Merge branch 'master' into 2.2-merge

# Conflicts: # bin/release.sh # bin/split.sh # src/validation/src/Concerns/FormatsMessages.php
2024-12-02 11:48:08 +08:00 · 2021-06-28 09:40:51 +08:00 · 2021-06-28 09:40:51 +08:00 · 989c07ab55
commit 989c07ab55
parent c280028894 42366aa6c1
24 changed files with 116 additions and 24 deletions
--- a/CHANGELOG-2.1.md
+++ b/CHANGELOG-2.1.md
@ -1,4 +1,17 @@
-# v2.1.21 - TBD
+# v2.1.23 - TBD
+
+# v2.1.22 - 2021-06-28
+
+## Security
+
+- [#3723](https://github.com/hyperf/hyperf/pull/3723) Fixed the active_url rule for validation in input fails to correctly check dns record with dns_get_record resulting in bypassing the validation.
+- [#3724](https://github.com/hyperf/hyperf/pull/3724) Fixed bug that `RequiredIf` can be exploited to generate gadget chains for deserialization vulnerabiltiies.
+
+## Fixed
+
+- [#3721](https://github.com/hyperf/hyperf/pull/3721) Fixed the `in` and `not in` rule for validation in input fails to correctly check `in:00` rule when passing `0`.
+
+# v2.1.21 - 2021-06-21

 ## Fixed

--- a/bin/release.sh
+++ b/bin/release.sh
@ -9,7 +9,7 @@ then
 fi

 NOW=$(date +%s)
-CURRENT_BRANCH="2.2"
+CURRENT_BRANCH=$(git rev-parse --abbrev-ref HEAD)
 VERSION=$1
 BASEPATH=$(cd `dirname $0`; cd ../src/; pwd)

--- a/bin/split.sh
+++ b/bin/split.sh
@ -3,7 +3,7 @@
 set -e
 set -x

-CURRENT_BRANCH="2.2"
+CURRENT_BRANCH=$(git rev-parse --abbrev-ref HEAD)
 BASEPATH=$(cd `dirname $0`; cd ../src/; pwd)
 REPOS=$@

--- a/docs/en/quick-start/install.md
+++ b/docs/en/quick-start/install.md
@ -4,7 +4,7 @@

 Hyperf has some requirements for the system environment, it can only run under Linux and Mac environment, but due to the development of Docker virtualization technology, Docker for Windows can also be used as the running environment under Windows. Generally, in Mac environment, we are more A local environment deployment is recommended, to avoid the problem of slowly I/O  of shared disks, this will causing Hyperf to start up slowly. 

-The various versions of Dockerfile have been prepared for you in the [hyperf\hyperf-docker](https://github.com/hyperf/hyperf-docker) project, or directly based on the already built [hyperf\ Hyperf] (https://hub.docker.com/r/hyperf/hyperf) Image to run.
+The various versions of Dockerfile have been prepared for you in the [hyperf/hyperf-docker](https://github.com/hyperf/hyperf-docker) project, or directly based on the already built [hyperf\ Hyperf] (https://hub.docker.com/r/hyperf/hyperf) Image to run.

 When you don't want to use Docker as the basis for your running environment, you need to make sure that your operating environment meets the following requirements:  

--- a/docs/en/validation.md
+++ b/docs/en/validation.md
@ -888,11 +888,14 @@ The `Validation` component uses an event mechanism to implement custom validatio
 ```php
 namespace App\Listener;

-
+use Hyperf\Event\Annotation\Listener;
 use Hyperf\Event\Contract\ListenerInterface;
 use Hyperf\Validation\Contract\ValidatorFactoryInterface;
 use Hyperf\Validation\Event\ValidatorFactoryResolved;

+/**
+ * @Listener
+ */
 class ValidatorFactoryResolvedListener implements ListenerInterface
 {

--- a/docs/en/view-engine.md
+++ b/docs/en/view-engine.md
@ -82,7 +82,7 @@ When defining a subview, use the `@extends` directive of `Blade` to specify the
 As shown in the previous example, the content of these fragments will be controlled and displayed by the `@yield` directive in the layout:

