Following-up tohttps://twitter.com/seldaek/status/1372450636361502721 - mostly to see if the build passes or if this breaks some undocumented/unclear-to-me assumptions.

Essentially using theValid constraint should only validate objects if they exist as objects. If a user sends a string and that gets assigned to a property,Valid should not attempt autoloading that user-given string.

As far as I can tell, this is used in two places:

symfony/src/Symfony/Component/Validator/Validator/RecursiveContextualValidator.php
Lines 364 to 365 inacb32dd
if (\is_object($value)) {
$this->validateObject(
where non-objects are anyway ignored, so this change is harmless there.

symfony/src/Symfony/Component/Validator/Validator/RecursiveContextualValidator.php

Lines 652 to 660 inacb32dd

	// If the value is a scalar, pass it anyway, because we want
	// a NoSuchMetadataException to be thrown in that case
	$this->validateObject(
	$value,
	$propertyPath,
	$cascadedGroups,
	$traversalStrategy,
	$context
	);

where it's explicitly passing anything in there to get the proper exception, so my change makes sure that exception is thrownbefore autoloading attempts. I am just not 100% sure if there are cases where validateGenericNode will receive a class name as a string to validate in $value. I can't imagine why it would but that doesn't mean it's true.

carsonbot added Status: Needs Review Bug labels

Mar 18, 2021

carsonbot added this to the4.4 milestone

Mar 18, 2021

nicolas-grekas reviewed

Mar 18, 2021

View reviewed changes

src/Symfony/Component/Validator/Validator/RecursiveContextualValidator.php OutdatedShow resolvedHide resolved

nicolas-grekas approved these changes

Mar 18, 2021

View reviewed changes

carsonbot added Status: Reviewed and removed Status: Needs Review labels

Mar 18, 2021

nicolas-grekas changed the title~~Avoid triggering the autoloader for user-input values~~[Validator] Avoid triggering the autoloader for user-input values

Mar 18, 2021

Ocramius suggested changes

Mar 18, 2021

View reviewed changes

src/Symfony/Component/Validator/Validator/RecursiveContextualValidator.php Outdated

		{
		try {
		if (!\is_object($object)) {
		thrownewNoSuchMetadataException(sprintf('Cannot create metadata for non-objects. Got: "%s".',\gettype($object)));

Copy link

Contributor

OcramiusMar 18, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

TBF, the validation layer should not throw here, but reject the payload with a validation error, but I suppose "one thing at a time"

src/Symfony/Component/Validator/Validator/RecursiveContextualValidator.php Outdated

		privatefunctionvalidateObject($object,string$propertyPath,array$groups,int$traversalStrategy,ExecutionContextInterface$context)
		{
		try {
		if (!\is_object($object)) {

Copy link

Contributor

OcramiusMar 18, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

This execution path is missing a test case.

Test case would probably:

register an autoloader
verify if said autoloader is triggered with malformed input
unregister autoloader

Copy link

MemberAuthor

SeldaekMar 18, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Yeah sorry but that goes beyond the time I'm willing to invest in this :D If someone wants to add a test please be my guest.

Copy link

Contributor

OcramiusMar 18, 2021•
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

That's understandable, it's not like these kind of issues appeared/regressed because of a lack of testing or such :trollface:

EDIT: to be clear, I fully understand/agree that time constraints are what they are. I just wouldn't merge without proper testing, not asking for random contributors to put more effort in it. Somebody else will pick it up, perhaps me, if I get to it.

Copy link

Contributor

ro0NLMar 19, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

@param object $object, so this seems suspicious :)

Copy link

Contributor

ro0NLMar 19, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

ohh too quick:

it's explicitly passing anything in there to get the proper exception

but still :)

Copy link

MemberAuthor

SeldaekMar 19, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Yes and no.. if you do expect an object and you have no type hint, validing that you did indeed get an object and throwing otherwise doesn't seem that unreasonable.

Copy link

Member

stofMar 19, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

but as we explicitly use that private method with non-objects to get the error message it generates, I would change the phpdoc tomixed instead (we don't want that exception to become a TypeError due to adding a nativeobject typehint)