Merge pull request #155 from codebar-ag/main

StanBarrows · web-flow · commit fe0a6e3ab647 · 2026-03-22T22:21:12.000+01:00
main/production
diff --git a/app/Providers/AppServiceProvider.php b/app/Providers/AppServiceProvider.php
@@ -31,6 +31,7 @@
 use Illuminate\Foundation\Application;
 use Illuminate\Support\Facades\Route;
 use Illuminate\Support\ServiceProvider;
+use Symfony\Component\HttpFoundation\Request as SymfonyRequest;
 
 class AppServiceProvider extends ServiceProvider
 {
@@ -39,7 +40,8 @@ class AppServiceProvider extends ServiceProvider
      */
     public function register(): void
     {
-        //
+        // Ignore malformed _method / X-HTTP-Method-Override values (bots) instead of throwing SuspiciousOperationException.
+        SymfonyRequest::setAllowedHttpMethodOverride(['PUT', 'PATCH', 'DELETE']);
     }
 
     /**
diff --git a/tests/Feature/HttpMethodOverrideTest.php b/tests/Feature/HttpMethodOverrideTest.php
@@ -0,0 +1,19 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Tests\Feature;
+
+use App\Http\Middleware\VerifyCsrfToken;
+use Tests\TestCase;
+
+class HttpMethodOverrideTest extends TestCase
+{
+    public function test_malicious_method_override_does_not_throw(): void
+    {
+        $response = $this->withoutMiddleware(VerifyCsrfToken::class)
+            ->post('/', ['_method' => 'FOO123']);
+
+        $response->assertStatus(405);
+    }
+}
diff --git a/tests/Feature/ProfileInformationTest.php b/tests/Feature/ProfileInformationTest.php
@@ -5,6 +5,7 @@
 namespace Tests\Feature;
 
 use App\Enums\Weekday;
+use App\Http\Middleware\VerifyCsrfToken;
 use App\Models\User;
 use App\Service\TimezoneService;
 use Illuminate\Foundation\Testing\RefreshDatabase;
@@ -50,4 +51,23 @@ public function test_profile_information_can_be_updated(): void
         $this->assertEquals($timezone, $user->timezone);
         $this->assertEquals(Weekday::Sunday, $user->week_start);
     }
+
+    public function test_profile_information_can_be_updated_via_post_with_method_spoofing(): void
+    {
+        $user = User::factory()->create();
+        $timezone = app(TimezoneService::class)->getTimezones()[0];
+        $this->actingAs($user);
+
+        $response = $this->withoutMiddleware(VerifyCsrfToken::class)
+            ->post('/user/profile-information', [
+                '_method' => 'PUT',
+                'name' => 'Spoofed Put Name',
+                'email' => $user->email,
+                'timezone' => $timezone,
+                'week_start' => Weekday::Sunday->value,
+            ]);
+
+        $response->assertValid(errorBag: 'updateProfileInformation');
+        $this->assertSame('Spoofed Put Name', $user->fresh()->name);
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -31,6 +31,7 @@`
`31`	`31`	`use Illuminate\Foundation\Application;`
`32`	`32`	`use Illuminate\Support\Facades\Route;`
`33`	`33`	`use Illuminate\Support\ServiceProvider;`
	`34`	`+use Symfony\Component\HttpFoundation\Request as SymfonyRequest;`
`34`	`35`
`35`	`36`	`class AppServiceProvider extends ServiceProvider`
`36`	`37`	`{`
`@@ -39,7 +40,8 @@ class AppServiceProvider extends ServiceProvider`
`39`	`40`	`*/`
`40`	`41`	`public function register(): void`
`41`	`42`	`{`
`42`		`- //`
	`43`	`+ // Ignore malformed _method / X-HTTP-Method-Override values (bots) instead of throwing SuspiciousOperationException.`
	`44`	`+ SymfonyRequest::setAllowedHttpMethodOverride(['PUT', 'PATCH', 'DELETE']);`
`43`	`45`	`}`
`44`	`46`
`45`	`47`	`/**`