6067528200

Committed 04 Sep 2023 12:12AM UTC coverage: 36.875% (-21.9%) from 58.794%

Build # 6067528200

Build Type

Pull #5791

github

Committed by

web-flow

Commit Message

Merge 64157e578 into d09cfc9d2

Pull Request Pull Request #5791: fix: strip down any sql function name

Run Details

3096 of 3096 new or added lines in 205 files covered. (100.0%)

9926 of 26918 relevant lines covered (36.87%)

6.5 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

63.24

/src/Serializer/Filter/PropertyFilter.php

<?php

/*
 * This file is part of the API Platform project.
 *
 * (c) Kévin Dunglas <dunglas@gmail.com>
 *
 * For the full copyright and license information, please view the LICENSE
 * file that was distributed with this source code.
 */

declare(strict_types=1);

namespace ApiPlatform\Serializer\Filter;

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Serializer\NameConverter\NameConverterInterface;
use Symfony\Component\Serializer\Normalizer\AbstractNormalizer;

/**
 * The property filter adds the possibility to select the properties to serialize (sparse fieldsets).
 *
 * Note: We strongly recommend using [Vulcain](https://vulcain.rocks/) instead of this filter. Vulcain is faster, allows a better hit rate, and is supported out of the box in the API Platform distribution.
 *
 * Syntax: `?properties[]=<property>&properties[<relation>][]=<property>`.
 *
 * You can add as many properties as you need.
 *
 * Three arguments are available to configure the filter:
 * - `parameterName` is the query parameter name (default: `properties`)
 * - `overrideDefaultProperties` allows to override the default serialization properties (default: `false`)
 * - `whitelist` properties whitelist to avoid uncontrolled data exposure (default: `null` to allow all properties)
 *
 * <CodeSelector>
 * ```php
 * <?php
 * // api/src/Entity/Book.php
 * use ApiPlatform\Metadata\ApiFilter;
 * use ApiPlatform\Metadata\ApiResource;
 * use ApiPlatform\Serializer\Filter\PropertyFilter;
 *
 * #[ApiResource]
 * #[ApiFilter(PropertyFilter::class, arguments: ['parameterName' => 'properties', 'overrideDefaultProperties' => false, 'whitelist' => ['allowed_property']])]
 * class Book
 * {
 *     // ...
 * }
 * ```
 *
 * ```yaml
 * # config/services.yaml
 * services:
 *     book.property_filter:
 *         parent: 'api_platform.serializer.property_filter'
 *         arguments: [ $parameterName: 'properties', $overrideDefaultGroups: false, $whitelist: ['allowed_property'] ]
 *         tags:  [ 'api_platform.filter' ]
 *         # The following are mandatory only if a _defaults section is defined with inverted values.
 *         # You may want to isolate filters in a dedicated file to avoid adding the following lines (by adding them in the defaults section)
 *         autowire: false
 *         autoconfigure: false
 *         public: false
 *
 * # api/config/api_platform/resources.yaml
 * resources:
 *     App\Entity\Book:
 *         - operations:
 *               ApiPlatform\Metadata\GetCollection:
 *                   filters: ['book.property_filter']
 * ```
 *
 * ```xml
 * <?xml version="1.0" encoding="UTF-8" ?>
 * <!-- api/config/services.xml -->
 * <?xml version="1.0" encoding="UTF-8" ?>
 * <container
 *         xmlns="http://symfony.com/schema/dic/services"
 *         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 *         xsi:schemaLocation="http://symfony.com/schema/dic/services
 *         https://symfony.com/schema/dic/services/services-1.0.xsd">
 *     <services>
 *         <service id="book.property_filter" parent="api_platform.serializer.property_filter">
 *             <argument key="parameterName">properties</argument>
 *             <argument key="overrideDefaultGroups">false</argument>
 *             <argument key="whitelist" type="collection">
 *                 <argument>allowed_property</argument>
 *             </argument>
 *             <tag name="api_platform.filter"/>
 *         </service>
 *     </services>
 * </container>
 * <!-- api/config/api_platform/resources.xml -->
 * <resources
 *         xmlns="https://api-platform.com/schema/metadata/resources-3.0"
 *         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 *         xsi:schemaLocation="https://api-platform.com/schema/metadata/resources-3.0
 *         https://api-platform.com/schema/metadata/resources-3.0.xsd">
 *     <resource class="App\Entity\Book">
 *         <operations>
 *             <operation class="ApiPlatform\Metadata\GetCollection">
 *                 <filters>
 *                     <filter>book.property_filter</filter>
 *                 </filters>
 *             </operation>
 *         </operations>
 *     </resource>
 * </resources>
 * ```
 * </CodeSelector>
 *
 * Given that the collection endpoint is `/books`, you can filter the serialization properties with the following query: `/books?properties[]=title&properties[]=author`. If you want to include some properties of the nested "author" document, use: `/books?properties[]=title&properties[author][]=name`.
 *
 * @author Baptiste Meyer <baptiste.meyer@gmail.com>
 */
final class PropertyFilter implements FilterInterface
{
    private ?array $whitelist;

