[6.x] Fix validation bypass via spoofed Precognition-Validate-Only header (#14557)

duncanmcclean · claude · jasonvarga · web-flow · commit cff13ff4861f · 2026-04-28T09:44:11.000-04:00
Co-authored-by: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
Co-authored-by: Jason Varga &lt;jason@pixelfear.com&gt;
diff --git a/src/Fields/Validator.php b/src/Fields/Validator.php
@@ -2,7 +2,6 @@
 
 namespace Statamic\Fields;
 
-use Illuminate\Support\Collection;
 use Illuminate\Support\Facades\Validator as LaravelValidator;
 use Statamic\Support\Arr;
 use Statamic\Support\Str;
@@ -186,12 +185,10 @@ public function filterPrecognitiveRules($rules)
     {
         $request = request();
 
-        if (! $request->headers->has('Precognition-Validate-Only')) {
+        if (! $request->isPrecognitive()) {
             return $rules;
         }
 
-        return Collection::make($rules)
-            ->only(explode(',', $request->header('Precognition-Validate-Only')))
-            ->all();
+        return $request->filterPrecognitiveRules($rules);
     }
 }
diff --git a/tests/Tags/Form/FormCreateAlpineTest.php b/tests/Tags/Form/FormCreateAlpineTest.php
@@ -3,6 +3,7 @@
 namespace Tests\Tags\Form;
 
 use PHPUnit\Framework\Attributes\Test;
+use Statamic\Facades\Form;
 use Statamic\Statamic;
 
 class FormCreateAlpineTest extends FormTestCase
@@ -932,6 +933,32 @@ public function it_dynamically_renders_precognition_text_field_x_on_change()
         $this->assertFieldRendersHtml(['<input id="[[form-handle]]-form-name-field" type="text" name="name" value="" x-model="form.name" @change="form.validate(\'name\')">'], $config, [], ['js' => 'alpine_precognition']);
     }
 
+    #[Test]
+    public function it_validates_precognitive_requests()
+    {
+        $this
+            ->withPrecognition()
+            ->withHeaders(['Precognition-Validate-Only' => 'email'])
+            ->postJson('/!/forms/contact', ['email' => ''])
+            ->assertStatus(422)
+            ->assertJsonValidationErrors(['email'])
+            ->assertJsonMissingValidationErrors(['message']);
+    }
+
+    #[Test]
+    public function it_wont_submit_form_when_precognition_validate_only_header_is_spoofed()
+    {
+        $this->assertEmpty(Form::find('contact')->submissions());
+
+        $this
+            ->withHeaders(['Precognition-Validate-Only' => 'foo'])
+            ->post('/!/forms/contact', [])
+            ->assertSessionHasErrors(['email'], null, 'form.contact')
+            ->assertLocation('/');
+
+        $this->assertEmpty(Form::find('contact')->submissions());
+    }
+
     private function jsonEncode($data)
     {
         return Statamic::modify($data)->toJson()->entities();

Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,6 @@`
`2`	`2`
`3`	`3`	`namespace Statamic\Fields;`
`4`	`4`
`5`		`-use Illuminate\Support\Collection;`
`6`	`5`	`use Illuminate\Support\Facades\Validator as LaravelValidator;`
`7`	`6`	`use Statamic\Support\Arr;`
`8`	`7`	`use Statamic\Support\Str;`
`@@ -186,12 +185,10 @@ public function filterPrecognitiveRules($rules)`
`186`	`185`	`{`
`187`	`186`	`$request = request();`
`188`	`187`
`189`		`- if (! $request->headers->has('Precognition-Validate-Only')) {`
	`188`	`+ if (! $request->isPrecognitive()) {`
`190`	`189`	`return $rules;`
`191`	`190`	`}`
`192`	`191`
`193`		`- return Collection::make($rules)`
`194`		`- ->only(explode(',', $request->header('Precognition-Validate-Only')))`
`195`		`- ->all();`
	`192`	`+ return $request->filterPrecognitiveRules($rules);`
`196`	`193`	`}`
`197`	`194`	`}`