mirror of
https://github.com/HolgerHatGarKeineNode/einundzwanzig-app.git
synced 2026-06-11 02:50:29 +00:00
✨ **Enhance input validation and error handling across APIs**
- 🛠️ Refactored controllers to utilize `FiltersNumericIds` concern, ensuring secure numeric ID filtering and avoiding type-sensitive errors in queries. - ➕ Added feature tests to validate robust input hardening for non-numeric or malformed query parameters (`user_id`, `selected[]`). - 🔒 Introduced `PublicPropertyNotFoundException` handling in Livewire, returning 400 for invalid property probes and suppressing unnecessary log entries. - ❌ Updated `MeetupEventController` to handle invalid date formats gracefully, aborting with a 400 response instead of 500. - ✅ Expanded exception handling pipeline for enhanced resilience against malformed input, bot noise, and exploitable probes.
This commit is contained in:
HolgerHatGarKeineNode
@@ -2,6 +2,7 @@
|
||||
|
||||
namespace App\Http\Controllers\Api;
|
||||
|
||||
use App\Http\Controllers\Api\Concerns\FiltersNumericIds;
|
||||
use App\Http\Controllers\Controller;
|
||||
use App\Http\Requests\Api\StoreCityRequest;
|
||||
use App\Http\Requests\Api\UpdateCityRequest;
|
||||
@@ -20,6 +21,8 @@ use Symfony\Component\HttpFoundation\Response;
|
||||
#[Group(name: 'Stammdaten', weight: 5)]
|
||||
class CityController extends Controller
|
||||
{
|
||||
use FiltersNumericIds;
|
||||
|
||||
/**
|
||||
* Städte auflisten und durchsuchen
|
||||
*
|
||||
@@ -40,8 +43,7 @@ class CityController extends Controller
|
||||
)
|
||||
->when(
|
||||
$request->exists('selected'),
|
||||
fn (Builder $query) => $query->whereIn('id',
|
||||
$request->input('selected', [])),
|
||||
fn (Builder $query) => $query->whereIn('id', $this->numericIds($request)),
|
||||
fn (Builder $query) => $query->limit(10)
|
||||
)
|
||||
->get();
|
||||
|
||||
@@ -0,0 +1,24 @@
|
||||
<?php
|
||||
|
||||
namespace App\Http\Controllers\Api\Concerns;
|
||||
|
||||
use Illuminate\Http\Request;
|
||||
|
||||
trait FiltersNumericIds
|
||||
{
|
||||
/**
|
||||
* Reduziert einen Query-Parameter auf seine numerischen Werte als Integer-Liste.
|
||||
*
|
||||
* Schuetzt typsensitive whereIn('id', ...)-Klauseln vor nicht-numerischer Eingabe.
|
||||
*
|
||||
* @return array<int, int>
|
||||
*/
|
||||
protected function numericIds(Request $request, string $key = 'selected'): array
|
||||
{
|
||||
return $request->collect($key)
|
||||
->filter(fn ($id) => is_numeric($id))
|
||||
->map(fn ($id) => (int) $id)
|
||||
->values()
|
||||
->all();
|
||||
}
|
||||
}
|
||||
@@ -2,6 +2,7 @@
|
||||
|
||||
namespace App\Http\Controllers\Api;
|
||||
|
||||
use App\Http\Controllers\Api\Concerns\FiltersNumericIds;
|
||||
use App\Http\Controllers\Controller;
|
||||
use App\Models\Course;
|
||||
use Dedoc\Scramble\Attributes\ExcludeRouteFromDocs;
|
||||
@@ -16,6 +17,8 @@ use Symfony\Component\HttpFoundation\Response;
|
||||
#[Group(name: 'Kurse', weight: 1)]
|
||||
class CourseController extends Controller
|
||||
{
|
||||
use FiltersNumericIds;
|
||||
|
||||
/**
|
||||
* Kurse auflisten und durchsuchen
|
||||
*
|
||||
@@ -32,7 +35,7 @@ class CourseController extends Controller
|
||||
->select('id', 'name')
|
||||
->orderBy('name')
|
||||
->when($request->has('user_id'),
|
||||
fn (Builder $query) => $query->where('created_by', $request->user_id))
|
||||
fn (Builder $query) => $query->where('created_by', $request->integer('user_id')))
|
||||
->when(
|
||||
$request->search,
|
||||
