Merge branch '2.3'

dunglas · dunglas · commit 78c9bdbef842 · 2019-01-15T17:11:36.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -34,6 +34,7 @@
 
 ## 2.3.6
 
+* /!\ Security: a vulnerability impacting the GraphQL subsystem was allowing users authorized to run mutations for a specific resource type, to execute it on any resource, of any type
 * Fix normalization of raw collections (not API resources)
 * Fix content negotiation format matching
 
@@ -116,6 +117,10 @@
 * GraphQL: Add a `totalCount` field in GraphQL paginated collections
 * JSONAPI: Allow inclusion of related resources
 
+## 2.2.10
+
+* /!\ Security: a vulnerability impacting the GraphQL subsystem was allowing users authorized to run mutations for a specific resource type, to execute it on any resource, of any type
+
 ## 2.2.9
 
 * Fix `ExistsFilter` for inverse side of OneToOne association
diff --git a/features/graphql/mutation.feature b/features/graphql/mutation.feature
@@ -135,7 +135,7 @@ Feature: GraphQL mutation support
     Then the response status code should be 200
     And the response should be in JSON
     And the header "Content-Type" should be equal to "application/json"
-    And the JSON node "errors[0].message" should be equal to 'Item "/dummies/1" did not match expected type "ApiPlatform\Core\Tests\Fixtures\TestBundle\Entity\Foo".'
+    And the JSON node "errors[0].message" should be equal to 'Item "/dummies/1" did not match expected type "Foo".'
 
   Scenario: Delete an item with composite identifiers through a mutation
     Given there are Composite identifier objects
diff --git a/src/GraphQl/Resolver/Factory/ItemMutationResolverFactory.php b/src/GraphQl/Resolver/Factory/ItemMutationResolverFactory.php
@@ -87,7 +87,7 @@ public function __invoke(string $resourceClass = null, string $rootClass = null,
                 }
 
                 if ($resourceClass !== $this->getObjectClass($item)) {
-                    throw Error::createLocatedError(sprintf('Item "%s" did not match expected type "%s".', $args['input']['id'], $resourceClass), $info->fieldNodes, $info->path);
+                    throw Error::createLocatedError(sprintf('Item "%s" did not match expected type "%s".', $args['input']['id'], $resourceMetadata->getShortName()), $info->fieldNodes, $info->path);
                 }
             }
 

Original file line number	Diff line number	Diff line change
`@@ -87,7 +87,7 @@ public function __invoke(string $resourceClass = null, string $rootClass = null,`
`87`	`87`	`}`
`88`	`88`
`89`	`89`	`if ($resourceClass !== $this->getObjectClass($item)) {`
`90`		`- throw Error::createLocatedError(sprintf('Item "%s" did not match expected type "%s".', $args['input']['id'], $resourceClass), $info->fieldNodes, $info->path);`
	`90`	`+ throw Error::createLocatedError(sprintf('Item "%s" did not match expected type "%s".', $args['input']['id'], $resourceMetadata->getShortName()), $info->fieldNodes, $info->path);`
`91`	`91`	`}`
`92`	`92`	`}`
`93`	`93`