[Serializer] Add FlattenExceptionNormalizer / Fix messenger used with the serializer component #33650
Conversation
574746d to
482551d
Compare
|
The failing test on 7.3 is due to the fact that Travis loads the deps from |
|
What with |
482551d to
ef0b8b3
Compare
ef0b8b3 to
733e404
Compare
|
@mleczakm That's fixed. Nice catch. |
|
This fix would also help in #33049 |
There was a problem hiding this comment.
Thanks for the PR!
I think this is the correct approach. I originally chose to use FlattenException because the purpose of it is to be a "serializable" exception. This, of course, works with Messenger's PhpSerializer. I think it makes sense to make it also work with Symfony's serializer. An alternative approach would be for Messenger to store the exception information in a simpler way (without using FlattenException), but that feels like reinventing the wheel: this is the purpose of FlattenException.
|
Wouldn't it better to serialize the error following/extending the formats defined by RFC 7807 or Hydra (as we do for validation errors: #22150)? Maybe that a better approach would be to:
There are several benefits to this approach:
At least, the error renderers should implement Serializer's interfaces (and these interfaces should probably moved to /cc @yceruto |
|
@dunglas I'm not sure I follow how you'd expect the same set of classes to satisfy the needs of both Messenger and ErrorRenderer as the use cases are totally different. Also, this PR is about fixing bugs in 4.3, so anything that involves components that haven't been released yet probably won't apply.
As for following RFC 7807 more closely, I'm all for it. However as some fields in the RFC only make sense in an HTTP context, there's not much we could do I guess. Would you have anything else than the following in mind ?
|
|
@dunglas I failed to see as well the approach described and its relationship with this PR + ErrorRenderer component in 4.4. The ErrorRenderer component is not (and should not be) concerned with the full normalization of the FlattenException object or its denormalization at all, but standardized error responses in different formats, included the HTML error/exception page. It's more like (https://github.com/filp/whoops) I don't know how all those features would fit into the Serializer component instead. |
They don't look that different to me. Also, the benefit of using JSON with Messenger (instead of the native PHP
It can be added to extra keys, as done by API Platform (such information could also be useful for developers trying to debug). See https://github.com/api-platform/core/blob/master/src/Hydra/Serializer/ErrorNormalizer.php#L58-L60 for instance.
Normalizers in API Platform currently only support normalization, but there are no technical reasons preventing to support deserialization.
We have all the infrastructure we need in the Serializer to deal with this. An option could be passed to the context (and we can now set default context options easily) to choose if debug informations for instance should be serialized or not.
Great. I indeed had something like that in mind.
For instance, in API Platform we already support generating standard error response for RFC 7807, JSON:API and Hydra using normalizers.
If the ErrorHandler component could use any class implementing the
For (advanced) HTML like this agree. Creating something like whoops is totally out of scope of the Symfony Serializer and should stay in ErrorRenderer. However, it's not the same case for non-HTML renderers. They should be moved to the Serializer component. |
|
@dunglas I renamed Regarding your other points, I now understand your point of view better, thank you. However, I believe this is a different discussion and don't think this should keep us from merging this PR, which is only for the We'll still be able to add support for the ErrorRenderer class and/or use the Serializer in the new components on 4.4 once this is done. |
|
ping @dunglas |
|
We can merge this one, but can we mark it as @experimental in case we have to modify it for ErrorHandler/ErrorRenderer? |
|
@dunglas Depending on what you decide to do, it might be best to create another normalizer for ErrorRenderer, and just retire this one with the Debug component in 5.0. Anyway, I added the |
