Merge branch '2.4'

.circleci/config.yml

@@ -195,7 +195,7 @@ jobs:
           name: Run Behat tests
           command: |-
             mkdir -p build/logs/tmp build/cov
-            for f in $(find features -name '*.feature' -not -path 'features/main/exposed_state.feature' -not -path 'features/elasticsearch/*' | circleci tests split --split-by=timings); do
+            for f in $(find features -name '*.feature' -not -path 'features/main/exposed_state.feature' -not -path 'features/elasticsearch/*' -not -path 'features/mongodb/*' | circleci tests split --split-by=timings); do
               _f=${f//\//_}
               FEATURE="${_f}" phpdbg -qrr vendor/bin/behat --profile=coverage --suite=default --format=progress --out=std --format=junit --out=build/logs/tmp/"${_f}" "$f"
             done

.travis.yml

@@ -11,7 +11,7 @@ jobs:
       env: NO_UNIT_TESTS=true
       before_install:
         - composer remove --dev ext-mongodb doctrine/mongodb-odm doctrine/mongodb-odm-bundle
-        - sed -i '26,32d' tests/Fixtures/app/config/config_common.yml
+        - sed -i '33,39d' tests/Fixtures/app/config/config_common.yml
     - php: '7.2'
     - php: '7.3'
     - php: '7.3'

CHANGELOG.md

@@ -35,7 +35,7 @@
 
 ## 2.3.6
 
-* /!\ Security: a vulnerability impacting the GraphQL subsystem was allowing users authorized to run mutations for a specific resource type, to execute it on any resource, of any type
+* /!\ Security: a vulnerability impacting the GraphQL subsystem was allowing users authorized to run mutations for a specific resource type, to execute it on any resource, of any type (CVE-2019-1000011)
 * Fix normalization of raw collections (not API resources)
 * Fix content negotiation format matching
 
@@ -120,7 +120,7 @@
 
 ## 2.2.10
 
-* /!\ Security: a vulnerability impacting the GraphQL subsystem was allowing users authorized to run mutations for a specific resource type, to execute it on any resource, of any type
+* /!\ Security: a vulnerability impacting the GraphQL subsystem was allowing users authorized to run mutations for a specific resource type, to execute it on any resource, of any type (CVE-2019-1000011)
 
 ## 2.2.9
 

appveyor.yml

@@ -34,4 +34,5 @@ services:
 test_script:
   - cd %APPVEYOR_BUILD_FOLDER%
   - php vendor\behat\behat\bin\behat --format=progress --suite=default
+  - rmdir tests\Fixtures\app\var\cache /s /q
   - php vendor\phpunit\phpunit\phpunit

behat.yml.dist

@@ -18,7 +18,7 @@ default:
         - 'Behat\MinkExtension\Context\MinkContext'
         - 'Behatch\Context\RestContext'
       filters:
-        tags: '~@postgres&&~@elasticsearch'
+        tags: '~@postgres&&~@mongodb&&~@elasticsearch'
     postgres:
       contexts:
         - 'DoctrineContext':
@@ -37,7 +37,7 @@ default:
         - 'Behat\MinkExtension\Context\MinkContext'
         - 'Behatch\Context\RestContext'
       filters:
-        tags: '~@sqlite&&~@elasticsearch'
+        tags: '~@sqlite&&~@mongodb&&~@elasticsearch'
     mongodb:
       contexts:
         - 'DoctrineContext':
@@ -106,4 +106,4 @@ coverage:
         - 'Behat\MinkExtension\Context\MinkContext'
         - 'Behatch\Context\RestContext'
       filters:
-        tags: '~@postgres&&~@elasticsearch'
+        tags: '~@postgres&&~@mongodb&&~@elasticsearch'

