Skip to content

[Validator] prevent hash collisions caused by reused object hashes #38387

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Nov 13, 2020
Merged

[Validator] prevent hash collisions caused by reused object hashes #38387

merged 2 commits into from
Nov 13, 2020

Conversation

xabbuh
Copy link
Member

@xabbuh xabbuh commented Oct 2, 2020

Q A
Branch? 3.4
Bug fix? yes
New feature? no
Deprecations? no
Tickets Fix #36415
License MIT
Doc PR

@xabbuh xabbuh added this to the 3.4 milestone Oct 2, 2020
@xabbuh xabbuh mentioned this pull request Oct 2, 2020
Merged
@xabbuh
Copy link
Member Author

xabbuh commented Oct 2, 2020

ping @fancyweb

@xabbuh xabbuh mentioned this pull request Oct 2, 2020
Closed
@nicolas-grekas nicolas-grekas changed the title [Validator] prevent hash collisions caused by resued object hashes [Validator] prevent hash collisions caused by reused object hashes Oct 2, 2020
stof
stof reviewed Oct 2, 2020
View reviewed changes
src/Symfony/Component/Validator/Validator/RecursiveContextualValidator.php Outdated
return spl_object_hash($object);
}

private function cleanUpObjectRefs()
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

shouldn't calls to this cleanUpObjectRefs happen in a finally block instead, to be sure we also record the end of the callstack when some called code triggers an exception ?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In fact keeping the object references in the validator instance does not work as expected as new validator instances can be created in one validation run. I decided to move the reference handling to the execution context instead which also saves us from worrying about have to clean up the stored references instead.

@xabbuh xabbuh force-pushed the validator-cache-key-collisions branch 3 times, most recently from 907ddf6 to 752d2a4 Compare October 2, 2020 14:55
fancyweb
fancyweb suggested changes Oct 2, 2020
View reviewed changes
Copy link
Contributor

@fancyweb fancyweb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As discussed on Slack, we would need a test that assert that using the same constraint instance on several paths on the same RecursiveContextualValidator instance (by using atPath()) works correctly.

@xabbuh xabbuh force-pushed the validator-cache-key-collisions branch 2 times, most recently from 15b77b1 to 85f359c Compare October 7, 2020 11:21
@fabpot fabpot modified the milestones: 3.4, 4.4 Oct 28, 2020
@xabbuh xabbuh force-pushed the validator-cache-key-collisions branch from 85f359c to 9c81f2a Compare November 12, 2020 08:35
@xabbuh xabbuh changed the base branch from 3.4 to 4.4 November 12, 2020 08:37
@xabbuh xabbuh requested a review from yceruto as a code owner November 12, 2020 08:37
@xabbuh xabbuh force-pushed the validator-cache-key-collisions branch 3 times, most recently from 89c48ea to 099886f Compare November 12, 2020 14:30
@xabbuh xabbuh force-pushed the validator-cache-key-collisions branch from 099886f to 8dd1a6e Compare November 13, 2020 09:14
@xabbuh
Copy link
Member Author

xabbuh commented Nov 13, 2020

Thank you @fancyweb.

@xabbuh xabbuh merged commit c72f853 into symfony:4.4 Nov 13, 2020
@xabbuh xabbuh deleted the validator-cache-key-collisions branch November 13, 2020 09:31
@fabpot fabpot mentioned this pull request Nov 21, 2020
Merged
This was referenced Nov 29, 2020
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stof stof stof left review comments

@nicolas-grekas nicolas-grekas nicolas-grekas approved these changes

@yceruto yceruto yceruto approved these changes

@fancyweb fancyweb fancyweb approved these changes

@dunglas dunglas Awaiting requested review from dunglas

@lyrixx lyrixx Awaiting requested review from lyrixx

@sroze sroze Awaiting requested review from sroze

Assignees
No one assigned
Labels
Bug Status: Reviewed Validator
Projects
None yet
Milestone
4.4
Development

Successfully merging this pull request may close these issues.
7 participants
@xabbuh @nicolas-grekas @stof @yceruto @fancyweb @fabpot @carsonbot