Laravel-mongodb: After updating Laravel to 6.18.35, I got an error in a model that has a $guarded attribute

Created on 10 Aug 2020 · 4 Comments · Source: jenssegers/laravel-mongodb

  • Laravel-mongodb Version: 3.6.4
  • PHP Version: 7.3.21
  • Database Driver & Version: mongodb 1.5.5

Description:

Recently, https://github.com/laravel/framework/pull/33777 was merged. Since then, I'm getting an error when I try to use the create method with a model that has a $guarded attribute.

Steps to reproduce

  1. Have a Model that has $guarded attribute:

         class Tester extends \Moloquent
         {
             protected $guarded = [
                 'test',
             ];
         }

  2. Call Tester::create(['foo' => 'bar']);

Expected behaviour

It should create an object with property 'foo' in the database

Actual behaviour

PHP Error: Call to a member function compileColumnListing() on null in /home/project/vendor/laravel/framework/src/Illuminate/Database/Schema/Builder.php on line 136

bug

All 4 comments

PRs welcome 👍

I might take a closer look but probably on Sunday.

Thanks!

Same issue here. I have to downgrade to laravel/framework v6.18.32

with composer require laravel/framework:6.18.32

But be patient, this release has the vulnerability which is fixed with the v6.18.35 and actually not working with this package

laravel/framework (v6.18.32)
----------------------------
 * [CVE-NONE-0001][]: Guard bypass in Eloquent models
[CVE-NONE-0001]: https://blog.laravel.com/security-release-laravel-61834-7232

I had the same problem here.

I fixed the version.

Edit: I noticed what I posted below gets mentioned on the PR. Leaving it in as-is, but it is known.


To continue where @Jannnnnn left off, the exact fix that causes this error is mentioned on the 6.18.35 / 7.25.0 release announcement.

Today's patch fixes this and other potential unexpected behaviors by comparing the column that is being updated with an actual list of database columns that exist on the database table.

Since this involves a security fix that fixes some protected JSON assignments (like foo->bar whilst foo is guarded), it's good to cross-check this against code known to exploit stuff like this. Maybe mocking such a request in a unit test.

An easy fix is also suggested:

As a personal recommendation, I recommend always using $fillable instead of $guarded
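
The trade-off raised in the last comment, as an added example that is not code from Laravel, laravel-mongodb or any commenter: an exact-match denylist, the same denylist with the column cross-check the announcement describes, and an allowlist, run over one constructed payload. All function names, the payload and the column list are made up for illustration, and the null column list is an assumption standing in for a connection that cannot list columns.

```php
<?php
// Added illustration with simplified stand-ins; not Laravel or laravel-mongodb code.

// Denylist ($guarded style) with exact-name matching: unlisted keys pass.
function passesDenylist(string $key, array $guarded): bool
{
    return !in_array($key, $guarded, true);
}

// Denylist plus the cross-check against real columns that the announcement
// describes. Assumption: $columns === null models a connection that cannot
// list columns, as in the compileColumnListing() error reported above.
function passesDenylistWithColumns(string $key, array $guarded, ?array $columns): bool
{
    if ($columns === null) {
        throw new RuntimeException('no column listing for this connection');
    }
    return !in_array($key, $guarded, true) && in_array($key, $columns, true);
}

// Allowlist ($fillable style): only named keys pass; no schema lookup.
function passesAllowlist(string $key, array $fillable): bool
{
    return in_array($key, $fillable, true);
}

// Keys of $input that $check accepts, or the error text if the check fails.
function accepted(array $input, callable $check, ...$args)
{
    try {
        return array_values(array_filter(array_keys($input), function ($key) use ($check, $args) {
            return $check($key, ...$args);
        }));
    } catch (RuntimeException $e) {
        return 'error: ' . $e->getMessage();
    }
}

// Constructed payload: a normal field, the guarded field, and a JSON-path
// key aimed at the guarded field (the "foo->bar" shape from the comment).
$input = ['foo' => 'bar', 'test' => 'x', 'test->nested' => 'y'];

$results = [
    'denylist'              => accepted($input, 'passesDenylist', ['test']),
    'denylist_with_columns' => accepted($input, 'passesDenylistWithColumns', ['test'], ['_id', 'foo', 'test']),
    'denylist_no_columns'   => accepted($input, 'passesDenylistWithColumns', ['test'], null),
    'allowlist'             => accepted($input, 'passesAllowlist', ['foo']),
];
echo json_encode($results, JSON_PRETTY_PRINT), PHP_EOL;
```

The allowlist is the only variant that both rejects the JSON-path key and needs no column listing, which is why it keeps working on a store without a fixed schema.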
