Merge pull request #9 from macropay-solutions/fix-eagerloading-data-leak-issue-51825

macropay-solutions · web-flow · commit 9c63a999dffe · 2025-07-07T08:57:25.000+03:00
Fix laravel/framework#51825
diff --git a/illuminate/Database/Eloquent/Builder.php b/illuminate/Database/Eloquent/Builder.php
@@ -808,11 +808,14 @@ public function getRelation($name)
         // and error prone. We don't want constraints because we add eager ones.
         $relation = Relation::noConstraints(function () use ($name) {
             try {
-                return $this->getModel()->newInstance()->$name();
+                $model = $this->getModel()->newInstance();
+                $model->nowEagerLoadingRelationNameWithNoConstraints = $name;
+
+                return $model->$name();
             } catch (BadMethodCallException) {
                 throw RelationNotFoundException::make($this->getModel(), $name);
             }
-        });
+        }, $name);
 
         $nested = $this->relationsNestedUnder($name);
 
diff --git a/illuminate/Database/Eloquent/Concerns/HasRelationships.php b/illuminate/Database/Eloquent/Concerns/HasRelationships.php
@@ -25,6 +25,8 @@
 
 trait HasRelationships
 {
+    public ?string $nowEagerLoadingRelationNameWithNoConstraints = null;
+
     /**
      * The loaded relationships for the model.
      *
diff --git a/illuminate/Database/Eloquent/Concerns/QueriesRelationships.php b/illuminate/Database/Eloquent/Concerns/QueriesRelationships.php
@@ -277,12 +277,16 @@ public function hasMorph(
     protected function getBelongsToRelation(MorphTo $relation, $type)
     {
         $belongsTo = Relation::noConstraints(function () use ($relation, $type) {
-            return $this->model->belongsTo(
+            $model = $this->getModel();
+            $model->nowEagerLoadingRelationNameWithNoConstraints = $relation->getRelationName();
+
+            return $model->belongsTo(
                 $type,
                 $relation->getForeignKeyName(),
-                $relation->getOwnerKeyName()
+                $relation->getOwnerKeyName(),
+                $relation->getRelationName(),
             );
-        });
+        }, $relation->getRelationName());
 
         $belongsTo->getQuery()->mergeConstraintsFrom($relation->getQuery());
 
@@ -895,8 +899,11 @@ protected function addWhereCountQuery(QueryBuilder $query, $operator = '>=', $co
     protected function getRelationWithoutConstraints($relation)
     {
         return Relation::noConstraints(function () use ($relation) {
-            return $this->getModel()->{$relation}();
-        });
+            $model = $this->getModel();
+            $model->nowEagerLoadingRelationNameWithNoConstraints = $relation;
+
+            return $model->{$relation}();
+        }, $relation);
     }
 
     /**
diff --git a/illuminate/Database/Eloquent/Relations/HasMany.php b/illuminate/Database/Eloquent/Relations/HasMany.php
@@ -3,6 +3,7 @@
 namespace Illuminate\Database\Eloquent\Relations;
 
 use Illuminate\Database\Eloquent\Collection;
+use Illuminate\Support\Str;
 
 class HasMany extends HasOneOrMany
 {
@@ -13,13 +14,21 @@ class HasMany extends HasOneOrMany
      */
     public function one()
     {
+        $relationName = Str::uuid()->toString();
+
 //        return HasOne::noConstraints(fn () => new HasOne(
-        return HasOne::noConstraints(fn() => \app(HasOne::class, [
-            $this->getQuery(),
-            $this->parent,
-            $this->foreignKey,
-            $this->localKey,
-        ]));
+        return HasOne::noConstraints(function () use ($relationName): HasOne {
+            $this->parent->nowEagerLoadingRelationNameWithNoConstraints = $relationName;
+            $builder = $this->getQuery()->clone();
+            $builder->setQuery($builder->getQuery()->clone());
+
+            return \app(HasOne::class, [
+                $builder,
+                $this->parent,
+                $this->foreignKey,
+                $this->localKey,
+            ]);
+        }, $relationName);
     }
 
     /**
diff --git a/illuminate/Database/Eloquent/Relations/HasManyThrough.php b/illuminate/Database/Eloquent/Relations/HasManyThrough.php
@@ -11,6 +11,7 @@
 use Illuminate\Database\Eloquent\Relations\Concerns\InteractsWithDictionary;
 use Illuminate\Database\Eloquent\SoftDeletes;
 use Illuminate\Database\UniqueConstraintViolationException;
+use Illuminate\Support\Str;
 
 class HasManyThrough extends Relation
 {
@@ -86,7 +87,7 @@ public function __construct(
         $this->throughParent = $throughParent;
         $this->secondLocalKey = $secondLocalKey;
 
-        parent::__construct($query, $throughParent);
+        parent::__construct($query, $throughParent, $farParent);
     }
 
     /**
@@ -96,16 +97,24 @@ public function __construct(
      */
     public function one()
     {
+        $relationName = Str::uuid()->toString();
+
 //        return HasOneThrough::noConstraints(fn () => new HasOneThrough(
-        return HasOneThrough::noConstraints(fn() => \app(HasOneThrough::class, [
-            $this->getQuery(),
-            $this->farParent,
-            $this->throughParent,
-            $this->getFirstKeyName(),
-            $this->secondKey,
-            $this->getLocalKeyName(),
-            $this->getSecondLocalKeyName(),
-        ]));
+        return HasOneThrough::noConstraints(function () use ($relationName): HasOneThrough {
+            $this->farParent->nowEagerLoadingRelationNameWithNoConstraints = $relationName;
+            $builder = $this->getQuery()->clone();
+            $builder->setQuery($builder->getQuery()->clone());
+
+            return \app(HasOneThrough::class, [
+                \tap($builder, fn (Builder $query): array => $query->getQuery()->joins = []),
+                $this->farParent,
+                $this->throughParent,
+                $this->getFirstKeyName(),
+                $this->secondKey,
+                $this->getLocalKeyName(),
+                $this->getSecondLocalKeyName(),
+            ]);
+        }, $relationName);
     }
 
