Ensured sensitive properties like $slot and $_attributes are no longer public

titonova · titonova · commit 321c7115091d · 2023-10-12T13:11:23.000+01:00
Previously, the $slot and $_attributes properties were public and thus appeared in the `wire:snapshot` directive in livewire components.

This is obviously a security risk, so this commits creates a workaround to ensure that is no longer the case, while still maintaining previous functionality
diff --git a/resources/views/components/livewire.blade.php b/resources/views/components/livewire.blade.php
@@ -3,7 +3,7 @@
               :component="$attributes->get('_')"
               :slot="serialize($slot)"
               :laravel-slots="serialize($__laravel_slots)"
-              :attributes="serialize($attributes)"
+              :_attributes="serialize($attributes)"
     />
 
 
diff --git a/src/Components/XLivewireBaseComponent.php b/src/Components/XLivewireBaseComponent.php
@@ -9,7 +9,10 @@ class XLivewireBaseComponent extends Component
 {
 
     public string $slot;
-    public string $attributes;
+    protected string $_slot = '';
+
+    public string $_attributes;
+    protected string $__attributes = '';
 
 
     /**
@@ -20,20 +23,21 @@ class XLivewireBaseComponent extends Component
      * @var string
      */
     public string $laravelSlots;
+    protected string $_laravelSlots = '';
 
     public function slot()
     {
-        return unserialize($this->slot);
+        return unserialize($this->_slot);
     }
 
     public function attributes()
     {
-        return unserialize($this->attributes);
+        return unserialize($this->__attributes);
     }
 
     public function laravelSlots()
     {
-        return unserialize($this->laravelSlots);
+        return unserialize($this->_laravelSlots);
     }
 
 
@@ -67,9 +71,15 @@ public function mount(){
      */
     public function setProps(): void
     {
+        $this->__attributes = $this->_attributes;
+        $this->_slot = $this->slot;
+        $this->_laravelSlots = $this->laravelSlots;
+
+        $attributes = $this->attributes();//->getAttributes();
+
         // The collection of all attributes that were set in the x-livewire tag.
         // We name it this way to avoid conflicts with the component's actual  $attributes property.
-        $this->attributesCollection =  collect($this->attributes());
+        $this->attributesCollection =  collect($attributes);
 
         // Get a collection of the names of all the public properties.
         $r_object = new \ReflectionObject($this);
@@ -101,6 +111,9 @@ public function setProps(): void
             }
         }
 
+        // To hide all these properties from the frontend, we unset them.
+        unset($this->_attributes, $this->laravelSlots, $this->slot);
+
 
     }
 

Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,10 @@ class XLivewireBaseComponent extends Component`
`9`	`9`	`{`
`10`	`10`
`11`	`11`	`public string $slot;`
`12`		`- public string $attributes;`
	`12`	`+ protected string $_slot = '';`
	`13`	`+`
	`14`	`+ public string $_attributes;`
	`15`	`+ protected string $__attributes = '';`
`13`	`16`
`14`	`17`
`15`	`18`	`/**`
`@@ -20,20 +23,21 @@ class XLivewireBaseComponent extends Component`
`20`	`23`	`* @var string`
`21`	`24`	`*/`
`22`	`25`	`public string $laravelSlots;`
	`26`	`+ protected string $_laravelSlots = '';`
`23`	`27`
`24`	`28`	`public function slot()`
`25`	`29`	`{`
`26`		`- return unserialize($this->slot);`
	`30`	`+ return unserialize($this->_slot);`
`27`	`31`	`}`
`28`	`32`
`29`	`33`	`public function attributes()`
`30`	`34`	`{`
`31`		`- return unserialize($this->attributes);`
	`35`	`+ return unserialize($this->__attributes);`
`32`	`36`	`}`
`33`	`37`
`34`	`38`	`public function laravelSlots()`
`35`	`39`	`{`
`36`		`- return unserialize($this->laravelSlots);`
	`40`	`+ return unserialize($this->_laravelSlots);`
`37`	`41`	`}`
`38`	`42`
`39`	`43`
`@@ -67,9 +71,15 @@ public function mount(){`
`67`	`71`	`*/`
`68`	`72`	`public function setProps(): void`
`69`	`73`	`{`
	`74`	`+ $this->__attributes = $this->_attributes;`
	`75`	`+ $this->_slot = $this->slot;`
	`76`	`+ $this->_laravelSlots = $this->laravelSlots;`
	`77`	`+`
	`78`	`+ $attributes = $this->attributes();//->getAttributes();`
	`79`	`+`
`70`	`80`	`// The collection of all attributes that were set in the x-livewire tag.`
`71`	`81`	`// We name it this way to avoid conflicts with the component's actual $attributes property.`
`72`		`- $this->attributesCollection = collect($this->attributes());`
	`82`	`+ $this->attributesCollection = collect($attributes);`
`73`	`83`
`74`	`84`	`// Get a collection of the names of all the public properties.`
`75`	`85`	`$r_object = new \ReflectionObject($this);`
`@@ -101,6 +111,9 @@ public function setProps(): void`
`101`	`111`	`}`
`102`	`112`	`}`
`103`	`113`
	`114`	`+ // To hide all these properties from the frontend, we unset them.`
	`115`	`+ unset($this->_attributes, $this->laravelSlots, $this->slot);`
	`116`	`+`
`104`	`117`
`105`	`118`	`}`
`106`	`119`