Throw an exception when signing route if a parameter key is 'expires'

laravel · Jul 22, 2021 · cd49e7e · cd49e7e
1 parent f625e62
commit cd49e7e
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 4 deletions.
diff --git a/src/Illuminate/Routing/UrlGenerator.php b/src/Illuminate/Routing/UrlGenerator.php
@@ -328,6 +328,12 @@ public function signedRoute($name, $parameters = [], $expiration = null, $absolu
             );
         }
 
+        if (array_key_exists('expires', $parameters)) {
+            throw new InvalidArgumentException(
+                '"Expires" is a reserved parameter when generating signed routes. Please rename your route parameter.'
+            );
+        }
+
         if ($expiration) {
             $parameters = $parameters + ['expires' => $this->availableAt($expiration)];
         }

diff --git a/tests/Integration/Routing/UrlSigningTest.php b/tests/Integration/Routing/UrlSigningTest.php
@@ -8,6 +8,7 @@
 use Illuminate\Support\Carbon;
 use Illuminate\Support\Facades\Route;
 use Illuminate\Support\Facades\URL;
+use InvalidArgumentException;
 use Orchestra\Testbench\TestCase;
 
 /**
@@ -41,14 +42,14 @@ public function testTemporarySignedUrls()
 
     public function testTemporarySignedUrlsWithExpiresParameter()
     {
+        $this->expectException(InvalidArgumentException::class);
+        $this->expectExceptionMessage('reserved');
+
         Route::get('/foo/{id}', function (Request $request, $id) {
             return $request->hasValidSignature() ? 'valid' : 'invalid';
         })->name('foo');
 
-        Carbon::setTestNow(Carbon::create(2018, 1, 1));
-        $this->assertIsString($url = URL::temporarySignedRoute('foo', now()->addMinutes(5), ['id' => 1, 'expires' => 253402300799]));
-        Carbon::setTestNow(Carbon::create(2018, 1, 1)->addMinutes(10));
-        $this->assertSame('invalid', $this->get($url)->original);
+        URL::temporarySignedRoute('foo', now()->addMinutes(5), ['id' => 1, 'expires' => 253402300799]);
     }
 
     public function testSignedUrlWithUrlWithoutSignatureParameter()

diff --git a/tests/Routing/RoutingUrlGeneratorTest.php b/tests/Routing/RoutingUrlGeneratorTest.php
@@ -664,6 +664,27 @@ public function testSignedUrlParameterCannotBeNamedSignature()
 
         Request::create($url->signedRoute('foo', ['signature' => 'bar']));
     }
+
+    public function testSignedUrlParameterCannotBeNamedExpires()
+    {
+        $url = new UrlGenerator(
+            $routes = new RouteCollection,
+            $request = Request::create('http://www.foo.com/')
+        );
+        $url->setKeyResolver(function () {
+            return 'secret';
+        });
+
+        $route = new Route(['GET'], 'foo/{expires}', ['as' => 'foo', function () {
+            //
+        }]);
+        $routes->add($route);
+
+        $this->expectException(InvalidArgumentException::class);
+        $this->expectExceptionMessage('reserved');
+
+        Request::create($url->signedRoute('foo', ['expires' => 253402300799]));
+    }
 }
 
 class RoutableInterfaceStub implements UrlRoutable