HasSettings::getSettingsInstance() - Code Metrics - Inspection of "Feature related to #21" - zachleigh/laravel-property-bag - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Pull Request — master (#22)

unknown

created 2019-01-22 12:11 UTC

HasSettings::getSettingsInstance() A

↳ Parent: HasSettings

Complexity

Conditions	2
Paths	2

Size

Total Lines

Duplication

Lines	0
Ratio	0 %

Importance

Changes

Metric	Value
dl	0
loc	10
rs	9.9332
c	0
b	0
f	0
cc	2
nc	2
nop	0

<?php

namespace LaravelPropertyBag\Settings;

use LaravelPropertyBag\Helpers\NameResolver;
use LaravelPropertyBag\Exceptions\ResourceNotFound;

trait HasSettings
{
    /**
     * Instance of Settings.
     *
     * @var LaravelPropertyBag\Settings\Settings
     */
    protected $settings = null;

    /**
     * A resource has many settings in a property bag.
     *
     * @return \Illuminate\Database\Eloquent\Relations\MorphMany
     */
    public function propertyBag()
    {
        return $this->morphMany(PropertyBag::class, 'resource');
trait Idable {
    public function equalIds(Idable $other) {
        return $this->getId() === $other->getId();
    }
}
    }

    /**
     * If passed is string, get settings class for the resource or return value
     * for given key. If passed is array, set the key value pair.
     *
     * @param string|array $passed
     *
     * @return LaravelPropertyBag\Settings\Settings|mixed
     */
    public function settings($passed = null)
    {
        if (is_array($passed)) {
            return $this->setSettings($passed);
        } elseif (!is_null($passed)) {
            $settings = $this->getSettingsInstance();

            return $settings->get($passed);
        }

        return $this->getSettingsInstance();
    }

    /**
     * Get settings off this or create new instance.
     *
     * @return LaravelPropertyBag\Settings\Settings
     */
    protected function getSettingsInstance()
    {
        if (isset($this->settings)) {
            return $this->settings;
        }

        $settingsConfig = $this->getSettingsConfig();

        return $this->settings = new Settings($settingsConfig, $this);

    }

    /**
     * Get the settings class name.
     *
     * @throws ResourceNotFound
     *
     * @return LaravelPropertyBag\Settings\ResourceConfig
     */
    protected function getSettingsConfig()
    {
        if (isset($this->settingsConfig)) {
            $fullNamespace = $this->settingsConfig;

        } else {
            $className = $this->getShortClassName();

            $fullNamespace = NameResolver::makeConfigFileName($className);
        }

        if (class_exists($fullNamespace)) {
            return new $fullNamespace($this);
        }

        throw ResourceNotFound::resourceConfigNotFound($fullNamespace);
    }

    /**
     * Get the short name of the model.
     *
     * @return string
     */
    protected function getShortClassName()
    {
        $reflection = new \ReflectionClass($this);

        return $reflection->getShortName();
    }

    /**
     * Set settings.
     *
     * @param array $attributes
     *
     * @return LaravelPropertyBag\Settings\Settings
     */
    public function setSettings(array $attributes)
    {
        return $this->settings()->set($attributes);
    }

    /**
     * Set all allowed settings by Request.
     *
     * @return LaravelPropertyBag\Settings\Settings
     */
    public function setSettingsByRequest()
    {
        $allAllowedSettings = array_keys($this->allSettings()->toArray());

        return $this->settings()->set(request()->only($allAllowedSettings));
if ( ! in_array($value, array('this-is-allowed', 'and-this-too'), true)) {
    throw new \InvalidArgumentException('This input is not allowed.');
}
    }

    /**
     * Get all settings.
     *
     * @return \Illuminate\Support\Collection
     */
    public function allSettings()
    {
        return $this->settings()->all();
    }

    /**
     * Get all default settings or default setting for single key if given.
     *
     * @param string $key
     *
     * @return \Illuminate\Support\Collection|mixed
     */
    public function defaultSetting($key = null)
    {
        if (!is_null($key)) {
            return $this->settings()->getDefault($key);
        }

        return $this->settings()->allDefaults();
    }

    /**
     * Get all allowed settings or allowed settings for single ke if given.
     *
     * @param string $key
     *
     * @return \Illuminate\Support\Collection
     */
    public function allowedSetting($key = null)
    {
        if (!is_null($key)) {
            return $this->settings()->getAllowed($key);
        }

        return $this->settings()->allAllowed();
    }

    /**
     * Get an array with all stored rows with a given setting and/or value.
     *
     * @param $key
     * @param null $value
     *
     * @return \Illuminate\Support\Collection
     */
    public static function withSetting($key, $value = null)
    {
        return static::all()->filter(function($row) use ($key, $value) {
            $setting = $row->settings($key);
            if (!is_null($value)) {
                return !is_null($setting) && $setting === $value;
            }
            return !is_null($setting);
        });
    }
}


