config/csrf_config.php
isAjax accesses the super-global variable $_SERVER. Open
Open
public static function isAjax()
{
if (!empty($_SERVER['HTTP_X_REQUESTED_WITH'])) {
return true;
}- Read upRead up
- Exclude checks
Superglobals
Since: 0.2
Accessing a super-global variable directly is considered a bad practice. These variables should be encapsulated in objects that are provided by a framework, for instance.
Example
class Foo {
public function bar() {
$name = $_POST['foo'];
}
}Source
Missing class import via use statement (line '22', column '14'). Open
Open
throw new \App\Exceptions\Csrf('Invalid request - Response For Illegal Access', 403);- Read upRead up
- Exclude checks
MissingImport
Since: 2.7.0
Importing all external classes in a file through use statements makes them clearly visible.
Example
function make() {
return new \stdClass();
}Source http://phpmd.org/rules/cleancode.html#MissingImport
Avoid using static access to class '\App\Config' in method 'startup'. Open
Open
\CsrfMagic\Csrf::$expires = \App\Config::security('csrfLifetimeToken', 7200);- Read upRead up
- Exclude checks
StaticAccess
Since: 1.4.0
Static access causes unexchangeable dependencies to other classes and leads to hard to test code. Avoid using static access at all costs and instead inject dependencies through the constructor. The only case when static access is acceptable is when used for factory methods.
Example
class Foo
{
public function bar()
{
Bar::baz();
}
}Source https://phpmd.org/rules/cleancode.html#staticaccess
Avoid using static access to class '\App\Session' in method 'startup'. Open
Open
\CsrfMagic\Csrf::$cspToken = \App\Session::get('CSP_TOKEN');- Read upRead up
- Exclude checks
StaticAccess
Since: 1.4.0
Static access causes unexchangeable dependencies to other classes and leads to hard to test code. Avoid using static access at all costs and instead inject dependencies through the constructor. The only case when static access is acceptable is when used for factory methods.
Example
class Foo
{
public function bar()
{
Bar::baz();
}
}Source https://phpmd.org/rules/cleancode.html#staticaccess
Remove the unused function parameter "$tokens". Open
Open
\CsrfMagic\Csrf::$callback = function ($tokens) {- Read upRead up
- Exclude checks
Unused parameters are misleading. Whatever the value passed to such parameters is, the behavior will be the same.
Noncompliant Code Example
function doSomething($a, $b) { // "$a" is unused
return compute($b);
}
Compliant Solution
function doSomething($b) {
return compute($b);
}
Exceptions
Functions in classes that override a class or implement interfaces are ignored.
class C extends B {
function doSomething($a, $b) { // no issue reported on $b
compute($a);
}
}
See
- MISRA C++:2008, 0-1-11 - There shall be no unused parameters (named or unnamed) in nonvirtual functions.
- MISRA C:2012, 2.7 - There should be no unused parameters in functions
- CERT, MSC12-C. - Detect and remove code that has no effect or is never executed
- CERT, MSC12-CPP. - Detect and remove code that has no effect
Avoid unused parameters such as '$tokens'. Open
Open
\CsrfMagic\Csrf::$callback = function ($tokens) {- Read upRead up
- Exclude checks
UnusedFormalParameter
Since: 0.2
Avoid passing parameters to methods or constructors and then not using those parameters.
Example
class Foo
{
private function bar($howdy)
{
// $howdy is not used
}
}Source https://phpmd.org/rules/unusedcode.html#unusedformalparameter
Reference to static property callback from undeclared class \CsrfMagic\Csrf Open
Open
\CsrfMagic\Csrf::$callback = function ($tokens) {- Exclude checks
Reference to static property rewriteJs from undeclared class \CsrfMagic\Csrf Open
Open
\CsrfMagic\Csrf::$rewriteJs = $js;- Exclude checks
Reference to static property rewriteJs from undeclared class \CsrfMagic\Csrf Open
Open
\CsrfMagic\Csrf::$rewriteJs = null;- Exclude checks
Reference to static property defer from undeclared class \CsrfMagic\Csrf Open
Open
\CsrfMagic\Csrf::$defer = true;- Exclude checks
Reference to static property expires from undeclared class \CsrfMagic\Csrf Open
Open
\CsrfMagic\Csrf::$expires = \App\Config::security('csrfLifetimeToken', 7200);- Exclude checks
Reference to static property dirSecret from undeclared class \CsrfMagic\Csrf Open
Open
\CsrfMagic\Csrf::$dirSecret = __DIR__;- Exclude checks
Reference to static property frameBreaker from undeclared class \CsrfMagic\Csrf Open
Open
\CsrfMagic\Csrf::$frameBreaker = false;- Exclude checks
Reference to static property cspToken from undeclared class \CsrfMagic\Csrf Open
Open
\CsrfMagic\Csrf::$cspToken = \App\Session::get('CSP_TOKEN');- Exclude checks
Reference to static property windowVerification from undeclared class \CsrfMagic\Csrf Open
Open
\CsrfMagic\Csrf::$windowVerification = \Config\Security::$csrfFrameBreakerWindow;- Exclude checks
Reference to static property frameBreaker from undeclared class \CsrfMagic\Csrf Open
Open
\CsrfMagic\Csrf::$frameBreaker = \Config\Security::$csrfFrameBreaker;- Exclude checks
Each class must be in a namespace of at least one level (a top-level vendor name) Open
Open
class CSRFConfig- Exclude checks
Avoid variables with short names like $js. Configured minimum length is 3. Open
Open
$js = 'vendor/yetiforce/csrf-magic/src/Csrf.min.js';- Read upRead up
- Exclude checks
ShortVariable
Since: 0.2
Detects when a field, local, or parameter has a very short name.
