Issues in Dispatcher.php (develop) - Issues in develop - timw4mail/HummingBirdAnimeClient - Measure and Improve Code Quality continuously with Scrutinizer

Issues (287)

Security Analysis not enabled

Cross-Site Scripting

Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.

File Exposure

File Exposure allows an attacker to gain access to local files that he should not be able to access. These files can for example include database credentials, or other configuration files.

File Manipulation

File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.

Object Injection

Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.

Code Injection

Code Injection enables an attacker to execute arbitrary code on the server.

Response Splitting

Response Splitting can be used to send arbitrary responses.

File Inclusion

File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.

Command Injection

Command Injection enables an attacker to inject a shell command that is execute with the privileges of the web-server. This can be used to expose sensitive data, or gain access of your server.

SQL Injection

SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.

XPath Injection

XPath Injection enables an attacker to modify the parts of XML document that are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.

LDAP Injection

LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.

Header Injection

Other Vulnerability

This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.

Regex Injection

Regex Injection enables an attacker to execute arbitrary code in your PHP process.

XML Injection

XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.

Variable Injection

Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.

Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

src/Dispatcher.php (1 issue)

Labels

Documentation 1

Severity

Minor 1

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis, consider migrating to our new PHP analysis engine instead. Learn more

<?php declare(strict_types=1);
/**
 * Hummingbird Anime Client
 *
 * An API client for Hummingbird to manage anime and manga watch lists
 *
 * PHP version 7
 *
 * @package     HummingbirdAnimeClient
 * @author      Timothy J. Warren <[email protected]>
 * @copyright   2015 - 2016  Timothy J. Warren
 * @license     http://www.opensource.org/licenses/mit-license.html  MIT License
 * @version     3.1
 * @link        https://github.com/timw4mail/HummingBirdAnimeClient
 */

namespace Aviat\AnimeClient;

use const Aviat\AnimeClient\{
	DEFAULT_CONTROLLER,
	DEFAULT_CONTROLLER_NAMESPACE,
	ERROR_MESSAGE_METHOD,
	NOT_FOUND_METHOD,
	SRC_DIR
};

use Aviat\Ion\Di\ContainerInterface;
use Aviat\Ion\Friend;

/**
 * Basic routing/ dispatch
 */
class Dispatcher extends RoutingBase {

	/**
	 * The route-matching object
	 * @var object $router
	 */
	protected $router;

	/**
	 * The route matcher
	 * @var object $matcher
	 */
	protected $matcher;

	/**
	 * Class wrapper for input superglobals
	 * @var Psr\Http\Message\ServerRequestInterface
	 */
	protected $request;

	/**
	 * Routes added to router
	 * @var array $output_routes
	 */
	protected $output_routes;

	/**
	 * Constructor
	 *
	 * @param ContainerInterface $container
	 */
	public function __construct(ContainerInterface $container)
	{
		parent::__construct($container);
		$this->router = $container->get('aura-router')->getMap();
		$this->matcher = $container->get('aura-router')->getMatcher();
		$this->request = $container->get('request');

		$this->output_routes = $this->_setupRoutes();
	}

	/**
	 * Get the current route object, if one matches
	 *
	 * @return object
	 */
	public function getRoute()
	{
		$logger = $this->container->getLogger('default');

		$raw_route = $this->request->getUri()->getPath();
		$route_path = "/" . trim($raw_route, '/');

		$logger->info('Dispatcher - Routing data from get_route method');
		$logger->info(print_r([
			'route_path' => $route_path
		], TRUE));

		return $this->matcher->match($this->request);
	}

	/**
	 * Get list of routes applied
	 *
	 * @return array
	 */
	public function getOutputRoutes()
	{
		return $this->output_routes;
	}

	/**
	 * Handle the current route
	 *
	 * @codeCoverageIgnore
	 * @param object|null $route
	 * @return void
	 */
	public function __invoke($route = NULL)
	{
		$logger = $this->container->getLogger('default');

		if (is_null($route))
		{
			$route = $this->getRoute();

			$logger->info('Dispatcher - Route invoke arguments');
			$logger->info(print_r($route, TRUE));
		}

		if ($route)
		{
			$parsed = $this->processRoute(new Friend($route));
function acceptsInteger($int) { }