1			<?php
2
3			namespace LaravelPropertyBag\Settings;
4
5			use LaravelPropertyBag\Helpers\NameResolver;
6			use LaravelPropertyBag\Exceptions\ResourceNotFound;
7
8			trait HasSettings
9			{
10			/**
11			* Instance of Settings.
12			*
13			* @var LaravelPropertyBag\Settings\Settings
14			*/
15			protected $settings = null;
16
17			/**
18			* A resource has many settings in a property bag.
19			*
20			* @return \Illuminate\Database\Eloquent\Relations\MorphMany
21			*/
22			public function propertyBag()
23			{
24			return $this->morphMany(PropertyBag::class, 'resource');
			0 ignored issues – show Bug introduced 2017-01-28 14:09 UTC by Report Bug Copy Issue Report It seems like `morphMany()` must be provided by classes using this trait. How about adding it as abstract method to this trait? This check looks for methods that are used by a trait but not required by it. To illustrate, let’s look at the following code example trait Idable { public function equalIds(Idable $other) { return $this->getId() === $other->getId(); } } The trait `Idable` provides a method `equalsId` that in turn relies on the method `getId()`. If this method does not exist on a class mixing in this trait, the method will fail. Adding the `getId()` as an abstract method to the trait will make sure it is available. Loading history...
25			}
26
27			/**
28			* If passed is string, get settings class for the resource or return value
29			* for given key. If passed is array, set the key value pair.
30			*
31			* @param string\|array $passed
32			*
33			* @return LaravelPropertyBag\Settings\Settings\|mixed
34			*/
35			public function settings($passed = null)
36			{
37			if (is_array($passed)) {
38			return $this->setSettings($passed);
39			} elseif (!is_null($passed)) {
40			$settings = $this->getSettingsInstance();
41
42			return $settings->get($passed);
43			}
44
45			return $this->getSettingsInstance();
46			}
47
48			/**
49			* Get settings off this or create new instance.
50			*
51			* @return LaravelPropertyBag\Settings\Settings
52			*/
53			protected function getSettingsInstance()
54			{
55			if (isset($this->settings)) {
56			return $this->settings;
57			}
58
59			$settingsConfig = $this->getSettingsConfig();
60
61			return $this->settings = new Settings($settingsConfig, $this);
			0 ignored issues – show Documentation Bug introduced 2017-01-28 14:09 UTC by Report Bug Copy Issue Report It seems like `new \LaravelPropertyBag\...$settingsConfig, $this)` of type `object<LaravelPropertyBag\Settings\Settings>` is incompatible with the declared type `object<LaravelPropertyBa...yBag\Settings\Settings>` of property `$settings`. Our type inference engine has found an assignment to a property that is incompatible with the declared type of that property. Either this assignment is in error or the assigned type should be added to the documentation/type hint for that property.. Loading history...
62			}
63
64			/**
65			* Get the settings class name.
66			*
67			* @throws ResourceNotFound
68			*
69			* @return LaravelPropertyBag\Settings\ResourceConfig
70			*/
71			protected function getSettingsConfig()
72			{
73			if (isset($this->settingsConfig)) {
74			$fullNamespace = $this->settingsConfig;
			0 ignored issues – show Bug introduced 2017-01-28 14:09 UTC by Report Bug Copy Issue Report The property `settingsConfig` does not seem to exist. Did you mean `settings`? An attempt at access to an undefined property has been detected. This may either be a typographical error or the property has been renamed but there are still references to its old name. If you really want to allow access to undefined properties, you can define magic methods to allow access. See the php core documentation on Overloading. Loading history...
75			} else {
76			$className = $this->getShortClassName();
77
78			$fullNamespace = NameResolver::makeConfigFileName($className);
79			}
80
81			if (class_exists($fullNamespace)) {
82			return new $fullNamespace($this);
83			}
84
85			throw ResourceNotFound::resourceConfigNotFound($fullNamespace);
86			}
87
88			/**
89			* Get the short name of the model.
90			*
91			* @return string
92			*/
93			protected function getShortClassName()
94			{
95			$reflection = new \ReflectionClass($this);
96
97			return $reflection->getShortName();
98			}
99
100			/**
101			* Set settings.
102			*
103			* @param array $attributes
104			*
105			* @return LaravelPropertyBag\Settings\Settings
106			*/
107			public function setSettings(array $attributes)
108			{
109			return $this->settings()->set($attributes);
110			}
111
112			/**
113			* Set all allowed settings by Request.
114			*
115			* @return LaravelPropertyBag\Settings\Settings
116			*/
117			public function setSettingsByRequest()
118			{
119			$allAllowedSettings = array_keys($this->allSettings()->toArray());
120
121			return $this->settings()->set(request()->only($allAllowedSettings));
