fix: whitelist classes to be injected into plugin

Signed-off-by: tbreuss <[email protected]>
getherbie · Dec 28, 2022 · ddba464 · ddba464
1 parent 261eb95
commit ddba464
Show file tree

Hide file tree

Showing 4 changed files with 46 additions and 7 deletions.
diff --git a/system/Application.php b/system/Application.php
@@ -134,7 +134,7 @@ public function runCli(): void
 
         /** @var class-string<PluginInterface> $command */
         foreach ($this->getPluginManager()->getConsoleCommands() as $command) {
-            $params = get_constructor_params_to_inject($command, $this->container);
+            $params = di_constructor_params_from_container($command, $this->container, di_class_whitelist());
             /** @var Command $commandInstance */
             $commandInstance = new $command(...$params);
             $application->add($commandInstance);

diff --git a/system/InstallablePlugin.php b/system/InstallablePlugin.php
@@ -45,9 +45,10 @@ public function getType(): string
 
     public function createPluginInstance(ContainerInterface $container): PluginInterface
     {
-        $constructorParams = get_constructor_params_to_inject(
+        $constructorParams = di_constructor_params_from_container(
             $this->className,
-            $container
+            $container,
+            di_class_whitelist()
         );
 
         /** @var PluginInterface */

diff --git a/system/functions.php b/system/functions.php
@@ -4,16 +4,21 @@
 
 namespace herbie;
 
+use Ausi\SlugGenerator\SlugGenerator;
 use Closure;
 use Composer\InstalledVersions;
 use Psr\Container\ContainerExceptionInterface;
 use Psr\Container\ContainerInterface;
 use Psr\Container\NotFoundExceptionInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Psr\Log\LoggerInterface;
+use Psr\SimpleCache\CacheInterface;
 use ReflectionClass;
 use ReflectionException;
 use ReflectionFunction;
 use ReflectionNamedType;
 use RuntimeException;
+use Tebe\HttpFactory\HttpFactory;
 use Throwable;
 use UnexpectedValueException;
 
@@ -355,13 +360,17 @@ function get_callable_name($callable): array
 
 /**
  * @param class-string<PluginInterface> $pluginClassName
+ * @param string[] $whitelist
  * @return array<int, object>
  * @throws ContainerExceptionInterface
  * @throws NotFoundExceptionInterface
  * @throws ReflectionException
  */
-function get_constructor_params_to_inject(string $pluginClassName, ContainerInterface $container): array
-{
+function di_constructor_params_from_container(
+    string $pluginClassName,
+    ContainerInterface $container,
+    array $whitelist = []
+): array {
     $reflectedClass = new ReflectionClass($pluginClassName);
     $constructor = $reflectedClass->getConstructor();
     if (!$constructor) {
@@ -379,11 +388,39 @@ function get_constructor_params_to_inject(string $pluginClassName, ContainerInte
         if (in_array($classNameToInject, ['string'])) {
             continue;
         }
-        $constructorParams[] = $container->get($classNameToInject);
+        if (empty($whitelist) || in_array($classNameToInject, $whitelist)) {
+            $constructorParams[] = $container->get($classNameToInject);
+        } else {
+            $constructorParams[] = null;
+        }
     }
     return $constructorParams;
 }
 
+function di_class_whitelist(): array
+{
+    return [
+        Application::class,
+        Alias::class,
+        Assets::class,
+        CacheInterface::class,
+        Config::class,
+        DataRepositoryInterface::class,
+        EventManager::class,
+        HttpFactory::class,
+        LoggerInterface::class,
+        MiddlewareDispatcher::class,
+        PageRepositoryInterface::class,
+        PluginManager::class,
+        ServerRequestInterface::class,
+        Site::class,
+        SlugGenerator::class,
+        Translator::class,
+        TwigRenderer::class,
+        UrlManager::class
+    ];
+}
+
 function file_mtime(string $path): int
 {
     $timestamp = filemtime($path);

diff --git a/tests/acceptance/HerbieInfoCest.php b/tests/acceptance/HerbieInfoCest.php
@@ -24,11 +24,12 @@ public function testNumberAndSortingOfPhpFunctions(AcceptanceTester $I)
             'herbie\defined_classes',
             'herbie\defined_constants',
             'herbie\defined_functions',
+            'herbie\di_class_whitelist',
+            'herbie\di_constructor_params_from_container',
             'herbie\file_mtime',
             'herbie\file_read',
             'herbie\file_size',
             'herbie\get_callable_name',
-            'herbie\get_constructor_params_to_inject',
             'herbie\get_type',
             'herbie\handle_internal_webserver_assets',
             'herbie\is_digit',