    public function __construct(private readonly string $parameterName = 'properties', private readonly bool $overrideDefaultProperties = false, array $whitelist = null, private readonly ?NameConverterInterface $nameConverter = null)
    {
        $this->whitelist = null === $whitelist ? null : $this->formatWhitelist($whitelist);
    }

    /**
     * {@inheritdoc}
     */
    public function apply(Request $request, bool $normalization, array $attributes, array &$context): void
    {
        if (null !== $propertyAttribute = $request->attributes->get('_api_filter_property')) {
            $properties = $propertyAttribute;
        } elseif (\array_key_exists($this->parameterName, $commonAttribute = $request->attributes->get('_api_filters', []))) {
            $properties = $commonAttribute[$this->parameterName];
        } else {
            $properties = $request->query->all()[$this->parameterName] ?? null;
        }

        if (!\is_array($properties)) {
            return;
        }

        $properties = $this->denormalizeProperties($properties);

        if (null !== $this->whitelist) {
            $properties = $this->getProperties($properties, $this->whitelist);
        }

        if (!$this->overrideDefaultProperties && isset($context[AbstractNormalizer::ATTRIBUTES])) {
            $properties = array_merge_recursive((array) $context[AbstractNormalizer::ATTRIBUTES], $properties);
        }

        $context[AbstractNormalizer::ATTRIBUTES] = $properties;
    }

    /**
     * {@inheritdoc}
     */
    public function getDescription(string $resourceClass): array
    {
        $example = sprintf('%1$s[]={propertyName}&%1$s[]={anotherPropertyName}&%1$s[{nestedPropertyParent}][]={nestedProperty}',
            $this->parameterName
        );

        return [
            "$this->parameterName[]" => [
                'property' => null,
                'type' => 'string',
                'is_collection' => true,
                'required' => false,
                'description' => 'Allows you to reduce the response to contain only the properties you need. If your desired property is nested, you can address it using nested arrays. Example: '.$example,
                'swagger' => [
                    'description' => 'Allows you to reduce the response to contain only the properties you need. If your desired property is nested, you can address it using nested arrays. Example: '.$example,
                    'name' => "$this->parameterName[]",
                    'type' => 'array',
                    'items' => [
                        'type' => 'string',
                    ],
                ],
                'openapi' => [
                    'description' => 'Allows you to reduce the response to contain only the properties you need. If your desired property is nested, you can address it using nested arrays. Example: '.$example,
                    'name' => "$this->parameterName[]",
                    'schema' => [
                        'type' => 'array',
                        'items' => [
                            'type' => 'string',
                        ],
                    ],
                ],
            ],
        ];
    }