			0 ignored issues – show Security File Exposure introduced 2019-01-22 12:24 UTC by Report Bug Copy Issue Report `$allAllowedSettings` can contain request data and is used in file inclusion context(s) leading to a potential security vulnerability. 4 paths for user data to reach this point 1. Path: `$this->parameters['HTTP_AUTHORIZATION']` seems to return tainted data, and `$authorizationHeader` is assigned in ServerBag.php on line 62 `$this->parameters['HTTP_AUTHORIZATION']` seems to return tainted data, and `$authorizationHeader` is assigned in vendor/ServerBag.php on line 62 ParameterBag::$parameters is assigned in vendor/ServerBag.php on line 77 Iterating property ParameterBag::$parameters, and `$item` is assigned in vendor/src/Illuminate/Support/Collection.php on line 1355 `$item` is passed to Collection::push() in vendor/src/Illuminate/Support/Collection.php on line 1356 `$value` is passed to Collection::offsetSet() in vendor/src/Illuminate/Support/Collection.php on line 1340 Collection::$items is assigned in vendor/src/Illuminate/Support/Collection.php on line 1936 Tainted property Collection::$items is read, and `$this->items` is passed through array_map() in vendor/src/Illuminate/Support/Collection.php on line 1829 Collection::toArray() returns tainted data, and `$this->allSettings()->toArray()` is passed through array_keys(), and `$allAllowedSettings` is assigned in src/Settings/HasSettings.php on line 119 2. Path: Read from `$_POST,` and `$_POST` is passed to Request::createRequestFromFactory() in Request.php on line 281 Read from `$_POST,` and `$_POST` is passed to Request::createRequestFromFactory() in vendor/Request.php on line 281 `$request` is passed to Request::__construct() in vendor/Request.php on line 1928 `$request` is passed to Request::initialize() in vendor/Request.php on line 235 `$request` is passed to ParameterBag::__construct() in vendor/Request.php on line 253 ParameterBag::$parameters is assigned in vendor/ParameterBag.php on line 31 Iterating property ParameterBag::$parameters, and `$item` is assigned in vendor/src/Illuminate/Support/Collection.php on line 1355 `$item` is passed to Collection::push() in vendor/src/Illuminate/Support/Collection.php on line 1356 `$value` is passed to Collection::offsetSet() in vendor/src/Illuminate/Support/Collection.php on line 1340 Collection::$items is assigned in vendor/src/Illuminate/Support/Collection.php on line 1936 Tainted property Collection::$items is read, and `$this->items` is passed through array_map() in vendor/src/Illuminate/Support/Collection.php on line 1829 Collection::toArray() returns tainted data, and `$this->allSettings()->toArray()` is passed through array_keys(), and `$allAllowedSettings` is assigned in src/Settings/HasSettings.php on line 119 3. Path: `$this->parameters['PHP_AUTH_USER']` seems to return tainted data, and `$headers` is assigned in ServerBag.php on line 43 `$this->parameters['PHP_AUTH_USER']` seems to return tainted data, and `$headers` is assigned in vendor/ServerBag.php on line 43 `$headers` is assigned in vendor/ServerBag.php on line 44 ServerBag::getHeaders() returns tainted data, and `$this->server->getHeaders()` is passed to HeaderBag::__construct() in vendor/Request.php on line 259 `$values` is assigned in vendor/HeaderBag.php on line 29 `$values` is passed to HeaderBag::set() in vendor/HeaderBag.php on line 30 `$values` is passed through array_values(), and `$values` is assigned in vendor/HeaderBag.php on line 142 HeaderBag::$headers is assigned in vendor/HeaderBag.php on line 145 Iterating property HeaderBag::$headers, and `$item` is assigned in vendor/src/Illuminate/Support/Collection.php on line 1355 `$item` is passed to Collection::push() in vendor/src/Illuminate/Support/Collection.php on line 1356 `$value` is passed to Collection::offsetSet() in vendor/src/Illuminate/Support/Collection.php on line 1340 Collection::$items is assigned in vendor/src/Illuminate/Support/Collection.php on line 1936 Tainted property Collection::$items is read, and `$this->items` is passed through array_map() in vendor/src/Illuminate/Support/Collection.php on line 1829 Collection::toArray() returns tainted data, and `$this->allSettings()->toArray()` is passed through array_keys(), and `$allAllowedSettings` is assigned in src/Settings/HasSettings.php on line 119 4. Path: `$this->parameters['PHP_AUTH_PW']` seems to return tainted data, and `$headers` is assigned in ServerBag.php on line 44 `$this->parameters['PHP_AUTH_PW']` seems to return tainted data, and `$headers` is assigned in vendor/ServerBag.php on line 44 ServerBag::getHeaders() returns tainted data, and `$this->server->getHeaders()` is passed to HeaderBag::__construct() in vendor/Request.php on line 259 `$values` is assigned in vendor/HeaderBag.php on line 29 `$values` is passed to HeaderBag::set() in vendor/HeaderBag.php on line 30 `$values` is passed through array_values(), and `$values` is assigned in vendor/HeaderBag.php on line 142 HeaderBag::$headers is assigned in vendor/HeaderBag.php on line 145 Iterating property HeaderBag::$headers, and `$item` is assigned in vendor/src/Illuminate/Support/Collection.php on line 1355 `$item` is passed to Collection::push() in vendor/src/Illuminate/Support/Collection.php on line 1356 `$value` is passed to Collection::offsetSet() in vendor/src/Illuminate/Support/Collection.php on line 1340 Collection::$items is assigned in vendor/src/Illuminate/Support/Collection.php on line 1936 Tainted property Collection::$items is read, and `$this->items` is passed through array_map() in vendor/src/Illuminate/Support/Collection.php on line 1829 Collection::toArray() returns tainted data, and `$this->allSettings()->toArray()` is passed through array_keys(), and `$allAllowedSettings` is assigned in src/Settings/HasSettings.php on line 119 Used in path-read context InteractsWithInput::only() uses data_get() ($key) in vendor/src/Illuminate/Http/Concerns/InteractsWithInput.php on line 228 data_get() uses Arr::exists() ($key) in vendor/src/Illuminate/Support/helpers.php on line 475 Arr::exists() uses Repository::offsetExists() ($key) in vendor/src/Illuminate/Support/Arr.php on line 148 Repository::offsetExists() uses Repository::has() ($key) in vendor/src/Illuminate/Cache/Repository.php on line 520 Repository::has() uses Repository::get() ($key) in vendor/src/Illuminate/Cache/Repository.php on line 70 Repository::get() uses FileStore::get() ($key) in vendor/src/Illuminate/Cache/Repository.php on line 97 FileStore::get() uses FileStore::getPayload() ($key) in vendor/src/Illuminate/Cache/FileStore.php on line 49 FileStore::getPayload() uses Filesystem::get() ($path) in vendor/src/Illuminate/Cache/FileStore.php on line 172 Filesystem::get() uses file_get_contents() ($filename) in vendor/src/Illuminate/Filesystem/Filesystem.php on line 38 General Strategies to prevent injection In general, it is advisable to prevent any user-data to reach this point. This can be done by white-listing certain values: if ( ! in_array($value, array('this-is-allowed', 'and-this-too'), true)) { throw new \InvalidArgumentException('This input is not allowed.'); } For numeric data, we recommend to explicitly cast the data: $sanitized = (integer) $tainted; Loading history... Security File Manipulation introduced 2019-01-22 12:24 UTC by Report Bug Copy Issue Report `$allAllowedSettings` can contain request data and is used in file manipulation context(s) leading to a potential security vulnerability. 4 paths for user data to reach this point 1. Path: `$this->parameters['HTTP_AUTHORIZATION']` seems to return tainted data, and `$authorizationHeader` is assigned in ServerBag.php on line 62 `$this->parameters['HTTP_AUTHORIZATION']` seems to return tainted data, and `$authorizationHeader` is assigned in vendor/ServerBag.php on line 62 ParameterBag::$parameters is assigned in vendor/ServerBag.php on line 77 Iterating property ParameterBag::$parameters, and `$item` is assigned in vendor/src/Illuminate/Support/Collection.php on line 1355 `$item` is passed to Collection::push() in vendor/src/Illuminate/Support/Collection.php on line 1356 `$value` is passed to Collection::offsetSet() in vendor/src/Illuminate/Support/Collection.php on line 1340 Collection::$items is assigned in vendor/src/Illuminate/Support/Collection.php on line 1936 Tainted property Collection::$items is read, and `$this->items` is passed through array_map() in vendor/src/Illuminate/Support/Collection.php on line 1829 Collection::toArray() returns tainted data, and `$this->allSettings()->toArray()` is passed through array_keys(), and `$allAllowedSettings` is assigned in src/Settings/HasSettings.php on line 119 2. Path: Read from `$_POST,` and `$_POST` is passed to Request::createRequestFromFactory() in Request.php on line 281 Read from `$_POST,` and `$_POST` is passed to Request::createRequestFromFactory() in vendor/Request.php on line 281 `$request` is passed to Request::__construct() in vendor/Request.php on line 1928 `$request` is passed to Request::initialize() in vendor/Request.php on line 235 `$request` is passed to ParameterBag::__construct() in vendor/Request.php on line 253 ParameterBag::$parameters is assigned in vendor/ParameterBag.php on line 31 Iterating property ParameterBag::$parameters, and `$item` is assigned in vendor/src/Illuminate/Support/Collection.php on line 1355 `$item` is passed to Collection::push() in vendor/src/Illuminate/Support/Collection.php on line 1356 `$value` is passed to Collection::offsetSet() in vendor/src/Illuminate/Support/Collection.php on line 1340 Collection::$items is assigned in vendor/src/Illuminate/Support/Collection.php on line 1936 Tainted property Collection::$items is read, and `$this->items` is passed through array_map() in vendor/src/Illuminate/Support/Collection.php on line 1829 Collection::toArray() returns tainted data, and `$this->allSettings()->toArray()` is passed through array_keys(), and `$allAllowedSettings` is assigned in src/Settings/HasSettings.php on line 119 3. Path: `$this->parameters['PHP_AUTH_USER']` seems to return tainted data, and `$headers` is assigned in ServerBag.php on line 43 `$this->parameters['PHP_AUTH_USER']` seems to return tainted data, and `$headers` is assigned in vendor/ServerBag.php on line 43 `$headers` is assigned in vendor/ServerBag.php on line 44 ServerBag::getHeaders() returns tainted data, and `$this->server->getHeaders()` is passed to HeaderBag::__construct() in vendor/Request.php on line 259 `$values` is assigned in vendor/HeaderBag.php on line 29 `$values` is passed to HeaderBag::set() in vendor/HeaderBag.php on line 30 `$values` is passed through array_values(), and `$values` is assigned in vendor/HeaderBag.php on line 142 HeaderBag::$headers