fn (Builder $query) => $query
|
||||
@@ -40,8 +43,7 @@ class CourseController extends Controller
|
||||
)
|
||||
->when(
|
||||
$request->exists('selected'),
|
||||
fn (Builder $query) => $query->whereIn('id',
|
||||
$request->input('selected', [])),
|
||||
fn (Builder $query) => $query->whereIn('id', $this->numericIds($request)),
|
||||
fn (Builder $query) => $query->limit(10)
|
||||
)
|
||||
->get()
|
||||
|
||||
@@ -2,6 +2,7 @@
|
||||
|
||||
namespace App\Http\Controllers\Api;
|
||||
|
||||
use App\Http\Controllers\Api\Concerns\FiltersNumericIds;
|
||||
use App\Http\Controllers\Controller;
|
||||
use App\Http\Requests\Api\StoreLecturerRequest;
|
||||
use App\Http\Requests\Api\UpdateLecturerRequest;
|
||||
@@ -20,6 +21,8 @@ use Symfony\Component\HttpFoundation\Response;
|
||||
#[Group(name: 'Referenten', weight: 4)]
|
||||
class LecturerController extends Controller
|
||||
{
|
||||
use FiltersNumericIds;
|
||||
|
||||
/**
|
||||
* Referenten auflisten und durchsuchen
|
||||
*
|
||||
@@ -32,8 +35,6 @@ class LecturerController extends Controller
|
||||
return Lecturer::query()
|
||||
->select('id', 'name')
|
||||
->orderBy('name')
|
||||
// ->when($request->has('user_id'),
|
||||
// fn(Builder $query) => $query->where('created_by', $request->user_id))
|
||||
->when(
|
||||
$request->search,
|
||||
fn (Builder $query) => $query
|
||||
@@ -41,8 +42,7 @@ class LecturerController extends Controller
|
||||
)
|
||||
->when(
|
||||
$request->exists('selected'),
|
||||
fn (Builder $query) => $query->whereIn('id',
|
||||
$request->input('selected', [])),
|
||||
fn (Builder $query) => $query->whereIn('id', $this->numericIds($request)),
|
||||
fn (Builder $query) => $query->limit(10)
|
||||
)
|
||||
->get()
|
||||
|
||||
@@ -2,6 +2,7 @@
|
||||
|
||||
namespace App\Http\Controllers\Api;
|
||||
|
||||
use App\Http\Controllers\Api\Concerns\FiltersNumericIds;
|
||||
use App\Http\Controllers\Controller;
|
||||
use App\Http\Requests\Api\StoreMeetupRequest;
|
||||
use App\Http\Requests\Api\UpdateMeetupRequest;
|
||||
@@ -20,6 +21,8 @@ use Illuminate\Support\Facades\Gate;
|
||||
#[Group(name: 'Meetups', weight: 3)]
|
||||
class MeetupController extends Controller
|
||||
{
|
||||
use FiltersNumericIds;
|
||||
|
||||
#[ExcludeRouteFromDocs]
|
||||
public function ical()
|
||||
{
|
||||
@@ -58,7 +61,7 @@ class MeetupController extends Controller
|
||||
)
|
||||
->when(
|
||||
$request->exists('selected'),
|
||||
fn (Builder $query) => $query->whereIn('id', $request->input('selected', [])),
|
||||
fn (Builder $query) => $query->whereIn('id', $this->numericIds($request)),
|
||||
fn (Builder $query) => $query->limit(10),
|
||||
)
|
||||
->get()
|
||||
|
||||
@@ -8,6 +8,7 @@ use App\Http\Requests\Api\UpdateMeetupEventRequest;
|
||||
use App\Http\Resources\MeetupEventResource;
|
||||
use App\Models\MeetupEvent;
|
||||
use Carbon\Carbon;
|
||||
use Carbon\Exceptions\InvalidFormatException;
|
||||
use Dedoc\Scramble\Attributes\Group;
|
||||
use Dedoc\Scramble\Attributes\PathParameter;
|
||||
use Dedoc\Scramble\Attributes\Response as ResponseAttribute;
|
||||
@@ -30,10 +31,15 @@ class MeetupEventController extends Controller
|
||||
* @return Collection<int, array<string, mixed>>
|
||||
*/
|
||||
#[PathParameter(name: 'date', description: 'Optionales Datum (Y-m-d); filtert auf den Monat dieses Datums.', required: false, type: 'string')]
|
||||
#[ResponseAttribute(status: 400, description: 'Das übergebene Datum ist nicht parsebar (erwartet wird Y-m-d).')]