     /**
diff --git a/illuminate/Database/Eloquent/Relations/MorphMany.php b/illuminate/Database/Eloquent/Relations/MorphMany.php
@@ -4,6 +4,7 @@
 
 use Illuminate\Database\Eloquent\Collection;
 use Illuminate\Database\Eloquent\Model;
+use Illuminate\Support\Str;
 
 class MorphMany extends MorphOneOrMany
 {
@@ -14,14 +15,22 @@ class MorphMany extends MorphOneOrMany
      */
     public function one()
     {
+        $relationName = Str::uuid()->toString();
+
 //        return MorphOne::noConstraints(fn () => new MorphOne(
-        return MorphOne::noConstraints(fn() => \app(MorphOne::class, [
-            $this->getQuery(),
-            $this->getParent(),
-            $this->morphType,
-            $this->foreignKey,
-            $this->localKey,
-        ]));
+        return MorphOne::noConstraints(function () use ($relationName): MorphOne {
+            $this->getParent()->nowEagerLoadingRelationNameWithNoConstraints = $relationName;
+            $builder = $this->getQuery()->clone();
+            $builder->setQuery($builder->getQuery()->clone());
+
+            return \app(MorphOne::class, [
+                $builder,
+                $this->getParent(),
+                $this->morphType,
+                $this->foreignKey,
+                $this->localKey,
+            ]);
+        }, $relationName);
     }
 
     /**
diff --git a/illuminate/Database/Eloquent/Relations/Relation.php b/illuminate/Database/Eloquent/Relations/Relation.php
@@ -2,7 +2,6 @@
 
 namespace Illuminate\Database\Eloquent\Relations;
 
-use Closure;
 use Illuminate\Contracts\Database\Eloquent\Builder as BuilderContract;
 use Illuminate\Database\Eloquent\Builder;
 use Illuminate\Database\Eloquent\Collection;
@@ -76,41 +75,71 @@ abstract class Relation implements BuilderContract
      */
     protected static $selfJoinCount = 0;
 
+    protected static ?string $noConstraintsForRelationName = null;
+
     /**
      * Create a new relation instance.
      *
      * @param \Illuminate\Database\Eloquent\Builder $query
      * @param \Illuminate\Database\Eloquent\Model $parent
+     * @param \Illuminate\Database\Eloquent\Model|null $resourceModel
      * @return void
      */
-    public function __construct(Builder $query, Model $parent)
+    public function __construct(Builder $query, Model $parent, ?Model $resourceModel = null)
     {
         $this->query = $query;
         $this->parent = $parent;
         $this->related = $query->getModel();
+        $resourceModel ??= $parent;
+
+        if (
+            '' !== (string)static::$noConstraintsForRelationName
+            || '' !== (string)$resourceModel->nowEagerLoadingRelationNameWithNoConstraints
+        ) {
+            /**
+             *   1st execution is for ExampleModel $exampleModel on 'rel' relation
+             * with nowEagerLoadingRelationNameWithNoConstraints = 'rel'
+             *           and with $noConstraintsForRelationName = 'rel'
+             */
+            /*   2nd execution is for UserModel $userModel on 'categories' relation
+                with nowEagerLoadingRelationNameWithNoConstraints = null
+                         and with $noConstraintsForRelationName = 'rel' */
+
+
+            /*    1st execution is for ExampleModel $exampleModel on 'children' relation
+                with nowEagerLoadingRelationNameWithNoConstraints = null
+                          and with $noConstraintsForRelationName = 'rel' */
+            /**
+             *   2nd execution is for ExampleModel $exampleModel on 'rel' relation
+             * with nowEagerLoadingRelationNameWithNoConstraints = 'rel'
+             *           and with $noConstraintsForRelationName = 'rel'
+             */
+            /* 3rd execution is for UserModel $userModel on 'categories' relation
+                with nowEagerLoadingRelationNameWithNoConstraints = null
+                   and with $noConstraintsForRelationName = 'rel' */
+            static::$constraints =
+                static::$noConstraintsForRelationName !== $resourceModel->nowEagerLoadingRelationNameWithNoConstraints;
+        }
 
         $this->addConstraints();
     }
 
     /**
      * Run a callback with constraints disabled on the relation.
      *
-     * @param \Closure $callback
      * @return mixed
      */
-    public static function noConstraints(Closure $callback)
+    public static function noConstraints(\Closure $callback, string $relationName)
     {
         $previous = static::$constraints;
+        $previousNoConstraintsForRelationName = static::$noConstraintsForRelationName;
+        static::$noConstraintsForRelationName = $relationName;
 
-        static::$constraints = false;
-
-        // When resetting the relation where clause, we want to shift the first element
-        // off of the bindings, leaving only the constraints that the developers put
-        // as "extra" on the relationships, and not original relation constraints.
         try {
             return $callback();
         } finally {
             static::$constraints = $previous;
+            static::$noConstraintsForRelationName = $previousNoConstraintsForRelationName;
         }
     }
 

Original file line number	Diff line number	Diff line change
`@@ -25,6 +25,8 @@`
`25`	`25`
`26`	`26`	`trait HasRelationships`
`27`	`27`	`{`
	`28`	`+ public ?string $nowEagerLoadingRelationNameWithNoConstraints = null;`
	`29`	`+`
`28`	`30`	`/**`
`29`	`31`	`* The loaded relationships for the model.`
`30`	`32`	`*`