
            if (!is_array($segments)) {
                $locales[$group] = $segments = ['/' => $segments];
            }
        }

        return $locales;
    }

    /**
     * @param array $config
     */
    private function validate(array $config)
    {
        if (!isset($config['locales'])) {
            throw new InvalidConfig('Value [Locales] is missing for config structure.');
        }

        $locales = $config['locales'];

        if (!isset($locales['*'])) {
            throw new InvalidConfig('Default group [*] is missing for locales structure.');
        }

        if (is_array($locales['*']) && !isset($locales['*']['/'])) {
            throw new InvalidConfig('Group [default] is missing the default locale. e.g. ["/" => "en"]');
        }

        foreach ($locales as $group => $segments) {
            if (!is_string($group)) {
                throw new InvalidConfig('Invalid config structure for locales group ['.$group.']');
            }
        }

        $this->validateEachCanonicalLocaleExists($config);
    }

    /**
     * Each custom canonical entry should point to an existing locale.
     *
     * @param array $config
     */
    private function validateEachCanonicalLocaleExists(array $config)
    {
        $canonicals = $config['canonicals'] ?? [];
        foreach ($canonicals as $locale => $canonical) {
            if (!$this->existsAsLocale($config['locales'], $locale)) {
                throw new InvalidConfig('Canonical key '.$locale.' is not present as locale.');
            }
        }
    }

    private function existsAsLocale($existing_locales, $locale): bool
    {
        $flag = false;

        foreach ($existing_locales as $existing_locale) {
            if (is_array($existing_locale)) {
                if (true === $this->existsAsLocale($existing_locale, $locale)) {
                    $flag = true;
                    break;
                }
            }

            if ($existing_locale === $locale) {
                $flag = true;
                break;
            }
        }

        return $flag;
    }

    public function offsetExists($offset)
    {
        if (!is_string($offset) && !is_int($offset)) {
            return false;
        }

        return array_key_exists($offset, $this->config);
    }

    public function offsetGet($offset)
    {
        return $this->config[$offset];
    }

    public function offsetSet($offset, $value)
    {
        if (is_null($offset)) {
            $this->config[] = $value;
        } else {
            $this->config[$offset] = $value;
        }
    }

    public function offsetUnset($offset)
    {
        unset($this->config[$offset]);
    }

