Serializer/PropertyInfo treats list<Type> as Type[] and does not enforce sequential indexes #48887

Open
@Tobion

Symfony version(s) affected

6.2.3

Description

list<Type> annotations in phpstan and psalm are:

Lists are arrays with sequential integer keys starting at 0.

But when annotating an array like this, the deserializer (and I fear also the propertyinfo component) does not distinguish between a list and a generic array (Type[] / array<Type>).
It enforces in both cases that the array indexes are integers. But it does not check that the result is an array_is_list in the list case.

So this means that you can actually deserialize a json object with integer keys instead of an actual json array and you will get a deserialized object where the array indexes are not sequential starting at 0.

How to reproduce

  • Annotate an array with list<string>
  • Try to deserialize a json object with non-sequential integer keys, json_encode([5 => 'foo', 1 => 'bar']), which should fail

Possible Solution

  • Better solution: Validate the incoming array with array_is_list so it's not allowed to deserialize a json object into a list
  • Worse solution: use array_values at the end to ensure the resulting array is valid according to the annotated type

Additional Context

No response
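
The behaviour described in this issue and its two proposed fixes, as an added example in plain PHP (not Symfony's code and not part of the original issue). The two function names are hypothetical, the payloads are constructed, and array_is_list() needs PHP 8.1 or later.

```php
<?php
declare(strict_types=1);

/** Strict variant (hypothetical helper): only a real JSON array of strings passes. */
function denormalizeStringListStrict(mixed $data): array
{
    if (!is_array($data) || !array_is_list($data)) {
        throw new UnexpectedValueException('Expected a list, got a map or a scalar.');
    }
    foreach ($data as $i => $item) {
        if (!is_string($item)) {
            throw new UnexpectedValueException("Element $i is not a string.");
        }
    }
    return $data;
}

/** Lenient variant (hypothetical helper): integer-keyed maps are accepted and reindexed. */
function denormalizeStringListLenient(mixed $data): array
{
    if (!is_array($data)) {
        throw new UnexpectedValueException('Expected an array.');
    }
    foreach ($data as $key => $item) {
        if (!is_int($key) || !is_string($item)) {
            throw new UnexpectedValueException('Expected integer keys and string values.');
        }
    }
    return array_values($data); // keys 5 and 1 become 0 and 1, in member order
}

// Constructed payloads: a JSON array, and the JSON object from "How to reproduce".
$payloads = [
    'array'  => '["foo","bar"]',
    'object' => json_encode([5 => 'foo', 1 => 'bar']), // {"5":"foo","1":"bar"}
];

foreach ($payloads as $label => $json) {
    $decoded = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    // An integer-key-only check passes for both payloads; array_is_list() tells them apart.
    printf("%s: is_list=%s, re-encoded=%s\n", $label,
        var_export(array_is_list($decoded), true), json_encode($decoded));
    try {
        denormalizeStringListStrict($decoded);
        echo "  strict: accepted\n";
    } catch (UnexpectedValueException $e) {
        echo "  strict: rejected ({$e->getMessage()})\n";
    }
    echo '  lenient: ', json_encode(denormalizeStringListLenient($decoded)), "\n";
}
```

For the object payload the unchecked array re-encodes as a JSON object and has no index 0, so code that relies on the list<string> annotation for positional access or for JSON array output sees data that static analysis says cannot occur.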