|
||||
public function __invoke(?string $date = null): Collection
|
||||
{
|
||||
if ($date) {
|
||||
$date = Carbon::parse($date);
|
||||
try {
|
||||
$date = Carbon::parse($date);
|
||||
} catch (InvalidFormatException) {
|
||||
abort(Response::HTTP_BAD_REQUEST, 'Ungültiges Datum. Erwartet wird das Format Y-m-d.');
|
||||
}
|
||||
}
|
||||
$events = MeetupEvent::query()
|
||||
->with([
|
||||
|
||||
@@ -2,6 +2,7 @@
|
||||
|
||||
namespace App\Http\Controllers\Api;
|
||||
|
||||
use App\Http\Controllers\Api\Concerns\FiltersNumericIds;
|
||||
use App\Http\Controllers\Controller;
|
||||
use App\Http\Requests\Api\StoreVenueRequest;
|
||||
use App\Http\Requests\Api\UpdateVenueRequest;
|
||||
@@ -20,6 +21,8 @@ use Symfony\Component\HttpFoundation\Response;
|
||||
#[Group(name: 'Stammdaten', weight: 5)]
|
||||
class VenueController extends Controller
|
||||
{
|
||||
use FiltersNumericIds;
|
||||
|
||||
/**
|
||||
* Veranstaltungsorte auflisten und durchsuchen
|
||||
*
|
||||
@@ -42,8 +45,7 @@ class VenueController extends Controller
|
||||
)
|
||||
->when(
|
||||
$request->exists('selected'),
|
||||
fn (Builder $query) => $query->whereIn('id',
|
||||
$request->input('selected', [])),
|
||||
fn (Builder $query) => $query->whereIn('id', $this->numericIds($request)),
|
||||
fn (Builder $query) => $query->limit(10)
|
||||
)
|
||||
->get()
|
||||
|
||||
+20
-2
@@ -8,6 +8,7 @@ use Illuminate\Foundation\Configuration\Exceptions;
|
||||
use Illuminate\Foundation\Configuration\Middleware;
|
||||
use Illuminate\Http\Request;
|
||||
use Livewire\Exceptions\MethodNotFoundException;
|
||||
use Livewire\Exceptions\PublicPropertyNotFoundException;
|
||||
use Livewire\Features\SupportFileUploads\MissingFileUploadsTraitException;
|
||||
use Livewire\Features\SupportLifecycleHooks\DirectlyCallingLifecycleHooksNotAllowedException;
|
||||
use Livewire\Mechanisms\HandleComponents\CorruptComponentPayloadException;
|
||||
@@ -85,7 +86,16 @@ return Application::configure(basePath: dirname(__DIR__))
|
||||
return false;
|
||||
};
|
||||
|
||||
$exceptions->report(function (Throwable $e) use ($isStaleLivewireAsset, $isStaleCompiledView, $isMissingFileUploadsTrait, $isLivewireExploitProbe) {
|
||||
$isMalformedLivewirePropertyUpdate = function (Throwable $e): bool {
|
||||
// Bots replay `livewire/update` with a mutated snapshot that sets public
|
||||
// properties the target component never declared (e.g. `value` on `welcome`).
|
||||
// Livewire rejects the update; in production this is pure bot noise, so we
|
||||
// silence it. Locally we let it surface, so a genuinely undeclared property
|
||||
// binding is still caught during development.
|
||||
return $e instanceof PublicPropertyNotFoundException && ! app()->isLocal();
|
||||
};
|
||||
|
||||
$exceptions->report(function (Throwable $e) use ($isStaleLivewireAsset, $isStaleCompiledView, $isMissingFileUploadsTrait, $isLivewireExploitProbe, $isMalformedLivewirePropertyUpdate) {
|
||||
if ($isStaleLivewireAsset($e, request())) {
|
||||
return false;
|
||||
}
|
||||
@@ -102,6 +112,10 @@ return Application::configure(basePath: dirname(__DIR__))
|
||||
return false;
|
||||
}
|
||||
|
||||
if ($isMalformedLivewirePropertyUpdate($e)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Bots replay `/livewire/update` with a mutated snapshot whose HMAC
|
||||
// checksum no longer matches its [name, id, data]. Checksum::verify()
|
||||
// rejects these, so the rejection is the tamper signature, not an app
|
||||
@@ -114,7 +128,7 @@ return Application::configure(basePath: dirname(__DIR__))
|
||||
return null;
|
||||
});
|
||||
|
||||
$exceptions->render(function (Throwable $e, Request $request) use ($isStaleLivewireAsset, $isStaleCompiledView, $isMissingFileUploadsTrait, $isLivewireExploitProbe) {
|
||||
