Merge pull request #6905 from firefly-iii/fix-validation

Catch various validation errors
2025-02-25 18:45:27 -06:00 · 2023-01-20 22:09:19 +01:00 · 2023-01-20 22:09:19 +01:00 · afca023767
commit afca023767
parent 1502c5de94 cd408e581b
7 changed files with 68 additions and 15 deletions
--- a/app/Api/V1/Controllers/Controller.php
+++ b/app/Api/V1/Controllers/Controller.php
@ -31,10 +31,12 @@ use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
 use Illuminate\Foundation\Bus\DispatchesJobs;
 use Illuminate\Foundation\Validation\ValidatesRequests;
 use Illuminate\Routing\Controller as BaseController;
+use Illuminate\Support\Facades\Log;
 use League\Fractal\Manager;
 use League\Fractal\Serializer\JsonApiSerializer;
 use Psr\Container\ContainerExceptionInterface;
 use Psr\Container\NotFoundExceptionInterface;
+use Symfony\Component\HttpFoundation\Exception\BadRequestException;
 use Symfony\Component\HttpFoundation\ParameterBag;

 /**
@ -95,7 +97,13 @@ abstract class Controller extends BaseController
        // some date fields:
        $dates = ['start', 'end', 'date'];
        foreach ($dates as $field) {
+            try {
                $date = request()->query->get($field);
+            } catch(BadRequestException $e) {
+                Log::error(sprintf('Request field "%s" contains a non-scalar value. Value set to NULL.', $field));
+                Log::error($e->getMessage());
+                $value = null;
+            }
            $obj  = null;
            if (null !== $date) {
                try {
@ -111,7 +119,13 @@ abstract class Controller extends BaseController
        // integer fields:
        $integers = ['limit'];
        foreach ($integers as $integer) {
+            try {
                $value = request()->query->get($integer);
+            } catch(BadRequestException $e) {
+                Log::error(sprintf('Request field "%s" contains a non-scalar value. Value set to NULL.', $integer));
+                Log::error($e->getMessage());
+                $value = null;
+            }
            if (null !== $value) {
                $bag->set($integer, (int)$value);
            }
@ -129,7 +143,13 @@ abstract class Controller extends BaseController
    private function getSortParameters(ParameterBag $bag): ParameterBag
    {
        $sortParameters = [];
+        try {
            $param          = (string)request()->query->get('sort');
+        } catch(BadRequestException $e) {
+            Log::error('Request field "sort" contains a non-scalar value. Value set to NULL.');
+            Log::error($e->getMessage());
+            $param = '';
+        }
        if ('' === $param) {
            return $bag;
        }
--- a/app/Api/V2/Controllers/Controller.php
+++ b/app/Api/V2/Controllers/Controller.php
@ -32,6 +32,7 @@ use Illuminate\Database\Eloquent\Model;
 use Illuminate\Pagination\LengthAwarePaginator;
 use Illuminate\Routing\Controller as BaseController;
 use Illuminate\Support\Collection;
+use Illuminate\Support\Facades\Log;
 use League\Fractal\Manager;
 use League\Fractal\Pagination\IlluminatePaginatorAdapter;
 use League\Fractal\Resource\Collection as FractalCollection;
@ -39,6 +40,7 @@ use League\Fractal\Resource\Item;
 use League\Fractal\Serializer\JsonApiSerializer;
 use Psr\Container\ContainerExceptionInterface;
 use Psr\Container\NotFoundExceptionInterface;
+use Symfony\Component\HttpFoundation\Exception\BadRequestException;
 use Symfony\Component\HttpFoundation\ParameterBag;

 /**
@ -90,7 +92,13 @@ class Controller extends BaseController

        // some date fields:
        foreach ($dates as $field) {
+            try {
                $date = request()->query->get($field);
+            } catch(BadRequestException $e) {
+                Log::error(sprintf('Request field "%s" contains a non-scalar value. Value set to NULL.', $field));
+                Log::error($e->getMessage());
+                $value = null;
+            }
            $obj  = null;
            if (null !== $date) {
                try {
@ -105,7 +113,13 @@ class Controller extends BaseController

