Feature/form request strict mode (#59430)

NurullahDemirel · taylorotwell · web-flow · commit 9f92a159e9b1 · 2026-04-06T08:37:34.000-05:00
* strict mode for validation

* delete validation.php file

* formated

* formatting

* formatting

* more tests

---------

Co-authored-by: Taylor Otwell &lt;taylor@laravel.com&gt;
diff --git a/src/Illuminate/Foundation/Http/Attributes/FailOnUnknownFields.php b/src/Illuminate/Foundation/Http/Attributes/FailOnUnknownFields.php
@@ -0,0 +1,13 @@
+<?php
+
+namespace Illuminate\Foundation\Http\Attributes;
+
+use Attribute;
+
+#[Attribute(Attribute::TARGET_CLASS)]
+class FailOnUnknownFields
+{
+    public function __construct(public bool $value = true)
+    {
+    }
+}
diff --git a/src/Illuminate/Foundation/Http/FormRequest.php b/src/Illuminate/Foundation/Http/FormRequest.php
@@ -9,11 +9,13 @@
 use Illuminate\Contracts\Validation\ValidatesWhenResolved;
 use Illuminate\Contracts\Validation\Validator;
 use Illuminate\Foundation\Http\Attributes\ErrorBag;
+use Illuminate\Foundation\Http\Attributes\FailOnUnknownFields;
 use Illuminate\Foundation\Http\Attributes\RedirectTo;
 use Illuminate\Foundation\Http\Attributes\RedirectToRoute;
 use Illuminate\Foundation\Http\Attributes\StopOnFirstFailure;
 use Illuminate\Http\Request;
 use Illuminate\Routing\Redirector;
+use Illuminate\Support\Arr;
 use Illuminate\Validation\ValidatesWhenResolvedTrait;
 use ReflectionClass;
 
@@ -77,6 +79,13 @@ class FormRequest extends Request implements ValidatesWhenResolved
      */
     protected $validator;
 
+    /**
+     * Indicates if unknown fields should be rejected for all form requests.
+     *
+     * @var bool
+     */
+    protected static bool $globalFailOnUnknownFields = false;
+
     /**
      * Get the validator instance for the request.
      *
@@ -109,6 +118,12 @@ protected function getValidatorInstance()
             ));
         }
 
+        if ($this->shouldFailOnUnknownFields()) {
+            $validator->after(function (Validator $validator) {
+                $this->validateNoUnknownFields($validator);
+            });
+        }
+
         $this->setValidator($validator);
 
         return $this->validator;
@@ -144,6 +159,7 @@ protected function configureFromAttributes()
         if (count($errorBag) > 0) {
             $this->errorBag = $errorBag[0]->newInstance()->name;
         }
+
     }
 
     /**
@@ -192,6 +208,66 @@ protected function validationRules()
         return method_exists($this, 'rules') ? $this->container->call([$this, 'rules']) : [];
     }
 
+    /**
+     * Determine if fields not present in rules should fail validation.
+     *
+     * @return bool
+     */
+    protected function shouldFailOnUnknownFields(): bool
+    {
+        $failOnUnknownFields = (new ReflectionClass($this))->getAttributes(FailOnUnknownFields::class);
+
+        return $failOnUnknownFields !== []
+            ? $failOnUnknownFields[0]->newInstance()->value
+            : static::$globalFailOnUnknownFields;
+    }
+
+    /**
+     * Validate that no unknown fields were sent as input.
+     *
+     * @param  \Illuminate\Contracts\Validation\Validator  $validator
+     * @return void
+     */
+    protected function validateNoUnknownFields(Validator $validator): void
+    {
+        $allowedKeys = array_keys($this->validationRules());
+
+        foreach (array_keys(Arr::dot($this->all())) as $inputKey) {
+            if (! $this->isKnownField($inputKey, $allowedKeys)) {
+                $validator->errors()->add($inputKey, trans('validation.prohibited', [
+                    'attribute' => str_replace('_', ' ', $inputKey),
+                ]));
+            }
+        }
+    }
+
+    /**
+     * Determine if the given input key is an allowed key based on the validation rules.
+     *
+     * @param  string  $inputKey
+     * @param  array  $allowedKeys
+     * @return bool
+     */
+    protected function isKnownField(string $inputKey, array $allowedKeys): bool
+    {
+        foreach ($allowedKeys as $ruleKey) {
+            if ($ruleKey === $inputKey) {
+                return true;
+            }
+
+            if (str_contains($ruleKey, '*')) {
+                $pattern = '/^'.str_replace('\*', '[^.]+', preg_quote($ruleKey, '/')).'$/';
+
+                if (preg_match($pattern, $inputKey)) {
+                    return true;
+                }
+            }
+
+        }
+
+        return false;
+    }
+
     /**
      * Handle a failed validation attempt.
      *
@@ -304,6 +380,17 @@ public function attributes()
         return [];
     }
 
+    /**
+     * Enable or disable unknown-field rejection globally for all form requests.
+     *
+     * @param  bool  $value
+     * @return void
+     */
+    public static function failOnUnknownFields(bool $value = true): void
+    {
+        static::$globalFailOnUnknownFields = $value;
+    }
+
     /**
      * Set the Validator instance.
      *
diff --git a/tests/Foundation/FoundationFormRequestTest.php b/tests/Foundation/FoundationFormRequestTest.php