composer.json

@@ -51,13 +51,16 @@
         "psr/log": "^1.0",
         "ramsey/uuid": "^3.7",
         "ramsey/uuid-doctrine": "^1.4",
+        "sebastian/object-enumerator": "^3.0.3",
         "symfony/asset": "^3.4 || ^4.0",
         "symfony/cache": "^3.4 || ^4.0",
         "symfony/config": "^3.4 || ^4.0",
         "symfony/console": "^3.4 || ^4.0",
+        "symfony/css-selector": "^3.4 || ^4.0",
         "symfony/debug": "^3.4 || ^4.0",
         "symfony/dependency-injection": "^3.4 || ^4.0",
         "symfony/doctrine-bridge": "^3.4 || ^4.0",
+        "symfony/dom-crawler": "^3.4 || ^4.0",
         "symfony/event-dispatcher": "^3.4 || ^4.0",
         "symfony/expression-language": "^3.4 || ^4.0",
         "symfony/finder": "^3.4 || ^4.0",
@@ -71,7 +74,7 @@
         "symfony/security-bundle": "^3.4 || ^4.0",
         "symfony/twig-bundle": "^3.4 || ^4.0",
         "symfony/validator": "^3.4 || ^4.0",
-        "symfony/web-profiler-bundle": "^3.4 || ^4.0",
+        "symfony/web-profiler-bundle": "^4.2",
         "symfony/yaml": "^3.4 || ^4.0",
         "webonyx/graphql-php": ">=0.13 <1.0"
     },

features/doctrine/date_filter.feature

@@ -404,7 +404,7 @@ Feature: Date filter on collections
       },
       "hydra:search": {
         "@type": "hydra:IriTemplate",
-        "hydra:template": "/dummies{?dummyBoolean,relatedDummy.embeddedDummy.dummyBoolean,dummyDate[before],dummyDate[strictly_before],dummyDate[after],dummyDate[strictly_after],relatedDummy.dummyDate[before],relatedDummy.dummyDate[strictly_before],relatedDummy.dummyDate[after],relatedDummy.dummyDate[strictly_after],description[exists],relatedDummy.name[exists],dummyBoolean[exists],relatedDummy[exists],dummyFloat,dummyFloat[],dummyPrice,dummyPrice[],order[id],order[name],order[description],order[relatedDummy.name],order[relatedDummy.symfony],order[dummyDate],dummyFloat[between],dummyFloat[gt],dummyFloat[gte],dummyFloat[lt],dummyFloat[lte],dummyPrice[between],dummyPrice[gt],dummyPrice[gte],dummyPrice[lt],dummyPrice[lte],id,id[],name,alias,description,relatedDummy.name,relatedDummy.name[],relatedDummies,relatedDummies[],dummy,relatedDummies.name,relatedDummy.thirdLevel.level,relatedDummy.thirdLevel.level[],relatedDummy.thirdLevel.fourthLevel.level,relatedDummy.thirdLevel.fourthLevel.level[],properties[]}",
+        "hydra:template": "/dummies{?dummyBoolean,relatedDummy.embeddedDummy.dummyBoolean,dummyDate[before],dummyDate[strictly_before],dummyDate[after],dummyDate[strictly_after],relatedDummy.dummyDate[before],relatedDummy.dummyDate[strictly_before],relatedDummy.dummyDate[after],relatedDummy.dummyDate[strictly_after],description[exists],relatedDummy.name[exists],dummyBoolean[exists],relatedDummy[exists],dummyFloat,dummyFloat[],dummyPrice,dummyPrice[],order[id],order[name],order[description],order[relatedDummy.name],order[relatedDummy.symfony],order[dummyDate],dummyFloat[between],dummyFloat[gt],dummyFloat[gte],dummyFloat[lt],dummyFloat[lte],dummyPrice[between],dummyPrice[gt],dummyPrice[gte],dummyPrice[lt],dummyPrice[lte],id,id[],name,alias,description,relatedDummy.name,relatedDummy.name[],relatedDummies,relatedDummies[],dummy,relatedDummies.name,relatedDummy.thirdLevel.level,relatedDummy.thirdLevel.level[],relatedDummy.thirdLevel.fourthLevel.level,relatedDummy.thirdLevel.fourthLevel.level[],relatedDummy.thirdLevel.badFourthLevel.level,relatedDummy.thirdLevel.badFourthLevel.level[],relatedDummy.thirdLevel.fourthLevel.badThirdLevel.level,relatedDummy.thirdLevel.fourthLevel.badThirdLevel.level[],properties[]}",
         "hydra:variableRepresentation": "BasicRepresentation",
         "hydra:mapping": [
           {
@@ -701,6 +701,30 @@ Feature: Date filter on collections
             "property": "relatedDummy.thirdLevel.fourthLevel.level",
             "required": false
           },
+          {
+            "@type": "IriTemplateMapping",
+            "variable": "relatedDummy.thirdLevel.badFourthLevel.level",
+            "property": "relatedDummy.thirdLevel.badFourthLevel.level",
+            "required": false
+          },
+          {
+            "@type": "IriTemplateMapping",
+            "variable": "relatedDummy.thirdLevel.badFourthLevel.level[]",
+            "property": "relatedDummy.thirdLevel.badFourthLevel.level",
+            "required": false
+          },
+          {
+            "@type": "IriTemplateMapping",
+            "variable": "relatedDummy.thirdLevel.fourthLevel.badThirdLevel.level",
+            "property": "relatedDummy.thirdLevel.fourthLevel.badThirdLevel.level",
+            "required": false
+          },
+          {
+            "@type": "IriTemplateMapping",
+            "variable": "relatedDummy.thirdLevel.fourthLevel.badThirdLevel.level[]",
+            "property": "relatedDummy.thirdLevel.fourthLevel.badThirdLevel.level",
+            "required": false
+          },
           {
               "@type": "IriTemplateMapping",
               "variable": "properties[]",