is assigned in vendor/HeaderBag.php on line 145 Iterating property HeaderBag::$headers, and `$item` is assigned in vendor/src/Illuminate/Support/Collection.php on line 1355 `$item` is passed to Collection::push() in vendor/src/Illuminate/Support/Collection.php on line 1356 `$value` is passed to Collection::offsetSet() in vendor/src/Illuminate/Support/Collection.php on line 1340 Collection::$items is assigned in vendor/src/Illuminate/Support/Collection.php on line 1936 Tainted property Collection::$items is read, and `$this->items` is passed through array_map() in vendor/src/Illuminate/Support/Collection.php on line 1829 Collection::toArray() returns tainted data, and `$this->allSettings()->toArray()` is passed through array_keys(), and `$allAllowedSettings` is assigned in src/Settings/HasSettings.php on line 119 4. Path: `$this->parameters['PHP_AUTH_PW']` seems to return tainted data, and `$headers` is assigned in ServerBag.php on line 44 `$this->parameters['PHP_AUTH_PW']` seems to return tainted data, and `$headers` is assigned in vendor/ServerBag.php on line 44 ServerBag::getHeaders() returns tainted data, and `$this->server->getHeaders()` is passed to HeaderBag::__construct() in vendor/Request.php on line 259 `$values` is assigned in vendor/HeaderBag.php on line 29 `$values` is passed to HeaderBag::set() in vendor/HeaderBag.php on line 30 `$values` is passed through array_values(), and `$values` is assigned in vendor/HeaderBag.php on line 142 HeaderBag::$headers is assigned in vendor/HeaderBag.php on line 145 Iterating property HeaderBag::$headers, and `$item` is assigned in vendor/src/Illuminate/Support/Collection.php on line 1355 `$item` is passed to Collection::push() in vendor/src/Illuminate/Support/Collection.php on line 1356 `$value` is passed to Collection::offsetSet() in vendor/src/Illuminate/Support/Collection.php on line 1340 Collection::$items is assigned in vendor/src/Illuminate/Support/Collection.php on line 1936 Tainted property Collection::$items is read, and `$this->items` is passed through array_map() in vendor/src/Illuminate/Support/Collection.php on line 1829 Collection::toArray() returns tainted data, and `$this->allSettings()->toArray()` is passed through array_keys(), and `$allAllowedSettings` is assigned in src/Settings/HasSettings.php on line 119 Used in path-write context InteractsWithInput::only() uses data_get() ($key) in vendor/src/Illuminate/Http/Concerns/InteractsWithInput.php on line 228 data_get() uses Arr::exists() ($key) in vendor/src/Illuminate/Support/helpers.php on line 475 Arr::exists() uses Repository::offsetExists() ($key) in vendor/src/Illuminate/Support/Arr.php on line 148 Repository::offsetExists() uses Repository::has() ($key) in vendor/src/Illuminate/Cache/Repository.php on line 520 Repository::has() uses Repository::get() ($key) in vendor/src/Illuminate/Cache/Repository.php on line 70 Repository::get() uses FileStore::get() ($key) in vendor/src/Illuminate/Cache/Repository.php on line 97 FileStore::get() uses FileStore::getPayload() ($key) in vendor/src/Illuminate/Cache/FileStore.php on line 49 FileStore::getPayload() uses FileStore::forget() ($key) in vendor/src/Illuminate/Cache/FileStore.php on line 182 FileStore::forget() uses Filesystem::delete() ($paths) in vendor/src/Illuminate/Cache/FileStore.php on line 131 Filesystem::delete() uses unlink() ($filename) in vendor/src/Illuminate/Filesystem/Filesystem.php on line 207 General Strategies to prevent injection In general, it is advisable to prevent any user-data to reach this point. This can be done by white-listing certain values: if ( ! in_array($value, array('this-is-allowed', 'and-this-too'), true)) { throw new \InvalidArgumentException('This input is not allowed.'); } For numeric data, we recommend to explicitly cast the data: $sanitized = (integer) $tainted; Loading history... Security Object Injection introduced 2019-01-22 12:24 UTC by Report Bug Copy Issue Report `$allAllowedSettings` can contain request data and is used in unserialized context(s) leading to a potential security vulnerability. 4 paths for user data to reach this point 1. Path: `$this->parameters['HTTP_AUTHORIZATION']` seems to return tainted data, and `$authorizationHeader` is assigned in ServerBag.php on line 62 `$this->parameters['HTTP_AUTHORIZATION']` seems to return tainted data, and `$authorizationHeader` is assigned in vendor/ServerBag.php on line 62 ParameterBag::$parameters is assigned in vendor/ServerBag.php on line 77 Iterating property ParameterBag::$parameters, and `$item` is assigned in vendor/src/Illuminate/Support/Collection.php on line 1355 `$item` is passed to Collection::push() in vendor/src/Illuminate/Support/Collection.php on line 1356 `$value` is passed to Collection::offsetSet() in vendor/src/Illuminate/Support/Collection.php on line 1340 Collection::$items is assigned in vendor/src/Illuminate/Support/Collection.php on line 1936 Tainted property Collection::$items is read, and `$this->items` is passed through array_map() in vendor/src/Illuminate/Support/Collection.php on line 1829 Collection::toArray() returns tainted data, and `$this->allSettings()->toArray()` is passed through array_keys(), and `$allAllowedSettings` is