…s (dunglas) This PR was merged into the 4.4 branch. Discussion ---------- [ErrorRenderer] Security fix: hide sensitive error messages | Q | A | ------------- | --- | Branch? | 4.4 | Bug fix? | yes | New feature? | no <!-- please update src/**/CHANGELOG.md files --> | Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files --> | Tickets | n/a | License | MIT | Doc PR | n/a This PR fixes a security issue. Exception messages must not be displayed except when debugging, because they can contain sensitive data including credentials. For instance, PDO and Doctrine throw exception with message such as `The details are: SQLSTATE[HY000] [1045] Access denied for user 'root'@'db.example.com' (using password: NO)` revealing internal details about the infrastructure usful for an attacker. Also, I still think that ErrorRenderer should be removed in favor of using the Serializer directly (see #33650 (comment)). I'll try to open some PRs to do that in tomorrow. Commits ------- d7d7f22 [ErrorRenderer] Security fix: hide sensitive error messages
|
Does #34312 change the approach proposed here? Can you please have a look for 4.4? |
|
I suppose the only thing needed to merge this PR is to change this PR to use the new error handler component (and remove symfony/debug old component) right and put this agaisn't 4.4? @weaverryan This fix will close #32719 . I tested this locally (to use the new error-handler component), but if I execute the command BTW, this exception does not discard the event from the queue, but without applying this PR fix, it discarded. What I'm using to test:
|
|
I found the problem with the error. For some reason the Flatten Normalizer in this PR was not being called when normalizing the You see there is a missing trace_as_string parameter, that's why the error. |
| @@ -31,6 +31,11 @@ | |||
| <service id="Symfony\Component\Serializer\Mapping\ClassDiscriminatorResolverInterface" alias="serializer.mapping.class_discriminator_resolver" /> | |||
|
|
|||
| <!-- Normalizer --> | |||
| <service id="serializer.normalizer.flatten_exception" class="Symfony\Component\Serializer\Normalizer\FlattenExceptionNormalizer"> | |||
| <!-- Run before serializer.normalizer.object --> | |||
| <tag name="serializer.normalizer" priority="-915" /> | |||
There was a problem hiding this comment.
If I remove the priority the normalize() method is called (in this PR with priority is not).
denormalize is called with our without the priority.
With this PR (the custom normalizer of this PR was not being called, that's why the trace_as_string was not being set). Result in xdebug:
(just did a throw new \InvalidArgumentException() in an handler to force failing)
| @@ -25,6 +25,7 @@ | |||
| "symfony/property-access": "~3.4|~4.0", | |||
| "symfony/http-foundation": "~3.4|~4.0", | |||
| "symfony/cache": "~3.4|~4.0", | |||
| "symfony/debug": "~3.4|~4.0", | |||
There was a problem hiding this comment.
switch to symfony/error-handler since this component is deprecated?
This PR was squashed before being merged into the 5.2-dev branch. Discussion ---------- [Messenger] Add FlattenException Normalizer | Q | A | ------------- | --- | Branch? | master | Bug fix? | no | New feature? | yes <!-- please update src/**/CHANGELOG.md files --> | Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files --> | Tickets | Fix #32719 ... <!-- prefix each issue number with "Fix #", if any --> | License | MIT | Doc PR | No docs ... <!-- required for new features --> <!-- Replace this notice by a short README for your feature/bugfix. This will help people understand your PR and can be used as a start for the documentation. Additionally (see https://symfony.com/releases): - Always add tests and ensure they pass. - Never break backward compatibility (see https://symfony.com/bc). - Bug fixes must be submitted against the lowest maintained branch where they apply (lowest branches are regularly merged to upper ones so they get the fixes too.) - Features and deprecations must be submitted against branch master. --> I have just duplicated the PR #33650 (from @skalpa) but using the new component ErrorHandler and removing the priority. Project that reproduces the bug on Symfony 5.2: https://github.com/monteiro/serializer-pr37087 (all steps are on the README). Since this adds a new class and changes behavior, we add this new feature on the 5.2 branch. Commits ------- 78fbd0a [Messenger] Add FlattenException Normalizer
This adds a new normalizer for
FlattenExceptionobjects.It is against 4.3 and marked as a bug fix, because the Serializer component's current inability to deserialize
FlattenExceptionobjects breaks Messenger when used with the component (see #32719 for details).The new FlattenException class of the ErrorRenderer component suffers from the same problem, so once merged it will probably have to be amended on 4.4 to support the ErrorRenderer as well.