feature symfony#61173 [HttpFoundation][HttpKernel][WebProfilerBundle] Add support for the QUERY HTTP method (alexandre-daubois)

This PR was merged into the 7.4 branch.

Discussion
----------

[HttpFoundation][HttpKernel][WebProfilerBundle] Add support for the `QUERY` HTTP method

| Q             | A
| ------------- | ---
| Branch?       | 7.4
| Bug fix?      | no
| New feature?  | yes
| Deprecations? | no
| Issues        | Fix symfony#60521
| License       | MIT

Not much difference from `GET`, appart that the request body is used to generate the cache key in `HttpCache`.

Webprofiler integration:

<img width="2072" height="778" alt="image" src="https://github.com/user-attachments/assets/4a5c8c3a-e15b-4b96-9a7f-6edafecb67d8" />

Commits
-------

466c5d7 [HttpFoundation][HttpKernel][WebProfilerBundle] Add support for the `QUERY` HTTP method

Author: fabpot

src/Symfony/Bundle/WebProfilerBundle/CHANGELOG.md

@@ -1,6 +1,11 @@
 CHANGELOG
 =========
 
+7.4
+---
+
+ * Add support for the `QUERY` HTTP method in the profiler
+
 7.3
 ---
 

src/Symfony/Bundle/WebProfilerBundle/Resources/views/Profiler/search.html.twig

@@ -25,7 +25,7 @@
                     {% if 'command' == profile_type %}
                         {% set methods = ['BATCH', 'INTERACTIVE'] %}
                     {% else %}
-                        {% set methods = ['DELETE', 'GET', 'HEAD', 'PATCH', 'POST', 'PUT'] %}
+                        {% set methods = ['DELETE', 'GET', 'HEAD', 'PATCH', 'POST', 'PUT', 'QUERY'] %}
                     {% endif %}
                     {% for m in methods %}
                         <option {{ m == method ? 'selected="selected"' }}>{{ m }}</option>

src/Symfony/Component/HttpFoundation/CHANGELOG.md

@@ -5,6 +5,7 @@ CHANGELOG
 ---
 
  * Deprecate using `Request::sendHeaders()` after headers have already been sent; use a `StreamedResponse` instead
+ * Add support for the `QUERY` HTTP method
 
 7.3
 ---

src/Symfony/Component/HttpFoundation/Request.php

@@ -62,6 +62,7 @@ class Request
     public const METHOD_OPTIONS = 'OPTIONS';
     public const METHOD_TRACE = 'TRACE';
     public const METHOD_CONNECT = 'CONNECT';
+    public const METHOD_QUERY = 'QUERY';
 
     /**
      * @var string[]
@@ -254,7 +255,7 @@ public static function createFromGlobals(): static
         $request = self::createRequestFromFactory($_GET, $_POST, [], $_COOKIE, $_FILES, $_SERVER);
 
         if (str_starts_with($request->headers->get('CONTENT_TYPE', ''), 'application/x-www-form-urlencoded')
-            && \in_array(strtoupper($request->server->get('REQUEST_METHOD', 'GET')), ['PUT', 'DELETE', 'PATCH'], true)
+            && \in_array(strtoupper($request->server->get('REQUEST_METHOD', 'GET')), ['PUT', 'DELETE', 'PATCH', 'QUERY'], true)
         ) {
             parse_str($request->getContent(), $data);
             $request->request = new InputBag($data);
@@ -350,6 +351,7 @@ public static function create(string $uri, string $method = 'GET', array $parame
             case 'POST':
             case 'PUT':
             case 'DELETE':
+            case 'QUERY':
                 if (!isset($server['CONTENT_TYPE'])) {
                     $server['CONTENT_TYPE'] = 'application/x-www-form-urlencoded';
                 }
@@ -1175,7 +1177,7 @@ public function getMethod(): string
 
         $method = strtoupper($method);
 
-        if (\in_array($method, ['GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'CONNECT', 'OPTIONS', 'PATCH', 'PURGE', 'TRACE'], true)) {
+        if (\in_array($method, ['GET', 'HEAD', 'POST', 'PUT', 'DELETE', 'CONNECT', 'OPTIONS', 'PATCH', 'PURGE', 'TRACE', 'QUERY'], true)) {
             return $this->method = $method;
         }
 
