bug #57341 [Serializer] properly handle invalid data for false/true types (xabbuh)

xabbuh · xabbuh · commit 3fd3ecadff1d · 2024-06-16T22:54:24.000+02:00
This PR was merged into the 5.4 branch. Discussion ---------- [Serializer] properly handle invalid data for false/true types | Q | A | ------------- | --- | Branch? | 5.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Issues | Fix symfony/symfony#57320 (comment) | License | MIT Commits ------- d35d4a337b properly handle invalid data for false/true types
diff --git a/Normalizer/AbstractObjectNormalizer.php b/Normalizer/AbstractObjectNormalizer.php
@@ -621,12 +621,34 @@ private function validateAndDenormalize(array $types, string $currentClass, stri
                     return (float) $data;
                 }
 
-                if (Type::BUILTIN_TYPE_FALSE === $builtinType && false === $data) {
-                    return $data;
-                }
+                switch ($builtinType) {
+                    case Type::BUILTIN_TYPE_ARRAY:
+                    case Type::BUILTIN_TYPE_BOOL:
+                    case Type::BUILTIN_TYPE_CALLABLE:
+                    case Type::BUILTIN_TYPE_FLOAT:
+                    case Type::BUILTIN_TYPE_INT:
+                    case Type::BUILTIN_TYPE_ITERABLE:
+                    case Type::BUILTIN_TYPE_NULL:
+                    case Type::BUILTIN_TYPE_OBJECT:
+                    case Type::BUILTIN_TYPE_RESOURCE:
+                    case Type::BUILTIN_TYPE_STRING:
+                        if (('is_'.$builtinType)($data)) {
+                            return $data;
+                        }
+
+                        break;
+                    case Type::BUILTIN_TYPE_FALSE:
+                        if (false === $data) {
+                            return $data;
+                        }
+
+                        break;
+                    case Type::BUILTIN_TYPE_TRUE:
+                        if (true === $data) {
+                            return $data;
+                        }
 
-                if (('is_'.$builtinType)($data)) {
-                    return $data;
+                        break;
                 }
             } catch (NotNormalizableValueException $e) {
                 if (!$isUnionType && !$isNullable) {
diff --git a/Tests/Normalizer/AbstractObjectNormalizerTest.php b/Tests/Normalizer/AbstractObjectNormalizerTest.php
@@ -687,6 +687,26 @@ protected function setAttributeValue(object $object, string $attribute, $value,
 
         $this->assertSame('scalar', $normalizer->denormalize('scalar', XmlScalarDummy::class, 'xml')->value);
     }
+
+    /**
+     * @dataProvider provideBooleanTypesData
+     */
+    public function testDenormalizeBooleanTypesWithNotMatchingData(array $data, string $type)
+    {
+        $normalizer = new AbstractObjectNormalizerWithMetadataAndPropertyTypeExtractors();
+
+        $this->expectException(NotNormalizableValueException::class);
+
+        $normalizer->denormalize($data, $type);
+    }
+
+    public function provideBooleanTypesData()
+    {
+        return [
+            [['foo' => true], FalsePropertyDummy::class],
+            [['foo' => false], TruePropertyDummy::class],
+        ];
+    }
 }
 
 class AbstractObjectNormalizerDummy extends AbstractObjectNormalizer
@@ -816,6 +836,18 @@ class XmlScalarDummy
     public $value;
 }
 
+class FalsePropertyDummy
+{
+    /** @var false */
+    public $foo;
+}
+
+class TruePropertyDummy
+{
+    /** @var true */
+    public $foo;
+}
+
 class SerializerCollectionDummy implements SerializerInterface, DenormalizerInterface
 {
     private $normalizers;
@@ -936,3 +968,28 @@ public function __sleep(): array
         throw new \Error('not serializable');
     }
 }
+
+class AbstractObjectNormalizerWithMetadataAndPropertyTypeExtractors extends AbstractObjectNormalizer
+{
+    public function __construct()
+    {
+        parent::__construct(new ClassMetadataFactory(new AnnotationLoader()), null, new PropertyInfoExtractor([], [new PhpDocExtractor(), new ReflectionExtractor()]));
+    }
+
+    protected function extractAttributes(object $object, ?string $format = null, array $context = []): array
+    {
+        return [];
+    }
+
+    protected function getAttributeValue(object $object, string $attribute, ?string $format = null, array $context = [])
+    {
+        return null;
+    }
+
+    protected function setAttributeValue(object $object, string $attribute, $value, ?string $format = null, array $context = []): void
+    {
+        if (property_exists($object, $attribute)) {
+            $object->$attribute = $value;
+        }
+    }
+}
