bug #52172 [Serializer] Fix denormalizing empty string into object|null parameter (Jeroeny)

nicolas-grekas · nicolas-grekas · commit 1bc8d268ef7b · 2023-11-24T13:05:09.000+01:00
This PR was merged into the 5.4 branch. Discussion ---------- [Serializer] Fix denormalizing empty string into `object|null` parameter | Q | A | ------------- | --- | Branch? | 5.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | License | MIT > In XML and CSV all basic datatypes are represented as strings The `AbstractObjectNormalizer` handles this for bool, int and float types. But if a parameter is typed `Object|null`, a serialization and then deserialization will fail. This will throw: ```php final class Xml { public function __construct(public Uuid|null $element = null) { } } $test = new Xml(null); $serialized = $this->serializer->serialize($test, XmlEncoder::FORMAT); $deserialized = $this->serializer->deserialize($serialized, Xml::class, XmlEncoder::FORMAT); ``` ``` [Symfony\Component\Serializer\Exception\NotNormalizableValueException] The data is not a valid "Symfony\Component\Uid\Uuid" string representation. ``` Reproducer: https://github.com/Jeroeny/reproduce/blob/xmlnull/src/Test.php Commits ------- 62f2203 Fix denormalizing empty string into object|null parameter
diff --git a/src/Symfony/Component/Serializer/Normalizer/AbstractObjectNormalizer.php b/src/Symfony/Component/Serializer/Normalizer/AbstractObjectNormalizer.php
@@ -467,8 +467,10 @@ private function validateAndDenormalize(array $types, string $currentClass, stri
     {
         $expectedTypes = [];
         $isUnionType = \count($types) > 1;
+        $e = null;
         $extraAttributesException = null;
         $missingConstructorArgumentException = null;
+        $isNullable = false;
         foreach ($types as $type) {
             if (null === $data && $type->isNullable()) {
                 return null;
@@ -491,18 +493,22 @@ private function validateAndDenormalize(array $types, string $currentClass, stri
                 // In XML and CSV all basic datatypes are represented as strings, it is e.g. not possible to determine,
                 // if a value is meant to be a string, float, int or a boolean value from the serialized representation.
                 // That's why we have to transform the values, if one of these non-string basic datatypes is expected.
+                $builtinType = $type->getBuiltinType();
                 if (\is_string($data) && (XmlEncoder::FORMAT === $format || CsvEncoder::FORMAT === $format)) {
                     if ('' === $data) {
-                        if (Type::BUILTIN_TYPE_ARRAY === $builtinType = $type->getBuiltinType()) {
+                        if (Type::BUILTIN_TYPE_ARRAY === $builtinType) {
                             return [];
                         }
 
-                        if ($type->isNullable() && \in_array($builtinType, [Type::BUILTIN_TYPE_BOOL, Type::BUILTIN_TYPE_INT, Type::BUILTIN_TYPE_FLOAT], true)) {
-                            return null;
+                        if (Type::BUILTIN_TYPE_STRING === $builtinType) {
+                            return '';
                         }
+
+                        // Don't return null yet because Object-types that come first may accept empty-string too
+                        $isNullable = $isNullable ?: $type->isNullable();
                     }
 
-                    switch ($builtinType ?? $type->getBuiltinType()) {
+                    switch ($builtinType) {
                         case Type::BUILTIN_TYPE_BOOL:
                             // according to https://www.w3.org/TR/xmlschema-2/#boolean, valid representations are "false", "true", "0" and "1"
                             if ('false' === $data || '0' === $data) {
@@ -603,19 +609,19 @@ private function validateAndDenormalize(array $types, string $currentClass, stri
                     return $data;
                 }
             } catch (NotNormalizableValueException $e) {
-                if (!$isUnionType) {
+                if (!$isUnionType && !$isNullable) {
                     throw $e;
                 }
             } catch (ExtraAttributesException $e) {
-                if (!$isUnionType) {
+                if (!$isUnionType && !$isNullable) {
                     throw $e;
                 }
 
                 if (!$extraAttributesException) {
                     $extraAttributesException = $e;
                 }
             } catch (MissingConstructorArgumentsException $e) {
-                if (!$isUnionType) {
+                if (!$isUnionType && !$isNullable) {
                     throw $e;
                 }
 
@@ -625,6 +631,10 @@ private function validateAndDenormalize(array $types, string $currentClass, stri
             }
         }
 
