laravel-security
Install: claude install-skill hlsitechio/claude-skills-security
# Laravel Security Audit
Audit Laravel PHP applications (9, 10, 11, 12).
## When this skill applies
- Reviewing Laravel models, controllers, requests, middleware
- Auditing mass assignment patterns
- Reviewing Blade templates for XSS
- Checking auth setup (Sanctum, Passport, Breeze, Jetstream)
- Auditing `.env` handling and config caching
## Workflow
Follow `../_shared/audit-workflow.md`.
### Phase 1: Stack detection
```bash
grep -E '"laravel/framework"' composer.json
php artisan --version 2>/dev/null
```
### Phase 2: Inventory
```bash
# Models
find app/Models -name '*.php' 2>/dev/null
# Controllers
find app/Http/Controllers -name '*.php' | head
# Middleware
find app/Http/Middleware -name '*.php'
# Routes
cat routes/web.php routes/api.php 2>/dev/null | head -100
# Auth config
cat config/auth.php 2>/dev/null
# .env presence and gitignore
grep -i env .gitignore 2>/dev/null
```
### Phase 3: Detection — the checks
#### Eloquent mass assignment
- **LRV-MA-1** Every Eloquent model declares `$fillable` (allow-list) or `$guarded` (deny-list). An empty `$guarded = []` makes every attribute mass-assignable.
- **LRV-MA-2** Sensitive fields (`password`, `is_admin`, `email_verified_at`, foreign keys to other users) NOT in `$fillable`.
- **LRV-MA-3** No `Model::unguard()` or `Model::unguarded(fn() => ...)` in production paths.
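The three LRV-MA checks as a runnable grep/awk pass over a models directory, added here as an example and not one of the skill's own files; the fixture models it creates are constructed for the demo, and the finding format and check names beyond LRV-MA-1..3 are my own.

```shell
# Added example, not one of the skill's own files: grep/awk implementation of
# LRV-MA-1..3 over a models directory; the fixture models are constructed.
# Prints one finding per line ("<check> <reason>: <file>"); returns 1 if any.
audit_models() {
  dir="$1"; found=0
  for f in "$dir"/*.php; do
    [ -e "$f" ] || continue
    # LRV-MA-1: neither allow-list nor deny-list declared
    grep -qE '\$(fillable|guarded)[[:space:]]*=' "$f" \
      || { echo "LRV-MA-1 no \$fillable/\$guarded: $f"; found=1; }
    # LRV-MA-1: empty $guarded makes every column mass-assignable
    grep -qE '\$guarded[[:space:]]*=[[:space:]]*\[[[:space:]]*\]' "$f" \
      && { echo "LRV-MA-1 empty \$guarded: $f"; found=1; }
    # LRV-MA-2: look only inside the $fillable array (start line to first ']')
    awk '/\$fillable[[:space:]]*=/{p=1} p{print} p&&/]/{p=0}' "$f" \
      | grep -qE "'(password|is_admin|email_verified_at|[a-z_]*user_id)'" \
      && { echo "LRV-MA-2 sensitive field in \$fillable: $f"; found=1; }
    # LRV-MA-3: unguard()/unguarded() anywhere in the model
    grep -qE '::unguard(ed)?[[:space:]]*\(' "$f" \
      && { echo "LRV-MA-3 unguard call: $f"; found=1; }
  done
  return $found
}
# Constructed fixture models (not from any real project); prints the temp dir.
make_fixtures() {
  d=$(mktemp -d)
  cat > "$d/User.php" <<'EOF'
class User extends Model {
    protected $fillable = ['name', 'email'];
}
EOF
  cat > "$d/Profile.php" <<'EOF'
class Profile extends Model {
    protected $guarded = [];
    public function import(array $rows) { Model::unguard(); }
}
EOF
  cat > "$d/Post.php" <<'EOF'
class Post extends Model {
    protected $fillable = [
        'title', 'body', 'user_id',
    ];
}
EOF
  echo "$d"
}
# Stand-alone run: audit a real directory given as $1, else the fixtures.
if audit_models "${1:-$(make_fixtures)}"; then echo "no findings"; fi
```

A bare `grep password` over the model would also match `$hidden = ['password']` or a cast; the awk range limits LRV-MA-2 to the `$fillable` array itself, including multi-line arrays.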
```php
use Illuminate\Database\Eloquent\Model;
class User extends Model {
    // GOOD — explicit allow-list
    protected $fillable = ['name', 'email'];
    // password is set via setPasswordAttribute (mutator) with bcrypt,
    // never through fill()/create() request data
    public function setPasswordAttribute(string $value): void {
        $this->attributes['password'] = bcrypt($value);
    }
}
```