assigned in src/Settings/HasSettings.php on line 119 2. Path: Read from `$_POST,` and `$_POST` is passed to Request::createRequestFromFactory() in Request.php on line 281 Read from `$_POST,` and `$_POST` is passed to Request::createRequestFromFactory() in vendor/Request.php on line 281 `$request` is passed to Request::__construct() in vendor/Request.php on line 1928 `$request` is passed to Request::initialize() in vendor/Request.php on line 235 `$request` is passed to ParameterBag::__construct() in vendor/Request.php on line 253 ParameterBag::$parameters is assigned in vendor/ParameterBag.php on line 31 Iterating property ParameterBag::$parameters, and `$item` is assigned in vendor/src/Illuminate/Support/Collection.php on line 1355 `$item` is passed to Collection::push() in vendor/src/Illuminate/Support/Collection.php on line 1356 `$value` is passed to Collection::offsetSet() in vendor/src/Illuminate/Support/Collection.php on line 1340 Collection::$items is assigned in vendor/src/Illuminate/Support/Collection.php on line 1936 Tainted property Collection::$items is read, and `$this->items` is passed through array_map() in vendor/src/Illuminate/Support/Collection.php on line 1829 Collection::toArray() returns tainted data, and `$this->allSettings()->toArray()` is passed through array_keys(), and `$allAllowedSettings` is assigned in src/Settings/HasSettings.php on line 119 3. Path: `$this->parameters['PHP_AUTH_USER']` seems to return tainted data, and `$headers` is assigned in ServerBag.php on line 43 `$this->parameters['PHP_AUTH_USER']` seems to return tainted data, and `$headers` is assigned in vendor/ServerBag.php on line 43 `$headers` is assigned in vendor/ServerBag.php on line 44 ServerBag::getHeaders() returns tainted data, and `$this->server->getHeaders()` is passed to HeaderBag::__construct() in vendor/Request.php on line 259 `$values` is assigned in vendor/HeaderBag.php on line 29 `$values` is passed to HeaderBag::set() in vendor/HeaderBag.php on line 30 `$values` is passed through array_values(), and `$values` is assigned in vendor/HeaderBag.php on line 142 HeaderBag::$headers is assigned in vendor/HeaderBag.php on line 145 Iterating property HeaderBag::$headers, and `$item` is assigned in vendor/src/Illuminate/Support/Collection.php on line 1355 `$item` is passed to Collection::push() in vendor/src/Illuminate/Support/Collection.php on line 1356 `$value` is passed to Collection::offsetSet() in vendor/src/Illuminate/Support/Collection.php on line 1340 Collection::$items is assigned in vendor/src/Illuminate/Support/Collection.php on line 1936 Tainted property Collection::$items is read, and `$this->items` is passed through array_map() in vendor/src/Illuminate/Support/Collection.php on line 1829 Collection::toArray() returns tainted data, and `$this->allSettings()->toArray()` is passed through array_keys(), and `$allAllowedSettings` is assigned in src/Settings/HasSettings.php on line 119 4. Path: `$this->parameters['PHP_AUTH_PW']` seems to return tainted data, and `$headers` is assigned in ServerBag.php on line 44 `$this->parameters['PHP_AUTH_PW']` seems to return tainted data, and `$headers` is assigned in vendor/ServerBag.php on line 44 ServerBag::getHeaders() returns tainted data, and `$this->server->getHeaders()` is passed to HeaderBag::__construct() in vendor/Request.php on line 259 `$values` is assigned in vendor/HeaderBag.php on line 29 `$values` is passed to HeaderBag::set() in vendor/HeaderBag.php on line 30 `$values` is passed through array_values(), and `$values` is assigned in vendor/HeaderBag.php on line 142 HeaderBag::$headers is assigned in vendor/HeaderBag.php on line 145 Iterating property HeaderBag::$headers, and `$item` is assigned in vendor/src/Illuminate/Support/Collection.php on line 1355 `$item` is passed to Collection::push() in vendor/src/Illuminate/Support/Collection.php on line 1356 `$value` is passed to Collection::offsetSet() in vendor/src/Illuminate/Support/Collection.php on line 1340 Collection::$items is assigned in vendor/src/Illuminate/Support/Collection.php on line 1936 Tainted property Collection::$items is read, and `$this->items` is passed through array_map() in vendor/src/Illuminate/Support/Collection.php on line 1829 Collection::toArray() returns tainted data, and `$this->allSettings()->toArray()` is passed through array_keys(), and `$allAllowedSettings` is assigned in src/Settings/HasSettings.php on line 119 Used in unserialized context InteractsWithInput::only() uses data_get() ($key) in vendor/src/Illuminate/Http/Concerns/InteractsWithInput.php on line 228 data_get() uses Arr::exists() ($key) in vendor/src/Illuminate/Support/helpers.php on line 475 Arr::exists() uses Repository::offsetExists() ($key) in vendor/src/Illuminate/Support/Arr.php on line 148 Repository::offsetExists() uses Repository::has() ($key) in vendor/src/Illuminate/Cache/Repository.php on line 520 Repository::has() uses Repository::get() ($key) in vendor/src/Illuminate/Cache/Repository.php on line 70 Repository::get() uses FileStore::get() ($key) in vendor/src/Illuminate/Cache/Repository.php on line 97 FileStore::get() uses FileStore::getPayload() ($key) in vendor/src/Illuminate/Cache/FileStore.php