fix: add missing validation for placeholder field

Author: kenjis

system/Validation/Validation.php

@@ -16,8 +16,10 @@
 use CodeIgniter\HTTP\RequestInterface;
 use CodeIgniter\Validation\Exceptions\ValidationException;
 use CodeIgniter\View\RendererInterface;
+use Config\Services;
 use Config\Validation as ValidationConfig;
 use InvalidArgumentException;
+use LogicException;
 use TypeError;
 
 /**
@@ -660,47 +662,70 @@ public function loadRuleGroup(?string $group = null)
      *
      * and the following rule:
      *
-     *  'required|is_unique[users,email,id,{id}]'
+     *  'is_unique[users,email,id,{id}]'
      *
      * The value of {id} would be replaced with the actual id in the form data:
      *
-     *  'required|is_unique[users,email,id,13]'
+     *  'is_unique[users,email,id,13]'
      */
     protected function fillPlaceholders(array $rules, array $data): array
     {
-        $replacements = [];
+        foreach ($rules as &$rule) {
+            $ruleSet = $rule['rules'];
 
-        foreach ($data as $key => $value) {
-            $replacements["{{$key}}"] = $value;
-        }
+            foreach ($ruleSet as &$row) {
+                if (is_string($row)) {
+                    $placeholderFields = $this->retrievePlaceholders($row, $data);
+
+                    foreach ($placeholderFields as $field) {
+                        $validator ??= Services::validation(null, false);
 
-        if ($replacements !== []) {
-            foreach ($rules as &$rule) {
-                $ruleSet = $rule['rules'] ?? $rule;
+                        $placeholderRules = $rules[$field]['rules'] ?? null;
 
-                if (is_array($ruleSet)) {
-                    foreach ($ruleSet as &$row) {
-                        if (is_string($row)) {
-                            $row = strtr($row, $replacements);
+                        // Check if the validation rule for the placeholder exists
+                        if ($placeholderRules === null) {
+                            throw new LogicException(
+                                'No validation rules for the placeholder: ' . $field
+                            );
                         }
-                    }
-                }
 
-                if (is_string($ruleSet)) {
-                    $ruleSet = strtr($ruleSet, $replacements);
-                }
+                        // Check if the rule does not have placeholders
+                        foreach ($placeholderRules as $placeholderRule) {
+                            if ($this->retrievePlaceholders($placeholderRule, $data)) {
+                                throw new LogicException(
+                                    'The placeholder field cannot use placeholder: ' . $field
+                                );
+                            }
+                        }
+
+                        // Validate the placeholder field
+                        if (! $validator->check($data[$field], implode('|', $placeholderRules))) {
+                            // if fails, do nothing
+                            continue;
+                        }
 
-                if (isset($rule['rules'])) {
-                    $rule['rules'] = $ruleSet;
-                } else {
-                    $rule = $ruleSet;
+                        // Replace the placeholder in the rule
+                        $ruleSet = str_replace('{' . $field . '}', $data[$field], $ruleSet);
+                    }
                 }
             }
+
+            $rule['rules'] = $ruleSet;
         }
 
         return $rules;
     }
 
+    /**
+     * Retrieves valid placeholder fields.
+     */
+    private function retrievePlaceholders(string $rule, array $data): array
+    {
+        preg_match_all('/{(.+?)}/', $rule, $matches);
+
+        return array_intersect($matches[1], array_keys($data));
+    }
+
     /**
      * Checks to see if an error exists for the given field.
      */

tests/system/Validation/StrictRules/DatabaseRelatedRulesTest.php

@@ -121,7 +121,10 @@ public function testIsUniqueIgnoresParamsPlaceholders(): void
             'email' => '[email protected]',
         ];
 
-        $this->validation->setRules(['email' => 'is_unique[user.email,id,{id}]']);
+        $this->validation->setRules([
+            'id'    => 'is_natural_no_zero',
+            'email' => 'is_unique[user.email,id,{id}]',
+        ]);
         $this->assertTrue($this->validation->run($data));
     }
 
@@ -221,7 +224,10 @@ public function testIsNotUniqueIgnoresParamsPlaceholders(): void
             'id'    => $row->id,
             'email' => '[email protected]',
         ];
-        $this->validation->setRules(['email' => 'is_not_unique[user.email,id,{id}]']);
+        $this->validation->setRules([
+            'id'    => 'is_natural_no_zero',
+            'email' => 'is_not_unique[user.email,id,{id}]',
+        ]);
         $this->assertTrue($this->validation->run($data));
     }
 

tests/system/Validation/ValidationTest.php

@@ -1391,7 +1391,7 @@ public function provideStringRulesCases(): iterable
     protected function placeholderReplacementResultDetermination(string $placeholder = 'id', ?array $data = null)
     {
         if ($data === null) {
-            $data = [$placeholder => 'placeholder-value'];
+            $data = [$placeholder => '12'];
         }
 
         $validationRules = $this->getPrivateMethodInvoker($this->validation, 'fillPlaceholders')($this->validation->getRules(), $data);
@@ -1426,13 +1426,15 @@ public function testPlaceholderReplacementTestFails()
 
     public function testPlaceholderReplacementSetSingleRuleString()
     {
+        $this->validation->setRule('id', null, 'required|is_natural_no_zero');
         $this->validation->setRule('foo', null, 'required|filter[{id}]');
 
         $this->placeholderReplacementResultDetermination();
     }
 
     public function testPlaceholderReplacementSetSingleRuleArray()
     {
+        $this->validation->setRule('id', null, ['required', 'is_natural_no_zero']);
         $this->validation->setRule('foo', null, ['required', 'filter[{id}]']);
 
         $this->placeholderReplacementResultDetermination();
@@ -1441,6 +1443,7 @@ public function testPlaceholderReplacementSetSingleRuleArray()
     public function testPlaceholderReplacementSetMultipleRulesSimpleString()
     {
         $this->validation->setRules([
+            'id'  => 'required|is_natural_no_zero',
             'foo' => 'required|filter[{id}]',
         ]);
 
@@ -1450,6 +1453,7 @@ public function testPlaceholderReplacementSetMultipleRulesSimpleString()
     public function testPlaceholderReplacementSetMultipleRulesSimpleArray()
     {
         $this->validation->setRules([
+            'id'  => ['required', 'is_natural_no_zero'],
             'foo' => ['required', 'filter[{id}]'],
         ]);
 
@@ -1459,6 +1463,9 @@ public function testPlaceholderReplacementSetMultipleRulesSimpleArray()
     public function testPlaceholderReplacementSetMultipleRulesComplexString()
     {
         $this->validation->setRules([
+            'id' => [
+                'rules' => 'required|is_natural_no_zero',
+            ],
             'foo' => [
                 'rules' => 'required|filter[{id}]',
             ],
@@ -1470,6 +1477,9 @@ public function testPlaceholderReplacementSetMultipleRulesComplexString()
     public function testPlaceholderReplacementSetMultipleRulesComplexArray()
     {
         $this->validation->setRules([
+            'id' => [
+                'rules' => ['required', 'is_natural_no_zero'],
+            ],
             'foo' => [
                 'rules' => ['required', 'filter[{id}]'],
             ],