+        if ($isNullable) {
+            return null;
+        }
+
         if ($extraAttributesException) {
             throw $extraAttributesException;
         }
@@ -633,6 +643,10 @@ private function validateAndDenormalize(array $types, string $currentClass, stri
             throw $missingConstructorArgumentException;
         }
 
+        if (!$isUnionType && $e) {
+            throw $e;
+        }
+
         if ($context[self::DISABLE_TYPE_ENFORCEMENT] ?? $this->defaultContext[self::DISABLE_TYPE_ENFORCEMENT] ?? false) {
             return $data;
         }
diff --git a/src/Symfony/Component/Serializer/Tests/Fixtures/DummyString.php b/src/Symfony/Component/Serializer/Tests/Fixtures/DummyString.php
@@ -0,0 +1,29 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Serializer\Tests\Fixtures;
+
+use Symfony\Component\Serializer\Normalizer\DenormalizableInterface;
+use Symfony\Component\Serializer\Normalizer\DenormalizerInterface;
+
+/**
+ * @author Jeroen <github.com/Jeroeny>
+ */
+class DummyString implements DenormalizableInterface
+{
+    /** @var string $value */
+    public $value;
+
+    public function denormalize(DenormalizerInterface $denormalizer, $data, string $format = null, array $context = [])
+    {
+        $this->value = $data;
+    }
+}
diff --git a/src/Symfony/Component/Serializer/Tests/Fixtures/DummyWithNotNormalizable.php b/src/Symfony/Component/Serializer/Tests/Fixtures/DummyWithNotNormalizable.php
@@ -0,0 +1,22 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Serializer\Tests\Fixtures;
+
+/**
+ * @author Jeroen <github.com/Jeroeny>
+ */
+class DummyWithNotNormalizable
+{
+    public function __construct(public NotNormalizableDummy|null $value)
+    {
+    }
+}
diff --git a/src/Symfony/Component/Serializer/Tests/Fixtures/DummyWithObjectOrBool.php b/src/Symfony/Component/Serializer/Tests/Fixtures/DummyWithObjectOrBool.php
@@ -0,0 +1,22 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Serializer\Tests\Fixtures;
+
+/**
+ * @author Jeroen <github.com/Jeroeny>
+ */
+class DummyWithObjectOrBool
+{
+    public function __construct(public Php80WithPromotedTypedConstructor|bool $value)
+    {
+    }
+}
diff --git a/src/Symfony/Component/Serializer/Tests/Fixtures/DummyWithObjectOrNull.php b/src/Symfony/Component/Serializer/Tests/Fixtures/DummyWithObjectOrNull.php
@@ -0,0 +1,22 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Serializer\Tests\Fixtures;
+
+/**
+ * @author Jeroen <github.com/Jeroeny>
+ */
+class DummyWithObjectOrNull
+{
+    public function __construct(public Php80WithPromotedTypedConstructor|null $value)
+    {
+    }
+}
diff --git a/src/Symfony/Component/Serializer/Tests/Fixtures/DummyWithStringObject.php b/src/Symfony/Component/Serializer/Tests/Fixtures/DummyWithStringObject.php
@@ -0,0 +1,22 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Serializer\Tests\Fixtures;
+
+/**
+ * @author Jeroen <github.com/Jeroeny>
+ */
+class DummyWithStringObject
+{
+    public function __construct(public DummyString|null $value)
+    {
+    }
+}
diff --git a/src/Symfony/Component/Serializer/Tests/Fixtures/NotNormalizableDummy.php b/src/Symfony/Component/Serializer/Tests/Fixtures/NotNormalizableDummy.php
@@ -0,0 +1,31 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Serializer\Tests\Fixtures;
+
+use Symfony\Component\Serializer\Exception\NotNormalizableValueException;
+use Symfony\Component\Serializer\Normalizer\DenormalizableInterface;
+use Symfony\Component\Serializer\Normalizer\DenormalizerInterface;
+
+/**
+ * @author Jeroen <github.com/Jeroeny>
+ */
+class NotNormalizableDummy implements DenormalizableInterface
+{
+    public function __construct()
+    {
+    }
+
+    public function denormalize(DenormalizerInterface $denormalizer, $data, string $format = null, array $context = [])
+    {
+        throw new NotNormalizableValueException();
+    }
+}
diff --git a/src/Symfony/Component/Serializer/Tests/Normalizer/AbstractObjectNormalizerTest.php b/src/Symfony/Component/Serializer/Tests/Normalizer/AbstractObjectNormalizerTest.php
@@ -14,11 +14,14 @@
 use Doctrine\Common\Annotations\AnnotationReader;
 use PHPUnit\Framework\TestCase;
 use Symfony\Component\PropertyInfo\Extractor\PhpDocExtractor;
+use Symfony\Component\PropertyInfo\Extractor\ReflectionExtractor;
+use Symfony\Component\PropertyInfo\PropertyInfoExtractor;
 use Symfony\Component\PropertyInfo\Type;
 use Symfony\Component\Serializer\Annotation\Ignore;
 use Symfony\Component\Serializer\Exception\ExtraAttributesException;
 use Symfony\Component\Serializer\Exception\InvalidArgumentException;
 use Symfony\Component\Serializer\Exception\LogicException;
+use Symfony\Component\Serializer\Exception\MissingConstructorArgumentsException;
 use Symfony\Component\Serializer\Exception\NotNormalizableValueException;
 use Symfony\Component\Serializer\Mapping\ClassDiscriminatorFromClassMetadata;
 use Symfony\Component\Serializer\Mapping\ClassDiscriminatorMapping;
@@ -30,6 +33,7 @@
 use Symfony\Component\Serializer\Mapping\Loader\AnnotationLoader;
 use Symfony\Component\Serializer\Normalizer\AbstractNormalizer;
 use Symfony\Component\Serializer\Normalizer\AbstractObjectNormalizer;
+use Symfony\Component\Serializer\Normalizer\CustomNormalizer;
 use Symfony\Component\Serializer\Normalizer\DenormalizerInterface;
 use Symfony\Component\Serializer\Normalizer\ObjectNormalizer;
 use Symfony\Component\Serializer\Serializer;
@@ -40,6 +44,11 @@
 use Symfony\Component\Serializer\Tests\Fixtures\Annotations\AbstractDummySecondChild;
 use Symfony\Component\Serializer\Tests\Fixtures\DummyFirstChildQuux;
 use Symfony\Component\Serializer\Tests\Fixtures\DummySecondChildQuux;
+use Symfony\Component\Serializer\Tests\Fixtures\DummyString;
+use Symfony\Component\Serializer\Tests\Fixtures\DummyWithNotNormalizable;
+use Symfony\Component\Serializer\Tests\Fixtures\DummyWithObjectOrBool;
+use Symfony\Component\Serializer\Tests\Fixtures\DummyWithObjectOrNull;
+use Symfony\Component\Serializer\Tests\Fixtures\DummyWithStringObject;
 
