feature #49193 [Security] Return 403 instead of 500 when no firewall is defined (nicolas-grekas)

chalasr · chalasr · commit 01864eda8c7d · 2023-02-07T14:47:12.000+01:00
This PR was merged into the 6.3 branch. Discussion ---------- [Security] Return 403 instead of 500 when no firewall is defined | Q | A | ------------- | --- | Branch? | 6.3 | Bug fix? | no | New feature? | yes | Deprecations? | no | Tickets | #34148 | License | MIT | Doc PR | - Looks like ranting on Twitter may pay of sometimes ;) https://twitter.com/zodman/status/1620954291187097600 The changes on ErrorListener make `#[WithHttpStatus]` and `#[WithLogLevel]` propagate to child classes. Best reviewed [ignoring white spaces](https://github.com/symfony/symfony/pull/49193/files?w=1). Commits ------- c021ce7 [Security] Return 403 instead of 500 when no firewall is defined
diff --git a/src/Symfony/Component/HttpKernel/EventListener/ErrorListener.php b/src/Symfony/Component/HttpKernel/EventListener/ErrorListener.php
@@ -71,15 +71,17 @@ public function logKernelException(ExceptionEvent $event)
         // There's no specific status code defined in the configuration for this exception
         if (!$throwable instanceof HttpExceptionInterface) {
             $class = new \ReflectionClass($throwable);
-            $attributes = $class->getAttributes(WithHttpStatus::class, \ReflectionAttribute::IS_INSTANCEOF);
 
-            if ($attributes) {
-                /** @var WithHttpStatus $instance */
-                $instance = $attributes[0]->newInstance();
+            do {
+                if ($attributes = $class->getAttributes(WithHttpStatus::class, \ReflectionAttribute::IS_INSTANCEOF)) {
+                    /** @var WithHttpStatus $instance */
+                    $instance = $attributes[0]->newInstance();
 
-                $throwable = new HttpException($instance->statusCode, $throwable->getMessage(), $throwable, $instance->headers);
-                $event->setThrowable($throwable);
-            }
+                    $throwable = new HttpException($instance->statusCode, $throwable->getMessage(), $throwable, $instance->headers);
+                    $event->setThrowable($throwable);
+                    break;
+                }
+            } while ($class = $class->getParentClass());
         }
 
         $e = FlattenException::createFromThrowable($throwable);
@@ -185,14 +187,16 @@ private function resolveLogLevel(\Throwable $throwable): string
             }
         }
 
-        $attributes = (new \ReflectionClass($throwable))->getAttributes(WithLogLevel::class);
+        $class = new \ReflectionClass($throwable);
 
-        if ($attributes) {
-            /** @var WithLogLevel $instance */
-            $instance = $attributes[0]->newInstance();
+        do {
+            if ($attributes = $class->getAttributes(WithLogLevel::class)) {
+                /** @var WithLogLevel $instance */
+                $instance = $attributes[0]->newInstance();
 
-            return $instance->level;
-        }
+                return $instance->level;
+            }
+        } while ($class = $class->getParentClass());
 
         if (!$throwable instanceof HttpExceptionInterface || $throwable->getStatusCode() >= 500) {
             return LogLevel::CRITICAL;
diff --git a/src/Symfony/Component/HttpKernel/Tests/EventListener/ErrorListenerTest.php b/src/Symfony/Component/HttpKernel/Tests/EventListener/ErrorListenerTest.php
@@ -123,7 +123,7 @@ public function testHandleWithLoggerAndCustomConfiguration()
     public function testHandleWithLogLevelAttribute()
     {
         $request = new Request();
-        $event = new ExceptionEvent(new TestKernel(), $request, HttpKernelInterface::MAIN_REQUEST, new WarningWithLogLevelAttribute());
+        $event = new ExceptionEvent(new TestKernel(), $request, HttpKernelInterface::MAIN_REQUEST, new ChildOfWarningWithLogLevelAttribute());
         $logger = new TestLogger();
         $l = new ErrorListener('not used', $logger);
 
@@ -280,6 +280,7 @@ public static function exceptionWithAttributeProvider()
     {
         yield [new WithCustomUserProvidedAttribute(), 208, ['name' => 'value']];
         yield [new WithGeneralAttribute(), 412, ['some' => 'thing']];
+        yield [new ChildOfWithGeneralAttribute(), 412, ['some' => 'thing']];
     }
 }
 
@@ -341,7 +342,15 @@ class WithGeneralAttribute extends \Exception
 {
 }
 
+class ChildOfWithGeneralAttribute extends WithGeneralAttribute
+{
+}
+
 #[WithLogLevel(LogLevel::WARNING)]
 class WarningWithLogLevelAttribute extends \Exception
 {
 }
+
+class ChildOfWarningWithLogLevelAttribute extends WarningWithLogLevelAttribute
+{
+}
diff --git a/src/Symfony/Component/Security/Core/Exception/AccessDeniedException.php b/src/Symfony/Component/Security/Core/Exception/AccessDeniedException.php
@@ -11,11 +11,14 @@
 
 namespace Symfony\Component\Security\Core\Exception;
 
