[Serializer] Handle invalid mapping type property type #60296
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This comment was marked as outdated.
This comment was marked as outdated.
KorvinSzanto
requested review from
xabbuh,
lyrixx,
yceruto,
welcoMattic,
kbond,
chalasr,
OskarStark and
jderusse
as code owners
KorvinSzanto
force-pushed
the
handle-invalid-type-type
branch
from
355794e to
ebad77f
Compare
lyrixx
reviewed
Apr 29, 2025
mtarld
reviewed
Apr 30, 2025
| $normalizedData = $normalizer->denormalize(['foo' => 'foo', 'baz' => 'baz', 'quux' => ['value' => 'quux'], 'type' => $typeValue], AbstractDummy::class); | ||
|
|
||
| if ($shouldFail) { | ||
| $this->fail('Expected exception not thrown.'); |
There was a problem hiding this comment.
This is not needed because of the exceptException above
| }; | ||
|
|
||
| $discriminatorResolver = new ClassDiscriminatorFromClassMetadata($loaderMock); | ||
| $normalizer = new AbstractObjectNormalizerDummy($factory, null, new PhpDocExtractor(), $discriminatorResolver); |
There was a problem hiding this comment.
I'm not sure you need the PhpDocExtractor here
| $discriminatorResolver = new ClassDiscriminatorFromClassMetadata($loaderMock); | ||
| $normalizer = new AbstractObjectNormalizerDummy($factory, null, new PhpDocExtractor(), $discriminatorResolver); | ||
| $serializer = new Serializer([$normalizer]); | ||
| $normalizer->setSerializer($serializer); |
|
|
||
| return [ | ||
| [[], true], | ||
| [new StdClass(), true], |
There was a problem hiding this comment.
Suggested change
| [new StdClass(), true], | |
| [new \stdClass(), true], |
| $this->assertInstanceOf(DummyFirstChildQuux::class, $normalizedData->quux); | ||
| } | ||
|
|
||
| public function provideInvalidDiscriminatorTypes() |
There was a problem hiding this comment.
Suggested change
| public function provideInvalidDiscriminatorTypes() | |
| /** | |
| * @return iterable<array{0: mixed, 1: bool}> | |
| */ | |
| public function provideInvalidDiscriminatorTypes(): iterable |
| @@ -1159,6 +1159,10 @@ private function getMappedClass(array $data, string $class, array $context): str | |||
| throw NotNormalizableValueException::createForUnexpectedDataType(\sprintf('Type property "%s" not found for the abstract object "%s".', $mapping->getTypeProperty(), $class), null, ['string'], isset($context['deserialization_path']) ? $context['deserialization_path'].'.'.$mapping->getTypeProperty() : $mapping->getTypeProperty(), false); | |||
| } | |||
|
|
|||
| if (!is_string($type) && (!is_object($type) || !method_exists($type, '__toString'))) { | |||
| throw NotNormalizableValueException::createForUnexpectedDataType(\sprintf('The type property "%s" for the abstract object "%s" must be a string.', $mapping->getTypeProperty(), $class), $type, ['string'], isset($context['deserialization_path']) ? $context['deserialization_path'].'.'.$mapping->getTypeProperty() : $mapping->getTypeProperty(), false); | |||
There was a problem hiding this comment.
Suggested change
| throw NotNormalizableValueException::createForUnexpectedDataType(\sprintf('The type property "%s" for the abstract object "%s" must be a string.', $mapping->getTypeProperty(), $class), $type, ['string'], isset($context['deserialization_path']) ? $context['deserialization_path'].'.'.$mapping->getTypeProperty() : $mapping->getTypeProperty(), false); | |
| throw NotNormalizableValueException::createForUnexpectedDataType(\sprintf('The type property "%s" for the abstract object "%s" must be a string or a stringable object.', $mapping->getTypeProperty(), $class), $type, ['string'], isset($context['deserialization_path']) ? $context['deserialization_path'].'.'.$mapping->getTypeProperty() : $mapping->getTypeProperty(), false); |
maybe?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When using
#[MapRequestPayload]along with a type that uses a#[DescriminatorMap]it's possible for a user to craft a payload that triggers aTypeErrorby passing the wrong type for the "type" property.For example, a class that has:
and a request comes in with:
will trigger a 500 because
AbstractObjectNormalizerdoesn't validate the field type before passing it to->getClassForTypewhich typehints for string.This PR adds a conditional that filters anything other than strings or objects that have a __toString method.