AC-10815 - API Input validation

Author: sreenia806

lib/internal/Magento/Framework/Webapi/ServiceInputProcessor.php

@@ -228,10 +228,6 @@ public function process($serviceClassName, $serviceMethodName, array $inputArray
     private function getConstructorData(string $className, array $data): array
     {
         $preferenceClass = $this->config->getPreference($className);
-        if (is_subclass_of($preferenceClass, \SimpleXMLElement::class)
-            || is_subclass_of($preferenceClass, \DOMElement::class)) {
-            return [];
-        }
         $class = new ClassReflection($preferenceClass ?: $className);
 
         try {
@@ -270,7 +266,7 @@ private function getConstructorData(string $className, array $data): array
      *
      * @param string $className
      * @param array $data
-     * @return object the newly created and populated object
+     * @return object|null the newly created and populated object
      * @throws \Exception
      * @throws SerializationException
      * @SuppressWarnings(PHPMD.NPathComplexity)
@@ -282,6 +278,10 @@ protected function _createFromArray($className, $data)
         // convert to string directly to avoid situations when $className is object
         // which implements __toString method like \ReflectionObject
         $className = (string) $className;
+        if (is_subclass_of($className, \SimpleXMLElement::class)
+            || is_subclass_of($className, \DOMElement::class)) {
+            return null;
+        }
         $class = new ClassReflection($className);
         if (is_subclass_of($className, self::EXTENSION_ATTRIBUTES_TYPE)) {
             $className = substr($className, 0, -strlen('Interface'));