[Serializer] Fix NameConverter not detecting wrong input format with allow_extra_attributes=false (fixes #62725)

xersion22 · nicolas-grekas · commit ddf7926e52ec · 2026-01-12T09:24:24.000+01:00
diff --git a/src/Symfony/Component/Serializer/Normalizer/AbstractObjectNormalizer.php b/src/Symfony/Component/Serializer/Normalizer/AbstractObjectNormalizer.php
@@ -358,6 +358,20 @@ public function denormalize(mixed $data, string $type, ?string $format = null, a
                 if (isset($nestedData[$notConverted]) && !isset($originalNestedData[$attribute])) {
                     throw new LogicException(\sprintf('Duplicate values for key "%s" found. One value is set via the SerializedPath attribute: "%s", the other one is set via the SerializedName attribute: "%s".', $notConverted, implode('->', $nestedAttributes[$notConverted]->getElements()), $attribute));
                 }
+
+                // If nameConverter didn't transform the input, check if the format was wrong
+                if ($attribute === $notConverted
+                    && !($context[self::ALLOW_EXTRA_ATTRIBUTES] ?? $this->defaultContext[self::ALLOW_EXTRA_ATTRIBUTES])
+                    && (false === $allowedAttributes || \in_array($attribute, $allowedAttributes, true))
+                ) {
+                    // Property exists - check if it requires a different serialized format
+                    $normalizedVersion = $this->nameConverter->normalize($attribute, $resolvedClass, $format, $context);
+                    if ($normalizedVersion !== $attribute) {
+                        // Input was in wrong format (e.g., camelCase when snake_case expected)
+                        $extraAttributes[] = $notConverted;
+                        continue;
+                    }
+                }
             }
 
             $attributeContext = $this->getAttributeDenormalizationContext($resolvedClass, $attribute, $context);
diff --git a/src/Symfony/Component/Serializer/Tests/Normalizer/ObjectNormalizerTest.php b/src/Symfony/Component/Serializer/Tests/Normalizer/ObjectNormalizerTest.php
@@ -1202,6 +1202,115 @@ public function testDiscriminatorWithAllowExtraAttributesFalse()
         $this->assertInstanceOf(DiscriminatorDummyTypeA::class, $obj);
     }
 
+    public function testNameConverterWithWrongCaseAndAllowExtraAttributesFalse()
+    {
+        // When using a name converter with allow_extra_attributes=false,
+        // wrongly cased properties should trigger an exception
+        $classMetadataFactory = new ClassMetadataFactory(new AttributeLoader());
+        $normalizer = new ObjectNormalizer(
+            $classMetadataFactory,
+            new CamelCaseToSnakeCaseNameConverter()
+        );
+
+        // This should work - correct snake_case format
+        $result = $normalizer->denormalize(
+            ['some_camel_case_property' => 1],
+            NameConverterTestDummy::class,
+            null,
+            [AbstractNormalizer::ALLOW_EXTRA_ATTRIBUTES => false]
+        );
+        $this->assertSame(1, $result->someCamelCaseProperty);
+
+        // This should throw an exception - wrong camelCase format when snake_case is expected
+        $this->expectException(\Symfony\Component\Serializer\Exception\ExtraAttributesException:: class);
+        $normalizer->denormalize(
+            ['someCamelCaseProperty' => 1],
+            NameConverterTestDummy::class,
+            null,
+            [AbstractNormalizer::ALLOW_EXTRA_ATTRIBUTES => false]
+        );
+    }
+
+    public function testNameConverterWithWrongCaseAndAllowExtraAttributesTrue()
+    {
+        // When allow_extra_attributes=true (default), wrong format should be silently ignored
+        $classMetadataFactory = new ClassMetadataFactory(new AttributeLoader());
+        $normalizer = new ObjectNormalizer(
+            $classMetadataFactory,
+            new CamelCaseToSnakeCaseNameConverter()
+        );
+
+        // Wrong format should be ignored, property uses default value
+        $result = $normalizer->denormalize(
+            ['someCamelCaseProperty' => 999],
+            NameConverterTestDummy::class,
+            null,
+            [AbstractNormalizer::ALLOW_EXTRA_ATTRIBUTES => true]
+        );
+        // Property should have default value since 'someCamelCaseProperty' was ignored
+        $this->assertSame(0, $result->someCamelCaseProperty);
+
+        // Correct format should work normally
+        $result = $normalizer->denormalize(
+            ['some_camel_case_property' => 42],
+            NameConverterTestDummy::class,
+            null,
+            [AbstractNormalizer::ALLOW_EXTRA_ATTRIBUTES => true]
+        );
+        $this->assertSame(42, $result->someCamelCaseProperty);
+    }
+
+    public function testNameConverterWithMixedCorrectAndIncorrectFormat()
+    {
+        // Test with multiple properties where some are correct, some are wrong
+        $classMetadataFactory = new ClassMetadataFactory(new AttributeLoader());
+        $normalizer = new ObjectNormalizer(
+            $classMetadataFactory,
+            new CamelCaseToSnakeCaseNameConverter()
+        );
+
+        // Mix of correct (snake_case) and incorrect (camelCase) should fail
+        $this->expectException(\Symfony\Component\Serializer\Exception\ExtraAttributesException::class);
+        $this->expectExceptionMessage('someCamelCaseProperty');
+
+        $normalizer->denormalize(
+            [
+                'some_camel_case_property' => 1,  // Correct format
+                'someCamelCaseProperty' => 2,      // Wrong format - should trigger exception
+                'another_property' => 3,           // Correct format
+            ],
+            NameConverterTestDummyMultiple::class,
+            null,
+            [AbstractNormalizer:: ALLOW_EXTRA_ATTRIBUTES => false]
+        );
+    }
+
+    public function testNameConverterWithoutStrictModeStillWorks()
+    {
+        // Ensure the default behavior (without allow_extra_attributes context) still works
+        $classMetadataFactory = new ClassMetadataFactory(new AttributeLoader());
+        $normalizer = new ObjectNormalizer(
+            $classMetadataFactory,
+            new CamelCaseToSnakeCaseNameConverter()
+        );
+
+        // Correct snake_case format should work
+        $result1 = $normalizer->denormalize(
+            ['some_camel_case_property' => 1],
+            NameConverterTestDummy::class
+        );
+        $this->assertSame(1, $result1->someCamelCaseProperty);
+
+        // Wrong format (camelCase instead of snake_case) is silently ignored
+        // when allow_extra_attributes is not set (defaults to true)
+        $result2 = $normalizer->denormalize(
+            ['someCamelCaseProperty' => 2],
+            NameConverterTestDummy::class
+        );
+        // Property keeps default value since wrong format was ignored
+        $this->assertSame(0, $result2->someCamelCaseProperty);
+    }
+
     public function testNormalizeObjectWithGroupsAndIsPrefixedProperty()
     {
         $classMetadataFactory = new ClassMetadataFactory(new AttributeLoader());
@@ -1756,3 +1865,20 @@ public function visibleGroup()
         return $this->visibleGroup;
     }
 }
+
+class NameConverterTestDummy
+{
+    public function __construct(
+        public readonly int $someCamelCaseProperty = 0,
+    ) {
+    }
+}
+
+class NameConverterTestDummyMultiple
+{
+    public function __construct(
+        public readonly int $someCamelCaseProperty = 0,
+        public readonly int $anotherProperty = 0,
+    ) {
+    }
+}