@@ -1351,15 +1353,15 @@ public function isMethod(string $method): bool
      */
     public function isMethodSafe(): bool
     {
-        return \in_array($this->getMethod(), ['GET', 'HEAD', 'OPTIONS', 'TRACE'], true);
+        return \in_array($this->getMethod(), ['GET', 'HEAD', 'OPTIONS', 'TRACE', 'QUERY'], true);
     }
 
     /**
      * Checks whether or not the method is idempotent.
      */
     public function isMethodIdempotent(): bool
     {
-        return \in_array($this->getMethod(), ['HEAD', 'GET', 'PUT', 'DELETE', 'TRACE', 'OPTIONS', 'PURGE'], true);
+        return \in_array($this->getMethod(), ['HEAD', 'GET', 'PUT', 'DELETE', 'TRACE', 'OPTIONS', 'PURGE', 'QUERY'], true);
     }
 
     /**
@@ -1369,7 +1371,7 @@ public function isMethodIdempotent(): bool
      */
     public function isMethodCacheable(): bool
     {
-        return \in_array($this->getMethod(), ['GET', 'HEAD'], true);
+        return \in_array($this->getMethod(), ['GET', 'HEAD', 'QUERY'], true);
     }
 
     /**

src/Symfony/Component/HttpFoundation/Tests/RequestTest.php

@@ -2285,6 +2285,7 @@ public static function methodIdempotentProvider()
             ['OPTIONS', true],
             ['TRACE', true],
             ['CONNECT', false],
+            ['QUERY', true],
         ];
     }
 
@@ -2309,6 +2310,7 @@ public static function methodSafeProvider()
             ['OPTIONS', true],
             ['TRACE', true],
             ['CONNECT', false],
+            ['QUERY', true],
         ];
     }
 
@@ -2333,6 +2335,7 @@ public static function methodCacheableProvider()
             ['OPTIONS', false],
             ['TRACE', false],
             ['CONNECT', false],
+            ['QUERY', true],
         ];
     }
 

src/Symfony/Component/HttpKernel/CHANGELOG.md

@@ -4,6 +4,7 @@ CHANGELOG
 7.4
 ---
 
+ * Add support for the `QUERY` HTTP method
  * Deprecate implementing `__sleep/wakeup()` on kernels; use `__(un)serialize()` instead
  * Deprecate implementing `__sleep/wakeup()` on data collectors; use `__(un)serialize()` instead
  * Make `Profile` final and `Profiler::__sleep()` internal

src/Symfony/Component/HttpKernel/HttpCache/Store.php

@@ -427,7 +427,15 @@ public function getPath(string $key): string
      */
     protected function generateCacheKey(Request $request): string
     {
-        return 'md'.hash('sha256', $request->getUri());
+        $key = $request->getUri();
+
+        if ('QUERY' === $request->getMethod()) {
+            // add null byte to separate the URI from the body and avoid boundary collisions
+            // which could lead to cache poisoning
+            $key .= "\0".$request->getContent();
+        }
+
+        return 'md'.hash('sha256', $key);
     }
 