    public function toArray(): array
    {
        return $this->config;
    }
}


1		<?php
2
3		namespace Thinktomorrow\Locale\Values;
4
5		use Thinktomorrow\Locale\Exceptions\InvalidConfig;
6
7		class Config implements \ArrayAccess
		0 ignored issues – show Coding Style introduced 2018-02-12 08:23 UTC by Report Bug Copy Issue Report Show Similar Issues like this Since you have declared the constructor as private, maybe you should also declare the class as final. Loading history...
8		{
9		/**
10		* @var array
11		*/
12		private $config;
13
14	117	private function __construct(array $config)
15		{
16	117	$this->validate($config);
17
18	105	$this->config = $this->sanitize($config);
19	105	}
20
21	117	public static function from(array $config)
22		{
23	117	return new static($config);
24		}
25
26	98	public function get($key, $default = null)
27		{
28	98	if (!isset($this->config[$key])) {
29	2	return $default;
30		}
31
32	96	return $this->config[$key];
33		}
34
35	1	public function all(): array
36		{
37	1	return $this->config;
38		}
39
40	105	private function sanitize(array $config): array
41		{
42		// Sanitize locales
43	105	$locales = $config['locales'];
44	105	$locales = $this->convertSingleEntryToDefault($locales);
45	105	$locales = $this->removeSlashes($locales);
46	105	$locales = $this->removeTrailingDomainSlashes($locales);
47	105	$config['locales'] = $locales;
48
49		// Compute canonicals for all locales
50	105	$config['canonicals'] = $this->computeCanonicals($config);
51
52	105	return $config;
53		}
54
55	105	private function computeCanonicals(array $config): array
56		{
57	105	$canonicals = $config['canonicals'] ?? [];
58
59	105	foreach ($config['locales'] as $rootKey => $locales) {
60
61		// wildcard domains are not accepted as canonicals as we cannot know to which root this should resolve to.
62	105	if (false !== strpos($rootKey, '*')) {
63	105	continue;
64		}
65
66	96	foreach ($locales as $locale) {
67	96	if (!isset($canonicals[$locale])) {
68	96	$canonicals[$locale] = $rootKey;
69		}
70		}
71		}
72
73	105	return $canonicals;
74		}
75
76		/**
77		* @param array $locales
78		*
79		* @return array
80		*/
81	105	private function removeSlashes(array $locales): array
82		{
83	105	foreach ($locales as $group => $segments) {
84	105	foreach ($segments as $segment => $locale) {
85		// remove slashes if any e.g. '/nl' will be sanitized to 'nl'
86	105	if ($segment != '/' && false !== strpos($segment, '/')) {
87	1	$_segment = str_replace('/', '', $segment);
88
89	1	unset($locales[$group][$segment]);
90	1	$locales[$group][$_segment] = $locale;
91		}
92		}
93		}
94
95	105	return $locales;
96		}
97
98		/**
99		* e.g. example.com/ will be sanitized to example.com.
100		*
101		* @param array $locales
102		*
103		* @return array
104		*/
105	105	private function removeTrailingDomainSlashes(array $locales)
106		{
107	105	foreach ($locales as $scopeKey => $segments) {
108	105	unset($locales[$scopeKey]);
109	105	$locales[rtrim($scopeKey, '/')] = $segments;
110		}
111
112	105	return $locales;
113		}
114
115		/**
116		* @param array $locales
117		*
118		* @return array
119		*/
120	105	private function convertSingleEntryToDefault(array $locales): array
121		{
122	105	foreach ($locales as $group => $segments) {
123		// If single locale is passed, it's considered the default for this group
124	105	if (!is_array($segments)) {
125	105	$locales[$group] = $segments = ['/' => $segments];
126		}
127		}
128
129	105	return $locales;
130		}
131
132		/**
133		* @param array $config
134		*/
135	117	private function validate(array $config)
136		{
137	117	if (!isset($config['locales'])) {
138	2	throw new InvalidConfig('Value [Locales] is missing for config structure.');
139		}
140
141	115	$locales = $config['locales'];
142
143	115	if (!isset($locales['*'])) {
144	8	throw new InvalidConfig('Default group [*] is missing for locales structure.');
145		}
146
147	107	if (is_array($locales['']) && !isset($locales['']['/'])) {
148	1	throw new InvalidConfig('Group [default] is missing the default locale. e.g. ["/" => "en"]');
149		}
150
151	106	foreach ($locales as $group => $segments) {
152	106	if (!is_string($group)) {
153		throw new InvalidConfig('Invalid config structure for locales group ['.$group.']');
154		}
155		}
156
157	106	$this->validateEachCanonicalLocaleExists($config);
158	105	}
159
160		/**
161		* Each custom canonical entry should point to an existing locale.
162		*
163		* @param array $config
164		*/
165	106	private function validateEachCanonicalLocaleExists(array $config)
166		{
167	106	$canonicals = $config['canonicals'] ?? [];
168	106	foreach ($canonicals as $locale => $canonical) {
169	85	if (!$this->existsAsLocale($config['locales'], $locale)) {
170	1	throw new InvalidConfig('Canonical key '.$locale.' is not present as locale.');
171		}
172		}
173	105	}
174
175	85	private function existsAsLocale($existing_locales, $locale): bool
176		{
177	85	$flag = false;
178
179	85	foreach ($existing_locales as $existing_locale) {
180	85	if (is_array($existing_locale)) {
181	82	if (true === $this->existsAsLocale($existing_locale, $locale)) {
182	82	$flag = true;
183	82	break;
184		}
185		}
186
187	85	if ($existing_locale === $locale) {
188	84	$flag = true;
189	84	break;
190		}
191		}
192
193	85	return $flag;
194		}
195
196	73	public function offsetExists($offset)
197		{
198	73	if (!is_string($offset) && !is_int($offset)) {
199		return false;
200		}
201
202	73	return array_key_exists($offset, $this->config);
203		}
204
205	72	public function offsetGet($offset)
206		{
207	72	return $this->config[$offset];
208		}
209
210	1	public function offsetSet($offset, $value)
211		{
212	1	if (is_null($offset)) {
213		$this->config[] = $value;
214		} else {
215	1	$this->config[$offset] = $value;
216		}
217	1	}
218
219	1	public function offsetUnset($offset)
220		{
221	1	unset($this->config[$offset]);
222	1	}
223
224	82	public function toArray(): array
225		{
226	82	return $this->config;
227		}
228		}
229

thinktomorrow / locale

Issues (20)

Security Analysis not enabled

src/Values/Config.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like