        // integer fields:
        foreach ($integers as $integer) {
+            try {
                $value = request()->query->get($integer);
+            } catch(BadRequestException $e) {
+                Log::error(sprintf('Request field "%s" contains a non-scalar value. Value set to NULL.', $integer));
+                Log::error($e->getMessage());
+                $value = null;
+            }
            if (null !== $value) {
                $bag->set($integer, (int)$value);
            }
--- a/app/Http/Controllers/SearchController.php
+++ b/app/Http/Controllers/SearchController.php
@ -106,7 +106,11 @@ class SearchController extends Controller
     */
    public function search(Request $request, SearchInterface $searcher): JsonResponse
    {
-        $fullQuery = (string)$request->get('query');
+        $entry = $request->get('query');
+        if (!is_scalar($entry)) {
+            $entry = '';
+        }
+        $fullQuery = (string)$entry;
        $page      = 0 === (int)$request->get('page') ? 1 : (int)$request->get('page');

        $searcher->parseQuery($fullQuery);
--- a/app/Http/Requests/ReportFormRequest.php
+++ b/app/Http/Requests/ReportFormRequest.php
@ -215,7 +215,12 @@ class ReportFormRequest extends FormRequest
        $repository = app(TagRepositoryInterface::class);
        $set        = $this->get('tag');
        $collection = new Collection();
-        Log::debug('Set is:', $set ?? []);
+        if (is_array($set)) {
+            Log::debug('Set is:', $set);
+        }
+        if (!is_array($set)) {
+            Log::error(sprintf('Set is not an array! "%s"', $set));
+        }
        if (is_array($set)) {
            foreach ($set as $tagTag) {
                Log::debug(sprintf('Now searching for "%s"', $tagTag));
--- a/app/Support/Request/ConvertsDataTypes.php
+++ b/app/Support/Request/ConvertsDataTypes.php
@ -50,6 +50,7 @@ trait ConvertsDataTypes
     * @return mixed
     */
    abstract public function has($key);
+
    /**
     * Return integer value.
     *
@ -71,7 +72,11 @@ trait ConvertsDataTypes
     */
    public function convertString(string $field): string
    {
-        return $this->clearString((string)($this->get($field) ?? ''), false);
+        $entry = $this->get($field);
+        if (!is_scalar($entry)) {
+            return '';
+        }
+        return $this->clearString((string)$entry, false);
    }

    /**
@ -85,6 +90,8 @@ trait ConvertsDataTypes
        if (null === $string) {
            return null;
        }
+        var_dump($string);
+
        $search  = [
            "\0", // NUL
            "\f", // form feed
@ -137,12 +144,15 @@ trait ConvertsDataTypes
        ];
        $replace = "\x20"; // plain old normal space
        $string  = str_replace($search, $replace, $string);
+
        $secondSearch = $keepNewlines ? ["\r"] : ["\r", "\n", "\t", "\036", "\025"];
        $string       = str_replace($secondSearch, '', $string);

        // clear zalgo text (TODO also in API v2)
        $string = preg_replace('/\pM/u', '', $string);
-
+        if (null === $string) {
+            return null;
+        }
        return trim($string);
    }

--- a/app/Support/Search/OperatorQuerySearch.php
+++ b/app/Support/Search/OperatorQuerySearch.php
@ -162,7 +162,7 @@ class OperatorQuerySearch implements SearchInterface
        } catch (TypeError|LogicException $e) {
            Log::error($e->getMessage());
            Log::error(sprintf('Could not parse search: "%s".', $query));
-            throw new FireflyException('Invalid search value. See the logs.', 0, $e);
+            throw new FireflyException(sprintf('Invalid search value "%s". See the logs.', e($query)), 0, $e);
        }

        Log::debug(sprintf('Found %d node(s)', count($query1->getNodes())));