 ```blade
-<!-- Stored in resources/views/child.blade.php -->
+<!-- Stored in storage/view/child.blade.php -->

@extends('layouts.app')

--- a/docs/zh-cn/amqp.md
+++ b/docs/zh-cn/amqp.md
@ -142,13 +142,14 @@ namespace App\Amqp\Consumers;
 use Hyperf\Amqp\Annotation\Consumer;
 use Hyperf\Amqp\Message\ConsumerMessage;
 use Hyperf\Amqp\Result;
+use PhpAmqpLib\Message\AMQPMessage;

 /**
 * @Consumer(exchange="hyperf", routingKey="hyperf", queue="hyperf", nums=1)
 */
 class DemoConsumer extends ConsumerMessage
 {
-    public function consume($data): string
+    public function consumeMessage($data, AMQPMessage $message): string
    {
        print_r($data);
        return Result::ACK;
@ -173,13 +174,14 @@ namespace App\Amqp\Consumers;
 use Hyperf\Amqp\Annotation\Consumer;
 use Hyperf\Amqp\Message\ConsumerMessage;
 use Hyperf\Amqp\Result;
+use PhpAmqpLib\Message\AMQPMessage;

 /**
 * @Consumer(exchange="hyperf", routingKey="hyperf", queue="hyperf", nums=1, enable=false)
 */
 class DemoConsumer extends ConsumerMessage
 {
-    public function consume($data): string
+    public function consumeMessage($data, AMQPMessage $message): string
    {
        print_r($data);
        return Result::ACK;
--- a/docs/zh-cn/changelog.md
+++ b/docs/zh-cn/changelog.md
@ -1,5 +1,22 @@
 # 版本更新记录

+# v2.1.22 - 2021-06-28
+
+## 安全性更新
+
+- [#3723](https://github.com/hyperf/hyperf/pull/3723) 修复验证器规则 `active_url` 无法正确检查 `dns` 记录，从而导致绕过验证的问题。
+- [#3724](https://github.com/hyperf/hyperf/pull/3724) 修复可以利用 `RequiredIf` 规则生成用于反序列化漏洞的小工具链的问题。
+
+## 修复
+
+- [#3721](https://github.com/hyperf/hyperf/pull/3721) 修复了验证器规则 `in` 和 `not in` 判断有误的问题，例如规则为 `in:00` 时，`0`不应该被允许通过。
+
+# v2.1.21 - 2021-06-21
+
+## 修复
+
+- [#3684](https://github.com/hyperf/hyperf/pull/3684) 修复使用熔断器时，成功次数和失败次数的界限判断有误的问题。
+
 # v2.1.20 - 2021-06-07

 ## 修复
--- a/docs/zh-cn/quick-start/install.md
+++ b/docs/zh-cn/quick-start/install.md
@ -4,7 +4,7 @@

 Hyperf 对系统环境有一些要求，仅可运行于 Linux 和 Mac 环境下，但由于 Docker 虚拟化技术的发展，在 Windows 下也可以通过 Docker for Windows 来作为运行环境，通常来说 Mac 环境下，我们更推荐本地环境部署，以避免 Docker 共享磁盘缓慢导致 Hyperf 启动速度慢的问题。   

-[hyperf\hyperf-docker](https://github.com/hyperf/hyperf-docker) 项目内已经为您准备好了各种版本的 Dockerfile ，或直接基于已经构建好的 [hyperf\hyperf](https://hub.docker.com/r/hyperf/hyperf) 镜像来运行。   
+[hyperf/hyperf-docker](https://github.com/hyperf/hyperf-docker) 项目内已经为您准备好了各种版本的 Dockerfile ，或直接基于已经构建好的 [hyperf/hyperf](https://hub.docker.com/r/hyperf/hyperf) 镜像来运行。   