 class AbstractObjectNormalizerTest extends TestCase
 {
@@ -453,6 +462,60 @@ public function testNormalizeWithIgnoreAnnotationAndPrivateProperties()
 
         $this->assertSame(['foo' => 'foo'], $serializer->normalize(new ObjectDummyWithIgnoreAnnotationAndPrivateProperty()));
     }
+
+    /**
+     * @requires PHP 8
+     */
+    public function testDenormalizeUntypedFormat()
+    {
+        $serializer = new Serializer([new ObjectNormalizer(null, null, null, new PropertyInfoExtractor([], [new PhpDocExtractor(), new ReflectionExtractor()]))]);
+        $actual = $serializer->denormalize(['value' => ''], DummyWithObjectOrNull::class, 'xml');
+
+        $this->assertEquals(new DummyWithObjectOrNull(null), $actual);
+    }
+
+    /**
+     * @requires PHP 8
+     */
+    public function testDenormalizeUntypedFormatNotNormalizable()
+    {
+        $this->expectException(NotNormalizableValueException::class);
+        $serializer = new Serializer([new CustomNormalizer(), new ObjectNormalizer(null, null, null, new PropertyInfoExtractor([], [new PhpDocExtractor(), new ReflectionExtractor()]))]);
+        $serializer->denormalize(['value' => 'test'], DummyWithNotNormalizable::class, 'xml');
+    }
+
+    /**
+     * @requires PHP 8
+     */
+    public function testDenormalizeUntypedFormatMissingArg()
+    {
+        $this->expectException(MissingConstructorArgumentsException::class);
+        $serializer = new Serializer([new ObjectNormalizer(null, null, null, new PropertyInfoExtractor([], [new PhpDocExtractor(), new ReflectionExtractor()]))]);
+        $serializer->denormalize(['value' => 'invalid'], DummyWithObjectOrNull::class, 'xml');
+    }
+
+    /**
+     * @requires PHP 8
+     */
+    public function testDenormalizeUntypedFormatScalar()
+    {
+        $serializer = new Serializer([new ObjectNormalizer(null, null, null, new PropertyInfoExtractor([], [new PhpDocExtractor(), new ReflectionExtractor()]))]);
+        $actual = $serializer->denormalize(['value' => 'false'], DummyWithObjectOrBool::class, 'xml');
+
+        $this->assertEquals(new DummyWithObjectOrBool(false), $actual);
+    }
+
+    /**
+     * @requires PHP 8
+     */
+    public function testDenormalizeUntypedStringObject()
+    {
+        $serializer = new Serializer([new CustomNormalizer(), new ObjectNormalizer(null, null, null, new PropertyInfoExtractor([], [new PhpDocExtractor(), new ReflectionExtractor()]))]);
+        $actual = $serializer->denormalize(['value' => ''], DummyWithStringObject::class, 'xml');
+
+        $this->assertEquals(new DummyWithStringObject(new DummyString()), $actual);
+        $this->assertEquals('', $actual->value->value);
+    }
 }
 