Example
class Something {
private $q = 15; // VIOLATION - Field
public static function main( array $as ) { // VIOLATION - Formal
$r = 20 + $this->q; // VIOLATION - Local
for (int $i = 0; $i < 10; $i++) { // Not a Violation (inside FOR)
$r += $this->q;
}
}
}Source https://phpmd.org/rules/naming.html#shortvariable
Spaces must be used to indent lines; tabs are not allowed Open
Open
public static function startup()- Exclude checks
Spaces must be used to indent lines; tabs are not allowed Open
Open
*/- Exclude checks
Spaces must be used to indent lines; tabs are not allowed Open
Open
{- Exclude checks
Spaces must be used to indent lines; tabs are not allowed Open
Open
\CsrfMagic\Csrf::$expires = \App\Config::security('csrfLifetimeToken', 7200);- Exclude checks
Spaces must be used to indent lines; tabs are not allowed Open
Open
$js = 'public_html/' . $js;- Exclude checks
Spaces must be used to indent lines; tabs are not allowed Open
Open
\CsrfMagic\Csrf::$defer = true;- Exclude checks
Spaces must be used to indent lines; tabs are not allowed Open
Open
$js = 'vendor/yetiforce/csrf-magic/src/Csrf.min.js';- Exclude checks
Spaces must be used to indent lines; tabs are not allowed Open
Open
\CsrfMagic\Csrf::$dirSecret = __DIR__;- Exclude checks
Spaces must be used to indent lines; tabs are not allowed Open
Open
}- Exclude checks
Spaces must be used to indent lines; tabs are not allowed Open
Open
* Specific custom config startup for CSRF.- Exclude checks
Spaces must be used to indent lines; tabs are not allowed Open
Open
throw new \App\Exceptions\Csrf('Invalid request - Response For Illegal Access', 403);- Exclude checks
Spaces must be used to indent lines; tabs are not allowed Open
Open
if (!IS_PUBLIC_DIR) {- Exclude checks
Spaces must be used to indent lines; tabs are not allowed Open
Open
\CsrfMagic\Csrf::$frameBreaker = false;- Exclude checks
Spaces must be used to indent lines; tabs are not allowed Open
Open
if ('Install' === \App\Process::$requestMode) {- Exclude checks
Spaces must be used to indent lines; tabs are not allowed Open
Open
\CsrfMagic\Csrf::$frameBreaker = \Config\Security::$csrfFrameBreaker;- Exclude checks
Spaces must be used to indent lines; tabs are not allowed Open
Open
\CsrfMagic\Csrf::$rewriteJs = null;- Exclude checks
Spaces must be used to indent lines; tabs are not allowed Open
Open
return false;- Exclude checks
Spaces must be used to indent lines; tabs are not allowed Open
Open
return true;- Exclude checks
Spaces must be used to indent lines; tabs are not allowed Open
Open
\CsrfMagic\Csrf::$windowVerification = \Config\Security::$csrfFrameBreakerWindow;- Exclude checks
Spaces must be used to indent lines; tabs are not allowed Open
Open
}- Exclude checks
Spaces must be used to indent lines; tabs are not allowed Open
Open
\CsrfMagic\Csrf::$callback = function ($tokens) {- Exclude checks
Spaces must be used to indent lines; tabs are not allowed Open
Open
/**- Exclude checks
Spaces must be used to indent lines; tabs are not allowed Open
Open
}- Exclude checks
Spaces must be used to indent lines; tabs are not allowed Open
Open
\CsrfMagic\Csrf::$rewriteJs = $js;- Exclude checks
Spaces must be used to indent lines; tabs are not allowed Open
Open
\CsrfMagic\Csrf::$cspToken = \App\Session::get('CSP_TOKEN');- Exclude checks
Spaces must be used to indent lines; tabs are not allowed Open
Open
}- Exclude checks
Spaces must be used to indent lines; tabs are not allowed Open
Open
}- Exclude checks
Spaces must be used to indent lines; tabs are not allowed Open
Open
// Override the default expire time of token- Exclude checks
Spaces must be used to indent lines; tabs are not allowed Open
Open
};- Exclude checks
Spaces must be used to indent lines; tabs are not allowed Open
Open
{- Exclude checks
Spaces must be used to indent lines; tabs are not allowed Open
Open
$js = '../' . $js;- Exclude checks
Spaces must be used to indent lines; tabs are not allowed Open
Open
}- Exclude checks
Spaces must be used to indent lines; tabs are not allowed Open
Open
public static function isAjax()- Exclude checks
Spaces must be used to indent lines; tabs are not allowed Open
Open
/*- Exclude checks
Spaces must be used to indent lines; tabs are not allowed Open
Open
if (static::isAjax()) {- Exclude checks
Spaces must be used to indent lines; tabs are not allowed Open
Open
if (!empty($_SERVER['HTTP_X_REQUESTED_WITH'])) {- Exclude checks