From 9f633e693b4a24965db1f26c3fa23d0326cc4b1d Mon Sep 17 00:00:00 2001
From: Stephan Vock
Date: Mon, 26 Feb 2024 11:24:51 +0000
Subject: [PATCH] Fix: non-scalar value submitted as recaptcha value
---
 src/Recaptcha/RecaptchaVerifier.php | 7 ++++++-
 tests/Recaptcha/RecaptchaVerifierTest.php | 18 ++++++++++++++++++
 2 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/src/Recaptcha/RecaptchaVerifier.php b/src/Recaptcha/RecaptchaVerifier.php
index 4526988..bcbbb9f 100644
--- a/src/Recaptcha/RecaptchaVerifier.php
+++ b/src/Recaptcha/RecaptchaVerifier.php
@@ -4,6 +4,7 @@
 
 use ReCaptcha\ReCaptcha;
 use ReCaptcha\Response;
+use Symfony\Component\HttpFoundation\Exception\BadRequestException;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\RequestStack;
 
@@ -30,7 +31,11 @@ public function verify(?string $recaptchaValue = null): void
 // If empty, we use the default input drawn by google JS we need to get
 // the value with hardcoded variable
 if (empty($recaptchaValue) && $request->request->has(self::GOOGLE_DEFAULT_INPUT)) {
- $recaptchaValue = $request->request->get(self::GOOGLE_DEFAULT_INPUT);
+ try {
+ $recaptchaValue = $request->request->get(self::GOOGLE_DEFAULT_INPUT);
+ } catch (BadRequestException) {
+ throw new RecaptchaException(new Response(false));
+ }
 }
 
 if (!is_string($recaptchaValue)) {
diff --git a/tests/Recaptcha/RecaptchaVerifierTest.php b/tests/Recaptcha/RecaptchaVerifierTest.php
index 903f53c..48b85fc 100644
--- a/tests/Recaptcha/RecaptchaVerifierTest.php
+++ b/tests/Recaptcha/RecaptchaVerifierTest.php
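Review bot: In `verify()` in src/Recaptcha/RecaptchaVerifier.php, the new `catch (BadRequestException)` branch throws `new RecaptchaException(new Response(false))`, a failure with no error code and no link to the caught exception, so logs and handlers cannot tell a malformed (non-scalar) submission from an ordinary failed challenge. Consider `throw new RecaptchaException(new Response(false, [ReCaptcha::E_MISSING_INPUT_RESPONSE]));`, or whichever code the `!is_string` branch just below reports, so both rejection paths give the same reason; that branch's body and the rest of `verify()` lie outside the hunk. The non-capturing `catch (BadRequestException)` also needs PHP 8.0, while the accompanying test still falls back to `getMasterRequest` for older Symfony releases; if PHP 7 is still a supported target, write `catch (BadRequestException $e)` instead.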
@@ -73,4 +73,22 @@ public function testVerifyFailure(): void
 $verifier = new RecaptchaVerifier($this->recaptcha, $this->stack);
 $verifier->verify('captcha-response');
 }
+
+ public function testVerifyRecaptchaValueSubmitted(): void
+ {
+ $this->expectException(RecaptchaException::class);
+
+ $request = new Request();
+ $request->request->set('g-recaptcha-response', []);
+
+ if (\is_callable([$this->stack, 'getMainRequest'])) {
+ $this->stack->expects(self::once())->method('getMainRequest')->willReturn($request);
+ } else {
+ $this->stack->expects(self::once())->method('getMasterRequest')->willReturn($request);
+ }
+ $this->request->expects(self::never())->method('getClientIp');
+
+ $verifier = new RecaptchaVerifier($this->recaptcha, $this->stack);
+ $verifier->verify();
+ }
 }
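Review bot: The expectation `$this->request->expects(self::never())->method('getClientIp')` in `testVerifyRecaptchaValueSubmitted` is set on `$this->request`, but the stack is stubbed to return the local `new Request()`, so it presumably can never fire and does not show that the verifier stopped early. To pin the behaviour that matters here, that a non-scalar value is rejected before the verification service is contacted, add `$this->recaptcha->expects(self::never())->method('verify');` (assuming `$this->recaptcha` is a mock built in `setUp`, which is outside the hunk). A name such as `testVerifyRejectsNonScalarSubmittedValue` would also say what the case covers.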