 class AbstractObjectNormalizerDummy extends AbstractObjectNormalizer
diff --git a/src/Symfony/Component/Serializer/Tests/SerializerTest.php b/src/Symfony/Component/Serializer/Tests/SerializerTest.php
@@ -17,6 +17,7 @@
 use Symfony\Component\PropertyInfo\Extractor\PhpDocExtractor;
 use Symfony\Component\PropertyInfo\Extractor\ReflectionExtractor;
 use Symfony\Component\PropertyInfo\PropertyInfoExtractor;
+use Symfony\Component\Serializer\Encoder\CsvEncoder;
 use Symfony\Component\Serializer\Encoder\DecoderInterface;
 use Symfony\Component\Serializer\Encoder\EncoderInterface;
 use Symfony\Component\Serializer\Encoder\JsonEncoder;
@@ -62,6 +63,7 @@
 use Symfony\Component\Serializer\Tests\Fixtures\DummyMessageNumberTwo;
 use Symfony\Component\Serializer\Tests\Fixtures\DummyObjectWithEnumConstructor;
 use Symfony\Component\Serializer\Tests\Fixtures\DummyObjectWithEnumProperty;
+use Symfony\Component\Serializer\Tests\Fixtures\DummyWithObjectOrNull;
 use Symfony\Component\Serializer\Tests\Fixtures\FalseBuiltInDummy;
 use Symfony\Component\Serializer\Tests\Fixtures\NormalizableTraversableDummy;
 use Symfony\Component\Serializer\Tests\Fixtures\Php74Full;
@@ -818,6 +820,17 @@ public function testFalseBuiltInTypes()
         $this->assertEquals(new FalseBuiltInDummy(), $actual);
     }
 
+    /**
+     * @requires PHP 8
+     */
+    public function testDeserializeUntypedFormat()
+    {
+        $serializer = new Serializer([new ObjectNormalizer(null, null, null, new PropertyInfoExtractor([], [new PhpDocExtractor(), new ReflectionExtractor()]))], ['csv' => new CsvEncoder()]);
+        $actual = $serializer->deserialize('value'.\PHP_EOL.',', DummyWithObjectOrNull::class, 'csv', [CsvEncoder::AS_COLLECTION_KEY => false]);
+
+        $this->assertEquals(new DummyWithObjectOrNull(null), $actual);
+    }
+
     private function serializerWithClassDiscriminator()
     {
         $classMetadataFactory = new ClassMetadataFactory(new AnnotationLoader(new AnnotationReader()));

