Missing handling of SuspiciousOperationException in RouteCollection

[jnoordsij]

Laravel Version

10.45.0 (also 11.x-dev)

PHP Version

8.3.3

Database Driver & Version

N/A

Description

Recently a request was sent to my application with POST method, but with the body including a (malicious) _method: __construct parameter. By default HttpMethodParameterOverride is enabled by in the Laravel request pipeline, see:

framework/src/Illuminate/Http/Request.php

Lines 59 to 69 in f1fb9a6

	/**
	* Create a new Illuminate HTTP request from server variables.
	*
	* @return static
	*/
	public static function capture()
	{
	static::enableHttpMethodParameterOverride();
	return static::createFromBase(SymfonyRequest::createFromGlobals());
	}

Within the scope of handling the request, the method is then obtained within the scope of the match method on the RouteCollection class, which results in a SuspiciousOperationException being thrown here:
https://github.com/symfony/symfony/blob/37d91c760bd91c431f91999c243d3d2ee76853dc/src/Symfony/Component/HttpFoundation/Request.php#L1166-L1168

After this being unhandled in any manner, the result is the application rendering a 404 response. However, this in my eyes has two issues:

• 404 seems to be an inappropriate response code here; either 405 or 400 as suggested per https://github.com/symfony/symfony/blob/7.1/src/Symfony/Component/HttpFoundation/Exception/RequestExceptionInterface.php is probably more appropriate.
• Due to the request being invalid and me trying to access the request within the scope of my 404 Blade template, a nested exception was thrown; this is a bit unfortunate, however probably not solvable on it's own and maybe not relevant. However, solving the first point should probably ensure that it's safe that request (and thus request path) are available on 404 responses.

Steps To Reproduce

Send a POST request to any endpoint on the application, with an "invalid" value for _method in the body.

[driesvints]

Hey @jnoordsij. I agree we should use 400 here. Would appreciate a PR!

[github-actions]

Thank you for reporting this issue!

As Laravel is an open source project, we rely on the community to help us diagnose and fix issues as it is not possible to research and fix every issue reported to us via GitHub.

If possible, please make a pull request fixing the issue you have described, along with corresponding tests. All pull requests are promptly reviewed by the Laravel team.

Thank you!

[Jimbolino]

Would it make sense to disable the call to enableHttpMethodParameterOverride()
Or add a config() or env to enable/disable it?

[jnoordsij]

Would it make sense to disable the call to enableHttpMethodParameterOverride() Or add a config() or env to enable/disable it?

This is definitely something that sounds like a reasonable follow-up in my opinion.

However given this issue has been solved with #50735 I'll close this now; feel free to create a PR for your suggestion.