[Serializer] Fix unexpected allowed attributes

mtarld · mtarld · commit ee9ccde7f55a · 2023-12-12T14:27:05.000+01:00
diff --git a/src/Symfony/Bundle/FrameworkBundle/Resources/config/serializer.php b/src/Symfony/Bundle/FrameworkBundle/Resources/config/serializer.php
@@ -137,6 +137,8 @@
                 service('property_info')->ignoreOnInvalid(),
                 service('serializer.mapping.class_discriminator_resolver')->ignoreOnInvalid(),
                 null,
+                [],
+                service('property_info')->ignoreOnInvalid(),
             ])
 
         ->alias(PropertyNormalizer::class, 'serializer.normalizer.property')
diff --git a/src/Symfony/Component/Serializer/Normalizer/AbstractNormalizer.php b/src/Symfony/Component/Serializer/Normalizer/AbstractNormalizer.php
@@ -217,8 +217,10 @@ protected function handleCircularReference(object $object, string $format = null
      *
      * @throws LogicException if the 'allow_extra_attributes' context variable is false and no class metadata factory is provided
      */
-    protected function getAllowedAttributes($classOrObject, array $context, bool $attributesAsString = false)
+    protected function getAllowedAttributes($classOrObject, array $context, bool $attributesAsString = false /* , bool $read = true */)
     {
+        $read = \func_get_args()[3] ?? true;
+
         $allowExtraAttributes = $context[self::ALLOW_EXTRA_ATTRIBUTES] ?? $this->defaultContext[self::ALLOW_EXTRA_ATTRIBUTES];
         if (!$this->classMetadataFactory) {
             if (!$allowExtraAttributes) {
@@ -241,7 +243,7 @@ protected function getAllowedAttributes($classOrObject, array $context, bool $at
             if (
                 !$ignore &&
                 ([] === $groups || array_intersect(array_merge($attributeMetadata->getGroups(), ['*']), $groups)) &&
-                $this->isAllowedAttribute($classOrObject, $name = $attributeMetadata->getName(), null, $context)
+                $this->isAllowedAttribute($classOrObject, $name = $attributeMetadata->getName(), null, $context, $read)
             ) {
                 $allowedAttributes[] = $attributesAsString ? $name : $attributeMetadata;
             }
@@ -269,7 +271,7 @@ protected function getGroups(array $context): array
      *
      * @return bool
      */
-    protected function isAllowedAttribute($classOrObject, string $attribute, string $format = null, array $context = [])
+    protected function isAllowedAttribute($classOrObject, string $attribute, string $format = null, array $context = [] /* , bool $read = true */)
     {
         $ignoredAttributes = $context[self::IGNORED_ATTRIBUTES] ?? $this->defaultContext[self::IGNORED_ATTRIBUTES];
         if (\in_array($attribute, $ignoredAttributes)) {
@@ -360,7 +362,7 @@ protected function instantiateObject(array &$data, string $class, array &$contex
                 $context['deserialization_path'] = $objectDeserializationPath ? $objectDeserializationPath.'.'.$paramName : $paramName;
 
                 $allowed = false === $allowedAttributes || \in_array($paramName, $allowedAttributes);
-                $ignored = !$this->isAllowedAttribute($class, $paramName, $format, $context);
+                $ignored = !$this->isAllowedAttribute($class, $paramName, $format, $context, false);
                 if ($constructorParameter->isVariadic()) {
                     if ($allowed && !$ignored && (isset($data[$key]) || \array_key_exists($key, $data))) {
                         if (!\is_array($data[$key])) {
diff --git a/src/Symfony/Component/Serializer/Normalizer/AbstractObjectNormalizer.php b/src/Symfony/Component/Serializer/Normalizer/AbstractObjectNormalizer.php
@@ -159,7 +159,7 @@ public function normalize($object, string $format = null, array $context = [])
 
