Thanks to visit codestin.com
Credit goes to github.com

Skip to content

[12.x] Add option to hide detailed validation errors in JSON responses #59125

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
MElkmeshi wants to merge 1 commit into
base: 12.x
Choose a base branch
from
Draft

[12.x] Add option to hide detailed validation errors in JSON responses #59125

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 13 additions & 0 deletions config/app.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,19 @@

'debug' => (bool) env('APP_DEBUG', false),

/*
|--------------------------------------------------------------------------
| Hide Validation Errors
|--------------------------------------------------------------------------
|
| When enabled, detailed validation error messages and field names will
| not be included in JSON error responses. This prevents attackers from
| discovering your API's expected fields by sending empty requests.
|
*/

'hide_validation_errors' => (bool) env('HIDE_VALIDATION_ERRORS', false),

/*
|--------------------------------------------------------------------------
| Application URL
Expand Down
10 changes: 6 additions & 4 deletions src/Illuminate/Foundation/Exceptions/Handler.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -793,10 +793,12 @@ protected function invalid($request, ValidationException $exception)
*/
protected function invalidJson($request, ValidationException $exception)
{
return response()->json([
'message' => $exception->getMessage(),
'errors' => $exception->errors(),
], $exception->status);
return response()->json(array_filter([
'message' => config('app.hide_validation_errors')
? $exception->validator->getTranslator()->get('The given data was invalid.')
: $exception->getMessage(),
'errors' => config('app.hide_validation_errors') ? null : $exception->errors(),
]), $exception->status);
}

/**
Expand Down
43 changes: 43 additions & 0 deletions tests/Foundation/Configuration/ExceptionsTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,10 +4,19 @@

use Exception;
use Illuminate\Container\Container;
use Illuminate\Contracts\Routing\ResponseFactory as ResponseFactoryContract;
use Illuminate\Contracts\View\Factory as ViewFactory;
use Illuminate\Database\Eloquent\ModelNotFoundException;
use Illuminate\Foundation\Configuration\Exceptions;
use Illuminate\Foundation\Exceptions\Handler;
use Illuminate\Http\Request;
use Illuminate\Routing\Redirector;
use Illuminate\Routing\ResponseFactory;
use Illuminate\Translation\ArrayLoader;
use Illuminate\Translation\Translator;
use Illuminate\Validation\ValidationException;
use Illuminate\Validation\Validator;
use Mockery as m;
use PHPUnit\Framework\TestCase;
use Symfony\Component\HttpKernel\Exception\HttpException;

Expand Down Expand Up @@ -49,4 +58,38 @@ public function testShouldRenderJsonWhen()
$shouldReturnJson = (fn () => $this->shouldReturnJson(new Request, new Exception()))->call($exceptions->handler);
$this->assertFalse($shouldReturnJson);
}

public function testHideValidationErrors()
{
$container = Container::setInstance(new Container);
$config = new \Illuminate\Config\Repository;
$container->instance('config', $config);
$container->instance(ViewFactory::class, $viewFactory = m::mock(ViewFactory::class));
$container->instance(ResponseFactoryContract::class, new ResponseFactory(
$viewFactory,
m::mock(Redirector::class)
));

$handler = new Handler($container);

$translator = new Translator(new ArrayLoader, 'en');
$validator = new Validator($translator, ['name' => ''], ['name' => 'required']);
$validator->fails();
$validationException = new ValidationException($validator);

// By default, validation errors are included.
$response = (fn () => $this->invalidJson(new Request, $validationException))->call($handler);
$data = json_decode($response->getContent(), true);
$this->assertArrayHasKey('errors', $data);
$this->assertArrayHasKey('name', $data['errors']);

// When HIDE_VALIDATION_ERRORS is enabled, errors should be omitted.
$config->set('app.hide_validation_errors', true);
$response = (fn () => $this->invalidJson(new Request, $validationException))->call($handler);
$data = json_decode($response->getContent(), true);
$this->assertArrayNotHasKey('errors', $data);
$this->assertEquals('The given data was invalid.', $data['message']);

Container::setInstance(null);
}
}
Loading