PHPC-2219: Prohibit serializing PackedArray as root documents (#1480)

* PHPC-2219: Prohibit serializing PackedArray as root documents

This adds logic to php_phongo_zval_to_bson_internal() to prohibit serializing PackedArray instances as a root document. Since this function is also used in specific cases to encode a BSON array, a PHONGO_BSON_ALLOW_ROOT_ARRAY flag is introduced to relax the restriction.

* Check if existing field_path element must be freed before overwriting

* Remove function name from Javascript code strings

Author: jmikola

src/BSON/Document.c

@@ -160,7 +160,9 @@ static PHP_METHOD(MongoDB_BSON_Document, fromPHP)
 	intern = Z_DOCUMENT_OBJ_P(&zv);
 
 	intern->bson = bson_new();
-	php_phongo_zval_to_bson(data, PHONGO_BSON_NONE, intern->bson, NULL);
+
+	// Explicitly allow constructing a Document from a PackedArray
+	php_phongo_zval_to_bson(data, PHONGO_BSON_ALLOW_ROOT_ARRAY, intern->bson, NULL);
 
 	RETURN_ZVAL(&zv, 1, 1);
 }

src/MongoDB/BulkWrite.c

@@ -157,7 +157,8 @@ static bool php_phongo_bulkwrite_opts_append_array(bson_t* opts, const char* key
 		return false;
 	}
 
-	php_phongo_zval_to_bson(value, PHONGO_BSON_NONE, &b, NULL);
+	// Explicitly allow MongoDB\BSON\PackedArray for array values
+	php_phongo_zval_to_bson(value, PHONGO_BSON_ALLOW_ROOT_ARRAY, &b, NULL);
 
 	if (EG(exception)) {
 		bson_destroy(&b);
@@ -441,7 +442,8 @@ static PHP_METHOD(MongoDB_Driver_BulkWrite, update)
 		goto cleanup;
 	}
 
-	php_phongo_zval_to_bson(zupdate, PHONGO_BSON_NONE, &bupdate, NULL);
+	// Explicitly allow MongoDB\BSON\PackedArray for update pipelines
+	php_phongo_zval_to_bson(zupdate, PHONGO_BSON_ALLOW_ROOT_ARRAY, &bupdate, NULL);
 
 	if (EG(exception)) {
 		goto cleanup;

src/phongo_bson.c

@@ -21,6 +21,7 @@
 #include <Zend/zend_enum.h>
 #endif
 #include <Zend/zend_interfaces.h>
+#include <Zend/zend_portability.h>
 
 #include "php_array_api.h"
 
@@ -162,6 +163,13 @@ void php_phongo_field_path_write_item_at_current_level(php_phongo_field_path* fi
 	php_phongo_field_path_ensure_allocation(field_path, field_path->size);
 
 	if (field_path->owns_elements) {
+		/* Note: owns_elements is only used for field paths parsed from a type
+		 * map, so it's unlikely that an element would already have been
+		 * allocated here. This is in contrast to BSON encoding/decoding, which
+		 * frequently updates the field path and does not own elements. */
+		if (UNEXPECTED(field_path->elements[field_path->size])) {
+			efree(field_path->elements[field_path->size]);
+		}
 		field_path->elements[field_path->size] = estrdup(element);
 	} else {
 		field_path->elements[field_path->size] = (char*) element;

src/phongo_bson_encode.c

@@ -466,6 +466,15 @@ static void php_phongo_zval_to_bson_internal(zval* data, php_phongo_field_path*
 			}
 
 			if (instanceof_function(Z_OBJCE_P(data), php_phongo_packedarray_ce)) {
+				/* If we are at the root-level, PackedArray instances should be
+				 * prohibited unless PHONGO_BSON_ALLOW_ROOT_ARRAY is set. */
+				bool is_root_level = (field_path->size == 0);
+
+				if (is_root_level && !(flags & PHONGO_BSON_ALLOW_ROOT_ARRAY)) {
+					phongo_throw_exception(PHONGO_ERROR_UNEXPECTED_VALUE, "%s cannot be serialized as a root document", ZSTR_VAL(Z_OBJCE_P(data)->name));
+					return;
+				}
+
 				php_phongo_packedarray_t* intern = Z_PACKEDARRAY_OBJ_P(data);
 
 				phongo_bson_copy_to_noinit(intern->bson, bson);