 当您不想采用 Docker 来作为运行的环境基础时，您需要确保您的运行环境达到了以下的要求：   

--- a/docs/zh-cn/validation.md
+++ b/docs/zh-cn/validation.md
@ -888,11 +888,14 @@ $validator = $this->validationFactory->make($request->all(), [
 ```php
 namespace App\Listener;

-
+use Hyperf\Event\Annotation\Listener;
 use Hyperf\Event\Contract\ListenerInterface;
 use Hyperf\Validation\Contract\ValidatorFactoryInterface;
 use Hyperf\Validation\Event\ValidatorFactoryResolved;

+/**
+ * @Listener
+ */
 class ValidatorFactoryResolvedListener implements ListenerInterface
 {

--- a/docs/zh-cn/view-engine.md
+++ b/docs/zh-cn/view-engine.md
@ -82,7 +82,7 @@ return [
 就如前面的示例中所示，这些片段的内容将由布局中的 `@yield` 指令控制显示：

 ```blade
-<!-- Stored in resources/views/child.blade.php -->
+<!-- Stored in storage/view/child.blade.php -->

@extends('layouts.app')

--- a/docs/zh-hk/amqp.md
+++ b/docs/zh-hk/amqp.md
@ -142,13 +142,14 @@ namespace App\Amqp\Consumers;
 use Hyperf\Amqp\Annotation\Consumer;
 use Hyperf\Amqp\Message\ConsumerMessage;
 use Hyperf\Amqp\Result;
+use PhpAmqpLib\Message\AMQPMessage;

 /**
 * @Consumer(exchange="hyperf", routingKey="hyperf", queue="hyperf", nums=1)
 */
 class DemoConsumer extends ConsumerMessage
 {
-    public function consume($data): string
+    public function consumeMessage($data, AMQPMessage $message): string
    {
        print_r($data);
        return Result::ACK;
@ -173,13 +174,14 @@ namespace App\Amqp\Consumers;
 use Hyperf\Amqp\Annotation\Consumer;
 use Hyperf\Amqp\Message\ConsumerMessage;
 use Hyperf\Amqp\Result;
+use PhpAmqpLib\Message\AMQPMessage;

 /**
 * @Consumer(exchange="hyperf", routingKey="hyperf", queue="hyperf", nums=1, enable=false)
 */
 class DemoConsumer extends ConsumerMessage
 {
-    public function consume($data): string
+    public function consumeMessage($data, AMQPMessage $message): string
    {
        print_r($data);
        return Result::ACK;
--- a/docs/zh-hk/changelog.md
+++ b/docs/zh-hk/changelog.md
@ -1,5 +1,22 @@
 # 版本更新記錄

+# v2.1.22 - 2021-06-28
+
+## 安全性更新
+
+- [#3723](https://github.com/hyperf/hyperf/pull/3723) 修復驗證器規則 `active_url` 無法正確檢查 `dns` 記錄，從而導致繞過驗證的問題。
+- [#3724](https://github.com/hyperf/hyperf/pull/3724) 修復可以利用 `RequiredIf` 規則生成用於反序列化漏洞的小工具鏈的問題。
+
+## 修復
+
+- [#3721](https://github.com/hyperf/hyperf/pull/3721) 修復了驗證器規則 `in` 和 `not in` 判斷有誤的問題，例如規則為 `in:00` 時，`0`不應該被允許通過。
+
+# v2.1.21 - 2021-06-21
+
+## 修復
+
+- [#3684](https://github.com/hyperf/hyperf/pull/3684) 修復使用熔斷器時，成功次數和失敗次數的界限判斷有誤的問題。
+
 # v2.1.20 - 2021-06-07

 ## 修復
--- a/docs/zh-hk/quick-start/install.md
+++ b/docs/zh-hk/quick-start/install.md
@ -4,7 +4,7 @@

 Hyperf 對系統環境有一些要求，僅可運行於 Linux 和 Mac 環境下，但由於 Docker 虛擬化技術的發展，在 Windows 下也可以通過 Docker for Windows 來作為運行環境，通常來説 Mac 環境下，我們更推薦本地環境部署，以避免 Docker 共享磁盤緩慢導致 Hyperf 啟動速度慢的問題。   

-[hyperf\hyperf-docker](https://github.com/hyperf/hyperf-docker) 項目內已經為您準備好了各種版本的 Dockerfile ，或直接基於已經構建好的 [hyperf\hyperf](https://hub.docker.com/r/hyperf/hyperf) 鏡像來運行。   
+[hyperf/hyperf-docker](https://github.com/hyperf/hyperf-docker) 項目內已經為您準備好了各種版本的 Dockerfile ，或直接基於已經構建好的 [hyperf/hyperf](https://hub.docker.com/r/hyperf/hyperf) 鏡像來運行。   

