FormRequest::validated() returns all params in nested params. #25102

Closed
ttsuru opened this issue Aug 6, 2018 · 2 comments

@ttsuru
Contributor

ttsuru commented Aug 6, 2018

  • Laravel Version: 5.6.27

Description:

The FormRequest::validated() method returns only validated params.
But all nested values will be returned.
If the validated method returns non-validated values, this causes a security problem.

Steps To Reproduce:

FormRequest

<?php

namespace App\Http\Requests;

use Illuminate\Foundation\Http\FormRequest;

class AdminRequest extends FormRequest
{
    /**
     * Determine if the user is authorized to make this request.
     *
     * @return bool
     */
    public function authorize()
    {
        return true;
    }

    /**
     * Get the validation rules that apply to the request.
     *
     * @return array
     */
    public function rules()
    {
        return [
            'foo' => 'required',
            'bar' => 'required',
            'user.name' => 'required|max:255',
            'user.email' => 'required|max:255|email',
        ];
    }
}

In Controller

<?php

namespace App\Http\Controllers;

use App\Admin;
use App\Http\Requests\AdminRequest;
use App\Http\Resources\AdminResource;
use Illuminate\Contracts\Support\Responsable;

class AdminController extends Controller
{
    /**
     * Store a newly created resource in storage.
     *
     * @param  \Illuminate\Http\Request  $request
     * @return \Illuminate\Http\Response|Responsable
     */
    public function store(AdminRequest $request)
    {
        var_dump($request->validated());
    }
}

Request data

array (size=3)
  'foo' => string 'foo' (length=3)
  'bar' => string 'bar' (length=3)
  'user' => 
    array (size=5)
      'id' => int 1
      'name' => string 'name' (length=4)
      'email' => string 'bar@example.org' (length=15)
      'created_at' => string '2001-01-01 00:00:00' (length=19)
      'updated_at' => string '2001-01-01 00:00:00' (length=19)

Return data

array (size=3)
  'foo' => string 'foo' (length=3)
  'bar' => string 'bar' (length=3)
  'user' => 
    array (size=5)
      'id' => int 1
      'name' => string 'name' (length=4)
      'email' => string 'bar@example.org' (length=15)
      'created_at' => string '2001-01-01 00:00:00' (length=19)
      'updated_at' => string '2001-01-01 00:00:00' (length=19)

Expected data

array (size=3)
  'foo' => string 'foo' (length=3)
  'bar' => string 'bar' (length=3)
  'user' => 
    array (size=2)
      'name' => string 'name' (length=4)
      'email' => string 'bar@example.org' (length=15)
@ttsuru changed the title from "FormRequest::validated() returns all params with nested params." to "FormRequest::validated() returns all params in nested params." on Aug 6, 2018
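Added example, not part of the original issue and not Laravel's own code: the two filtering behaviours the report contrasts, written in framework-free PHP. `filterByTopLevelKey` yields the shape shown under "Return data" and `filterByFullPath` the shape under "Expected data"; both function names are hypothetical, and wildcard rule keys are assumed absent.

```php
<?php
// Added example: framework-free PHP; function names are hypothetical.
$ruleKeys = ['foo', 'bar', 'user.name', 'user.email']; // keys of rules() above
$input = [                                             // "Request data" above
    'foo' => 'foo', 'bar' => 'bar',
    'user' => [
        'id' => 1, 'name' => 'name', 'email' => 'bar@example.org',
        'created_at' => '2001-01-01 00:00:00',
        'updated_at' => '2001-01-01 00:00:00',
    ],
];

// Keeps every top-level key named by a rule, subtree included, so nested
// fields without a rule (id, created_at, updated_at) pass through.
function filterByTopLevelKey(array $input, array $ruleKeys): array
{
    $top = array_map(function ($key) {
        return explode('.', $key)[0];
    }, $ruleKeys);
    return array_intersect_key($input, array_flip($top));
}

// Copies only the leaves whose full dotted path has a rule.
// Wildcard segments ("items.*.sku") are not handled here.
function filterByFullPath(array $input, array $ruleKeys): array
{
    $out = [];
    foreach ($ruleKeys as $key) {
        $segments = explode('.', $key);
        $src = $input;
        foreach ($segments as $segment) {
            if (!is_array($src) || !array_key_exists($segment, $src)) {
                continue 2; // path absent from the input: nothing to copy
            }
            $src = $src[$segment];
        }
        $dst = &$out;
        foreach ($segments as $segment) {
            $dst = &$dst[$segment]; // creates intermediate arrays as needed
        }
        $dst = $src;
        unset($dst); // drop the reference before the next rule key
    }
    return $out;
}

var_export(filterByTopLevelKey($input, $ruleKeys)['user']); echo PHP_EOL;
var_export(filterByFullPath($input, $ruleKeys)['user']); echo PHP_EOL;
```

If the first result is handed to a model's create or update call, the client-supplied `id` and timestamps travel with it even though no rule covered them.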
@X-Coder264
Contributor

This has already been fixed for 5.7 -> #23708

Since this is a breaking change, it couldn't be merged into 5.6.

@ttsuru
Contributor Author

ttsuru commented Aug 6, 2018

@X-Coder264

Thanks for your reply.
But I found a problem with this pull request. So I commented on that ticket.

@ttsuru ttsuru closed this as completed Aug 6, 2018