[Security] Unset token roles when serializing it and user implements EquatableInterface #59558

Merged: 1 commit merged into symfony:7.3 on Jan 29, 2025

Conversation

nicolas-grekas (Member)

| Q | A |
|---|---|
| Branch? | 7.3 |
| Bug fix? | no |
| New feature? | no |
| Deprecations? | no |
| Issues | - |
| License | MIT |

When the user object implements EquatableInterface, we never read the roles stored in the token object that wraps the user in the session storage.

This PR ensures we don't store these roles either - they're just wasting space.

stof (Member) commented Jan 20, 2025

> When the user object implements EquatableInterface, we never read the roles stored in the token object that wraps the user in the session storage.

This affirmation looks weird to me. The RoleVoter reads them when voting on roles.

nicolas-grekas (Member, Author)

Yes sure, I meant from the pov of ContextListener::hasUserChanged, which contains this bypass:

```php
if ($originalUser instanceof EquatableInterface) {
    return !$originalUser->isEqualTo($refreshedUser);
}
```
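The exchange above hinges on how that bypass interacts with the roles a session token carries. The following is an added, self-contained PHP illustration, not Symfony's own code: `UserInterface`, `EquatableInterface`, `Token` and `hasUserChanged()` are simplified stand-ins for the real classes (the actual ContextListener check also compares passwords and the real token has more state), and the two user classes and the revoked-role scenario are constructed for the demonstration. It shows why the stored role names are dead weight for an Equatable user, and the caveat that follows for defenders: once a user implements EquatableInterface, `isEqualTo()` alone decides whether the session token survives, so an implementation that compares only the identifier will not notice a role revocation until the user logs in again.

```php
<?php
declare(strict_types=1);

// Constructed stand-ins for the two Symfony interfaces involved; the real ones
// live in Symfony\Component\Security\Core\User and carry more methods.
interface UserInterface
{
    public function getUserIdentifier(): string;
    /** @return string[] */
    public function getRoles(): array;
}

interface EquatableInterface
{
    public function isEqualTo(UserInterface $user): bool;
}

// Minimal session token: the user plus the role names captured at login.
final class Token
{
    /** @param string[] $roleNames */
    public function __construct(private UserInterface $user, private array $roleNames) {}

    public function getUser(): UserInterface { return $this->user; }

    /** @return string[] */
    public function getRoleNames(): array { return $this->roleNames; }

    // The optimisation this PR describes: for an Equatable user the stored role
    // names are never consulted by hasUserChanged(), so they are not persisted.
    public function __serialize(): array
    {
        return [
            'user' => $this->user,
            'roleNames' => $this->user instanceof EquatableInterface ? [] : $this->roleNames,
        ];
    }

    public function __unserialize(array $data): void
    {
        $this->user = $data['user'];
        $this->roleNames = $data['roleNames'];
    }
}

// Simplified model of the per-request check (constructed; the real
// ContextListener also compares passwords before looking at roles).
function hasUserChanged(UserInterface $originalUser, Token $refreshedToken): bool
{
    $refreshedUser = $refreshedToken->getUser();

    // The bypass quoted in the thread: an Equatable user decides on its own,
    // and the role names stored in the token are never read.
    if ($originalUser instanceof EquatableInterface) {
        return !$originalUser->isEqualTo($refreshedUser);
    }

    // Otherwise compare the freshly loaded roles with the ones stored at login.
    $userRoles = array_map('strval', $refreshedUser->getRoles());
    $tokenRoles = $refreshedToken->getRoleNames();
    if (\count($userRoles) !== \count($tokenRoles)
        || \count($userRoles) !== \count(array_intersect($userRoles, $tokenRoles))) {
        return true;
    }

    return $originalUser->getUserIdentifier() !== $refreshedUser->getUserIdentifier();
}

final class PlainUser implements UserInterface
{
    public function __construct(private string $id, private array $roles) {}
    public function getUserIdentifier(): string { return $this->id; }
    public function getRoles(): array { return $this->roles; }
}

// Equatable user whose isEqualTo() compares the identifier only: this is the
// shape that silently ignores a role change between requests.
final class EquatableUser implements UserInterface, EquatableInterface
{
    public function __construct(private string $id, private array $roles) {}
    public function getUserIdentifier(): string { return $this->id; }
    public function getRoles(): array { return $this->roles; }
    public function isEqualTo(UserInterface $user): bool
    {
        return $user->getUserIdentifier() === $this->id;
    }
}

// Constructed scenario: ROLE_ADMIN was revoked between login and the next request.
$loginRoles = ['ROLE_USER', 'ROLE_ADMIN'];
$currentRoles = ['ROLE_USER'];

foreach ([PlainUser::class, EquatableUser::class] as $class) {
    $original = new $class('alice', $loginRoles);
    $sessionToken = unserialize(serialize(new Token($original, $loginRoles))); // round trip through the session
    $refreshed = new $class('alice', $currentRoles);                           // as re-loaded from the user provider
    $refreshedToken = new Token($refreshed, $sessionToken->getRoleNames());

    printf("%-14s stored roles: %-25s session invalidated: %s\n",
        $class,
        json_encode($sessionToken->getRoleNames()),
        hasUserChanged($original, $refreshedToken) ? 'yes' : 'no');
}
```

Run it with `php example.php`: the plain user's token keeps `["ROLE_USER","ROLE_ADMIN"]` in the session and the role revocation invalidates the session, while the Equatable user's token stores `[]` and the session survives because `isEqualTo()` never looked at roles. If role changes must take effect immediately for an Equatable user, its `isEqualTo()` has to compare `getRoles()` itself.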

nicolas-grekas (Member, Author)

Friendly ping @symfony/mergers

@nicolas-grekas nicolas-grekas merged commit eff9b52 into symfony:7.3 Jan 29, 2025
11 checks passed
@nicolas-grekas nicolas-grekas deleted the sec-optim branch January 29, 2025 10:25