on line 49 FileStore::getPayload() uses unserialize() ($str) in vendor/src/Illuminate/Cache/FileStore.php on line 187 Preventing Object Injection Attacks If you pass raw user-data to `unserialize()` for example, this can be used to create an object of any class that is available in your local filesystem. For an attacker, classes that have magic methods like `__destruct` or `__wakeup` are particularly interesting in such a case, as they can be exploited very easily. We recommend to not pass user data to such a function. In case of `unserialize`, better use `JSON` to transfer data. General Strategies to prevent injection In general, it is advisable to prevent any user-data to reach this point. This can be done by white-listing certain values: if ( ! in_array($value, array('this-is-allowed', 'and-this-too'), true)) { throw new \InvalidArgumentException('This input is not allowed.'); } For numeric data, we recommend to explicitly cast the data: $sanitized = (integer) $tainted; Loading history... Security Code Execution introduced 2019-01-22 12:24 UTC by Report Bug Copy Issue Report `$allAllowedSettings` can contain request data and is used in code execution context(s) leading to a potential security vulnerability. 4 paths for user data to reach this point 1. Path: `$this->parameters['HTTP_AUTHORIZATION']` seems to return tainted data, and `$authorizationHeader` is assigned in ServerBag.php on line 62 `$this->parameters['HTTP_AUTHORIZATION']` seems to return tainted data, and `$authorizationHeader` is assigned in vendor/ServerBag.php on line 62 ParameterBag::$parameters is assigned in vendor/ServerBag.php on line 77 Iterating property ParameterBag::$parameters, and `$item` is assigned in vendor/src/Illuminate/Support/Collection.php on line 1355 `$item` is passed to Collection::push() in vendor/src/Illuminate/Support/Collection.php on line 1356 `$value` is passed to Collection::offsetSet() in vendor/src/Illuminate/Support/Collection.php on line 1340 Collection::$items is assigned in vendor/src/Illuminate/Support/Collection.php on line 1936 Tainted property Collection::$items is read, and `$this->items` is passed through array_map() in vendor/src/Illuminate/Support/Collection.php on line 1829 Collection::toArray() returns tainted data, and `$this->allSettings()->toArray()` is passed through array_keys(), and `$allAllowedSettings` is assigned in src/Settings/HasSettings.php on line 119 2. Path: Read from `$_POST,` and `$_POST` is passed to Request::createRequestFromFactory() in Request.php on line 281 Read from `$_POST,` and `$_POST` is passed to Request::createRequestFromFactory() in vendor/Request.php on line 281 `$request` is passed to Request::__construct() in vendor/Request.php on line 1928 `$request` is passed to Request::initialize() in vendor/Request.php on line 235 `$request` is passed to ParameterBag::__construct() in vendor/Request.php on line 253 ParameterBag::$parameters is assigned in vendor/ParameterBag.php on line 31 Iterating property ParameterBag::$parameters, and `$item` is assigned in vendor/src/Illuminate/Support/Collection.php on line 1355 `$item` is passed to Collection::push() in vendor/src/Illuminate/Support/Collection.php on line 1356 `$value` is passed to Collection::offsetSet() in vendor/src/Illuminate/Support/Collection.php on line 1340 Collection::$items is assigned in vendor/src/Illuminate/Support/Collection.php on line 1936 Tainted property Collection::$items is read, and `$this->items` is passed through array_map() in vendor/src/Illuminate/Support/Collection.php on line 1829 Collection::toArray() returns tainted data, and `$this->allSettings()->toArray()` is passed through array_keys(), and `$allAllowedSettings` is assigned in src/Settings/HasSettings.php on line 119 3. Path: `$this->parameters['PHP_AUTH_USER']` seems to return tainted data, and `$headers` is assigned in ServerBag.php on line 43 `$this->parameters['PHP_AUTH_USER']` seems to return tainted data, and `$headers` is assigned in vendor/ServerBag.php on line 43 `$headers` is assigned in vendor/ServerBag.php on line 44 ServerBag::getHeaders() returns tainted data, and `$this->server->getHeaders()` is passed to HeaderBag::__construct() in vendor/Request.php on line 259 `$values` is assigned in vendor/HeaderBag.php on line 29 `$values` is passed to HeaderBag::set() in vendor/HeaderBag.php on line 30 `$values` is passed through array_values(), and `$values` is assigned in vendor/HeaderBag.php on line 142 HeaderBag::$headers is assigned in vendor/HeaderBag.php on line 145 Iterating property HeaderBag::$headers, and `$item` is assigned in vendor/src/Illuminate/Support/Collection.php on line 1355 `$item` is passed to Collection::push() in vendor/src/Illuminate/Support/Collection.php on line 1356 `$value` is passed to Collection::offsetSet() in vendor/src/Illuminate/Support/Collection.php on line 1340 Collection::$items is assigned in vendor/src/Illuminate/Support/Collection.php on line 1936 Tainted property Collection::$items is read, and `$this->items` is passed through array_map() in vendor/src/Illuminate/Support/Collection.php on line 1829 Collection::toArray() returns tainted data, and `$this->allSettings()->toArray()` is