    /**
     * Generate an array of whitelist properties to match the format that properties
     * will have in the request.
     *
     * @param array $whitelist the whitelist to format
     *
     * @return array An array containing the whitelist ready to match request parameters
     */
    private function formatWhitelist(array $whitelist): array
    {
        if (array_values($whitelist) === $whitelist) {
            return $whitelist;
        }
        foreach ($whitelist as $name => $value) {
            if (null === $value) {
                unset($whitelist[$name]);
                $whitelist[] = $name;
            }
        }

        return $whitelist;
    }

    private function getProperties(array $properties, array $whitelist = null): array
    {
        $whitelist ??= $this->whitelist;
        $result = [];

        foreach ($properties as $key => $value) {
            if (is_numeric($key)) {
                if (\in_array($propertyName = $this->denormalizePropertyName($value), $whitelist, true)) {
                    $result[] = $propertyName;
                }

                continue;
            }

            if (\is_array($value) && isset($whitelist[$key]) && $recursiveResult = $this->getProperties($value, $whitelist[$key])) {
                $result[$this->denormalizePropertyName($key)] = $recursiveResult;
            }
        }

        return $result;
    }

    private function denormalizeProperties(array $properties): array
    {
        if (null === $this->nameConverter || !$properties) {
            return $properties;
        }

        $result = [];
        foreach ($properties as $key => $value) {
            $result[$this->denormalizePropertyName((string) $key)] = \is_array($value) ? $this->denormalizeProperties($value) : $this->denormalizePropertyName($value);
        }

        return $result;
    }

    private function denormalizePropertyName($property): string
    {
        return null !== $this->nameConverter ? $this->nameConverter->denormalize($property) : $property;
    }
}