         $data = [];
         $stack = [];
-        $attributes = $this->getAttributes($object, $format, $context);
+        $attributes = $this->getAttributes($object, $format, $context, true);
         $class = $this->objectClassResolver ? ($this->objectClassResolver)($object) : \get_class($object);
         $attributesMetadata = $this->classMetadataFactory ? $this->classMetadataFactory->getMetadataFor($class)->getAttributesMetadata() : null;
         if (isset($context[self::MAX_DEPTH_HANDLER])) {
@@ -300,8 +300,10 @@ protected function instantiateObject(array &$data, string $class, array &$contex
      *
      * @return string[]
      */
-    protected function getAttributes(object $object, ?string $format, array $context)
+    protected function getAttributes(object $object, ?string $format, array $context /* , bool $read = true */)
     {
+        $read = \func_get_args()[3] ?? true;
+
         $class = $this->objectClassResolver ? ($this->objectClassResolver)($object) : \get_class($object);
         $key = $class.'-'.$context['cache_key'];
 
@@ -319,7 +321,7 @@ protected function getAttributes(object $object, ?string $format, array $context
             return $allowedAttributes;
         }
 
-        $attributes = $this->extractAttributes($object, $format, $context);
+        $attributes = $this->extractAttributes($object, $format, $context, $read);
 
         if ($this->classDiscriminatorResolver && $mapping = $this->classDiscriminatorResolver->getMappingForMappedObject($object)) {
             array_unshift($attributes, $mapping->getTypeProperty());
@@ -337,7 +339,7 @@ protected function getAttributes(object $object, ?string $format, array $context
      *
      * @return string[]
      */
-    abstract protected function extractAttributes(object $object, string $format = null, array $context = []);
+    abstract protected function extractAttributes(object $object, string $format = null, array $context = [] /* , bool $read = true */);
 
     /**
      * Gets the attribute value.
@@ -384,7 +386,7 @@ public function denormalize($data, string $type, string $format = null, array $c
 
             $attributeContext = $this->getAttributeDenormalizationContext($resolvedClass, $attribute, $context);
 
-            if ((false !== $allowedAttributes && !\in_array($attribute, $allowedAttributes)) || !$this->isAllowedAttribute($resolvedClass, $attribute, $format, $context)) {
+            if ((false !== $allowedAttributes && !\in_array($attribute, $allowedAttributes)) || !$this->isAllowedAttribute($resolvedClass, $attribute, $format, $context, false)) {
                 if (!($context[self::ALLOW_EXTRA_ATTRIBUTES] ?? $this->defaultContext[self::ALLOW_EXTRA_ATTRIBUTES])) {
                     $extraAttributes[] = $attribute;
                 }
diff --git a/src/Symfony/Component/Serializer/Normalizer/GetSetMethodNormalizer.php b/src/Symfony/Component/Serializer/Normalizer/GetSetMethodNormalizer.php
@@ -36,22 +36,23 @@
  */
 class GetSetMethodNormalizer extends AbstractObjectNormalizer
 {
+    private static $reflectionCache = [];
     private static $setterAccessibleCache = [];
 
     /**
      * {@inheritdoc}
      */
     public function supportsNormalization($data, string $format = null)
     {
-        return parent::supportsNormalization($data, $format) && $this->supports(\get_class($data));
+        return parent::supportsNormalization($data, $format) && $this->supports(\get_class($data), true);
     }
 
     /**
      * {@inheritdoc}
      */
     public function supportsDenormalization($data, string $type, string $format = null)
     {
-        return parent::supportsDenormalization($data, $type, $format) && $this->supports($type);
+        return parent::supportsDenormalization($data, $type, $format) && $this->supports($type, false);
     }
 
     /**
@@ -63,22 +64,28 @@ public function hasCacheableSupportsMethod(): bool
     }
 
