Slim I want to automatically load the corresponding class file via URI


#1

we know
$app->get('[/{params:.*}]', '\HomeController:home');
Alternatively, you can take advantage of PHP’s ::class operator which works well with IDE lookup systems and produces the same result:

But I want to implement this: load the corresponding class file by URI

example:
$app->get('[/{params:.*}]', '{params1}:{params2}');
URI = /App/MyClass routes function = \App\MyClass

How can I achieve it? Thank you.


#2

You need to be very careful if you’re going to implement a solution like that. You’re essentially allowing a remote user to arbitrarily load in any class that they want, and that could lead to compromising your application. It would be similar to having an include argument in your query string that allows an attacker to load in any file that they like.

So if you wanted to do something similar, presumably to build in a convention-over-configuration solution, so you don’t need to define every route manually (a la CodeIgniter, Ruby on Rails etc), you would need to either implement in middleware to check that the desired route resolves to an allowed class, or maybe with a callback in your route definition instead:

$app->get('/{params:.*}/', function ($request, $response, $args) {
    // Do your checks here and throw a 404 if not an allowed class
});

But ultimately you’re likely to end up with a white-list of allowed classes, in which case you’d probably be better off just specifying the route manually anyway.

Personally, I would just go for manually defining the routes, or at least have some kind of whitelist.


#3

Yes, I want to access the corresponding controller class through the URI, regardless of whether it will be attacked, because if the corresponding class file does not exist it will report an error.


#4

As @Antnee said, you should rethink this routing concept for security reasons. If you want to stick with it, there might be a first approach here:


#5

I think you might misunderstand me. If it’s open to ANY class, with no sanitising and validation, and depending on your error reporting, it can be possible for an attacker to glean all sorts of information, possibly even injecting their own code if they’re able to use arguments to perform an object injection attack. What happens if someone manages to output the app config, for example? They may be able to call a PDO endpoint and get access to your DB… this isn’t a safe solution. I work for a cyber security company and I can assure you, there is zero chance that our security team would allow something this risky out there. I implore you to reconsider.


#9

Your solution should never be open to any class.
That's why I use a route resolver, which can filter the crap out of the request :slight_smile:
It is the same as with a router.yaml file, only this solution works without ever having to write a router config file, because it autodetects my controllers (that is the reflection part, which also recognizes the accessible methods). But I could advise you not to go down this path, and instead write something that automatically updates your routes.yaml file, if you feel more secure about that.
I'm just a lazy guy hahaha
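The two defensive ideas in this thread, the allowlist of classes from #2 and the reflection-based controller autodetection with a check on accessible methods from #9, can be combined in one resolver. The following is an added example written for this thread; it is not code from any poster and not part of Slim. It assumes PHP 8, a Slim 3-style route callable signature `($request, $response, $args)`, a controllers directory whose files are named `*Controller.php` under a fixed namespace (`App\Controllers` is a placeholder), and controllers with no-argument constructors. It goes slightly beyond the original `/App/MyClass` scheme by mapping `/{controller}/{action}` to `App\Controllers\{Controller}Controller::{action}`: the request never chooses which files are loaded, only which entry from a list built from the filesystem is dispatched to.

```php
<?php
// Added example for the thread, not Slim's own code: map "/{controller}/{action}"
// to a controller class only if the class is on an allowlist built from the
// controllers directory at startup, and the action is a public, non-static,
// non-magic method declared on that class.

declare(strict_types=1);

final class ControllerResolver
{
    /** @var array<string, true> fully qualified class names found on disk */
    private array $allowed = [];

    public function __construct(private string $namespace, string $dir)
    {
        // Build the allowlist once from files that actually exist. Nothing in
        // a request can add to this list, which is the point of the check.
        foreach (glob(rtrim($dir, '/') . '/*Controller.php') ?: [] as $file) {
            $class = $this->namespace . '\\' . basename($file, '.php');
            $this->allowed[$class] = true;
        }
    }

    /**
     * Returns [$class, $method] for an allowed action, or null (caller sends 404).
     */
    public function resolve(string $path): ?array
    {
        $segments = array_values(array_filter(explode('/', $path), fn ($s) => $s !== ''));
        if (count($segments) !== 2) {
            return null;
        }
        [$controller, $action] = $segments;

        // Plain identifiers only: no backslashes, dots, dashes or traversal.
        if (!preg_match('/^[A-Za-z][A-Za-z0-9]*$/', $controller)
            || !preg_match('/^[a-z][A-Za-z0-9]*$/', $action)) {
            return null;
        }

        // The request supplies a name; the allowlist decides whether it maps
        // to anything. Autoloading runs only for classes on the list.
        $class = $this->namespace . '\\' . ucfirst($controller) . 'Controller';
        if (!isset($this->allowed[$class]) || !class_exists($class, true)) {
            return null;
        }

        $ref = new ReflectionClass($class);
        if (!$ref->hasMethod($action)) {
            return null;
        }
        $m = $ref->getMethod($action);
        // Reject constructors, magic methods, static or non-public methods, and
        // methods inherited from a base class (e.g. helpers on a parent).
        if (!$m->isPublic() || $m->isStatic() || $m->isConstructor()
            || str_starts_with($m->getName(), '__')
            || $m->getDeclaringClass()->getName() !== $class) {
            return null;
        }
        return [$class, $m->getName()];
    }
}

// Usage with a catch-all route (Slim 3-style signature assumed; paths are placeholders).
$resolver = new ControllerResolver('App\\Controllers', __DIR__ . '/src/Controllers');
$app->get('/{params:.*}', function ($request, $response, $args) use ($resolver) {
    $target = $resolver->resolve($args['params']);
    if ($target === null) {
        // Unknown controller or action: a plain 404, with no class name or
        // error detail echoed back to the client.
        return $response->withStatus(404);
    }
    [$class, $method] = $target;
    return (new $class())->$method($request, $response, $args);
});
```

The allowlist is built from the directory listing at startup rather than from `class_exists` alone, so a request cannot trigger autoloading of arbitrary classes that happen to be installed (vendor classes, PDO wrappers, and so on), which is the risk described in #5. A controller added to the directory is picked up on the next start without any route configuration, which is what #10 asks for.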


#10

I want to make the development work elegant: as long as the corresponding controller is added to the corresponding folder, it should work properly. Having to configure every single path is too much trouble.