bug symfony#60296 [Serializer] Handle invalid mapping type property type (KorvinSzanto)

fabpot · fabpot · commit de2a7ab9e6f2 · 2025-07-26T14:59:07.000+02:00
This PR was squashed before being merged into the 7.2 branch. Discussion ---------- [Serializer] Handle invalid mapping type property type | Q | A | ------------- | --- | Branch? | 7.2 | Bug fix? | yes | New feature? | no | Deprecations? | no | Issues | | License | MIT When using `#[MapRequestPayload]` along with a type that uses a `#[DescriminatorMap]` it's possible for a user to craft a payload that triggers a `TypeError` by passing the wrong type for the "type" property. For example, a class that has: ```php #[DiscriminatorMap('field', ['a' => AController::class, 'b' => BController::class])] ``` and a request comes in with: ``` Content-Type: application/json {"field":{}} ``` will trigger a 500 because `AbstractObjectNormalizer` doesn't validate the field type before passing it to `->getClassForType` which typehints for string. This PR adds a conditional that filters anything other than strings or objects that have a __toString method. Commits ------- 6ab0182 [Serializer] Handle invalid mapping type property type
diff --git a/src/Symfony/Component/Serializer/Normalizer/AbstractObjectNormalizer.php b/src/Symfony/Component/Serializer/Normalizer/AbstractObjectNormalizer.php
@@ -1184,6 +1184,10 @@ private function getMappedClass(array $data, string $class, array $context): str
             throw NotNormalizableValueException::createForUnexpectedDataType(\sprintf('Type property "%s" not found for the abstract object "%s".', $mapping->getTypeProperty(), $class), null, ['string'], isset($context['deserialization_path']) ? $context['deserialization_path'].'.'.$mapping->getTypeProperty() : $mapping->getTypeProperty(), false);
         }
 
+        if (!\is_string($type) && (!\is_object($type) || !method_exists($type, '__toString'))) {
+            throw NotNormalizableValueException::createForUnexpectedDataType(\sprintf('The type property "%s" for the abstract object "%s" must be a string or a stringable object.', $mapping->getTypeProperty(), $class), $type, ['string'], isset($context['deserialization_path']) ? $context['deserialization_path'].'.'.$mapping->getTypeProperty() : $mapping->getTypeProperty(), false);
+        }
+
         if (null === $mappedClass = $mapping->getClassForType($type)) {
             throw NotNormalizableValueException::createForUnexpectedDataType(\sprintf('The type "%s" is not a valid value.', $type), $type, ['string'], isset($context['deserialization_path']) ? $context['deserialization_path'].'.'.$mapping->getTypeProperty() : $mapping->getTypeProperty(), true);
         }
diff --git a/src/Symfony/Component/Serializer/Tests/Fixtures/Attributes/AbstractDummyFirstChild.php b/src/Symfony/Component/Serializer/Tests/Fixtures/Attributes/AbstractDummyFirstChild.php
@@ -16,6 +16,7 @@
 class AbstractDummyFirstChild extends AbstractDummy
 {
     public $bar;
+    public $baz;
 
     /** @var DummyFirstChildQuux|null */
     public $quux;
diff --git a/src/Symfony/Component/Serializer/Tests/Normalizer/AbstractObjectNormalizerTest.php b/src/Symfony/Component/Serializer/Tests/Normalizer/AbstractObjectNormalizerTest.php
@@ -528,6 +528,73 @@ private function getDenormalizerForStringCollection()
         return $denormalizer;
     }
 
