Description
This will have a double-edged effect on validation and data assignment for repositories. The current issue is that, if a field is defined in any of the following properties (`fillable`, `guarded`, `hidden`), any request can leverage this to assign the field a forged value, therefore creating a loophole resulting in a security flaw.
`Coggr\Application\Repository`

```php
// The allow-list is the union of fillable, hidden AND guarded field names,
// so guarded fields (meant to be refused) and hidden fields (meant only to be
// omitted from output) become assignable from request input.
$fields = array_unique(
    array_merge($entity->getFillable(), $entity->getHidden(), $entity->getGuarded())
);

// Every request key found in that union is written straight onto the entity.
foreach ($inserts as $key => $val) {
    if (in_array($key, $fields)) {
        $entity->{$key} = $val;
    }
}
```
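The loophole in concrete form, as an added example that is not code from the Coggr project: a stand-in entity with Laravel-style `getFillable()`, `getHidden()` and `getGuarded()` accessors is run through the issue's assignment loop and through a hardened variant whose allow-list is `fillable` minus `guarded`. The `StubEntity` class, the `assignVulnerable`/`assignStrict` functions and the field names (`is_admin`, `password`) are constructed for illustration and are not part of the repository.

```php
<?php
// Added example, not code from the Coggr project. StubEntity, the two assign
// functions and the request payload below are constructed for illustration.

final class StubEntity
{
    /** @var array<string,mixed> attribute bag, like an ORM model's attributes */
    private array $attributes = [];

    public function getFillable(): array { return ['name', 'email']; }

    // 'password' is hidden from serialization; it is not meant to be assignable
    // from raw request input.
    public function getHidden(): array { return ['password']; }

    // 'is_admin' is guarded: mass assignment to it must be refused.
    public function getGuarded(): array { return ['is_admin']; }

    public function __set(string $key, mixed $value): void { $this->attributes[$key] = $value; }
    public function __get(string $key): mixed { return $this->attributes[$key] ?? null; }
    public function toArray(): array { return $this->attributes; }
}

/** Reproduces the loop from the issue: any key in fillable ∪ hidden ∪ guarded is assigned. */
function assignVulnerable(StubEntity $entity, array $inserts): StubEntity
{
    $fields = array_unique(
        array_merge($entity->getFillable(), $entity->getHidden(), $entity->getGuarded())
    );
    foreach ($inserts as $key => $val) {
        if (in_array($key, $fields)) {
            $entity->{$key} = $val;
        }
    }
    return $entity;
}

/**
 * Hardened variant: the allow-list is fillable only, with guarded names removed
 * even if a field is listed in both. Hidden controls output, not input, so it
 * plays no part. Keys that are not allowed are collected in $rejected so the
 * caller can log them or fail the request instead of silently dropping them.
 */
function assignStrict(StubEntity $entity, array $inserts, array &$rejected = []): StubEntity
{
    $allowed = array_diff($entity->getFillable(), $entity->getGuarded());
    foreach ($inserts as $key => $val) {
        if (in_array($key, $allowed, true)) {
            $entity->{$key} = $val;
        } else {
            $rejected[] = $key;
        }
    }
    return $entity;
}

// Constructed request payload carrying two forged fields alongside legitimate ones.
$request = [
    'name'     => 'alice',
    'email'    => 'alice@example.com',
    'password' => 'attacker-chosen',
    'is_admin' => true,
];

// Issue's loop: the guarded is_admin and the hidden password are both written
// onto the entity because they are members of the merged allow-list.
$vulnerable = assignVulnerable(new StubEntity(), $request);
var_dump($vulnerable->toArray());

// Hardened loop: only name and email are assigned; password and is_admin are
// reported back as rejected keys.
$rejected = [];
$strict = assignStrict(new StubEntity(), $request, $rejected);
var_dump($strict->toArray(), $rejected);
```

The fix direction this illustrates is to derive the assignable set from `fillable` alone and to subtract `guarded` rather than add it; `hidden` should never influence what input is accepted. Whether the repository should additionally reject a request that carries disallowed keys (rather than ignoring them) is a policy choice, which is why `assignStrict` hands the rejected keys back instead of deciding on its own.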