src/phongo_bson_encode.h

@@ -22,9 +22,10 @@
 #include <php.h>
 
 typedef enum {
-	PHONGO_BSON_NONE      = 0x00,
-	PHONGO_BSON_ADD_ID    = 0x01,
-	PHONGO_BSON_RETURN_ID = 0x02
+	PHONGO_BSON_NONE             = 0,
+	PHONGO_BSON_ADD_ID           = (1 << 0),
+	PHONGO_BSON_RETURN_ID        = (1 << 1),
+	PHONGO_BSON_ALLOW_ROOT_ARRAY = (1 << 2)
 } php_phongo_bson_flags_t;
 
 void php_phongo_zval_to_bson(zval* data, php_phongo_bson_flags_t flags, bson_t* bson, bson_t** bson_out);

tests/bson/bson-fromPHP-001.phpt

@@ -34,7 +34,8 @@ $tests = array(
     array('foo' => 'bar'),
     (object) array(1, 2, 3),
     (object) array('foo' => 'bar'),
-    # The PackedArray check will fail for instances of Persistable
+    /* PackedArray cannot be serialized as a root document. Additionally, it
+     * will fail return type validation for Persistable::bsonSerialize(). */
     MongoDB\BSON\PackedArray::fromPHP([1, 2, 3]),
     MongoDB\BSON\Document::fromPHP(['foo' => 'bar']),
 );
@@ -44,20 +45,28 @@ echo "Testing top-level objects\n";
 foreach ($tests as $test) {
     try {
         echo toJson(fromPHP(new MyDocument($test))), "\n";
+    } catch (Exception $e) {
+        printf("%s: %s\n", get_class($e), $e->getMessage());
+    }
+    try {
         echo toJson(fromPHP(new MyPersistableDocument($test))), "\n";
-    } catch (MongoDB\Driver\Exception\UnexpectedValueException $e) {
-        echo $e->getMessage(), "\n";
+    } catch (Exception $e) {
+        printf("%s: %s\n", get_class($e), $e->getMessage());
     }
 }
 
 echo "\nTesting nested objects\n";
 
 foreach ($tests as $test) {
     try {
-        echo toJson(fromPHP(new MyDocument(array('nested' => new MyDocument($test))))), "\n";
-        echo toJson(fromPHP(new MyDocument(array('nested' => new MyPersistableDocument($test))))), "\n";
-    } catch (MongoDB\Driver\Exception\UnexpectedValueException $e) {
-        echo $e->getMessage(), "\n";
+        echo toJson(fromPHP(new MyDocument(['nested' => new MyDocument($test)]))), "\n";
+    } catch (Exception $e) {
+        printf("%s: %s\n", get_class($e), $e->getMessage());
+    }
+    try {
+        echo toJson(fromPHP(new MyDocument(['nested' => new MyPersistableDocument($test)]))), "\n";
+    } catch (Exception $e) {
+        printf("%s: %s\n", get_class($e), $e->getMessage());
     }
 }
 
@@ -74,8 +83,8 @@ Testing top-level objects
 { "__pclass" : { "$binary" : "TXlQZXJzaXN0YWJsZURvY3VtZW50", "$type" : "80" }, "0" : 1, "1" : 2, "2" : 3 }
 { "foo" : "bar" }
 { "__pclass" : { "$binary" : "TXlQZXJzaXN0YWJsZURvY3VtZW50", "$type" : "80" }, "foo" : "bar" }
-{ "0" : 1, "1" : 2, "2" : 3 }
-Expected MyPersistableDocument::bsonSerialize() to return an array, stdClass, or MongoDB\BSON\Document, MongoDB\BSON\PackedArray given
+MongoDB\Driver\Exception\UnexpectedValueException: MongoDB\BSON\PackedArray cannot be serialized as a root document
+MongoDB\Driver\Exception\UnexpectedValueException: Expected MyPersistableDocument::bsonSerialize() to return an array, stdClass, or MongoDB\BSON\Document, MongoDB\BSON\PackedArray given
 { "foo" : "bar" }
 { "__pclass" : { "$binary" : "TXlQZXJzaXN0YWJsZURvY3VtZW50", "$type" : "80" }, "foo" : "bar" }
 