     /**
-     * Checks if the given class has any getter method.
+     * Checks if the given class has any getter or setter method.
      */
-    private function supports(string $class): bool
+    private function supports(string $class, bool $read): bool
     {
         if (null !== $this->classDiscriminatorResolver && $this->classDiscriminatorResolver->getMappingForClass($class)) {
             return true;
         }
 
-        $class = new \ReflectionClass($class);
-        $methods = $class->getMethods(\ReflectionMethod::IS_PUBLIC);
-        foreach ($methods as $method) {
-            if ($this->isGetMethod($method)) {
-                return true;
-            }
+        if (!isset(self::$reflectionCache[$class])) {
+            self::$reflectionCache[$class] = new \ReflectionClass($class);
         }
 
+        $reflection = self::$reflectionCache[$class];
+
+        do {
+            foreach ($reflection->getMethods(\ReflectionMethod::IS_PUBLIC) as $reflectionMethod) {
+                if ($read && $this->isGetMethod($reflectionMethod) || !$read && $this->isSetMethod($reflectionMethod)) {
+                    return true;
+                }
+            }
+        } while ($reflection = $reflection->getParentClass());
+
         return false;
     }
 
@@ -95,11 +102,24 @@ private function isGetMethod(\ReflectionMethod $method): bool
             );
     }
 
+    /**
+     * Checks if a method's name matches /^set.+$/ and can be called non-statically with one parameter.
+     */
+    private function isSetMethod(\ReflectionMethod $method): bool
+    {
+        return !$method->isStatic()
+            && (\PHP_VERSION_ID < 80000 || !$method->getAttributes(Ignore::class))
+            && 1 === $method->getNumberOfRequiredParameters()
+            && str_starts_with($method->name, 'set');
+    }
+
     /**
      * {@inheritdoc}
      */
-    protected function extractAttributes(object $object, string $format = null, array $context = [])
+    protected function extractAttributes(object $object, string $format = null, array $context = [] /* , bool $read = true */)
     {
+        $read = \func_get_args()[3] ?? true;
+
         $reflectionObject = new \ReflectionObject($object);
         $reflectionMethods = $reflectionObject->getMethods(\ReflectionMethod::IS_PUBLIC);
 
@@ -111,7 +131,7 @@ protected function extractAttributes(object $object, string $format = null, arra
 
             $attributeName = lcfirst(substr($method->name, str_starts_with($method->name, 'is') ? 2 : 3));
 
