Ensure placeholders strictly matches roles

squrious · squrious · commit 495b2ce91784 · 2023-10-23T17:08:54.000+02:00
diff --git a/src/Symfony/Component/Security/Core/Role/RoleHierarchy.php b/src/Symfony/Component/Security/Core/Role/RoleHierarchy.php
@@ -134,6 +134,6 @@ private function getPlaceholderPattern(string $role): string|false
         /** @var int $count */
         $placeholderPattern = preg_replace(pattern: '/(?<=_)\\\\\*(?=_|$)/', replacement: '[^\*]*', subject: preg_quote($role), count: $count);
 
-        return ($count > 0) ? sprintf('/%s/', $placeholderPattern) : false;
+        return ($count > 0) ? sprintf('/^%s$/', $placeholderPattern) : false;
     }
 }
diff --git a/src/Symfony/Component/Security/Core/Tests/Role/RoleHierarchyTest.php b/src/Symfony/Component/Security/Core/Tests/Role/RoleHierarchyTest.php
@@ -37,6 +37,7 @@ public function testGetReachableRoleNamesWithPlaceholders()
             'ROLE_BAZ_*' => ['ROLE_USER'],
             'ROLE_FOO_*' => ['ROLE_BAZ_FOO'],
             'ROLE_BAR_*' => ['ROLE_BAZ_BAR'],
+            'ROLE_QUX_*_BAR' => ['ROLE_FOOBAR'],
         ]);
 
         $this->assertEquals(['ROLE_BAZ_A', 'ROLE_USER'], $role->getReachableRoleNames(['ROLE_BAZ_A']));
@@ -47,6 +48,10 @@ public function testGetReachableRoleNamesWithPlaceholders()
 
         // Multiple roles matching multiple placeholders
         $this->assertEquals(['ROLE_FOO_A', 'ROLE_BAR_A', 'ROLE_BAZ_FOO', 'ROLE_BAZ_BAR', 'ROLE_USER'], $role->getReachableRoleNames(['ROLE_FOO_A', 'ROLE_BAR_A']));
+
+        // Test placeholders don't match more than the pattern
+        $this->assertEquals(['FOO_ROLE_FOO_A'], $role->getReachableRoleNames(['FOO_ROLE_FOO_A'])); // Doesn't start with ROLE_FOO_
+        $this->assertEquals(['ROLE_QUX_A_BARA'], $role->getReachableRoleNames(['ROLE_QUX_A_BARA'])); // Doesn't end with _BAR
     }
 
     public function testGetReachableRoleNamesWithRecursivePlaceholders()

Original file line number	Diff line number	Diff line change
`@@ -134,6 +134,6 @@ private function getPlaceholderPattern(string $role): string\|false`
`134`	`134`	`/** @var int $count */`
`135`	`135`	`$placeholderPattern = preg_replace(pattern: '/(?<=_)\\\\\(?=_\|$)/', replacement: '[^\]*', subject: preg_quote($role), count: $count);`
`136`	`136`
`137`		`- return ($count > 0) ? sprintf('/%s/', $placeholderPattern) : false;`
	`137`	`+ return ($count > 0) ? sprintf('/^%s$/', $placeholderPattern) : false;`
`138`	`138`	`}`
`139`	`139`	`}`