🚑️ rules exploit (#172)

Author: GautierDele

src/Concerns/Resource/Relationable.php

@@ -12,11 +12,9 @@ trait Relationable
     /**
      * Get a relation by name.
      *
-     * @param string $name
-     *
      * @return Relation|null
      */
-    public function relation($name)
+    public function relation(string $name)
     {
         $name = relation_without_pivot($name);
 

src/Http/Requests/MutateRequest.php

@@ -2,7 +2,7 @@
 
 namespace Lomkit\Rest\Http\Requests;
 
-use Lomkit\Rest\Rules\MutateRules;
+use Lomkit\Rest\Rules\Mutate\Mutate;
 
 class MutateRequest extends RestRequest
 {
@@ -16,14 +16,11 @@ class MutateRequest extends RestRequest
      */
     public function rules()
     {
+        $resource = $this->route()->controller::newResource();
+
         return [
-            'mutate'   => ['required'],
-            'mutate.*' => new MutateRules(
-                $this->route()->controller::newResource(),
-                $this,
-                null,
-                true
-            ),
+            'mutate'   => 'required',
+            'mutate.*' => (new Mutate())->setResource($resource),
         ];
     }
 }

src/Http/Requests/OperateRequest.php

@@ -5,8 +5,8 @@
 use Illuminate\Validation\Rule;
 use Lomkit\Rest\Actions\Action;
 use Lomkit\Rest\Http\Resource;
-use Lomkit\Rest\Rules\ActionField;
-use Lomkit\Rest\Rules\SearchRules;
+use Lomkit\Rest\Rules\Operate\OperateField;
+use Lomkit\Rest\Rules\Search\Search;
 use Symfony\Component\HttpKernel\Exception\HttpException;
 
 class OperateRequest extends RestRequest
@@ -51,7 +51,7 @@ public function operateRules()
                 ],
             ] : [],
             !$operatedAction->isStandalone() ? [
-                'search' => [new SearchRules($this->resource, $this)],
+                'search' => [(new Search())->setResource($this->resource)],
             ] : [],
             [
                 'fields.*.name' => [
@@ -62,8 +62,7 @@ public function operateRules()
                     'array',
                 ],
                 'fields.*' => [
-                    ActionField::make()
-                        ->action($operatedAction),
+                    (new OperateField())->setAction($operatedAction),
                 ],
             ]
         );

src/Http/Requests/SearchRequest.php

@@ -2,7 +2,7 @@
 
 namespace Lomkit\Rest\Http\Requests;
 
-use Lomkit\Rest\Rules\SearchRules;
+use Lomkit\Rest\Rules\Search\Search;
 
 class SearchRequest extends RestRequest
 {
@@ -13,12 +13,10 @@ class SearchRequest extends RestRequest
      */
     public function rules()
     {
+        $resource = $this->route()->controller::newResource();
+
         return [
-            'search' => new SearchRules(
-                $this->route()->controller::newResource(),
-                $this,
-                true
-            ),
+            'search' => (new Search())->setResource($resource),
         ];
     }
 }

src/Relations/BelongsToMany.php

@@ -8,7 +8,7 @@
 use Lomkit\Rest\Contracts\RelationResource;
 use Lomkit\Rest\Http\Resource;
 use Lomkit\Rest\Relations\Traits\HasMultipleResults;
-use Lomkit\Rest\Rules\ArrayWith;
+use Lomkit\Rest\Rules\ArrayWithKey;
 
 class BelongsToMany extends Relation implements RelationResource
 {
@@ -30,7 +30,7 @@ public function rules(Resource $resource, string $prefix)
             [
                 $prefix.'.*.pivot' => [
                     'prohibited_if:'.$prefix.'.*.operation,detach',
-                    new ArrayWith($this->getPivotFields()),
+                    new ArrayWithKey($this->getPivotFields()),
                 ],
             ]
         );

src/Relations/MorphToMany.php

@@ -8,7 +8,7 @@
 use Lomkit\Rest\Contracts\RelationResource;
 use Lomkit\Rest\Http\Resource;
 use Lomkit\Rest\Relations\Traits\HasMultipleResults;
-use Lomkit\Rest\Rules\ArrayWith;
+use Lomkit\Rest\Rules\ArrayWithKey;
 
 class MorphToMany extends MorphRelation implements RelationResource
 {
@@ -30,7 +30,7 @@ public function rules(Resource $resource, string $prefix)
             [
                 $prefix.'.*.pivot' => [
                     'prohibited_if:'.$prefix.'.*.operation,detach',
-                    new ArrayWith($this->getPivotFields()),
+                    new ArrayWithKey($this->getPivotFields()),
                 ],
             ]
         );

src/Relations/MorphedByMany.php

@@ -8,7 +8,7 @@
 use Lomkit\Rest\Contracts\RelationResource;
 use Lomkit\Rest\Http\Resource;
 use Lomkit\Rest\Relations\Traits\HasMultipleResults;
-use Lomkit\Rest\Rules\ArrayWith;
+use Lomkit\Rest\Rules\ArrayWithKey;
 
 class MorphedByMany extends MorphRelation implements RelationResource
 {
@@ -30,7 +30,7 @@ public function rules(Resource $resource, string $prefix)
             [
                 $prefix.'.*.pivot' => [
                     'prohibited_if:'.$prefix.'.*.operation,detach',
-                    new ArrayWith($this->getPivotFields()),
+                    new ArrayWithKey($this->getPivotFields()),
                 ],
             ]
         );

src/Relations/Relation.php

@@ -22,10 +22,8 @@ class Relation implements \JsonSerializable
 
     /**
      * The displayable name of the relation.
-     *
-     * @var string
      */
-    public $name;
+    public string $name;
 
     protected Resource $fromResource;
 
@@ -42,7 +40,7 @@ public function __construct($relation, $type)
      */
     public function name()
     {
-        return $this->name ?: (new \ReflectionClass($this))->getShortName();
+        return $this->name ?? (new \ReflectionClass($this))->getShortName();
     }
 
     /**