Laravel-mongodb: After update laravel to 6.18.35, i got error in model that has $guarded attribute

Created on 10 Aug 2020  路  4Comments  路  Source: jenssegers/laravel-mongodb

  • Laravel-mongodb Version: 3.6.4
  • PHP Version: 7.3.21
  • Database Driver & Version: mongodb 1.5.5

Description:

Recently, was merged https://github.com/laravel/framework/pull/33777. Since then, I'm getting an error when I try to use the create method with a model that has $guarded attribute

Steps to reproduce

  1. Have a Model that has $guarded attribute:
class Tester extends \Moloquent
{
    protected $guarded = [
        'test',
    ];
}
  1. call Tester::create(['foo' => 'bar']);

Expected behaviour

It should create a object with property 'foo' in database

Actual behaviour

PHP Error: Call to a member function compileColumnListing() on null in /home/project/vendor/laravel/framework/src/Illuminate/Database/Schema/Builder.php on line 136

bug

All 4 comments

PRs welcome 馃憤

I might take a closer look but probably on Sunday.

Thanks!

Same issue here. i have to downgrade to laravel/framework v6.18.32

with composer require laravel/framework:6.18.32

But be patient this release has the vulnerability wich is fixed with the v6.18.35 and actual not working with this package

laravel/framework (v6.18.32)
----------------------------
 * [CVE-NONE-0001][]: Guard bypass in Eloquent models
[CVE-NONE-0001]: https://blog.laravel.com/security-release-laravel-61834-7232

I had the same problem here.

I fixed the version.

Edit: I noticed what I posted below gets mentioned on the PR. Leaving it in as-is, but it is known.


To continue where @Jannnnnn left off, the exact fix that causes this error, is mentioned on the 6.18.35 / 7.25.0 release announcement.

Today's patch fixes this and other potential unexpected behaviors by comparing the column that is being updated with an actual list of database columns that exist on the database table.

Since this involves a security fix that fixes some protected JSON assignments (like foo->bar whilst foo is guarded), it's good to cross-check this against code known to exploit stuff like this. Maybe mocking such a request in a unit test.

An easy fix is also suggested:

As a personal recommendation, I recommend always using $fillable instead of $guarded

Was this page helpful?
0 / 5 - 0 ratings

Related issues

trololosha4real picture trololosha4real  路  20Comments

supaheckafresh picture supaheckafresh  路  40Comments

adnanfajr picture adnanfajr  路  23Comments

dhananjaygoel picture dhananjaygoel  路  17Comments

klferreira picture klferreira  路  35Comments