[5.5] Security fixes (#33858)

* fix casing issue with guarded * block json mass assignment * formatting * add boolean * protect table names and guarded * Apply fixes from StyleCI (#33772) * dont allow mass filling with table names * Apply fixes from StyleCI (#33773) * [6.x] Verify column names are actual columns when using guarded (#33777) * verify column names are actual columns when using guarded * Apply fixes from StyleCI (#33778) * remove json check * Apply fixes from StyleCI (#33857) Co-authored-by: Taylor Otwell <[email protected]> Co-authored-by: Taylor Otwell <[email protected]>
laravel · Aug 13, 2020 · 40579ba · 40579ba
1 parent a81f23d
commit 40579ba
Show file tree

Hide file tree

Showing 7 changed files with 75 additions and 7 deletions.
diff --git a/src/Illuminate/Database/Eloquent/Concerns/GuardsAttributes.php b/src/Illuminate/Database/Eloquent/Concerns/GuardsAttributes.php
@@ -27,6 +27,13 @@ trait GuardsAttributes
  */
  protected static $unguarded = false;
 
+ /**
+ * The actual columns that exist on the database and can be guarded.
+ *
+ * @var array
+ */
+ protected static $guardableColumns = [];
+
  /**
  * Get the fillable attributes for the model.
  *
@@ -152,6 +159,7 @@ public function isFillable($key)
  }
 
  return empty($this->getFillable()) &&
+ strpos($key, '.') === false &&
  ! Str::startsWith($key, '_');
  }
 
@@ -163,7 +171,30 @@ public function isFillable($key)
  */
  public function isGuarded($key)
  {
- return in_array($key, $this->getGuarded()) || $this->getGuarded() == ['*'];
+ if (empty($this->getGuarded())) {
+ return false;
+ }
+
+ return $this->getGuarded() == ['*'] ||
+ ! empty(preg_grep('/^'.preg_quote($key).'$/i', $this->getGuarded())) ||
+ ! $this->isGuardableColumn($key);
+ }
+
+ /**
+ * Determine if the given column is a valid, guardable column.
+ *
+ * @param string $key
+ * @return bool
+ */
+ protected function isGuardableColumn($key)
+ {
+ if (! isset(static::$guardableColumns[get_class($this)])) {
+ static::$guardableColumns[get_class($this)] = $this->getConnection()
+ ->getSchemaBuilder()
+ ->getColumnListing($this->getTable());
+ }
+
+ return in_array($key, static::$guardableColumns[get_class($this)]);
  }
 
  /**

diff --git a/src/Illuminate/Database/Eloquent/Model.php b/src/Illuminate/Database/Eloquent/Model.php
@@ -272,7 +272,7 @@ public function qualifyColumn($column)
  */
  protected function removeTableFromKey($key)
  {
- return Str::contains($key, '.') ? last(explode('.', $key)) : $key;
+ return $key;
  }
 
  /**

diff --git a/src/Illuminate/Queue/Listener.php b/src/Illuminate/Queue/Listener.php
@@ -232,7 +232,7 @@ public function memoryExceeded($memoryLimit)
  */
  public function stop()
  {
- die;
+ exit;
  }
 
  /**

diff --git a/src/Illuminate/Support/Collection.php b/src/Illuminate/Support/Collection.php
@@ -275,7 +275,7 @@ public function dd(...$args)
 
  call_user_func_array([$this, 'dump'], $args);
 
- die(1);
+ exit(1);
  }
 
  /**

diff --git a/src/Illuminate/Support/helpers.php b/src/Illuminate/Support/helpers.php
@@ -559,7 +559,7 @@ function dd(...$args)
  (new Dumper)->dump($x);
  }
 
- die(1);
+ exit(1);
  }
 }
 

diff --git a/tests/Database/DatabaseEloquentModelTest.php b/tests/Database/DatabaseEloquentModelTest.php
@@ -919,11 +919,21 @@ public function testUnderscorePropertiesAreNotFilled()
  public function testGuarded()
  {
  $model = new EloquentModelStub;
+
+ EloquentModelStub::setConnectionResolver($resolver = m::mock('Illuminate\Database\ConnectionResolverInterface'));
+ $resolver->shouldReceive('connection')->andReturn($connection = m::mock(stdClass::class));
+ $connection->shouldReceive('getSchemaBuilder->getColumnListing')->andReturn(['name', 'age', 'foo']);
+
  $model->guard(['name', 'age']);
  $model->fill(['name' => 'foo', 'age' => 'bar', 'foo' => 'bar']);
  $this->assertFalse(isset($model->name));
  $this->assertFalse(isset($model->age));
- $this->assertEquals('bar', $model->foo);
+ $this->assertSame('bar', $model->foo);
+
+ $model = new EloquentModelStub;
+ $model->guard(['name', 'age']);
+ $model->fill(['Foo' => 'bar']);
+ $this->assertFalse(isset($model->Foo));
  }
 
  public function testFillableOverridesGuarded()
@@ -1829,7 +1839,7 @@ public function getDates()
 class EloquentModelSaveStub extends Model
 {
  protected $table = 'save_stub';
- protected $guarded = ['id'];
+ protected $guarded = [];
 
  public function save(array $options = [])
  {

diff --git a/tests/Integration/Database/EloquentModelTest.php b/tests/Integration/Database/EloquentModelTest.php
@@ -26,6 +26,33 @@ public function setUp()
  });
  }
 
+ public function test_cant_update_guarded_attributes_using_different_casing()
+ {
+ $model = new TestModel2;
+
+ $model->fill(['ID' => 123]);
+
+ $this->assertNull($model->ID);
+ }
+
+ public function test_cant_update_guarded_attribute_using_json()
+ {
+ $model = new TestModel2;
+
+ $model->fill(['id->foo' => 123]);
+
+ $this->assertNull($model->id);
+ }
+
+ public function test_cant_mass_fill_attributes_with_table_names_when_using_guarded()
+ {
+ $model = new TestModel2;
+
+ $model->fill(['foo.bar' => 123]);
+
+ $this->assertCount(0, $model->getAttributes());
+ }
+
  public function test_user_can_update_nullable_date()
  {
  $user = TestModel1::create([