features/main/crud.feature

@@ -4,7 +4,6 @@ Feature: Create-Retrieve-Update-Delete
   I need to be able to retrieve, create, update and delete JSON-LD encoded resources.
 
   @createSchema
-  @mongodb
   Scenario: Create a resource
     When I add "Content-Type" header equal to "application/ld+json"
     And I send a "POST" request to "/dummies" with body:
@@ -56,7 +55,6 @@ Feature: Create-Retrieve-Update-Delete
     }
     """
 
-  @mongodb
   Scenario: Get a resource
     When I send a "GET" request to "/dummies/1"
     Then the response status code should be 200
@@ -93,7 +91,6 @@ Feature: Create-Retrieve-Update-Delete
     }
     """
 
-  @mongodb
   Scenario: Get a not found exception
     When I send a "GET" request to "/dummies/42"
     Then the response status code should be 404
@@ -140,7 +137,7 @@ Feature: Create-Retrieve-Update-Delete
       "hydra:totalItems": 1,
       "hydra:search": {
         "@type": "hydra:IriTemplate",
-        "hydra:template": "/dummies{?dummyBoolean,relatedDummy.embeddedDummy.dummyBoolean,dummyDate[before],dummyDate[strictly_before],dummyDate[after],dummyDate[strictly_after],relatedDummy.dummyDate[before],relatedDummy.dummyDate[strictly_before],relatedDummy.dummyDate[after],relatedDummy.dummyDate[strictly_after],description[exists],relatedDummy.name[exists],dummyBoolean[exists],relatedDummy[exists],dummyFloat,dummyFloat[],dummyPrice,dummyPrice[],order[id],order[name],order[description],order[relatedDummy.name],order[relatedDummy.symfony],order[dummyDate],dummyFloat[between],dummyFloat[gt],dummyFloat[gte],dummyFloat[lt],dummyFloat[lte],dummyPrice[between],dummyPrice[gt],dummyPrice[gte],dummyPrice[lt],dummyPrice[lte],id,id[],name,alias,description,relatedDummy.name,relatedDummy.name[],relatedDummies,relatedDummies[],dummy,relatedDummies.name,relatedDummy.thirdLevel.level,relatedDummy.thirdLevel.level[],relatedDummy.thirdLevel.fourthLevel.level,relatedDummy.thirdLevel.fourthLevel.level[],properties[]}",
+        "hydra:template": "/dummies{?dummyBoolean,relatedDummy.embeddedDummy.dummyBoolean,dummyDate[before],dummyDate[strictly_before],dummyDate[after],dummyDate[strictly_after],relatedDummy.dummyDate[before],relatedDummy.dummyDate[strictly_before],relatedDummy.dummyDate[after],relatedDummy.dummyDate[strictly_after],description[exists],relatedDummy.name[exists],dummyBoolean[exists],relatedDummy[exists],dummyFloat,dummyFloat[],dummyPrice,dummyPrice[],order[id],order[name],order[description],order[relatedDummy.name],order[relatedDummy.symfony],order[dummyDate],dummyFloat[between],dummyFloat[gt],dummyFloat[gte],dummyFloat[lt],dummyFloat[lte],dummyPrice[between],dummyPrice[gt],dummyPrice[gte],dummyPrice[lt],dummyPrice[lte],id,id[],name,alias,description,relatedDummy.name,relatedDummy.name[],relatedDummies,relatedDummies[],dummy,relatedDummies.name,relatedDummy.thirdLevel.level,relatedDummy.thirdLevel.level[],relatedDummy.thirdLevel.fourthLevel.level,relatedDummy.thirdLevel.fourthLevel.level[],relatedDummy.thirdLevel.badFourthLevel.level,relatedDummy.thirdLevel.badFourthLevel.level[],relatedDummy.thirdLevel.fourthLevel.badThirdLevel.level,relatedDummy.thirdLevel.fourthLevel.badThirdLevel.level[],properties[]}",
         "hydra:variableRepresentation": "BasicRepresentation",
         "hydra:mapping": [
           {
@@ -437,6 +434,30 @@ Feature: Create-Retrieve-Update-Delete
             "property": "relatedDummy.thirdLevel.fourthLevel.level",
             "required": false
           },
+          {
+            "@type": "IriTemplateMapping",
+            "variable": "relatedDummy.thirdLevel.badFourthLevel.level",
+            "property": "relatedDummy.thirdLevel.badFourthLevel.level",
+            "required": false
+          },
+          {
+            "@type": "IriTemplateMapping",
+            "variable": "relatedDummy.thirdLevel.badFourthLevel.level[]",
+            "property": "relatedDummy.thirdLevel.badFourthLevel.level",
+            "required": false
+          },
+          {
+            "@type": "IriTemplateMapping",
+            "variable": "relatedDummy.thirdLevel.fourthLevel.badThirdLevel.level",
+            "property": "relatedDummy.thirdLevel.fourthLevel.badThirdLevel.level",
+            "required": false
+          },
+          {
+            "@type": "IriTemplateMapping",
+            "variable": "relatedDummy.thirdLevel.fourthLevel.badThirdLevel.level[]",
+            "property": "relatedDummy.thirdLevel.fourthLevel.badThirdLevel.level",
+            "required": false
+          },
           {
               "@type": "IriTemplateMapping",
               "variable": "properties[]",
@@ -448,14 +469,14 @@ Feature: Create-Retrieve-Update-Delete
     }
     """
 
