protect table names and guarded

laravel · Aug 6, 2020 · 9240404 · 9240404
1 parent c6f9ae2
commit 9240404
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 1 deletion.
diff --git a/src/Illuminate/Database/Eloquent/Model.php b/src/Illuminate/Database/Eloquent/Model.php
@@ -17,6 +17,7 @@
 use Illuminate\Support\Str;
 use Illuminate\Support\Traits\ForwardsCalls;
 use JsonSerializable;
+use LogicException;
 
 abstract class Model implements Arrayable, ArrayAccess, Jsonable, JsonSerializable, QueueableEntity, UrlRoutable
 {
@@ -375,7 +376,16 @@ public function qualifyColumn($column)
      */
     protected function removeTableFromKey($key)
     {
-        return Str::contains($key, '.') ? last(explode('.', $key)) : $key;
+        if (strpos($key, '.') !== false) {
+            if (! empty($this->getGuarded()) &&
+                $this->getGuarded() !== ['*']) {
+                throw new LogicException("Mass assignment of Eloquent attributes including table names is unsafe when guarding attributes.");
+            }
+
+            return last(explode('.', $key));
+        }
+
+        return $key;
     }
 
     /**

diff --git a/tests/Integration/Database/EloquentModelTest.php b/tests/Integration/Database/EloquentModelTest.php
@@ -47,6 +47,15 @@ public function testCantUpdateGuardedAttributeUsingJson()
         $this->assertNull($model->id);
     }
 
+    public function testCantMassFillAttributesWithTableNamesWhenUsingGuarded()
+    {
+        $this->expectException(\LogicException::class);
+
+        $model = new TestModel2;
+
+        $model->fill(['foo.bar' => 123]);
+    }
+
     public function testUserCanUpdateNullableDate()
     {
         $user = TestModel1::create([