Fixed bug that RequiredIf can be exploited to generate gadget chains for deserialization vulnerabiltiies. (#3724)

CHANGELOG-2.1.md

@@ -3,6 +3,7 @@
 ## Security
 
 - [#3723](https://github.com/hyperf/hyperf/pull/3723) Fixed the active_url rule for validation in input fails to correctly check dns record with dns_get_record resulting in bypassing the validation.
+- [#3724](https://github.com/hyperf/hyperf/pull/3724) Fixed bug that `RequiredIf` can be exploited to generate gadget chains for deserialization vulnerabiltiies.
 
 ## Fixed
 

src/validation/src/Rules/RequiredIf.php

@@ -11,6 +11,8 @@ declare(strict_types=1);
  */
 namespace Hyperf\Validation\Rules;
 
+use InvalidArgumentException;
+
 class RequiredIf
 {
     /**
@@ -27,7 +29,11 @@ class RequiredIf
      */
     public function __construct($condition)
     {
-        $this->condition = $condition;
+        if (! is_string($condition)) {
+            $this->condition = $condition;
+        } else {
+            throw new InvalidArgumentException('The provided condition must be a callable or boolean.');
+        }
     }
 
     /**