     /**

src/Symfony/Component/HttpKernel/Tests/HttpCache/HttpCacheTest.php

@@ -2062,6 +2062,93 @@ public function testTraceLevelShort()
         $this->assertTrue($this->response->headers->has('X-Symfony-Cache'));
         $this->assertEquals('miss', $this->response->headers->get('X-Symfony-Cache'));
     }
+
+    public function testQueryMethodIsCacheable()
+    {
+        $this->setNextResponse(200, ['Cache-Control' => 'public, max-age=10000'], 'Query result', function (Request $request) {
+            $this->assertSame('QUERY', $request->getMethod());
+
+            return '{"query": "users"}' === $request->getContent();
+        });
+
+        $this->kernel->reset();
+        $this->store = $this->createStore();
+        $this->cacheConfig['debug'] = true;
+        $this->cache = new HttpCache($this->kernel, $this->store, null, $this->cacheConfig);
+
+        $request1 = Request::create('/', 'QUERY', [], [], [], [], '{"query": "users"}');
+        $this->response = $this->cache->handle($request1, HttpKernelInterface::MAIN_REQUEST, $this->catch);
+
+        $this->assertSame(200, $this->response->getStatusCode());
+        $this->assertTraceContains('miss');
+        $this->assertSame('Query result', $this->response->getContent());
+
+        $request2 = Request::create('/', 'QUERY', [], [], [], [], '{"query": "users"}');
+        $this->response = $this->cache->handle($request2, HttpKernelInterface::MAIN_REQUEST, $this->catch);
+
+        $this->assertSame(200, $this->response->getStatusCode());
+        $this->assertTrue($this->response->headers->has('Age'));
+        $this->assertSame('Query result', $this->response->getContent());
+    }
+
+    public function testQueryMethodDifferentBodiesCreateDifferentCacheEntries()
+    {
+        $this->setNextResponses([
+            [
+                'status' => 200,
+                'body' => 'Users result',
+                'headers' => ['Cache-Control' => 'public, max-age=10000'],
+            ],
+            [
+                'status' => 200,
+                'body' => 'Posts result',
+                'headers' => ['Cache-Control' => 'public, max-age=10000'],
+            ],
+        ]);
+
+        $this->store = $this->createStore();
+        $this->cacheConfig['debug'] = true;
+        $this->cache = new HttpCache($this->kernel, $this->store, null, $this->cacheConfig);
+
+        $request1 = Request::create('/', 'QUERY', [], [], [], [], '{"query": "users"}');
+        $this->response = $this->cache->handle($request1, HttpKernelInterface::MAIN_REQUEST, $this->catch);
+
+        $this->assertSame('Users result', $this->response->getContent());
+        $this->assertTraceContains('miss');
+
+        $request2 = Request::create('/', 'QUERY', [], [], [], [], '{"query": "posts"}');
+        $this->response = $this->cache->handle($request2, HttpKernelInterface::MAIN_REQUEST, $this->catch);
+
+        $this->assertSame('Posts result', $this->response->getContent());
+        $this->assertTraceContains('miss');
+
+        $request3 = Request::create('/', 'QUERY', [], [], [], [], '{"query": "users"}');
+        $this->response = $this->cache->handle($request3, HttpKernelInterface::MAIN_REQUEST, $this->catch);
+
+        $this->assertSame('Users result', $this->response->getContent());
+        $this->assertTrue($this->response->headers->has('Age'));
+    }
+
+    public function testQueryMethodWithEmptyBodyIsCacheable()
+    {
+        $this->setNextResponse(200, ['Cache-Control' => 'public, max-age=10000'], 'Empty query result');
+        $this->kernel->reset();
+        $this->store = $this->createStore();
+        $this->cacheConfig['debug'] = true;
+        $this->cache = new HttpCache($this->kernel, $this->store, null, $this->cacheConfig);
+
+        $request1 = Request::create('/', 'QUERY', [], [], [], [], '');
+        $this->response = $this->cache->handle($request1, HttpKernelInterface::MAIN_REQUEST, $this->catch);
+
+        $this->assertSame(200, $this->response->getStatusCode());
+        $this->assertTraceContains('miss');
+
+        $request2 = Request::create('/', 'QUERY', [], [], [], [], '');
+        $this->response = $this->cache->handle($request2, HttpKernelInterface::MAIN_REQUEST, $this->catch);
+
+        $this->assertSame(200, $this->response->getStatusCode());
+        $this->assertTrue($this->response->headers->has('Age'));
+    }
 }
 
 class TestKernel implements HttpKernelInterface

src/Symfony/Component/HttpKernel/Tests/HttpCache/StoreTest.php

@@ -378,4 +378,87 @@ protected function getStorePath($key)
 