@@ -89,7 +98,7 @@ Testing nested objects
 { "nested" : { "foo" : "bar" } }
 { "nested" : { "__pclass" : { "$binary" : "TXlQZXJzaXN0YWJsZURvY3VtZW50", "$type" : "80" }, "foo" : "bar" } }
 { "nested" : [ 1, 2, 3 ] }
-Expected MyPersistableDocument::bsonSerialize() to return an array, stdClass, or MongoDB\BSON\Document, MongoDB\BSON\PackedArray given
+MongoDB\Driver\Exception\UnexpectedValueException: Expected MyPersistableDocument::bsonSerialize() to return an array, stdClass, or MongoDB\BSON\Document, MongoDB\BSON\PackedArray given
 { "nested" : { "foo" : "bar" } }
 { "nested" : { "__pclass" : { "$binary" : "TXlQZXJzaXN0YWJsZURvY3VtZW50", "$type" : "80" }, "foo" : "bar" } }
 ===DONE===

tests/bson/bson-fromPHP_error-003.phpt

@@ -10,7 +10,7 @@ class UnknownType implements MongoDB\BSON\Type {}
 $tests = array(
     new UnknownType,
     new MongoDB\BSON\Binary('foobar', MongoDB\BSON\Binary::TYPE_GENERIC),
-    new MongoDB\BSON\Javascript('function foo(bar) {var baz = bar; var bar = foo; return bar; }'),
+    new MongoDB\BSON\Javascript('function(bar) {var baz = bar; var bar = foo; return bar; }'),
     new MongoDB\BSON\MinKey,
     new MongoDB\BSON\MaxKey,
     new MongoDB\BSON\ObjectId,

tests/bson/bson-fromPHP_error-009.phpt

@@ -0,0 +1,18 @@
+--TEST--
+MongoDB\BSON\fromPHP(): PackedArray cannot be serialized as root document
+--FILE--
+<?php
+
+require_once __DIR__ . '/../utils/basic.inc';
+
+echo throws(function() {
+    fromPHP(MongoDB\BSON\PackedArray::fromPHP([]));
+}, MongoDB\Driver\Exception\UnexpectedValueException::class), "\n";
+
+?>
+===DONE===
+<?php exit(0); ?>
+--EXPECT--
+OK: Got MongoDB\Driver\Exception\UnexpectedValueException
+MongoDB\BSON\PackedArray cannot be serialized as a root document
+===DONE===

tests/bson/bson-javascript-001.phpt

@@ -5,8 +5,8 @@ MongoDB\BSON\Javascript #001
 
 require_once __DIR__ . '/../utils/basic.inc';
 
-$js = new MongoDB\BSON\Javascript("function foo(bar) {var baz = bar; var bar = foo; return bar; }");
-$jswscope = new MongoDB\BSON\Javascript("function foo(bar) {var baz = bar; var bar = foo; return bar; }", array("foo" => 42));
+$js = new MongoDB\BSON\Javascript("function(bar) {var baz = bar; var bar = foo; return bar; }");
+$jswscope = new MongoDB\BSON\Javascript("function(bar) {var baz = bar; var bar = foo; return bar; }", array("foo" => 42));
 $tests = array(
     array("js" => $js),
     array("js" => $jswscope),

tests/bson/bson-javascript-002.phpt

@@ -5,15 +5,15 @@ MongoDB\BSON\Javascript debug handler
 
 $tests = array(
     array(
-        'function foo(bar) { return bar; }',
+        'function(bar) { return bar; }',
         array(),
     ),
     array(
-        'function foo() { return foo; }',
+        'function() { return foo; }',
         array('foo' => 42),
     ),
     array(
-        'function foo() { return id; }',
+        'function() { return id; }',
         array('id' => new MongoDB\BSON\ObjectId('53e2a1c40640fd72175d4603')),
     ),
 );
@@ -31,14 +31,14 @@ foreach ($tests as $test) {
 --EXPECTF--
 object(MongoDB\BSON\Javascript)#%d (%d) {
   ["code"]=>
-  string(33) "function foo(bar) { return bar; }"
+  string(29) "function(bar) { return bar; }"
   ["scope"]=>
   object(stdClass)#%d (%d) {
   }
 }
 object(MongoDB\BSON\Javascript)#%d (%d) {
   ["code"]=>
-  string(30) "function foo() { return foo; }"
+  string(26) "function() { return foo; }"
   ["scope"]=>
   object(stdClass)#%d (%d) {
     ["foo"]=>
@@ -47,7 +47,7 @@ object(MongoDB\BSON\Javascript)#%d (%d) {
 }
 object(MongoDB\BSON\Javascript)#%d (%d) {
   ["code"]=>
-  string(29) "function foo() { return id; }"
+  string(25) "function() { return id; }"
   ["scope"]=>
   object(stdClass)#%d (%d) {
     ["id"]=>