-            if ($this->isAllowedAttribute($object, $attributeName, $format, $context)) {
+            if ($this->isAllowedAttribute($object, $attributeName, $format, $context, $read)) {
                 $attributes[] = $attributeName;
             }
         }
@@ -160,4 +180,51 @@ protected function setAttributeValue(object $object, string $attribute, $value,
             $object->$setter($value);
         }
     }
+
+    protected function isAllowedAttribute($classOrObject, string $attribute, string $format = null, array $context = [] /* , bool $read = true */)
+    {
+        $read = \func_get_args()[4] ?? true;
+
+        if (!parent::isAllowedAttribute($classOrObject, $attribute, $format, $context, $read)) {
+            return false;
+        }
+
+        $class = \is_object($classOrObject) ? \get_class($classOrObject) : $classOrObject;
+
+        if (!isset(self::$reflectionCache[$class])) {
+            self::$reflectionCache[$class] = new \ReflectionClass($class);
+        }
+
+        $reflection = self::$reflectionCache[$class];
+
+        do {
+            if ($read) {
+                foreach (['get', 'is', 'has'] as $getterPrefix) {
+                    $getter = $getterPrefix.ucfirst($attribute);
+                    $reflectionMethod = $reflection->hasMethod($getter) ? $reflection->getMethod($getter) : null;
+                    if ($reflectionMethod && $this->isGetMethod($reflectionMethod)) {
+                        return true;
+                    }
+                }
+            } else {
+                $setter = 'set'.ucfirst($attribute);
+                $reflectionMethod = $reflection->hasMethod($setter) ? $reflection->getMethod($setter) : null;
+                if ($reflectionMethod && $this->isSetMethod($reflectionMethod)) {
+                    return true;
+                }
+
+                $constructor = $reflection->getConstructor();
+
+                if ($constructor && $constructor->isPublic()) {
+                    foreach ($constructor->getParameters() as $parameter) {
+                        if ($parameter->getName() === $attribute) {
+                            return true;
+                        }
+                    }
+                }
+            }
+        } while ($reflection = $reflection->getParentClass());
+
+        return false;
+    }
 }
diff --git a/src/Symfony/Component/Serializer/Normalizer/ObjectNormalizer.php b/src/Symfony/Component/Serializer/Normalizer/ObjectNormalizer.php
@@ -14,7 +14,10 @@
 use Symfony\Component\PropertyAccess\Exception\NoSuchPropertyException;
 use Symfony\Component\PropertyAccess\PropertyAccess;
 use Symfony\Component\PropertyAccess\PropertyAccessorInterface;
+use Symfony\Component\PropertyInfo\Extractor\ReflectionExtractor;
+use Symfony\Component\PropertyInfo\PropertyInfoExtractorInterface;
 use Symfony\Component\PropertyInfo\PropertyTypeExtractorInterface;
+use Symfony\Component\PropertyInfo\PropertyWriteInfo;
 use Symfony\Component\Serializer\Exception\LogicException;
 use Symfony\Component\Serializer\Mapping\AttributeMetadata;
 use Symfony\Component\Serializer\Mapping\ClassDiscriminatorResolverInterface;
@@ -29,10 +32,11 @@
 class ObjectNormalizer extends AbstractObjectNormalizer
 {
     protected $propertyAccessor;
+    protected $propertyInfoExtractor;
 
     private $objectClassResolver;
 
-    public function __construct(ClassMetadataFactoryInterface $classMetadataFactory = null, NameConverterInterface $nameConverter = null, PropertyAccessorInterface $propertyAccessor = null, PropertyTypeExtractorInterface $propertyTypeExtractor = null, ClassDiscriminatorResolverInterface $classDiscriminatorResolver = null, callable $objectClassResolver = null, array $defaultContext = [])
+    public function __construct(ClassMetadataFactoryInterface $classMetadataFactory = null, NameConverterInterface $nameConverter = null, PropertyAccessorInterface $propertyAccessor = null, PropertyTypeExtractorInterface $propertyTypeExtractor = null, ClassDiscriminatorResolverInterface $classDiscriminatorResolver = null, callable $objectClassResolver = null, array $defaultContext = [], PropertyInfoExtractorInterface $propertyInfoExtractor = null)
     {
         if (!class_exists(PropertyAccess::class)) {
             throw new LogicException('The ObjectNormalizer class requires the "PropertyAccess" component. Install "symfony/property-access" to use it.');
@@ -45,6 +49,8 @@ public function __construct(ClassMetadataFactoryInterface $classMetadataFactory
         $this->objectClassResolver = $objectClassResolver ?? function ($class) {
             return \is_object($class) ? \get_class($class) : $class;
         };
+
+        $this->propertyInfoExtractor = $propertyInfoExtractor ?: new ReflectionExtractor();
     }
 
     /**
@@ -58,8 +64,10 @@ public function hasCacheableSupportsMethod(): bool
     /**
      * {@inheritdoc}
      */
-    protected function extractAttributes(object $object, string $format = null, array $context = [])
+    protected function extractAttributes(object $object, string $format = null, array $context = [] /* , bool $read = true */)
     {
+        $read = \func_get_args()[3] ?? true;
+
         if (\stdClass::class === \get_class($object)) {
             return array_keys((array) $object);
         }
@@ -100,7 +108,7 @@ protected function extractAttributes(object $object, string $format = null, arra
                 }
             }
 