+use Symfony\Component\HttpKernel\Attribute\WithHttpStatus;
+
 /**
  * AccessDeniedException is thrown when the account has not the required role.
  *
  * @author Fabien Potencier <fabien@symfony.com>
  */
+#[WithHttpStatus(403)]
 class AccessDeniedException extends RuntimeException
 {
     private array $attributes = [];
diff --git a/src/Symfony/Component/Security/Core/Exception/AuthenticationException.php b/src/Symfony/Component/Security/Core/Exception/AuthenticationException.php
@@ -11,6 +11,7 @@
 
 namespace Symfony\Component\Security\Core\Exception;
 
+use Symfony\Component\HttpKernel\Attribute\WithHttpStatus;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 
 /**
@@ -19,6 +20,7 @@
  * @author Fabien Potencier <fabien@symfony.com>
  * @author Alexander <iam.asm89@gmail.com>
  */
+#[WithHttpStatus(401)]
 class AuthenticationException extends RuntimeException
 {
     /** @internal */
diff --git a/src/Symfony/Component/Security/Http/EntryPoint/Exception/NotAnEntryPointException.php b/src/Symfony/Component/Security/Http/EntryPoint/Exception/NotAnEntryPointException.php
@@ -11,12 +11,15 @@
 
 namespace Symfony\Component\Security\Http\EntryPoint\Exception;
 
+use Symfony\Component\HttpKernel\Attribute\WithHttpStatus;
+
 /**
  * Thrown by generic decorators when a decorated authenticator does not implement
  * {@see AuthenticationEntryPointInterface}.
  *
  * @author Robin Chalas <robin.chalas@gmail.com>
  */
+#[WithHttpStatus(401)]
 class NotAnEntryPointException extends \RuntimeException
 {
 }

Original file line number	Diff line number	Diff line change
`@@ -123,7 +123,7 @@ public function testHandleWithLoggerAndCustomConfiguration()`
`123`	`123`	`public function testHandleWithLogLevelAttribute()`
`124`	`124`	`{`
`125`	`125`	`$request = new Request();`
`126`		`- $event = new ExceptionEvent(new TestKernel(), $request, HttpKernelInterface::MAIN_REQUEST, new WarningWithLogLevelAttribute());`
	`126`	`+ $event = new ExceptionEvent(new TestKernel(), $request, HttpKernelInterface::MAIN_REQUEST, new ChildOfWarningWithLogLevelAttribute());`
`127`	`127`	`$logger = new TestLogger();`
`128`	`128`	`$l = new ErrorListener('not used', $logger);`
`129`	`129`
`@@ -280,6 +280,7 @@ public static function exceptionWithAttributeProvider()`
`280`	`280`	`{`
`281`	`281`	`yield [new WithCustomUserProvidedAttribute(), 208, ['name' => 'value']];`
`282`	`282`	`yield [new WithGeneralAttribute(), 412, ['some' => 'thing']];`
	`283`	`+ yield [new ChildOfWithGeneralAttribute(), 412, ['some' => 'thing']];`
`283`	`284`	`}`
`284`	`285`	`}`
`285`	`286`
`@@ -341,7 +342,15 @@ class WithGeneralAttribute extends \Exception`
`341`	`342`	`{`
`342`	`343`	`}`
`343`	`344`
	`345`	`+class ChildOfWithGeneralAttribute extends WithGeneralAttribute`
	`346`	`+{`
	`347`	`+}`
	`348`	`+`
`344`	`349`	`#[WithLogLevel(LogLevel::WARNING)]`
`345`	`350`	`class WarningWithLogLevelAttribute extends \Exception`
`346`	`351`	`{`
`347`	`352`	`}`
	`353`	`+`
	`354`	`+class ChildOfWarningWithLogLevelAttribute extends WarningWithLogLevelAttribute`
	`355`	`+{`
	`356`	`+}`
Original file line number	Diff line number	Diff line change
`@@ -11,11 +11,14 @@`
`11`	`11`
`12`	`12`	`namespace Symfony\Component\Security\Core\Exception;`
`13`	`13`
	`14`	`+use Symfony\Component\HttpKernel\Attribute\WithHttpStatus;`
	`15`	`+`
`14`	`16`	`/**`
`15`	`17`	`* AccessDeniedException is thrown when the account has not the required role.`
`16`	`18`	`*`
`17`	`19`	`* @author Fabien Potencier <fabien@symfony.com>`
`18`	`20`	`*/`
	`21`	`+#[WithHttpStatus(403)]`
`19`	`22`	`class AccessDeniedException extends RuntimeException`
`20`	`23`	`{`
`21`	`24`	`private array $attributes = [];`
Original file line number	Diff line number	Diff line change
`@@ -11,12 +11,15 @@`
`11`	`11`
`12`	`12`	`namespace Symfony\Component\Security\Http\EntryPoint\Exception;`
`13`	`13`
	`14`	`+use Symfony\Component\HttpKernel\Attribute\WithHttpStatus;`
	`15`	`+`
`14`	`16`	`/**`
`15`	`17`	`* Thrown by generic decorators when a decorated authenticator does not implement`
`16`	`18`	`* {@see AuthenticationEntryPointInterface}.`
`17`	`19`	`*`
`18`	`20`	`* @author Robin Chalas <robin.chalas@gmail.com>`
`19`	`21`	`*/`
	`22`	`+#[WithHttpStatus(401)]`
`20`	`23`	`class NotAnEntryPointException extends \RuntimeException`
`21`	`24`	`{`
`22`	`25`	`}`