+    /**
+     * @dataProvider provideInvalidDiscriminatorTypes
+     */
+    public function testDenormalizeWithDiscriminatorMapHandlesInvalidTypeValue(mixed $typeValue, bool $shouldFail)
+    {
+        if ($shouldFail) {
+            $this->expectException(NotNormalizableValueException::class);
+            $this->expectExceptionMessage(
+                'The type property "type" for the abstract object "Symfony\Component\Serializer\Tests\Fixtures\Attributes\AbstractDummy" must be a string or a stringable object.'
+            );
+        }
+
+        $factory = new ClassMetadataFactory(new AttributeLoader());
+
+        $loaderMock = new class implements ClassMetadataFactoryInterface {
+            public function getMetadataFor($value): ClassMetadataInterface
+            {
+                if (AbstractDummy::class === $value) {
+                    return new ClassMetadata(
+                        AbstractDummy::class,
+                        new ClassDiscriminatorMapping('type', [
+                            'first' => AbstractDummyFirstChild::class,
+                            'second' => AbstractDummySecondChild::class,
+                        ])
+                    );
+                }
+
+                throw new InvalidArgumentException();
+            }
+
+            public function hasMetadataFor($value): bool
+            {
+                return AbstractDummy::class === $value;
+            }
+        };
+
+        $discriminatorResolver = new ClassDiscriminatorFromClassMetadata($loaderMock);
+        $normalizer = new AbstractObjectNormalizerDummy($factory, null, new ReflectionExtractor(), $discriminatorResolver);
+        $serializer = new Serializer([$normalizer]);
+        $normalizer->setSerializer($serializer);
+        $normalizedData = $normalizer->denormalize(['foo' => 'foo', 'baz' => 'baz', 'quux' => ['value' => 'quux'], 'type' => $typeValue], AbstractDummy::class);
+
+        $this->assertInstanceOf(DummyFirstChildQuux::class, $normalizedData->quux);
+    }
+
+    /**
+     * @return iterable<array{0: mixed, 1: bool}>
+     */
+    public static function provideInvalidDiscriminatorTypes(): array
+    {
+        $toStringObject = new class {
+            public function __toString()
+            {
+                return 'first';
+            }
+        };
+
+        return [
+            [[], true],
+            [new \stdClass(), true],
+            [123, true],
+            [false, true],
+            ['first', false],
+            [$toStringObject, false],
+        ];
+    }
+
     public function testDenormalizeWithDiscriminatorMapUsesCorrectClassname()
     {
         $factory = new ClassMetadataFactory(new AttributeLoader());
diff --git a/src/Symfony/Component/Serializer/Tests/SerializerTest.php b/src/Symfony/Component/Serializer/Tests/SerializerTest.php
@@ -452,7 +452,7 @@ public function hasMetadataFor($value): bool
         $discriminatorResolver = new ClassDiscriminatorFromClassMetadata($loaderMock);
         $serializer = new Serializer([new ObjectNormalizer(null, null, null, new PhpDocExtractor(), $discriminatorResolver)], ['json' => new JsonEncoder()]);
 
-        $jsonData = '{"type":"first","quux":{"value":"quux"},"bar":"bar-value","foo":"foo-value"}';
+        $jsonData = '{"type":"first","quux":{"value":"quux"},"bar":"bar-value","baz":null,"foo":"foo-value"}';
 
         $deserialized = $serializer->deserialize($jsonData, AbstractDummy::class, 'json');
         $this->assertEquals($example, $deserialized);

Original file line number	Diff line number	Diff line change
`@@ -1184,6 +1184,10 @@ private function getMappedClass(array $data, string $class, array $context): str`
`1184`	`1184`	`throw NotNormalizableValueException::createForUnexpectedDataType(\sprintf('Type property "%s" not found for the abstract object "%s".', $mapping->getTypeProperty(), $class), null, ['string'], isset($context['deserialization_path']) ? $context['deserialization_path'].'.'.$mapping->getTypeProperty() : $mapping->getTypeProperty(), false);`
`1185`	`1185`	`}`
`1186`	`1186`
	`1187`	`+ if (!\is_string($type) && (!\is_object($type) \|\| !method_exists($type, '__toString'))) {`
	`1188`	`+ throw NotNormalizableValueException::createForUnexpectedDataType(\sprintf('The type property "%s" for the abstract object "%s" must be a string or a stringable object.', $mapping->getTypeProperty(), $class), $type, ['string'], isset($context['deserialization_path']) ? $context['deserialization_path'].'.'.$mapping->getTypeProperty() : $mapping->getTypeProperty(), false);`
	`1189`	`+ }`
	`1190`	`+`
`1187`	`1191`	`if (null === $mappedClass = $mapping->getClassForType($type)) {`
`1188`	`1192`	`throw NotNormalizableValueException::createForUnexpectedDataType(\sprintf('The type "%s" is not a valid value.', $type), $type, ['string'], isset($context['deserialization_path']) ? $context['deserialization_path'].'.'.$mapping->getTypeProperty() : $mapping->getTypeProperty(), true);`
`1189`	`1193`	`}`
Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,7 @@`
`16`	`16`	`class AbstractDummyFirstChild extends AbstractDummy`
`17`	`17`	`{`
`18`	`18`	`public $bar;`
	`19`	`+ public $baz;`
`19`	`20`
`20`	`21`	`/** @var DummyFirstChildQuux\|null */`
`21`	`22`	`public $quux;`