1	<?php
2
3	/*
4	* This file is part of the API Platform project.
5	*
6	* (c) Kévin Dunglas <dunglas@gmail.com>
7	*
8	* For the full copyright and license information, please view the LICENSE
9	* file that was distributed with this source code.
10	*/
11
12	declare(strict_types=1);
13
14	namespace ApiPlatform\Serializer\Filter;
15
16	use Symfony\Component\HttpFoundation\Request;
17	use Symfony\Component\Serializer\NameConverter\NameConverterInterface;
18	use Symfony\Component\Serializer\Normalizer\AbstractNormalizer;
19
20	/**
21	* The property filter adds the possibility to select the properties to serialize (sparse fieldsets).
22	*
23	* Note: We strongly recommend using [Vulcain](https://vulcain.rocks/) instead of this filter. Vulcain is faster, allows a better hit rate, and is supported out of the box in the API Platform distribution.
24	*
25	* Syntax: `?properties[]=<property>&properties[<relation>][]=<property>`.
26	*
27	* You can add as many properties as you need.
28	*
29	* Three arguments are available to configure the filter:
30	* - `parameterName` is the query parameter name (default: `properties`)
31	* - `overrideDefaultProperties` allows to override the default serialization properties (default: `false`)
32	* - `whitelist` properties whitelist to avoid uncontrolled data exposure (default: `null` to allow all properties)
33	*
34	* <CodeSelector>
35	* ```php
36	* <?php
37	* // api/src/Entity/Book.php
38	* use ApiPlatform\Metadata\ApiFilter;
39	* use ApiPlatform\Metadata\ApiResource;
40	* use ApiPlatform\Serializer\Filter\PropertyFilter;
41	*
42	* #[ApiResource]
43	* #[ApiFilter(PropertyFilter::class, arguments: ['parameterName' => 'properties', 'overrideDefaultProperties' => false, 'whitelist' => ['allowed_property']])]
44	* class Book
45	* {
46	* // ...
47	* }
48	* ```
49	*
50	* ```yaml
51	* # config/services.yaml
52	* services:
53	* book.property_filter:
54	* parent: 'api_platform.serializer.property_filter'
55	* arguments: [ $parameterName: 'properties', $overrideDefaultGroups: false, $whitelist: ['allowed_property'] ]
56	* tags: [ 'api_platform.filter' ]
57	* # The following are mandatory only if a _defaults section is defined with inverted values.
58	* # You may want to isolate filters in a dedicated file to avoid adding the following lines (by adding them in the defaults section)
59	* autowire: false
60	* autoconfigure: false
61	* public: false
62	*
63	* # api/config/api_platform/resources.yaml
64	* resources:
65	* App\Entity\Book:
66	* - operations:
67	* ApiPlatform\Metadata\GetCollection:
68	* filters: ['book.property_filter']
69	* ```
70	*
71	* ```xml
72	* <?xml version="1.0" encoding="UTF-8" ?>
73	* <!-- api/config/services.xml -->
74	* <?xml version="1.0" encoding="UTF-8" ?>
75	* <container
76	* xmlns="http://symfony.com/schema/dic/services"
77	* xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
78	* xsi:schemaLocation="http://symfony.com/schema/dic/services
79	* https://symfony.com/schema/dic/services/services-1.0.xsd">
80	* <services>
81	* <service id="book.property_filter" parent="api_platform.serializer.property_filter">
82	* <argument key="parameterName">properties</argument>
83	* <argument key="overrideDefaultGroups">false</argument>
84	* <argument key="whitelist" type="collection">
85	* <argument>allowed_property</argument>
86	* </argument>
87	* <tag name="api_platform.filter"/>
88	* </service>
89	* </services>
90	* </container>
91	* <!-- api/config/api_platform/resources.xml -->
92	* <resources
93	* xmlns="https://api-platform.com/schema/metadata/resources-3.0"
94	* xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
95	* xsi:schemaLocation="https://api-platform.com/schema/metadata/resources-3.0
96	* https://api-platform.com/schema/metadata/resources-3.0.xsd">
97	* <resource class="App\Entity\Book">
98	* <operations>
99	* <operation class="ApiPlatform\Metadata\GetCollection">
100	* <filters>
101	* <filter>book.property_filter</filter>
102	* </filters>
103	* </operation>
104	* </operations>
105	* </resource>
106	* </resources>
107	* ```
108	* </CodeSelector>
109	*
110	* Given that the collection endpoint is `/books`, you can filter the serialization properties with the following query: `/books?properties[]=title&properties[]=author`. If you want to include some properties of the nested "author" document, use: `/books?properties[]=title&properties[author][]=name`.
111	*
112	* @author Baptiste Meyer <baptiste.meyer@gmail.com>
113	*/
114	final class PropertyFilter implements FilterInterface
115	{
116	private ?array $whitelist;
117
118	public function __construct(private readonly string $parameterName = 'properties', private readonly bool $overrideDefaultProperties = false, array $whitelist = null, private readonly ?NameConverterInterface $nameConverter = null)
