
slimphp / Slim / 27070429539

06 Jun 2026 06:30PM UTC coverage: 96.432% (-0.3%) from 96.768%
27070429539

push

github

web-flow
Security hardening

46 of 48 new or added lines in 9 files covered. (95.83%)

1 existing line in 1 file now uncovered.

919 of 953 relevant lines covered (96.43%)

35.3 hits per line

Source File

90.48
/Slim/Middleware/XmlBodyParserMiddleware.php
<?php

/**
 * Slim Framework (https://slimframework.com)
 *
 * @license https://github.com/slimphp/Slim/blob/5.x/LICENSE.md (MIT License)
 */

declare(strict_types=1);

namespace Slim\Middleware;

use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;
use Slim\Exception\HttpBadRequestException;

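/**
 * PSR-15 middleware that parses an XML request body into a SimpleXMLElement
 * and attaches it to the request as the parsed body.
 *
 * Only POST, PUT, PATCH and DELETE requests whose Content-Type is
 * "application/xml", "text/xml" or ends in "+xml" are parsed; every other
 * request is forwarded to the next handler unchanged.
 *
 * Security notes for maintainers:
 *  - The body is client-controlled input. It is parsed with LIBXML_NONET and,
 *    where the constant exists, LIBXML_NO_XXE. Neither LIBXML_NOENT nor
 *    LIBXML_DTDLOAD is passed, so this class never asks libxml to substitute
 *    entities or load an external DTD.
 *  - The whole body is read into memory and no size limit is applied here;
 *    request-size limits have to be enforced before this middleware runs
 *    (web server or an earlier middleware).
 *  - Documents carrying a DOCTYPE are not rejected. NOTE(review): protection
 *    against internal entity expansion appears to rest on libxml2's built-in
 *    limits only; confirm that is acceptable for the deployment.
 */
final class XmlBodyParserMiddleware implements MiddlewareInterface
{
    /**
     * Parse the XML body of state-changing requests and pass the request on.
     *
     * @throws HttpBadRequestException When the Content-Type is an XML media type
     *                                 but the body cannot be parsed as XML.
     */
    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        $method = $request->getMethod();
        $contentType = $request->getHeaderLine('Content-Type');

        // Other methods are forwarded without looking at the body.
        if (!in_array($method, ['POST', 'PUT', 'PATCH', 'DELETE'], true)) {
            return $handler->handle($request);
        }

        if ($this->isXmlMediaType($contentType)) {
            $body = (string)$request->getBody();

            // LIBXML_NONET: the parser must not fetch anything over the network.
            $options = LIBXML_NONET;

            // PHP 8.4+ provides explicit XXE hardening flag.
            if (defined('LIBXML_NO_XXE')) {
                $options |= LIBXML_NO_XXE;
            }

            // libxml's error mode is process-wide state. Collect errors internally
            // while parsing, and restore the previous mode in `finally` so the
            // setting cannot leak into later requests if the parser call throws.
            $backup = libxml_use_internal_errors(true);
            try {
                $xml = simplexml_load_string($body, 'SimpleXMLElement', $options);
            } finally {
                // Parser diagnostics are discarded, never echoed to the client.
                libxml_clear_errors();
                libxml_use_internal_errors($backup);
            }

            if ($xml === false) {
                // Generic message on purpose: no parser detail reaches the caller.
                throw new HttpBadRequestException($request, 'Invalid XML body');
            }

            $request = $request->withParsedBody($xml);
        }

        return $handler->handle($request);
    }

    /**
     * Tell whether a Content-Type header value names an XML media type.
     *
     * Parameters after the first ";" (such as charset) are ignored and the
     * comparison is case-insensitive. Any type ending in "+xml" matches, so
     * structured-syntax types such as "application/soap+xml" are parsed too.
     */
    private function isXmlMediaType(string $contentType): bool
    {
        $contentType = strtolower(trim(explode(';', $contentType)[0]));

        return $contentType === 'application/xml'
            || $contentType === 'text/xml'
            || str_ends_with($contentType, '+xml');
    }
}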