Throw an exception when signing route if a parameter key is 'expires'

Sébastien Nikolaou · Sébastien Nikolaou · commit cd49e7e24a22 · 2021-07-23T02:38:26.000+03:00
diff --git a/src/Illuminate/Routing/UrlGenerator.php b/src/Illuminate/Routing/UrlGenerator.php
@@ -328,6 +328,12 @@ public function signedRoute($name, $parameters = [], $expiration = null, $absolu
             );
         }
 
+        if (array_key_exists('expires', $parameters)) {
+            throw new InvalidArgumentException(
+                '"Expires" is a reserved parameter when generating signed routes. Please rename your route parameter.'
+            );
+        }
+
         if ($expiration) {
             $parameters = $parameters + ['expires' => $this->availableAt($expiration)];
         }
diff --git a/tests/Integration/Routing/UrlSigningTest.php b/tests/Integration/Routing/UrlSigningTest.php
@@ -8,6 +8,7 @@
 use Illuminate\Support\Carbon;
 use Illuminate\Support\Facades\Route;
 use Illuminate\Support\Facades\URL;
+use InvalidArgumentException;
 use Orchestra\Testbench\TestCase;
 
 /**
@@ -41,14 +42,14 @@ public function testTemporarySignedUrls()
 
     public function testTemporarySignedUrlsWithExpiresParameter()
     {
+        $this->expectException(InvalidArgumentException::class);
+        $this->expectExceptionMessage('reserved');
+
         Route::get('/foo/{id}', function (Request $request, $id) {
             return $request->hasValidSignature() ? 'valid' : 'invalid';
         })->name('foo');
 
-        Carbon::setTestNow(Carbon::create(2018, 1, 1));
-        $this->assertIsString($url = URL::temporarySignedRoute('foo', now()->addMinutes(5), ['id' => 1, 'expires' => 253402300799]));
-        Carbon::setTestNow(Carbon::create(2018, 1, 1)->addMinutes(10));
-        $this->assertSame('invalid', $this->get($url)->original);
+        URL::temporarySignedRoute('foo', now()->addMinutes(5), ['id' => 1, 'expires' => 253402300799]);
     }
 
     public function testSignedUrlWithUrlWithoutSignatureParameter()
diff --git a/tests/Routing/RoutingUrlGeneratorTest.php b/tests/Routing/RoutingUrlGeneratorTest.php
@@ -664,6 +664,27 @@ public function testSignedUrlParameterCannotBeNamedSignature()
 
         Request::create($url->signedRoute('foo', ['signature' => 'bar']));
     }
+
+    public function testSignedUrlParameterCannotBeNamedExpires()
+    {
+        $url = new UrlGenerator(
+            $routes = new RouteCollection,
+            $request = Request::create('http://www.foo.com/')
+        );
+        $url->setKeyResolver(function () {
+            return 'secret';
+        });
+
+        $route = new Route(['GET'], 'foo/{expires}', ['as' => 'foo', function () {
+            //
+        }]);
+        $routes->add($route);
+
+        $this->expectException(InvalidArgumentException::class);
+        $this->expectExceptionMessage('reserved');
+
+        Request::create($url->signedRoute('foo', ['expires' => 253402300799]));
+    }
 }
 
 class RoutableInterfaceStub implements UrlRoutable

Original file line number	Diff line number	Diff line change
`@@ -328,6 +328,12 @@ public function signedRoute($name, $parameters = [], $expiration = null, $absolu`
`328`	`328`	`);`
`329`	`329`	`}`
`330`	`330`
	`331`	`+ if (array_key_exists('expires', $parameters)) {`
	`332`	`+ throw new InvalidArgumentException(`
	`333`	`+ '"Expires" is a reserved parameter when generating signed routes. Please rename your route parameter.'`
	`334`	`+ );`
	`335`	`+ }`
	`336`	`+`
`331`	`337`	`if ($expiration) {`
`332`	`338`	`$parameters = $parameters + ['expires' => $this->availableAt($expiration)];`
`333`	`339`	`}`