Issues in CsrfProtection.php (master) - Issues in master - webstream-framework/Annotation - Measure and Improve Code Quality continuously with Scrutinizer

Issues (70)

Attributes/CsrfProtection.php (2 issues)

Labels

Bug 2

Severity

Major 2

<?php

namespace WebStream\Annotation\Attributes;

use WebStream\Annotation\Base\Annotation;
use WebStream\Annotation\Base\IAnnotatable;
use WebStream\Annotation\Base\IMethod;
use WebStream\Container\Container;
filter:
    dependency_paths: ["lib/*"]
use WebStream\Exception\Extend\CsrfException;
filter:
    dependency_paths: ["lib/*"]

/**
 * CsrfProtection
 * @author Ryuichi TANAKA.
 * @since 2015/05/08
 * @version 0.7
 *
 * @Annotation
 * @Target("METHOD")
 */
class CsrfProtection extends Annotation implements IMethod
{
    /**
     * @var array<string, string> CSRF定数定義
     */
    private array $csrfProtectionDefinitions = [
        'tokenKey' => '__CSRF_TOKEN__',
        'tokenHeader' => 'X-CSRF-Token'
    ];

    /**
     * {@inheritdoc}
     */
    public function onInject(array $injectAnnotation)
    {
    }

    /**
     * {@inheritdoc}
     */
    public function onMethodInject(IAnnotatable $instance, \ReflectionMethod $method, Container $container)
    {
        $tokenByRequest = null;
        if (array_key_exists($this->csrfProtectionDefinitions['tokenKey'], $container->post)) {
            $tokenByRequest = $container->post[$this->csrfProtectionDefinitions['tokenKey']];
        } elseif (array_key_exists($this->csrfProtectionDefinitions['tokenHeader'], $container->header)) {
            $tokenByRequest = $container->header[$this->csrfProtectionDefinitions['tokenHeader']];
        }

        $tokenInSession = $container->session->get($this->csrfProtectionDefinitions['tokenKey']);
        $container->session->delete($this->csrfProtectionDefinitions['tokenKey']);

        // POSTリクエスト以外はチェックしない
        if ($container->requestMethod !== 'POST') {
            return;
        }

        // リクエストトークン、セッショントークンが両方空はNG
        if ($tokenInSession === null && $tokenByRequest === null) {
            throw new CsrfException("Sent invalid CSRF token");
        }

        // リクエストトークンとセッショントークンが一致しない場合NG
        if ($tokenInSession !== $tokenByRequest) {
            throw new CsrfException("Sent invalid CSRF token");
        }
    }
}


1		<?php
2
3		namespace WebStream\Annotation\Attributes;
4
5		use WebStream\Annotation\Base\Annotation;
6		use WebStream\Annotation\Base\IAnnotatable;
7		use WebStream\Annotation\Base\IMethod;
8		use WebStream\Container\Container;
		0 ignored issues – show Bug introduced 2017-10-22 11:58 UTC by Report Bug Copy Issue Report Show Similar Issues like this The type `WebStream\Container\Container` was not found. Maybe you did not declare it correctly or list all dependencies? The issue could also be caused by a filter entry in the build configuration. If the path has been excluded in your configuration, e.g. `excluded_paths: ["lib/"]`, you can move it to the dependency path list as follows: filter: dependency_paths: ["lib/"] For further information see https://scrutinizer-ci.com/docs/tools/php/php-scrutinizer/#list-dependency-paths Loading history...
9		use WebStream\Exception\Extend\CsrfException;
		0 ignored issues – show Bug introduced 2017-10-22 11:58 UTC by Report Bug Copy Issue Report Show Similar Issues like this The type `WebStream\Exception\Extend\CsrfException` was not found. Maybe you did not declare it correctly or list all dependencies? The issue could also be caused by a filter entry in the build configuration. If the path has been excluded in your configuration, e.g. `excluded_paths: ["lib/"]`, you can move it to the dependency path list as follows: filter: dependency_paths: ["lib/"] For further information see https://scrutinizer-ci.com/docs/tools/php/php-scrutinizer/#list-dependency-paths Loading history...
10
11		/**
12		* CsrfProtection
13		* @author Ryuichi TANAKA.
14		* @since 2015/05/08
15		* @version 0.7
16		*
17		* @Annotation
18		* @Target("METHOD")
19		*/
20		class CsrfProtection extends Annotation implements IMethod
21		{
22		/**
23		* @var array<string, string> CSRF定数定義
24		*/
25		private array $csrfProtectionDefinitions = [
26		'tokenKey' => '__CSRF_TOKEN__',
27		'tokenHeader' => 'X-CSRF-Token'
28		];
29
30		/**
31		* {@inheritdoc}
32		*/
33	6	public function onInject(array $injectAnnotation)
34		{
35		}
36
37		/**
38		* {@inheritdoc}
39		*/
40	6	public function onMethodInject(IAnnotatable $instance, \ReflectionMethod $method, Container $container)
41		{
42	6	$tokenByRequest = null;
43	6	if (array_key_exists($this->csrfProtectionDefinitions['tokenKey'], $container->post)) {
44	2	$tokenByRequest = $container->post[$this->csrfProtectionDefinitions['tokenKey']];
45	4	} elseif (array_key_exists($this->csrfProtectionDefinitions['tokenHeader'], $container->header)) {
46	2	$tokenByRequest = $container->header[$this->csrfProtectionDefinitions['tokenHeader']];
47		}
48
49	6	$tokenInSession = $container->session->get($this->csrfProtectionDefinitions['tokenKey']);
50	6	$container->session->delete($this->csrfProtectionDefinitions['tokenKey']);
51
52		// POSTリクエスト以外はチェックしない
53	6	if ($container->requestMethod !== 'POST') {
54	1	return;
55		}
56
57		// リクエストトークン、セッショントークンが両方空はNG
58	5	if ($tokenInSession === null && $tokenByRequest === null) {
59		throw new CsrfException("Sent invalid CSRF token");
60		}
61
62		// リクエストトークンとセッショントークンが一致しない場合NG
63	5	if ($tokenInSession !== $tokenByRequest) {
64	3	throw new CsrfException("Sent invalid CSRF token");
65		}
66		}
67		}
68

webstream-framework / Annotation

Issues (70)

Attributes/CsrfProtection.php (2 issues)

Labels

Severity

Introduced By

Duplication Side-by-Side

Filter issues like