$exceptions->render(function (Throwable $e, Request $request) use ($isStaleLivewireAsset, $isStaleCompiledView, $isMissingFileUploadsTrait, $isLivewireExploitProbe, $isMalformedLivewirePropertyUpdate) {
|
||||
if ($isStaleLivewireAsset($e, $request)) {
|
||||
return response('', 404);
|
||||
}
|
||||
@@ -131,6 +145,10 @@ return Application::configure(basePath: dirname(__DIR__))
|
||||
return response('', 400);
|
||||
}
|
||||
|
||||
if ($isMalformedLivewirePropertyUpdate($e)) {
|
||||
return response('', 400);
|
||||
}
|
||||
|
||||
return null;
|
||||
});
|
||||
})->create();
|
||||
|
||||
@@ -0,0 +1,29 @@
|
||||
<?php
|
||||
|
||||
use App\Models\Course;
|
||||
use App\Models\Venue;
|
||||
|
||||
it('drops non-numeric selected values on GET /api/courses instead of erroring', function () {
|
||||
$course = Course::factory()->create();
|
||||
|
||||
$response = $this->getJson('/api/courses?selected[]='.$course->id.'&selected[]=foo');
|
||||
|
||||
$response->assertSuccessful();
|
||||
expect(collect($response->json())->pluck('id')->all())->toBe([$course->id]);
|
||||
});
|
||||
|
||||
it('casts a non-numeric user_id to an empty filter on GET /api/courses', function () {
|
||||
Course::factory()->create();
|
||||
|
||||
$this->getJson('/api/courses?user_id=abc')
|
||||
->assertSuccessful()
|
||||
->assertJsonCount(0);
|
||||
});
|
||||
|
||||
it('tolerates a non-array selected value on GET /api/venues without a 500', function () {
|
||||
Venue::factory()->create();
|
||||
|
||||
$this->getJson('/api/venues?selected=foo')
|
||||
->assertSuccessful()
|
||||
->assertJsonCount(0);
|
||||
});
|
||||
@@ -94,3 +94,11 @@ it('filters /api/meetup-events by date when one is supplied', function () {
|
||||
$response->assertSuccessful();
|
||||
expect($response->json())->toBeArray()->not->toBeEmpty();
|
||||
});
|
||||
|
||||
it('returns 400 instead of 500 when the date path segment is not parseable', function () {
|
||||
$this->getJson('/api/meetup-events/'.urlencode('{date}'))
|
||||
->assertStatus(400);
|
||||
|
||||
$this->getJson('/api/meetup-events/not-a-date')
|
||||
->assertStatus(400);
|
||||
});
|
||||
|
||||
@@ -3,6 +3,7 @@
|
||||
use Illuminate\Support\Facades\Log;
|
||||
use Illuminate\Support\Facades\Route;
|
||||
use Livewire\Exceptions\MethodNotFoundException;
|
||||
use Livewire\Exceptions\PublicPropertyNotFoundException;
|
||||
use Livewire\Features\SupportLifecycleHooks\DirectlyCallingLifecycleHooksNotAllowedException;
|
||||
use Livewire\Mechanisms\HandleComponents\CorruptComponentPayloadException;
|
||||
|
||||
@@ -44,6 +45,28 @@ it('still surfaces genuine method-not-found bugs', function () {
|
||||
expect($this->get('/_test/livewire-real-method-not-found')->status())->not->toBe(400);
|
||||
});
|
||||
|
||||
it('returns 400 for setting an undeclared public property instead of 500', function () {
|
||||
Route::get('/_test/livewire-undeclared-property', function () {
|
||||
throw new PublicPropertyNotFoundException('value', 'welcome');
|
||||
});
|
||||
|
||||
expect($this->get('/_test/livewire-undeclared-property')->status())->toBe(400);
|
||||
});
|
||||
|
||||
it('does not report undeclared-property probes to the logs', function () {
|
||||
Log::spy();
|
||||
|
||||
Route::get('/_test/livewire-undeclared-property-log', function () {
|
||||
throw new PublicPropertyNotFoundException('value', 'welcome');
|
||||
});
|
||||
|
||||
$this->get('/_test/livewire-undeclared-property-log')->assertStatus(400);
|
||||
|
||||
Log::shouldNotHaveReceived('error');
|
||||
Log::shouldNotHaveReceived('critical');
|
||||
Log::shouldNotHaveReceived('emergency');
|
||||
});
|
||||
|
||||
it('does not report corrupt Livewire snapshot payloads', function () {
|
||||
Log::spy();
|
||||
|
||||
|
||||
Reference in New Issue
Block a user