Refactor: use ParameterBag::filter() for scalar type validation in RequestAttributeValueResolver

mudassaralichouhan · mudassaralichouhan · commit 07701bce8b9a · 2025-08-19T23:43:21.000+05:00
diff --git a/src/Symfony/Bundle/FrameworkBundle/Resources/config/web.php b/src/Symfony/Bundle/FrameworkBundle/Resources/config/web.php
@@ -20,7 +20,6 @@
 use Symfony\Component\HttpKernel\Controller\ArgumentResolver\DateTimeValueResolver;
 use Symfony\Component\HttpKernel\Controller\ArgumentResolver\DefaultValueResolver;
 use Symfony\Component\HttpKernel\Controller\ArgumentResolver\QueryParameterValueResolver;
-use Symfony\Component\HttpKernel\Controller\ArgumentResolver\RequestAttributeScalarValueResolver;
 use Symfony\Component\HttpKernel\Controller\ArgumentResolver\RequestAttributeValueResolver;
 use Symfony\Component\HttpKernel\Controller\ArgumentResolver\RequestPayloadValueResolver;
 use Symfony\Component\HttpKernel\Controller\ArgumentResolver\RequestValueResolver;
@@ -56,9 +55,6 @@
                 abstract_arg('targeted value resolvers'),
             ])
 
-        ->set('argument_resolver.request_attribute_scalar', RequestAttributeScalarValueResolver::class)
-            ->tag('controller.argument_value_resolver', ['priority' => 150, 'name' => RequestAttributeScalarValueResolver::class])
-
         ->set('argument_resolver.backed_enum_resolver', BackedEnumValueResolver::class)
             ->tag('controller.argument_value_resolver', ['priority' => 100, 'name' => BackedEnumValueResolver::class])
 
diff --git a/src/Symfony/Component/HttpKernel/Controller/ArgumentResolver.php b/src/Symfony/Component/HttpKernel/Controller/ArgumentResolver.php
@@ -131,7 +131,6 @@ public function getArguments(Request $request, callable $controller, ?\Reflectio
     public static function getDefaultArgumentValueResolvers(): iterable
     {
         return [
-            new ArgumentResolver\RequestAttributeScalarValueResolver(),
             new RequestAttributeValueResolver(),
             new RequestValueResolver(),
             new SessionValueResolver(),
diff --git a/src/Symfony/Component/HttpKernel/Controller/ArgumentResolver/RequestAttributeValueResolver.php b/src/Symfony/Component/HttpKernel/Controller/ArgumentResolver/RequestAttributeValueResolver.php
@@ -14,6 +14,7 @@
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpKernel\Controller\ValueResolverInterface;
 use Symfony\Component\HttpKernel\ControllerMetadata\ArgumentMetadata;
+use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
 