         return $m->invoke($this->store, $key);
     }
+
+    public function testQueryMethodCacheKeyIncludesBody()
+    {
+        $response = new Response('test', 200, ['Cache-Control' => 'max-age=420']);
+
+        $request1 = Request::create('/', 'QUERY', [], [], [], [], '{"query": "users"}');
+        $request2 = Request::create('/', 'QUERY', [], [], [], [], '{"query": "posts"}');
+        $request3 = Request::create('/', 'QUERY', [], [], [], [], '{"query": "users"}');
+
+        $key1 = $this->store->write($request1, $response);
+        $key2 = $this->store->write($request2, $response);
+        $key3 = $this->store->write($request3, $response);
+
+        $this->assertNotSame($key1, $key2);
+        $this->assertSame($key1, $key3);
+
+        $this->assertNotEmpty($this->getStoreMetadata($key1));
+        $this->assertNotEmpty($this->getStoreMetadata($key2));
+
+        $this->assertNotNull($this->store->lookup($request1));
+        $this->assertNotNull($this->store->lookup($request2));
+        $this->assertNotNull($this->store->lookup($request3));
+    }
+
+    public function testQueryMethodCacheKeyDiffersFromGet()
+    {
+        $response = new Response('test', 200, ['Cache-Control' => 'max-age=420']);
+
+        $getRequest = Request::create('/');
+        $queryRequest = Request::create('/', 'QUERY', [], [], [], [], '{"query": "test"}');
+
+        $getKey = $this->store->write($getRequest, $response);
+        $queryKey = $this->store->write($queryRequest, $response);
+
+        $this->assertNotSame($getKey, $queryKey);
+
+        $this->assertNotEmpty($this->getStoreMetadata($getKey));
+        $this->assertNotEmpty($this->getStoreMetadata($queryKey));
+
+        $this->assertNotNull($this->store->lookup($getRequest));
+        $this->assertNotNull($this->store->lookup($queryRequest));
+    }
+
+    public function testOtherMethodsCacheKeyIgnoresBody()
+    {
+        $response1 = new Response('test 1', 200, ['Cache-Control' => 'max-age=420']);
+        $response2 = new Response('test 2', 200, ['Cache-Control' => 'max-age=420']);
+
+        $getRequest1 = Request::create('/', 'GET', [], [], [], [], '{"data": "test"}');
+        $getRequest2 = Request::create('/', 'GET', [], [], [], [], '{"data": "different"}');
+
+        $key1 = $this->store->write($getRequest1, $response1);
+        $key2 = $this->store->write($getRequest2, $response2);
+
+        $this->assertSame($key1, $key2);
+
+        $lookup1 = $this->store->lookup($getRequest1);
+        $lookup2 = $this->store->lookup($getRequest2);
+        $this->assertNotNull($lookup1);
+        $this->assertNotNull($lookup2);
+
+        $this->assertCount(1, $this->getStoreMetadata($key1));
+        $this->assertSame($lookup1->getContent(), $lookup2->getContent());
+    }
+
+    public function testQueryMethodCacheKeyAvoidsBoundaryCollisions()
+    {
+        $response = new Response('test', 200, ['Cache-Control' => 'max-age=420']);
+
+        $request1 = Request::create('/api/query', 'QUERY', [], [], [], [], 'test');
+        $request2 = Request::create('/api/que', 'QUERY', [], [], [], [], 'rytest');
+
+        $key1 = $this->store->write($request1, $response);
+        $key2 = $this->store->write($request2, $response);
+
+        $this->assertNotSame($key1, $key2);
+
+        $this->assertNotEmpty($this->getStoreMetadata($key1));
+        $this->assertNotEmpty($this->getStoreMetadata($key2));
+
+        $this->assertNotNull($this->store->lookup($request1));
+        $this->assertNotNull($this->store->lookup($request2));
+    }
 }

src/Symfony/Component/HttpKernel/composer.json

@@ -20,7 +20,7 @@
         "symfony/deprecation-contracts": "^2.5|^3",
         "symfony/error-handler": "^6.4|^7.0|^8.0",
         "symfony/event-dispatcher": "^7.3|^8.0",
-        "symfony/http-foundation": "^7.3|^8.0",
+        "symfony/http-foundation": "^7.4|^8.0",
         "symfony/polyfill-ctype": "^1.8",
         "psr/log": "^1|^2|^3"
     },