 當您不想採用 Docker 來作為運行的環境基礎時，您需要確保您的運行環境達到了以下的要求：   

--- a/docs/zh-hk/validation.md
+++ b/docs/zh-hk/validation.md
@ -888,11 +888,14 @@ $validator = $this->validationFactory->make($request->all(), [
 ```php
 namespace App\Listener;

-
+use Hyperf\Event\Annotation\Listener;
 use Hyperf\Event\Contract\ListenerInterface;
 use Hyperf\Validation\Contract\ValidatorFactoryInterface;
 use Hyperf\Validation\Event\ValidatorFactoryResolved;

+/**
+ * @Listener
+ */
 class ValidatorFactoryResolvedListener implements ListenerInterface
 {

--- a/docs/zh-hk/view-engine.md
+++ b/docs/zh-hk/view-engine.md
@ -82,7 +82,7 @@ return [
 就如前面的示例中所示，這些片段的內容將由佈局中的 `@yield` 指令控制顯示：

 ```blade
-<!-- Stored in resources/views/child.blade.php -->
+<!-- Stored in storage/view/child.blade.php -->

@extends('layouts.app')

--- a/docs/zh-tw/amqp.md
+++ b/docs/zh-tw/amqp.md
@ -142,13 +142,14 @@ namespace App\Amqp\Consumers;
 use Hyperf\Amqp\Annotation\Consumer;
 use Hyperf\Amqp\Message\ConsumerMessage;
 use Hyperf\Amqp\Result;
+use PhpAmqpLib\Message\AMQPMessage;

 /**
 * @Consumer(exchange="hyperf", routingKey="hyperf", queue="hyperf", nums=1)
 */
 class DemoConsumer extends ConsumerMessage
 {
-    public function consume($data): string
+    public function consumeMessage($data, AMQPMessage $message): string
    {
        print_r($data);
        return Result::ACK;
@ -173,13 +174,14 @@ namespace App\Amqp\Consumers;
 use Hyperf\Amqp\Annotation\Consumer;
 use Hyperf\Amqp\Message\ConsumerMessage;
 use Hyperf\Amqp\Result;
+use PhpAmqpLib\Message\AMQPMessage;

 /**
 * @Consumer(exchange="hyperf", routingKey="hyperf", queue="hyperf", nums=1, enable=false)
 */
 class DemoConsumer extends ConsumerMessage
 {
-    public function consume($data): string
+    public function consumeMessage($data, AMQPMessage $message): string
    {
        print_r($data);
        return Result::ACK;
--- a/docs/zh-tw/changelog.md
+++ b/docs/zh-tw/changelog.md
@ -1,5 +1,22 @@
 # 版本更新記錄

+# v2.1.22 - 2021-06-28
+
+## 安全性更新
+
+- [#3723](https://github.com/hyperf/hyperf/pull/3723) 修復驗證器規則 `active_url` 無法正確檢查 `dns` 記錄，從而導致繞過驗證的問題。
+- [#3724](https://github.com/hyperf/hyperf/pull/3724) 修復可以利用 `RequiredIf` 規則生成用於反序列化漏洞的小工具鏈的問題。
+
+## 修復
+
+- [#3721](https://github.com/hyperf/hyperf/pull/3721) 修復了驗證器規則 `in` 和 `not in` 判斷有誤的問題，例如規則為 `in:00` 時，`0`不應該被允許通過。
+
+# v2.1.21 - 2021-06-21
+
+## 修復
+
+- [#3684](https://github.com/hyperf/hyperf/pull/3684) 修復使用熔斷器時，成功次數和失敗次數的界限判斷有誤的問題。
+
 # v2.1.20 - 2021-06-07

 ## 修復
--- a/docs/zh-tw/quick-start/install.md
+++ b/docs/zh-tw/quick-start/install.md
@ -4,7 +4,7 @@

 Hyperf 對系統環境有一些要求，僅可運行於 Linux 和 Mac 環境下，但由於 Docker 虛擬化技術的發展，在 Windows 下也可以通過 Docker for Windows 來作為執行環境，通常來說 Mac 環境下，我們更推薦本地環境部署，以避免 Docker 共享磁碟緩慢導致 Hyperf 啟動速度慢的問題。   

-[hyperf\hyperf-docker](https://github.com/hyperf/hyperf-docker) 專案內已經為您準備好了各種版本的 Dockerfile ，或直接基於已經構建好的 [hyperf\hyperf](https://hub.docker.com/r/hyperf/hyperf) 映象來執行。   
+[hyperf/hyperf-docker](https://github.com/hyperf/hyperf-docker) 專案內已經為您準備好了各種版本的 Dockerfile ，或直接基於已經構建好的 [hyperf/hyperf](https://hub.docker.com/r/hyperf/hyperf) 映象來執行。   

 當您不想採用 Docker 來作為執行的環境基礎時，您需要確保您的執行環境達到了以下的要求：   

--- a/docs/zh-tw/validation.md
+++ b/docs/zh-tw/validation.md
@ -888,11 +888,14 @@ $validator = $this->validationFactory->make($request->all(), [
 ```php
 namespace App\Listener;

-
+use Hyperf\Event\Annotation\Listener;
 use Hyperf\Event\Contract\ListenerInterface;
 use Hyperf\Validation\Contract\ValidatorFactoryInterface;
 use Hyperf\Validation\Event\ValidatorFactoryResolved;

+/**
+ * @Listener
+ */
 class ValidatorFactoryResolvedListener implements ListenerInterface
 {

--- a/docs/zh-tw/view-engine.md
+++ b/docs/zh-tw/view-engine.md
@ -82,7 +82,7 @@ return [
 就如前面的示例中所示，這些片段的內容將由佈局中的 `@yield` 指令控制顯示：

 ```blade
-<!-- Stored in resources/views/child.blade.php -->
+<!-- Stored in storage/view/child.blade.php -->

@extends('layouts.app')

--- a/src/validation/src/Concerns/ValidatesAttributes.php
+++ b/src/validation/src/Concerns/ValidatesAttributes.php
@ -58,7 +58,7 @@ trait ValidatesAttributes

        if ($url = parse_url($value, PHP_URL_HOST)) {
            try {
-                return count(dns_get_record($url, DNS_A | DNS_AAAA)) > 0;
+                return count(dns_get_record($url . '.', DNS_A | DNS_AAAA)) > 0;
            } catch (Exception $e) {
                return false;
            }
@ -630,7 +630,7 @@ trait ValidatesAttributes
            return count(array_diff($value, $parameters)) === 0;
        }

-        return ! is_array($value) && in_array((string) $value, $parameters);
+        return ! is_array($value) && in_array((string) $value, $parameters, true);
    }

    /**
--- a/src/validation/src/Rules/RequiredIf.php
+++ b/src/validation/src/Rules/RequiredIf.php
@ -11,6 +11,8 @@ declare(strict_types=1);
 */
 namespace Hyperf\Validation\Rules;

+use InvalidArgumentException;
+
 class RequiredIf
 {
    /**
@ -27,7 +29,11 @@ class RequiredIf
     */
    public function __construct($condition)
    {
+        if (! is_string($condition)) {
            $this->condition = $condition;
+        } else {
+            throw new InvalidArgumentException('The provided condition must be a callable or boolean.');
+        }
    }

    /**
--- a/src/validation/tests/Cases/ValidationValidatorTest.php
+++ b/src/validation/tests/Cases/ValidationValidatorTest.php
@ -1823,6 +1823,10 @@ class ValidationValidatorTest extends TestCase
        $v = new Validator($trans, ['name' => 0], ['name' => 'In:bar,baz']);
        $this->assertFalse($v->passes());

+        $trans = $this->getIlluminateArrayTranslator();
+        $v = new Validator($trans, ['name' => 0], ['name' => 'In:00,000']);
+        $this->assertFalse($v->passes());
+
        $v = new Validator($trans, ['name' => 'foo'], ['name' => 'In:foo,baz']);
        $this->assertTrue($v->passes());