119	{
120	$this->whitelist = null === $whitelist ? null : $this->formatWhitelist($whitelist);	24✔
121	}
122
123	/**
124	* {@inheritdoc}
125	*/
126	public function apply(Request $request, bool $normalization, array $attributes, array &$context): void
127	{
128	if (null !== $propertyAttribute = $request->attributes->get('_api_filter_property')) {	15✔
129	$properties = $propertyAttribute;	×
130	} elseif (\array_key_exists($this->parameterName, $commonAttribute = $request->attributes->get('_api_filters', []))) {	15✔
131	$properties = $commonAttribute[$this->parameterName];	×
132	} else {
133	$properties = $request->query->all()[$this->parameterName] ?? null;	15✔
134	}
135
136	if (!\is_array($properties)) {	15✔
137	return;	15✔
138	}
139
140	$properties = $this->denormalizeProperties($properties);	×
141
142	if (null !== $this->whitelist) {	×
143	$properties = $this->getProperties($properties, $this->whitelist);	×
144	}
145
146	if (!$this->overrideDefaultProperties && isset($context[AbstractNormalizer::ATTRIBUTES])) {	×
147	$properties = array_merge_recursive((array) $context[AbstractNormalizer::ATTRIBUTES], $properties);	×
148	}
149
150	$context[AbstractNormalizer::ATTRIBUTES] = $properties;	×
151	}
152
153	/**
154	* {@inheritdoc}
155	*/
156	public function getDescription(string $resourceClass): array
157	{
158	$example = sprintf('%1$s[]={propertyName}&%1$s[]={anotherPropertyName}&%1$s[{nestedPropertyParent}][]={nestedProperty}',	15✔
159	$this->parameterName	15✔
160	);	15✔
161
162	return [	15✔
163	"$this->parameterName[]" => [	15✔
164	'property' => null,	15✔
165	'type' => 'string',	15✔
166	'is_collection' => true,	15✔
167	'required' => false,	15✔
168	'description' => 'Allows you to reduce the response to contain only the properties you need. If your desired property is nested, you can address it using nested arrays. Example: '.$example,	15✔
169	'swagger' => [	15✔
170	'description' => 'Allows you to reduce the response to contain only the properties you need. If your desired property is nested, you can address it using nested arrays. Example: '.$example,	15✔
171	'name' => "$this->parameterName[]",	15✔
172	'type' => 'array',	15✔
173	'items' => [	15✔
174	'type' => 'string',	15✔
175	],	15✔
176	],	15✔
177	'openapi' => [	15✔
178	'description' => 'Allows you to reduce the response to contain only the properties you need. If your desired property is nested, you can address it using nested arrays. Example: '.$example,	15✔
179	'name' => "$this->parameterName[]",	15✔
180	'schema' => [	15✔
181	'type' => 'array',	15✔
182	'items' => [	15✔
183	'type' => 'string',	15✔
184	],	15✔
185	],	15✔
186	],	15✔
187	],	15✔
188	];	15✔
189	}
190
191	/**
192	* Generate an array of whitelist properties to match the format that properties
193	* will have in the request.
194	*
195	* @param array $whitelist the whitelist to format
196	*
197	* @return array An array containing the whitelist ready to match request parameters
198	*/
199	private function formatWhitelist(array $whitelist): array
200	{
201	if (array_values($whitelist) === $whitelist) {	9✔
202	return $whitelist;	9✔
203	}
204	foreach ($whitelist as $name => $value) {	9✔
205	if (null === $value) {	9✔
206	unset($whitelist[$name]);	9✔
207	$whitelist[] = $name;	9✔
208	}
209	}
210
211	return $whitelist;	9✔
212	}
213
214	private function getProperties(array $properties, array $whitelist = null): array
215	{
216	$whitelist ??= $this->whitelist;	×
217	$result = [];	×
218
219	foreach ($properties as $key => $value) {	×
220	if (is_numeric($key)) {	×
221	if (\in_array($propertyName = $this->denormalizePropertyName($value), $whitelist, true)) {	×
222	$result[] = $propertyName;	×
223	}
224
225	continue;	×
226	}
227
228	if (\is_array($value) && isset($whitelist[$key]) && $recursiveResult = $this->getProperties($value, $whitelist[$key])) {	×
229	$result[$this->denormalizePropertyName($key)] = $recursiveResult;	×
230	}
231	}
232
233	return $result;	×
234	}
235
236	private function denormalizeProperties(array $properties): array
237	{
238	if (null === $this->nameConverter \|\| !$properties) {	×
239	return $properties;	×
240	}
241
242	$result = [];	×
243	foreach ($properties as $key => $value) {	×
244	$result[$this->denormalizePropertyName((string) $key)] = \is_array($value) ? $this->denormalizeProperties($value) : $this->denormalizePropertyName($value);	×
245	}
246
247	return $result;	×
248	}
249
250	private function denormalizePropertyName($property): string
251	{
252	return null !== $this->nameConverter ? $this->nameConverter->denormalize($property) : $property;	×
253	}
254	}

api-platform / core / 6067528200

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous