Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Validation in / not in breaks with values ending in backslash #50712

Closed
vkwbpo opened this issue Mar 22, 2024 · 4 comments
Closed

Validation in / not in breaks with values ending in backslash #50712

vkwbpo opened this issue Mar 22, 2024 · 4 comments
Labels
help wanted

Comments

@vkwbpo
Copy link

vkwbpo commented Mar 22, 2024

Laravel Version

10.29.0

PHP Version

8.2.14

Database Driver & Version

No response

Description

In and NotIn validation rules do not work correctly for values ending in backslash.

Steps To Reproduce

Execute the following tinker commands:

Validator::make(['a' => 'b\\'], ['a' => Illuminate\Validation\Rule::notIn('b\\')])->passes();
Validator::make(['a' => 'b\\c'], ['a' => Illuminate\Validation\Rule::notIn('b\\c')])->passes();

First validator passes, seconds fails as expected. First should fail too.
@github-actions GitHub Actions
Copy link

Thank you for reporting this issue!

As Laravel is an open source project, we rely on the community to help us diagnose and fix issues as it is not possible to research and fix every issue reported to us via GitHub.

If possible, please make a pull request fixing the issue you have described, along with corresponding tests. All pull requests are promptly reviewed by the Laravel team.

Thank you!

@Katalam
Copy link
Contributor

Katalam commented Mar 22, 2024

The Validator uses the function str_getcsv($parameter) inside the validation cycle to hydrate the Validation Rules based on a string. In your example not_in:"b\" the problem is, that the function str_getcsv uses \" as an escape and enclose character. So the value the parser will output will be b\" and that is not b\ so the validation passes. I don't really have an idea on how to fix this

But the probleme is here:

framework/src/Illuminate/Validation/ValidationRuleParser.php

Line 283 in fc453b9

return static::ruleIsRegex($rule) ? [$parameter] : str_getcsv($parameter);

@PaperTurtle
Copy link

PaperTurtle commented Mar 23, 2024
edited
Loading

This might not be a pretty or perfect solution, but it seems to work.

protected static function parseParameters($rule, $parameter)
{
    return array_map(function ($param) { return str_replace('\\\\', '\\', $param); },
        static::ruleIsRegex($rule) ? [$parameter] : str_getcsv(str_replace('\\', '\\\\', $parameter), ',', '"', "\\")
    );
}

I don't know if there are any security concerns or if this might cause bugs for other cases. But it passes the tests

This was referenced Mar 23, 2024
Closed
Closed
@crynobone crynobone linked a pull request Mar 25, 2024 that will close this issue
[10.x] Fixed Validation in / not in breaks with values ending in backslash #50725
Closed
@driesvints
Copy link
Member

Looks like for now, we're not going to support this, sorry.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
help wanted
Projects
None yet
Milestone
No milestone
4 participants
@driesvints @Katalam @PaperTurtle @vkwbpo