passed through array_keys(), and `$allAllowedSettings` is assigned in src/Settings/HasSettings.php on line 119 4. Path: `$this->parameters['PHP_AUTH_PW']` seems to return tainted data, and `$headers` is assigned in ServerBag.php on line 44 `$this->parameters['PHP_AUTH_PW']` seems to return tainted data, and `$headers` is assigned in vendor/ServerBag.php on line 44 ServerBag::getHeaders() returns tainted data, and `$this->server->getHeaders()` is passed to HeaderBag::__construct() in vendor/Request.php on line 259 `$values` is assigned in vendor/HeaderBag.php on line 29 `$values` is passed to HeaderBag::set() in vendor/HeaderBag.php on line 30 `$values` is passed through array_values(), and `$values` is assigned in vendor/HeaderBag.php on line 142 HeaderBag::$headers is assigned in vendor/HeaderBag.php on line 145 Iterating property HeaderBag::$headers, and `$item` is assigned in vendor/src/Illuminate/Support/Collection.php on line 1355 `$item` is passed to Collection::push() in vendor/src/Illuminate/Support/Collection.php on line 1356 `$value` is passed to Collection::offsetSet() in vendor/src/Illuminate/Support/Collection.php on line 1340 Collection::$items is assigned in vendor/src/Illuminate/Support/Collection.php on line 1936 Tainted property Collection::$items is read, and `$this->items` is passed through array_map() in vendor/src/Illuminate/Support/Collection.php on line 1829 Collection::toArray() returns tainted data, and `$this->allSettings()->toArray()` is passed through array_keys(), and `$allAllowedSettings` is assigned in src/Settings/HasSettings.php on line 119 Used in code-execution context InteractsWithInput::only() uses data_get() ($key) in vendor/src/Illuminate/Http/Concerns/InteractsWithInput.php on line 228 data_get() uses Arr::exists() ($key) in vendor/src/Illuminate/Support/helpers.php on line 475 Arr::exists() uses Model::offsetExists() ($offset) in vendor/src/Illuminate/Support/Arr.php on line 148 Model::offsetExists() uses HasAttributes::getAttribute() ($key) in vendor/src/Illuminate/Database/Eloquent/Model.php on line 1536 HasAttributes::getAttribute() uses HasAttributes::getRelationValue() ($key) in vendor/src/Illuminate/Database/Eloquent/Concerns/HasAttributes.php on line 327 HasAttributes::getRelationValue() uses HasAttributes::getRelationshipFromMethod() ($method) in vendor/src/Illuminate/Database/Eloquent/Concerns/HasAttributes.php on line 397 HasAttributes::getRelationshipFromMethod() uses dynamic method call in vendor/src/Illuminate/Database/Eloquent/Concerns/HasAttributes.php on line 411 General Strategies to prevent injection In general, it is advisable to prevent any user-data to reach this point. This can be done by white-listing certain values: if ( ! in_array($value, array('this-is-allowed', 'and-this-too'), true)) { throw new \InvalidArgumentException('This input is not allowed.'); } For numeric data, we recommend to explicitly cast the data: $sanitized = (integer) $tainted; Loading history...
122			}
123
124			/**
125			* Get all settings.
126			*
127			* @return \Illuminate\Support\Collection
128			*/
129			public function allSettings()
130			{
131			return $this->settings()->all();
132			}
133
134			/**
135			* Get all default settings or default setting for single key if given.
136			*
137			* @param string $key
138			*
139			* @return \Illuminate\Support\Collection\|mixed
140			*/
141			public function defaultSetting($key = null)
142			{
143			if (!is_null($key)) {
144			return $this->settings()->getDefault($key);
145			}
146
147			return $this->settings()->allDefaults();
148			}
149
150			/**
151			* Get all allowed settings or allowed settings for single ke if given.
152			*
153			* @param string $key
154			*
155			* @return \Illuminate\Support\Collection
156			*/
157			public function allowedSetting($key = null)
158			{
159			if (!is_null($key)) {
160			return $this->settings()->getAllowed($key);
161			}
162
163			return $this->settings()->allAllowed();
164			}
165
166			/**
167			* Get an array with all stored rows with a given setting and/or value.
168			*
169			* @param $key
170			* @param null $value
171			*
172			* @return \Illuminate\Support\Collection
173			*/
174			public static function withSetting($key, $value = null)
175			{
176			return static::all()->filter(function($row) use ($key, $value) {
177			$setting = $row->settings($key);
178			if (!is_null($value)) {
179			return !is_null($setting) && $setting === $value;
180			}
181			return !is_null($setting);
182			});
183			}
184			}
185

zachleigh / laravel-property-bag

Pull Request — master (#22)

HasSettings::getSettingsInstance() A

Complexity

Size

Duplication

Importance

4 paths for user data to reach this point

Used in path-read context

General Strategies to prevent injection

4 paths for user data to reach this point

Used in path-write context

General Strategies to prevent injection

4 paths for user data to reach this point

Used in unserialized context

Preventing Object Injection Attacks

General Strategies to prevent injection

4 paths for user data to reach this point

Used in code-execution context

General Strategies to prevent injection

Duplication Side-by-Side

Filter issues like