Cookie: add input validation #609
Merged
jrfnl force-pushed the `feature/cookie-add-input-validation` branch from 23375ae to 1d9062e (November 15, 2021 04:05)
This commit adds input validation for all parameters of the `Cookie::__construct()` method:

* For `$name` and `$value`, I've chosen to only accept plain strings and not `Stringable` objects.
* The `$attributes` parameter accepts an array or an instance of `CaseInsensitiveDictionary` according to the docs, but the important thing about the `CaseInsensitiveDictionary` part is that if the parameter is passed as an object, it needs to have both `ArrayAccess`, as well as be `Traversable`, so the input validation checks for those characteristics rather than hard-requiring an instance of `CaseInsensitiveDictionary`.
* As the `$flags` parameter is used with `array_merge()`, we cannot accept objects, so an array is the only valid input type.
* As for `$reference_time`: as the default value is set using `time()`, which returns an integer time stamp, I've implemented the input validation to expect an integer.

Includes tests for these new exceptions.
As this method only returns `boolean`, we may as well return boolean `false` instead of throwing an exception. Includes tests.
As this method only returns `boolean`, we may as well return boolean `false` instead of throwing an exception. The input validation in this case is not done at the very start of the function to prevent changing the behaviour of the function for those cases which were already being handled by the method. This is also the reason for using `is_scalar()` instead of `is_string()`. Includes tests.
jrfnl force-pushed the `feature/cookie-add-input-validation` branch from 1d9062e to 10c5b15 (November 15, 2021 13:35)
This adds input validation to the `Cookie::parse()` method for the `$cookie_header` and `$name` parameters. As the `$reference_time` parameter is not directly used in this method, but only passed through to the `Cookie::__construct()` method, no input validation has been added, as it will be validated by the `Cookie::__construct()` method. Includes tests for the new exceptions + a test to safeguard that the "fall through validation for the `$reference_time`" actually happens. Includes fixing up two tests which were passing the wrong value type for an optional parameter.
The first and second argument for the `Cookie::parse_from_headers()` method already have (class-based) type declarations. The third argument - `$time` - is only used to pass it through to the `parse()` method, which will subsequently pass it through to the class constructor which contains input validation for the parameter. This just adds a test to safeguard that the "fall through" validation for the `$time` parameter actually happens.
jrfnl force-pushed the `feature/cookie-add-input-validation` branch from 10c5b15 to 3aa2065 (November 15, 2021 13:40)
schlessera approved these changes Nov 15, 2021
Cookie::__construct(): add input validation

This commit adds input validation for all parameters of the `Cookie::__construct()` method:

* For `$name` and `$value`, I've chosen to only accept plain strings and not `Stringable` objects.
* The `$attributes` parameter accepts an array or an instance of `CaseInsensitiveDictionary` according to the docs, but the important thing about the `CaseInsensitiveDictionary` part is that if the parameter is passed as an object, it needs to have both `ArrayAccess`, as well as be `Traversable`, so the input validation checks for those characteristics rather than hard-requiring an instance of `CaseInsensitiveDictionary`.
* As the `$flags` parameter is used with `array_merge()`, we cannot accept objects, so an array is the only valid input type.
* As for `$reference_time`: as the default value is set using `time()`, which returns an integer time stamp, I've implemented the input validation to expect an integer.

Includes tests for these new exceptions.

Cookie::domain_matches(): add input validation

As this method only returns `boolean`, we may as well return boolean `false` instead of throwing an exception.

Includes tests.

Cookie::path_matches(): add input validation

As this method only returns `boolean`, we may as well return boolean `false` instead of throwing an exception.

The input validation in this case is not done at the very start of the function to prevent changing the behaviour of the function for those cases which were already being handled by the method. This is also the reason for using `is_scalar()` instead of `is_string()`.

Includes tests.

Cookie::parse(): add input validation

This adds input validation to the `Cookie::parse()` method for the `$cookie_header` and `$name` parameters.

As the `$reference_time` parameter is not directly used in this method, but only passed through to the `Cookie::__construct()` method, no input validation has been added, as it will be validated by the `Cookie::__construct()` method.

Includes tests for the new exceptions + a test to safeguard that the "fall through validation for the `$reference_time`" actually happens.

Includes fixing up two tests which were passing the wrong value type for an optional parameter.

Cookie::parse_from_headers(): add test safeguarding input validation

The first and second argument for the `Cookie::parse_from_headers()` method already have (class-based) type declarations.

The third argument - `$time` - is only used to pass it through to the `parse()` method, which will subsequently pass it through to the class constructor which contains input validation for the parameter.

This just adds a test to safeguard that the "fall through" validation for the `$time` parameter actually happens.

Regarding the other `public` methods:

* `uri_matches()` method already has a class based type declaration.
* `public` methods do not take parameters.
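
The validation rules listed in the description above, sketched as an added PHP example (not code from the Requests project or from this pull request). `ExampleCookie`, its messages, the built-in `InvalidArgumentException`, the `host-only` default flag, the null-means-`time()` handling and the simplified exact domain comparison are assumptions made for illustration.

```php
<?php
// Added illustration: ExampleCookie is hypothetical, not the Requests library's class.
final class ExampleCookie {
    public $name, $value, $attributes, $flags, $reference_time;
    public function __construct($name, $value, $attributes = [], $flags = [], $reference_time = null) {
        // Plain strings only; Stringable objects are rejected on purpose.
        foreach (['$name' => $name, '$value' => $value] as $label => $input) {
            if (!is_string($input)) {
                throw new InvalidArgumentException("$label must be a string, " . gettype($input) . ' given');
            }
        }
        // Duck-typed dictionary: an array, or any object that is both ArrayAccess and Traversable.
        $dict_like = $attributes instanceof ArrayAccess && $attributes instanceof Traversable;
        if (!is_array($attributes) && !$dict_like) {
            throw new InvalidArgumentException('$attributes must be an array or an iterable ArrayAccess object');
        }
        // array_merge() needs arrays, so nothing else is accepted for $flags.
        if (!is_array($flags)) {
            throw new InvalidArgumentException('$flags must be an array');
        }
        // Assumption of this sketch: null means "use time()"; anything else must be an integer.
        if ($reference_time !== null && !is_int($reference_time)) {
            throw new InvalidArgumentException('$reference_time must be an integer or null');
        }
        $this->name           = $name;
        $this->value          = $value;
        $this->attributes     = $attributes;
        $this->flags          = array_merge(['host-only' => true], $flags); // constructed default
        $this->reference_time = $reference_time ?? time();
    }
    // Boolean-returning check: invalid input means "no match", not an exception (simplified exact match).
    public function domain_matches($domain) {
        if (!is_string($domain) || !isset($this->attributes['domain'])) {
            return false;
        }
        return strcasecmp($domain, $this->attributes['domain']) === 0;
    }
}

// Constructed inputs exercising the accepted and rejected cases.
$cookie = new ExampleCookie('sid', 'abc123', new ArrayObject(['domain' => 'example.com']));
var_dump($cookie->domain_matches('EXAMPLE.com'), $cookie->domain_matches(['example.com']));
foreach ([['sid', 12345], ['sid', 'v', 'domain=x'], ['sid', 'v', [], 'flag'], ['sid', 'v', [], [], '1636934700']] as $args) {
    try {
        new ExampleCookie(...$args);
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage(), PHP_EOL;
    }
}
```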