Thanks to visit codestin.com
Credit goes to github.com

Skip to content

[Serializer] Handle invalid mapping type property type #60296

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 5 commits into
base: 7.2
Choose a base branch
from
Open

[Serializer] Handle invalid mapping type property type #60296

wants to merge 5 commits into from
+73 −1

Conversation

KorvinSzanto
Copy link
Contributor

Q A
Branch? 7.2
Bug fix? yes
New feature? no
Deprecations? no
Issues
License MIT

When using #[MapRequestPayload] along with a type that uses a #[DescriminatorMap] it's possible for a user to craft a payload that triggers a TypeError by passing the wrong type for the "type" property.

For example, a class that has:

#[DiscriminatorMap('field', ['a' => AController::class, 'b' => BController::class])]

and a request comes in with:

Content-Type: application/json

{"field":{}}

will trigger a 500 because AbstractObjectNormalizer doesn't validate the field type before passing it to ->getClassForType which typehints for string.

This PR adds a conditional that filters anything other than strings or objects that have a __toString method.

@KorvinSzanto KorvinSzanto requested a review from dunglas as a code owner April 28, 2025 21:55
@carsonbot carsonbot added this to the 7.3 milestone Apr 28, 2025
@carsonbot

This comment was marked as outdated.

Sign in to view
@KorvinSzanto KorvinSzanto changed the title Handle invalid mapping type property type [Serializer] Handle invalid mapping type property type Apr 28, 2025
@KorvinSzanto KorvinSzanto changed the base branch from 7.3 to 7.2 April 28, 2025 21:59
@KorvinSzanto KorvinSzanto changed the base branch from 7.2 to 7.3 April 28, 2025 21:59
@KorvinSzanto KorvinSzanto force-pushed the handle-invalid-type-type branch from 355794e to ebad77f Compare April 28, 2025 22:04
@KorvinSzanto KorvinSzanto changed the base branch from 7.3 to 7.2 April 28, 2025 22:04
@lyrixx lyrixx removed their request for review April 29, 2025 10:27
lyrixx
lyrixx reviewed Apr 29, 2025
View reviewed changes
Copy link
Member

@lyrixx lyrixx left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you add a test case for this?

@mtarld mtarld modified the milestones: 7.3, 7.2 Apr 29, 2025
mtarld
mtarld reviewed Apr 30, 2025
View reviewed changes
src/Symfony/Component/Serializer/Tests/Normalizer/AbstractObjectNormalizerTest.php
$discriminatorResolver = new ClassDiscriminatorFromClassMetadata($loaderMock);
$normalizer = new AbstractObjectNormalizerDummy($factory, null, new PhpDocExtractor(), $discriminatorResolver);
$serializer = new Serializer([$normalizer]);
$normalizer->setSerializer($serializer);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this needed?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes a denormalizer is required

nicolas-grekas
nicolas-grekas reviewed Jun 27, 2025
View reviewed changes
Copy link
Member

@nicolas-grekas nicolas-grekas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@KorvinSzanto can you please check pending comments?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nicolas-grekas nicolas-grekas nicolas-grekas left review comments

@lyrixx lyrixx lyrixx left review comments

@mtarld mtarld mtarld left review comments

@dunglas dunglas Awaiting requested review from dunglas dunglas is a code owner

@xabbuh xabbuh Awaiting requested review from xabbuh

@yceruto yceruto Awaiting requested review from yceruto

@welcoMattic welcoMattic Awaiting requested review from welcoMattic

@kbond kbond Awaiting requested review from kbond

@chalasr chalasr Awaiting requested review from chalasr

@OskarStark OskarStark Awaiting requested review from OskarStark

@jderusse jderusse Awaiting requested review from jderusse

Assignees
No one assigned
Labels
Bug Status: Needs Review
Projects
None yet
Milestone
7.2
Development

Successfully merging this pull request may close these issues.
5 participants
@KorvinSzanto @carsonbot @nicolas-grekas @lyrixx @mtarld