Original file line number	Diff line number	Diff line change
`@@ -467,8 +467,10 @@ private function validateAndDenormalize(array $types, string $currentClass, stri`
`467`	`467`	`{`
`468`	`468`	`$expectedTypes = [];`
`469`	`469`	`$isUnionType = \count($types) > 1;`
	`470`	`+ $e = null;`
`470`	`471`	`$extraAttributesException = null;`
`471`	`472`	`$missingConstructorArgumentException = null;`
	`473`	`+ $isNullable = false;`
`472`	`474`	`foreach ($types as $type) {`
`473`	`475`	`if (null === $data && $type->isNullable()) {`
`474`	`476`	`return null;`
`@@ -491,18 +493,22 @@ private function validateAndDenormalize(array $types, string $currentClass, stri`
`491`	`493`	`// In XML and CSV all basic datatypes are represented as strings, it is e.g. not possible to determine,`
`492`	`494`	`// if a value is meant to be a string, float, int or a boolean value from the serialized representation.`
`493`	`495`	`// That's why we have to transform the values, if one of these non-string basic datatypes is expected.`
	`496`	`+ $builtinType = $type->getBuiltinType();`
`494`	`497`	`if (\is_string($data) && (XmlEncoder::FORMAT === $format \|\| CsvEncoder::FORMAT === $format)) {`
`495`	`498`	`if ('' === $data) {`
`496`		`- if (Type::BUILTIN_TYPE_ARRAY === $builtinType = $type->getBuiltinType()) {`
	`499`	`+ if (Type::BUILTIN_TYPE_ARRAY === $builtinType) {`
`497`	`500`	`return [];`
`498`	`501`	`}`
`499`	`502`
`500`		`- if ($type->isNullable() && \in_array($builtinType, [Type::BUILTIN_TYPE_BOOL, Type::BUILTIN_TYPE_INT, Type::BUILTIN_TYPE_FLOAT], true)) {`
`501`		`- return null;`
	`503`	`+ if (Type::BUILTIN_TYPE_STRING === $builtinType) {`
	`504`	`+ return '';`
`502`	`505`	`}`
	`506`	`+`
	`507`	`+ // Don't return null yet because Object-types that come first may accept empty-string too`
	`508`	`+ $isNullable = $isNullable ?: $type->isNullable();`
`503`	`509`	`}`
`504`	`510`
`505`		`- switch ($builtinType ?? $type->getBuiltinType()) {`
	`511`	`+ switch ($builtinType) {`
`506`	`512`	`case Type::BUILTIN_TYPE_BOOL:`
`507`	`513`	`// according to https://www.w3.org/TR/xmlschema-2/#boolean, valid representations are "false", "true", "0" and "1"`
`508`	`514`	`if ('false' === $data \|\| '0' === $data) {`
`@@ -603,19 +609,19 @@ private function validateAndDenormalize(array $types, string $currentClass, stri`
`603`	`609`	`return $data;`
`604`	`610`	`}`
`605`	`611`	`} catch (NotNormalizableValueException $e) {`
`606`		`- if (!$isUnionType) {`
	`612`	`+ if (!$isUnionType && !$isNullable) {`
`607`	`613`	`throw $e;`
`608`	`614`	`}`
`609`	`615`	`} catch (ExtraAttributesException $e) {`
`610`		`- if (!$isUnionType) {`
	`616`	`+ if (!$isUnionType && !$isNullable) {`
`611`	`617`	`throw $e;`
`612`	`618`	`}`
`613`	`619`
`614`	`620`	`if (!$extraAttributesException) {`
`615`	`621`	`$extraAttributesException = $e;`
`616`	`622`	`}`
`617`	`623`	`} catch (MissingConstructorArgumentsException $e) {`
`618`		`- if (!$isUnionType) {`
	`624`	`+ if (!$isUnionType && !$isNullable) {`
`619`	`625`	`throw $e;`
`620`	`626`	`}`
`621`	`627`
`@@ -625,6 +631,10 @@ private function validateAndDenormalize(array $types, string $currentClass, stri`
`625`	`631`	`}`
`626`	`632`	`}`
`627`	`633`
	`634`	`+ if ($isNullable) {`
	`635`	`+ return null;`
	`636`	`+ }`
	`637`	`+`
`628`	`638`	`if ($extraAttributesException) {`
`629`	`639`	`throw $extraAttributesException;`
`630`	`640`	`}`
`@@ -633,6 +643,10 @@ private function validateAndDenormalize(array $types, string $currentClass, stri`
`633`	`643`	`throw $missingConstructorArgumentException;`
`634`	`644`	`}`
`635`	`645`
	`646`	`+ if (!$isUnionType && $e) {`
	`647`	`+ throw $e;`
	`648`	`+ }`
	`649`	`+`
`636`	`650`	`if ($context[self::DISABLE_TYPE_ENFORCEMENT] ?? $this->defaultContext[self::DISABLE_TYPE_ENFORCEMENT] ?? false) {`
`637`	`651`	`return $data;`
`638`	`652`	`}`