 /**
  * Yields a non-variadic argument's value from the request attributes.
@@ -24,6 +25,61 @@ final class RequestAttributeValueResolver implements ValueResolverInterface
 {
     public function resolve(Request $request, ArgumentMetadata $argument): array
     {
-        return !$argument->isVariadic() && $request->attributes->has($argument->getName()) ? [$request->attributes->get($argument->getName())] : [];
+        if ($argument->isVariadic()) {
+            return [];
+        }
+
+        $name = $argument->getName();
+        if (!$request->attributes->has($name)) {
+            return [];
+        }
+
+        $type = $argument->getType();
+
+        // Skip when no type declaration or complex types; fall back to other resolvers/defaults
+        if (null === $type || str_contains($type, '|') || str_contains($type, '&')) {
+            return [$value];
+        }
+
+        // Let the dedicated resolver handle backed enums
+        if (is_subclass_of($type, \BackedEnum::class, true)) {
+            return [];
+        }
+
+        // Only enforce safe casting for int/float/bool here using ParameterBag::filter()
+        switch ($type) {
+            case 'int':
+                $filtered = $request->attributes->filter($name, null, \FILTER_VALIDATE_INT, [
+                    'flags' => \FILTER_NULL_ON_FAILURE | \FILTER_REQUIRE_SCALAR,
+                ]);
+                if (null === $filtered) {
+                    throw new NotFoundHttpException(\sprintf('The value for the "%s" route parameter is invalid.', $name));
+                }
+
+                return [$filtered];
+
+            case 'float':
+                $filtered = $request->attributes->filter($name, null, \FILTER_VALIDATE_FLOAT, [
+                    'flags' => \FILTER_NULL_ON_FAILURE | \FILTER_REQUIRE_SCALAR,
+                ]);
+                if (null === $filtered) {
+                    throw new NotFoundHttpException(\sprintf('The value for the "%s" route parameter is invalid.', $name));
+                }
+
+                return [$filtered];
+
+            case 'bool':
+                $filtered = $request->attributes->filter($name, null, \FILTER_VALIDATE_BOOL, [
+                    'flags' => \FILTER_NULL_ON_FAILURE | \FILTER_REQUIRE_SCALAR,
+                ]);
+                if (null === $filtered) {
+                    throw new NotFoundHttpException(\sprintf('The value for the "%s" route parameter is invalid.', $name));
+                }
+
+                return [$filtered];
+        }
+
+        // Strings and any other types: keep default behavior
+        return [$request->attributes->get($name)];
     }
 }
diff --git a/src/Symfony/Component/HttpKernel/Tests/Controller/ArgumentResolver/RequestAttributeScalarValueResolverTest.php b/src/Symfony/Component/HttpKernel/Tests/Controller/ArgumentResolver/RequestAttributeScalarValueResolverTest.php
@@ -13,15 +13,15 @@
 
 use PHPUnit\Framework\TestCase;
 use Symfony\Component\HttpFoundation\Request;
-use Symfony\Component\HttpKernel\Controller\ArgumentResolver\RequestAttributeScalarValueResolver;
+use Symfony\Component\HttpKernel\Controller\ArgumentResolver\RequestAttributeValueResolver;
 use Symfony\Component\HttpKernel\ControllerMetadata\ArgumentMetadata;
 use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
 
 class RequestAttributeScalarValueResolverTest extends TestCase
 {
     public function testValidIntWithinRangeWorks()
     {
-        $resolver = new RequestAttributeScalarValueResolver();
+        $resolver = new RequestAttributeValueResolver();
         $request = new Request();
         $request->attributes->set('id', '123');
         $metadata = new ArgumentMetadata('id', 'int', false, false, null);
@@ -33,7 +33,7 @@ public function testValidIntWithinRangeWorks()
 
     public function testInvalidStringBecomes404()
     {
-        $resolver = new RequestAttributeScalarValueResolver();
+        $resolver = new RequestAttributeValueResolver();
         $request = new Request();
         $request->attributes->set('id', 'abc');
         $metadata = new ArgumentMetadata('id', 'int', false, false, null);
@@ -44,7 +44,7 @@ public function testInvalidStringBecomes404()
 
     public function testOutOfRangeIntBecomes404()
     {
-        $resolver = new RequestAttributeScalarValueResolver();
+        $resolver = new RequestAttributeValueResolver();
         $request = new Request();
         // one more than PHP_INT_MAX on 64-bit (string input)
         $request->attributes->set('id', '9223372036854775808');

Original file line number	Diff line number	Diff line change
`@@ -131,7 +131,6 @@ public function getArguments(Request $request, callable $controller, ?\Reflectio`
`131`	`131`	`public static function getDefaultArgumentValueResolvers(): iterable`
`132`	`132`	`{`
`133`	`133`	`return [`
`134`		`- new ArgumentResolver\RequestAttributeScalarValueResolver(),`
`135`	`134`	`new RequestAttributeValueResolver(),`
`136`	`135`	`new RequestValueResolver(),`
`137`	`136`	`new SessionValueResolver(),`