Fixed bug that RequiredIf can be exploited to generate gadget chains for deserialization vulnerabiltiies. (#3724)

huangzhhui · web-flow · commit 7808ad0e7d2f · 2021-06-23T08:33:27.000+08:00
diff --git a/src/Rules/RequiredIf.php b/src/Rules/RequiredIf.php
@@ -11,6 +11,8 @@
  */
 namespace Hyperf\Validation\Rules;
 
+use InvalidArgumentException;
+
 class RequiredIf
 {
     /**
@@ -27,7 +29,11 @@ class RequiredIf
      */
     public function __construct($condition)
     {
-        $this->condition = $condition;
+        if (! is_string($condition)) {
+            $this->condition = $condition;
+        } else {
+            throw new InvalidArgumentException('The provided condition must be a callable or boolean.');
+        }
     }
 
     /**

Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,8 @@`
`11`	`11`	`*/`
`12`	`12`	`namespace Hyperf\Validation\Rules;`
`13`	`13`
	`14`	`+use InvalidArgumentException;`
	`15`	`+`
`14`	`16`	`class RequiredIf`
`15`	`17`	`{`
`16`	`18`	`/**`
`@@ -27,7 +29,11 @@ class RequiredIf`
`27`	`29`	`*/`
`28`	`30`	`public function __construct($condition)`
`29`	`31`	`{`
`30`		`- $this->condition = $condition;`
	`32`	`+ if (! is_string($condition)) {`
	`33`	`+ $this->condition = $condition;`
	`34`	`+ } else {`
	`35`	`+ throw new InvalidArgumentException('The provided condition must be a callable or boolean.');`
	`36`	`+ }`
`31`	`37`	`}`
`32`	`38`
`33`	`39`	`/**`