[6.x] Type hinted arguments for Illuminate\Validation\Rules\RequiredIf #37688
Conversation
|
Thank you @taylorotwell, can you please validate the report and patch on huntr.dev as well (https://www.huntr.dev/bounties/3-laravel/framework/). It helps me earn a living for the contribution I do to open source projects. |
GrahamCampbell
changed the title
| @@ -29,4 +29,30 @@ public function testItClousureReturnsFormatsAStringVersionOfTheRule() | |||
|
|
|||
| $this->assertSame('', (string) $rule); | |||
| } | |||
|
|
|||
| public function testItOnlyCallableAndBooleanAreAcceptableArgumentsOfTheRule() | |||
There was a problem hiding this comment.
This test would lead to false/positives.
expectException will succeed if one of the 3 rules hit
it would be better to test with a data provider or separate tests.
There was a problem hiding this comment.
oh my bad, will fix it.
|
not sure what the security issues was, I assume it's related to I consider this as a breaking change because before it was possible to have something like this Validator::make($request->all(), [
'role_id' => Rule::requiredIf(optional($request->user())->is_admin),
]);This will fail now if it's |
I agree this is a breaking change if people are using null to pass as false. But as the docblock says, the function only accepts a callable or boolean. I am unsure if allowing |
Yes, i think it is ok to cast if(!is_callable($condition) || ! (bool)$condition){
} |
or maybe just check for argument not being a if (! is_string($condition)) {
$this->condition = $condition;
} |
Fixes a security issue as explained in https://www.huntr.dev/bounties/3-laravel/framework/
If the argument to Illuminate\Validation\Rules\RequiredIf is not boolean or callable, it will throw InvalidArgumentException.
Added tests to check