-            if (null !== $attributeName && $this->isAllowedAttribute($object, $attributeName, $format, $context)) {
+            if (null !== $attributeName && $this->isAllowedAttribute($object, $attributeName, $format, $context, $read)) {
                 $attributes[$attributeName] = true;
             }
         }
@@ -111,7 +119,7 @@ protected function extractAttributes(object $object, string $format = null, arra
                 continue;
             }
 
-            if ($reflProperty->isStatic() || !$this->isAllowedAttribute($object, $reflProperty->name, $format, $context)) {
+            if ($reflProperty->isStatic() || !$this->isAllowedAttribute($object, $reflProperty->name, $format, $context, $read)) {
                 continue;
             }
 
@@ -174,4 +182,21 @@ protected function getAllowedAttributes($classOrObject, array $context, bool $at
 
         return $allowedAttributes;
     }
+
+    protected function isAllowedAttribute($classOrObject, string $attribute, string $format = null, array $context = [] /* , bool $read = true */)
+    {
+        $read = \func_get_args()[4] ?? true;
+
+        if (!parent::isAllowedAttribute($classOrObject, $attribute, $format, $context, $read)) {
+            return false;
+        }
+        $class = \is_object($classOrObject) ? \get_class($classOrObject) : $classOrObject;
+
+        if ($read) {
+            return $this->propertyInfoExtractor->isReadable($class, $attribute);
+        }
+
+        return $this->propertyInfoExtractor->isWritable($class, $attribute)
+            || null !== ($writeInfo = $this->propertyInfoExtractor->getWriteInfo($class, $attribute)) && PropertyWriteInfo::TYPE_NONE !== $writeInfo->getType();
+    }
 }
diff --git a/src/Symfony/Component/Serializer/Normalizer/PropertyNormalizer.php b/src/Symfony/Component/Serializer/Normalizer/PropertyNormalizer.php
@@ -82,9 +82,11 @@ private function supports(string $class): bool
     /**
      * {@inheritdoc}
      */
-    protected function isAllowedAttribute($classOrObject, string $attribute, string $format = null, array $context = [])
+    protected function isAllowedAttribute($classOrObject, string $attribute, string $format = null, array $context = [] /* , bool $read = true */)
     {
-        if (!parent::isAllowedAttribute($classOrObject, $attribute, $format, $context)) {
+        $read = \func_get_args()[4] ?? true;
+
+        if (!parent::isAllowedAttribute($classOrObject, $attribute, $format, $context, $read)) {
             return false;
         }
 
@@ -103,14 +105,16 @@ protected function isAllowedAttribute($classOrObject, string $attribute, string
     /**
      * {@inheritdoc}
      */
-    protected function extractAttributes(object $object, string $format = null, array $context = [])
+    protected function extractAttributes(object $object, string $format = null, array $context = [] /* , bool $read = true */)
     {
+        $read = \func_get_args()[3] ?? true;
+
         $reflectionObject = new \ReflectionObject($object);
         $attributes = [];
 
         do {
             foreach ($reflectionObject->getProperties() as $property) {
-                if (!$this->isAllowedAttribute($reflectionObject->getName(), $property->name, $format, $context)) {
+                if (!$this->isAllowedAttribute($reflectionObject->getName(), $property->name, $format, $context, $read)) {
                     continue;
                 }
 
diff --git a/src/Symfony/Component/Serializer/Tests/Normalizer/AbstractObjectNormalizerTest.php b/src/Symfony/Component/Serializer/Tests/Normalizer/AbstractObjectNormalizerTest.php
diff --git a/src/Symfony/Component/Serializer/Tests/Normalizer/GetSetMethodNormalizerTest.php b/src/Symfony/Component/Serializer/Tests/Normalizer/GetSetMethodNormalizerTest.php
diff --git a/src/Symfony/Component/Serializer/Tests/Normalizer/ObjectNormalizerTest.php b/src/Symfony/Component/Serializer/Tests/Normalizer/ObjectNormalizerTest.php
