DefaultFieldResolver: callback through ObjectAccess vulnerability #35
Comments
@johannessteu do you know how to solve this in the best & secure way?

I came across this today as well, in my case a company with name "Tan" caused the Resolver to try to call tan().

Just submitted this PR: #38

This is indeed risky and probably (for most people) unexpected. Limiting the call to
When using the `DefaultFieldResolver` there is the following risk: resolving an object through the "magic" ObjectAccess returning a property value that is callable, the resolver will call this function.

I noticed this when working with a user with `firstName` "Max". I do not have a specific resolver for `User`. So, first the `DefaultFieldResolver` gets the `firstName` property from the `User` object through `ObjectAccess::getProperty` and assigns `$resolvedProperty = 'Max'`. Since `Max` is callable, this is executed.

This is quite risky when working with user input. Possibly only support Closures here?
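As an added illustration (not code from this issue or from the project), the two resolver behaviours side by side in PHP: the callable check the issue describes, and the Closure-only check it proposes. `getProperty`, `resolveUnsafe`, `resolveSafe` and the sample user object are assumptions standing in for `ObjectAccess::getProperty` and the real `User` model; PHP 8 is assumed, so the accidental `max()` call raises a `TypeError` instead of silently returning `false` as PHP 7 would.

```php
<?php
declare(strict_types=1);

// Assumption: a plain public-property read stands in for ObjectAccess::getProperty.
function getProperty(object $source, string $name): mixed
{
    return $source->{$name} ?? null;
}

// Mirrors the risky behaviour from the issue: any callable value, including a
// string such as 'Max' that happens to name a PHP function, gets invoked.
function resolveUnsafe(object $source, string $field): mixed
{
    $resolved = getProperty($source, $field);
    return is_callable($resolved) ? $resolved($source) : $resolved;
}

// Hardened variant suggested in the issue: only genuine Closures are invoked;
// every other value (user-supplied strings included) is returned as data.
function resolveSafe(object $source, string $field): mixed
{
    $resolved = getProperty($source, $field);
    return $resolved instanceof \Closure ? $resolved($source) : $resolved;
}

// Constructed sample object standing in for the User model in the issue.
$user = new stdClass();
$user->firstName = 'Max';                                                   // user-supplied data
$user->fullName  = fn(object $u): string => $u->firstName . ' Mustermann'; // legitimate computed field

// The unsafe resolver treats 'Max' as the built-in max() and calls it with $user.
try {
    resolveUnsafe($user, 'firstName');
    echo "unsafe resolver returned without invoking max()" . PHP_EOL;
} catch (\TypeError $e) {
    echo "unsafe resolver invoked max(): " . $e->getMessage() . PHP_EOL;
}

// The safe resolver returns the string as data and still supports Closure fields.
var_dump(resolveSafe($user, 'firstName'));
var_dump(resolveSafe($user, 'fullName'));
```

`is_callable('Max')` is true because PHP function names are case-insensitive, which is why a plain string value is enough to trigger the call; restricting the check to `instanceof \Closure` removes that path while keeping computed fields working.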