Scenario POST response may leak owner (no normalizationContext on Post) #69
Loading…
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Bug (suspected — needs a characterization test to confirm)
POST /api/scenarioshas nonormalizationContext, so its response serializes all readable properties ignoring#[Groups](same API Platform gotcha as #68, but for the write op).Scenario::$ownercarries no#[Groups]and is populated before serialization (ScenarioOwnerProcessor::process()sets it pre-persist), so the POST response likely embeds the nestedUser— potentially includingrolesand the hashed password.Severity is moderate, not critical: it's the hashed password, not plaintext, and only the authenticated owner sees their own POST response. But it's still an unintended internal-entity leak on the write path.
Why separate from #68
#68 fixed the collection/item read ops (added
scenario:summary). It deliberately leftPostuntouched to stay scoped.Get/GetCollectionnow correctly excludeowner(explicit non-empty group contexts);Postis the last op with implicit "serialize everything" behavior. Pre-existing — predates #68.Fix
POST /api/scenariosresponse body and assert whetherowner/passwordappear (settle it empirically before changing behavior).Postan explicitnormalizationContext(reusescenario:summary, or a dedicated response group) so it returns the same lean/safe shape as the other ops. Add a test assertingowneris absent from the POST response (mirrorstestGetItemDoesNotExposeOwner, which only coversGettoday).Notes
Bucket/StreamPOST ops for the same implicit-all-props behavior while here.