$x = '123'; // string "123"

// Instead of
acceptsInteger($x);

// we recommend to use
acceptsInteger((integer) $x);
			$controllerName = $parsed['controller_name'];
			$actionMethod = $parsed['action_method'];
			$params = $parsed['params'];
		}
		else
		{
			// If not route was matched, return an appropriate http
			// error message
			$error_route = $this->getErrorParams();
			$controllerName = DEFAULT_CONTROLLER;
			$actionMethod = $error_route['action_method'];
			$params = $error_route['params'];
		}

		$this->call($controllerName, $actionMethod, $params);
	}

	/**
	 * Parse out the arguments for the appropriate controller for
	 * the current route
	 *
	 * @param \Aura\Router\Route $route
	 * @throws \LogicException
	 * @return array
	 */
	protected function processRoute($route)
	{
		if (array_key_exists('controller', $route->attributes))
		{
			$controller_name = $route->attributes['controller'];
		}
		else
		{
			throw new \LogicException("Missing controller");
		}

		// Get the full namespace for a controller if a short name is given
		if (strpos($controller_name, '\\') === FALSE)
		{
			$map = $this->getControllerList();
			$controller_name = $map[$controller_name];
		}

		$action_method = (array_key_exists('action', $route->attributes))
			? $route->attributes['action']
			: NOT_FOUND_METHOD;

		$params = [];
		if ( ! empty($route->__get('tokens')))
		{
			$tokens = array_keys($route->__get('tokens'));
			foreach ($tokens as $param)
			{
				if (array_key_exists($param, $route->attributes))
				{
					$params[$param] = $route->attributes[$param];
				}
			}
		}
		$logger = $this->container->getLogger('default');
		$logger->info(json_encode($params));

		return [
			'controller_name' => $controller_name,
			'action_method' => $action_method,
			'params' => $params
		];
	}

	/**
	 * Get the type of route, to select the current controller
	 *
	 * @return string
	 */
	public function getController()
	{
		$route_type = $this->__get('default_list');
		$request_uri = $this->request->getUri()->getPath();
		$path = trim($request_uri, '/');

		$segments = explode('/', $path);
		$controller = reset($segments);

		if (empty($controller))
		{
			$controller = $route_type;
		}

		return $controller;
	}

	/**
	 * Get the list of controllers in the default namespace
	 *
	 * @return array
	 */
	public function getControllerList()
	{
		$default_namespace = DEFAULT_CONTROLLER_NAMESPACE;
		$path = str_replace('\\', '/', $default_namespace);
		$path = str_replace('Aviat/AnimeClient/', '', $path);
		$path = trim($path, '/');
		$actual_path = realpath(_dir(SRC_DIR, $path));
		$class_files = glob("{$actual_path}/*.php");

		$controllers = [];

		foreach ($class_files as $file)
		{
			$raw_class_name = basename(str_replace(".php", "", $file));
			$path = strtolower(basename($raw_class_name));
			$class_name = trim($default_namespace . '\\' . $raw_class_name, '\\');

			$controllers[$path] = $class_name;
		}

		return $controllers;
	}

	/**
	 * Create the controller object and call the appropriate
	 * method
	 *
	 * @param  string $controllerName - The full namespace of the controller class
	 * @param  string $method
	 * @param  array  $params
	 * @return void
	 */
	protected function call($controllerName, $method, array $params)
	{
		$logger = $this->container->getLogger('default');

		$controller = new $controllerName($this->container);

		// Run the appropriate controller method
		$logger->debug('Dispatcher - controller arguments');
		$logger->debug(print_r($params, TRUE));
		call_user_func_array([$controller, $method], $params);
	}

	/**
	 * Get the appropriate params for the error page
	 * pased on the failed route
	 *
	 * @return array|false
	 */
	protected function getErrorParams()
	{
		$logger = $this->container->getLogger('default');
		$failure = $this->matcher->getFailedRoute();

		$logger->info('Dispatcher - failed route');
		$logger->info(print_r($failure, TRUE));

		$action_method = ERROR_MESSAGE_METHOD;

		$params = [];

		switch($failure->failedRule) {
			case 'Aura\Router\Rule\Allows':
				$params = [
					'http_code' => 405,
					'title' => '405 Method Not Allowed',
					'message' => 'Invalid HTTP Verb'
				];
			break;

			case 'Aura\Router\Rule\Accepts':
				$params = [
					'http_code' => 406,
					'title' => '406 Not Acceptable',
					'message' => 'Unacceptable content type'
				];
			break;

			default:
				// Fall back to a 404 message
				$action_method = NOT_FOUND_METHOD;
			break;
		}

		return [
			'params' => $params,
			'action_method' => $action_method
		];
	}

	/**
	 * Select controller based on the current url, and apply its relevent routes
	 *
	 * @return array
	 */
	protected function _setupRoutes()
	{
		$route_type = $this->getController();

		// Add routes
		$routes = [];
		foreach ($this->routes as $name => &$route)
		{
			$path = $route['path'];
			unset($route['path']);

			$controller_map = $this->getControllerList();
			$controller_class = (array_key_exists($route_type, $controller_map))
				? $controller_map[$route_type]
				: DEFAULT_CONTROLLER;

			if (array_key_exists($route_type, $controller_map))
			{
				$controller_class = $controller_map[$route_type];
			}

			// Prepend the controller to the route parameters
			$route['controller'] = $controller_class;

			// Select the appropriate router method based on the http verb
			$add = (array_key_exists('verb', $route))
				? strtolower($route['verb'])
				: "get";

			// Add the route to the router object
			if ( ! array_key_exists('tokens', $route))
			{
				$routes[] = $this->router->$add($name, $path)->defaults($route);
			}
			else
			{
				$tokens = $route['tokens'];
				unset($route['tokens']);

				$routes[] = $this->router->$add($name, $path)
					->defaults($route)
					->tokens($tokens);
			}
		}

		return $routes;
	}
}
// End of Dispatcher.php

1			<?php declare(strict_types=1);
2			/**
3			* Hummingbird Anime Client
4			*
5			* An API client for Hummingbird to manage anime and manga watch lists
6			*
7			* PHP version 7
8			*
9			* @package HummingbirdAnimeClient
10			* @author Timothy J. Warren <[email protected]>
11			* @copyright 2015 - 2016 Timothy J. Warren
12			* @license http://www.opensource.org/licenses/mit-license.html MIT License
13			* @version 3.1
14			* @link https://github.com/timw4mail/HummingBirdAnimeClient
15			*/
16
17			namespace Aviat\AnimeClient;
18
19			use const Aviat\AnimeClient\{
20			DEFAULT_CONTROLLER,
21			DEFAULT_CONTROLLER_NAMESPACE,
22			ERROR_MESSAGE_METHOD,
23			NOT_FOUND_METHOD,
24			SRC_DIR
25			};
26
27			use Aviat\Ion\Di\ContainerInterface;
28			use Aviat\Ion\Friend;
29
30			/**
31			* Basic routing/ dispatch
32			*/
33			class Dispatcher extends RoutingBase {
34
35			/**
36			* The route-matching object
37			* @var object $router
38			*/
39			protected $router;
40
41			/**
42			* The route matcher
43			* @var object $matcher
44			*/
45			protected $matcher;
46
47			/**
48			* Class wrapper for input superglobals
49			* @var Psr\Http\Message\ServerRequestInterface
50			*/
51			protected $request;
52
53			/**
54			* Routes added to router
55			* @var array $output_routes
56			*/
57			protected $output_routes;
58
59			/**
60			* Constructor
61			*
62			* @param ContainerInterface $container
63			*/
64			public function __construct(ContainerInterface $container)
65			{
66			parent::__construct($container);
67			$this->router = $container->get('aura-router')->getMap();
68			$this->matcher = $container->get('aura-router')->getMatcher();
69			$this->request = $container->get('request');
70
71			$this->output_routes = $this->_setupRoutes();
72			}
73
74			/**
75			* Get the current route object, if one matches
76			*
77			* @return object
78			*/
79			public function getRoute()
80			{
81			$logger = $this->container->getLogger('default');
82
83			$raw_route = $this->request->getUri()->getPath();
84			$route_path = "/" . trim($raw_route, '/');
85
86			$logger->info('Dispatcher - Routing data from get_route method');
87			$logger->info(print_r([
88			'route_path' => $route_path
89			], TRUE));
90
91			return $this->matcher->match($this->request);
92			}
93
94			/**
95			* Get list of routes applied
96			*
97			* @return array
98			*/
99			public function getOutputRoutes()
100			{
101			return $this->output_routes;
102			}
103
104			/**
105			* Handle the current route
106			*
107			* @codeCoverageIgnore
108			* @param object\|null $route
109			* @return void
110			*/
111			public function __invoke($route = NULL)
112			{
113			$logger = $this->container->getLogger('default');
114
115			if (is_null($route))
116			{
117			$route = $this->getRoute();
118
119			$logger->info('Dispatcher - Route invoke arguments');
120			$logger->info(print_r($route, TRUE));
121			}
122
123			if ($route)
124			{
125			$parsed = $this->processRoute(new Friend($route));
			0 ignored issues – show Documentation introduced 2016-04-08 19:50 UTC by Report Bug Copy Issue Report Show Similar Issues like this `new \Aviat\Ion\Friend($route)` is of type `object<Aviat\Ion\Friend>`, but the function expects a `object<Aura\Router\Route>`. It seems like the type of the argument is not accepted by the function/method which you are calling. In some cases, in particular if PHP’s automatic type-juggling kicks in this might be fine. In other cases, however this might be a bug. We suggest to add an explicit type cast like in the following example: function acceptsInteger($int) { } $x = '123'; // string "123" // Instead of acceptsInteger($x); // we recommend to use acceptsInteger((integer) $x); Loading history...
126			$controllerName = $parsed['controller_name'];
127			$actionMethod = $parsed['action_method'];
128			$params = $parsed['params'];
129			}
130			else
131			{
132			// If not route was matched, return an appropriate http
133			// error message
134			$error_route = $this->getErrorParams();
135			$controllerName = DEFAULT_CONTROLLER;
136			$actionMethod = $error_route['action_method'];
137			$params = $error_route['params'];
138			}
139
140			$this->call($controllerName, $actionMethod, $params);
141			}
142
143			/**
144			* Parse out the arguments for the appropriate controller for
145			* the current route
146			*
147			* @param \Aura\Router\Route $route
148			* @throws \LogicException
149			* @return array
150			*/
151			protected function processRoute($route)
152			{
153			if (array_key_exists('controller', $route->attributes))
154			{
155			$controller_name = $route->attributes['controller'];
156			}
157			else
158			{
159			throw new \LogicException("Missing controller");
160			}
161
162			// Get the full namespace for a controller if a short name is given
163			if (strpos($controller_name, '\\') === FALSE)
164			{
165			$map = $this->getControllerList();
166			$controller_name = $map[$controller_name];
167			}
168
169			$action_method = (array_key_exists('action', $route->attributes))
170			? $route->attributes['action']
171			: NOT_FOUND_METHOD;
172
173			$params = [];
174			if ( ! empty($route->__get('tokens')))
175			{
176			$tokens = array_keys($route->__get('tokens'));
177			foreach ($tokens as $param)
178			{
179			if (array_key_exists($param, $route->attributes))
180			{
181			$params[$param] = $route->attributes[$param];
182			}
183			}
184			}
185			$logger = $this->container->getLogger('default');
186			$logger->info(json_encode($params));
187
188			return [
189			'controller_name' => $controller_name,
190			'action_method' => $action_method,
191			'params' => $params
192			];
193			}
194
195			/**
196			* Get the type of route, to select the current controller
197			*
198			* @return string
199			*/
200			public function getController()
201			{
202			$route_type = $this->__get('default_list');
203			$request_uri = $this->request->getUri()->getPath();
204			$path = trim($request_uri, '/');
205
206			$segments = explode('/', $path);
207			$controller = reset($segments);
208
209			if (empty($controller))
210			{
211			$controller = $route_type;
212			}
213
214			return $controller;
215			}
216
217			/**
218			* Get the list of controllers in the default namespace
219			*
220			* @return array
221			*/
222			public function getControllerList()
223			{
224			$default_namespace = DEFAULT_CONTROLLER_NAMESPACE;
225			$path = str_replace('\\', '/', $default_namespace);
226			$path = str_replace('Aviat/AnimeClient/', '', $path);
227			$path = trim($path, '/');
228			$actual_path = realpath(_dir(SRC_DIR, $path));
229			$class_files = glob("{$actual_path}/*.php");
230
231			$controllers = [];
232
233			foreach ($class_files as $file)
234			{
235			$raw_class_name = basename(str_replace(".php", "", $file));
236			$path = strtolower(basename($raw_class_name));
237			$class_name = trim($default_namespace . '\\' . $raw_class_name, '\\');
238
239			$controllers[$path] = $class_name;
240			}
241
242			return $controllers;
243			}
244
245			/**
246			* Create the controller object and call the appropriate
247			* method
248			*
249			* @param string $controllerName - The full namespace of the controller class
250			* @param string $method
251			* @param array $params
252			* @return void
253			*/
254			protected function call($controllerName, $method, array $params)
255			{
256			$logger = $this->container->getLogger('default');
257
258			$controller = new $controllerName($this->container);
259
260			// Run the appropriate controller method
261			$logger->debug('Dispatcher - controller arguments');
262			$logger->debug(print_r($params, TRUE));
263			call_user_func_array([$controller, $method], $params);
264			}
265
266			/**
267			* Get the appropriate params for the error page
268			* pased on the failed route
269			*
270			* @return array\|false
271			*/
272			protected function getErrorParams()
273			{
274			$logger = $this->container->getLogger('default');
275			$failure = $this->matcher->getFailedRoute();
276
277			$logger->info('Dispatcher - failed route');
278			$logger->info(print_r($failure, TRUE));
279
280			$action_method = ERROR_MESSAGE_METHOD;
281
282			$params = [];
283
284			switch($failure->failedRule) {
285			case 'Aura\Router\Rule\Allows':
286			$params = [
287			'http_code' => 405,
288			'title' => '405 Method Not Allowed',
289			'message' => 'Invalid HTTP Verb'
290			];
291			break;
292
293			case 'Aura\Router\Rule\Accepts':
294			$params = [
295			'http_code' => 406,
296			'title' => '406 Not Acceptable',
297			'message' => 'Unacceptable content type'
298			];
299			break;
300
301			default:
302			// Fall back to a 404 message
303			$action_method = NOT_FOUND_METHOD;
304			break;
305			}
306
307			return [
308			'params' => $params,
309			'action_method' => $action_method
310			];
311			}
312
313			/**
314			* Select controller based on the current url, and apply its relevent routes
315			*
316			* @return array
317			*/
318			protected function _setupRoutes()
319			{
320			$route_type = $this->getController();
321
322			// Add routes
323			$routes = [];
324			foreach ($this->routes as $name => &$route)
325			{
326			$path = $route['path'];
327			unset($route['path']);
328
329			$controller_map = $this->getControllerList();
330			$controller_class = (array_key_exists($route_type, $controller_map))
331			? $controller_map[$route_type]
332			: DEFAULT_CONTROLLER;
333
334			if (array_key_exists($route_type, $controller_map))
335			{
336			$controller_class = $controller_map[$route_type];
337			}
338
339			// Prepend the controller to the route parameters
340			$route['controller'] = $controller_class;
341
342			// Select the appropriate router method based on the http verb
343			$add = (array_key_exists('verb', $route))
344			? strtolower($route['verb'])
345			: "get";
346
347			// Add the route to the router object
348			if ( ! array_key_exists('tokens', $route))
349			{
350			$routes[] = $this->router->$add($name, $path)->defaults($route);
351			}
352			else
353			{
354			$tokens = $route['tokens'];
355			unset($route['tokens']);
356
357			$routes[] = $this->router->$add($name, $path)
358			->defaults($route)
359			->tokens($tokens);
360			}
361			}
362
363			return $routes;
364			}
365			}
366			// End of Dispatcher.php

timw4mail / HummingBirdAnimeClient

Issues (287)

Security Analysis not enabled

src/Dispatcher.php (1 issue)

Labels

Severity

Introduced By

Upgrade to new PHP Analysis Engine

Duplication Side-by-Side

Filter issues like