From cd49e7e24a22251e97ca27224e08bf444d35a8a4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Nikolaou?=
Date: Fri, 23 Jul 2021 02:38:26 +0300
Subject: [PATCH] Throw an exception when signing route if a parameter key is 'expires'
---
 src/Illuminate/Routing/UrlGenerator.php | 6 ++++++
 tests/Integration/Routing/UrlSigningTest.php | 9 +++++----
 tests/Routing/RoutingUrlGeneratorTest.php | 21 ++++++++++++++++++++
 3 files changed, 32 insertions(+), 4 deletions(-)
diff --git a/src/Illuminate/Routing/UrlGenerator.php b/src/Illuminate/Routing/UrlGenerator.php
index 63e344aca213..7a87d5118297 100755
--- a/src/Illuminate/Routing/UrlGenerator.php
+++ b/src/Illuminate/Routing/UrlGenerator.php
@@ -328,6 +328,12 @@ public function signedRoute($name, $parameters = [], $expiration = null, $absolu
 );
 }
+ if (array_key_exists('expires', $parameters)) {
+ throw new InvalidArgumentException(
+ '"Expires" is a reserved parameter when generating signed routes. Please rename your route parameter.'
+ );
+ }
+
 if ($expiration) {
 $parameters = $parameters + ['expires' => $this->availableAt($expiration)];
 }
diff --git a/tests/Integration/Routing/UrlSigningTest.php b/tests/Integration/Routing/UrlSigningTest.php
index b6a70608aab8..3abe7e572a28 100644
--- a/tests/Integration/Routing/UrlSigningTest.php
+++ b/tests/Integration/Routing/UrlSigningTest.php
@@ -8,6 +8,7 @@
 use Illuminate\Support\Carbon;
 use Illuminate\Support\Facades\Route;
 use Illuminate\Support\Facades\URL;
+use InvalidArgumentException;
 use Orchestra\Testbench\TestCase;
 /**
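Review bot: The new `expires` guard in signedRoute runs whether or not `$expiration` is set, and nothing in the hunk records why, so a later cleanup could plausibly move it inside `if ($expiration)`. The reason visible here is the `+` array union on the following line, which keeps the caller's value over the computed one; the integration test removed by this patch passed `'expires' => 253402300799` next to a five-minute expiration. Presumably the `expires` query value is also read back when a signature is validated, even on non-temporary URLs, but that code is not in this diff. A comment above the check such as `// 'expires' is reserved: in the array union below a caller-supplied value would replace the computed expiry.` would pin the intent. signedRoute's body starts and ends outside the hunk, so whether `$parameters` is already normalised to an array before `array_key_exists` is not visible.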
@@ -41,14 +42,14 @@ public function testTemporarySignedUrls()
 public function testTemporarySignedUrlsWithExpiresParameter()
 {
+ $this->expectException(InvalidArgumentException::class);
+ $this->expectExceptionMessage('reserved');
+
 Route::get('/foo/{id}', function (Request $request, $id) {
 return $request->hasValidSignature() ? 'valid' : 'invalid';
 })->name('foo');
- Carbon::setTestNow(Carbon::create(2018, 1, 1));
- $this->assertIsString($url = URL::temporarySignedRoute('foo', now()->addMinutes(5), ['id' => 1, 'expires' => 253402300799]));
- Carbon::setTestNow(Carbon::create(2018, 1, 1)->addMinutes(10));
- $this->assertSame('invalid', $this->get($url)->original);
+ URL::temporarySignedRoute('foo', now()->addMinutes(5), ['id' => 1, 'expires' => 253402300799]);
 }
 public function testSignedUrlWithUrlWithoutSignatureParameter()
diff --git a/tests/Routing/RoutingUrlGeneratorTest.php b/tests/Routing/RoutingUrlGeneratorTest.php
index 39362e9c2244..17aefd4494b2 100755
--- a/tests/Routing/RoutingUrlGeneratorTest.php
+++ b/tests/Routing/RoutingUrlGeneratorTest.php
@@ -664,6 +664,27 @@ public function testSignedUrlParameterCannotBeNamedSignature()
 Request::create($url->signedRoute('foo', ['signature' => 'bar']));
 }
+
+ public function testSignedUrlParameterCannotBeNamedExpires()
+ {
+ $url = new UrlGenerator(
+ $routes = new RouteCollection,
+ $request = Request::create('http://www.foo.com/')
+ );
+ $url->setKeyResolver(function () {
+ return 'secret';
+ });
+
+ $route = new Route(['GET'], 'foo/{expires}', ['as' => 'foo', function () {
+ //
+ }]);
+ $routes->add($route);
+
+ $this->expectException(InvalidArgumentException::class);
+ $this->expectExceptionMessage('reserved');
+
+ Request::create($url->signedRoute('foo', ['expires' => 253402300799]));
+ }
 }
 class RoutableInterfaceStub implements UrlRoutable
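Review bot: `expectExceptionMessage('reserved')` in testTemporarySignedUrlsWithExpiresParameter is loose enough to pass if a different reserved-parameter check throws first. The neighbouring test name testSignedUrlParameterCannotBeNamedSignature suggests such a check exists for `signature`. Matching the distinctive part of the new message, `$this->expectExceptionMessage('"Expires" is a reserved parameter');`, ties the test to the guard added in UrlGenerator.php. The same loose match is used in testSignedUrlParameterCannotBeNamedExpires in tests/Routing/RoutingUrlGeneratorTest.php.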
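Review bot: testSignedUrlParameterCannotBeNamedExpires covers only the named-key form, `['expires' => 253402300799]`, with no expiration, even though the route it registers declares an `{expires}` placeholder. It does not show what happens when that placeholder is filled positionally and an expiration is passed, where the generator itself adds an `expires` key to the parameter array. Whether that key is then consumed by the path placeholder instead of reaching the query string depends on route-generation code outside this diff. A second case such as `$url->temporarySignedRoute('foo', now()->addMinutes(5), [1])`, asserting either that generation is rejected or that the URL still carries an `expires` query value, would settle it.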