-  @mongodb
   Scenario: Update a resource
     When I add "Content-Type" header equal to "application/ld+json"
     And I send a "PUT" request to "/dummies/1" with body:
     """
     {
       "@id": "/dummies/1",
       "name": "A nice dummy",
+      "dummyDate": "2018-12-01 13:12",
       "jsonData": [{
           "key": "value1"
         },
@@ -478,7 +499,7 @@ Feature: Create-Retrieve-Update-Delete
       "description": null,
       "dummy": null,
       "dummyBoolean": null,
-      "dummyDate": "2015-03-01T10:00:00+00:00",
+      "dummyDate": "2018-12-01T13:12:00+00:00",
       "dummyFloat": null,
       "dummyPrice": null,
       "relatedDummy": null,
@@ -502,7 +523,6 @@ Feature: Create-Retrieve-Update-Delete
     }
     """
 
-  @mongodb
   Scenario: Update a resource with empty body
     When I add "Content-Type" header equal to "application/ld+json"
     And I send a "PUT" request to "/dummies/1"
@@ -519,7 +539,7 @@ Feature: Create-Retrieve-Update-Delete
       "description": null,
       "dummy": null,
       "dummyBoolean": null,
-      "dummyDate": "2015-03-01T10:00:00+00:00",
+      "dummyDate": "2018-12-01T13:12:00+00:00",
       "dummyFloat": null,
       "dummyPrice": null,
       "relatedDummy": null,
@@ -543,7 +563,6 @@ Feature: Create-Retrieve-Update-Delete
     }
     """
 
-  @mongodb
   Scenario: Delete a resource
     When I send a "DELETE" request to "/dummies/1"
     Then the response status code should be 204

features/main/relation.feature

@@ -20,6 +20,7 @@ Feature: Relations support
       "@id": "/third_levels/1",
       "@type": "ThirdLevel",
       "fourthLevel": null,
+      "badFourthLevel": null,
       "id": 1,
       "level": 3,
       "test": true

features/main/subresource.feature

@@ -245,6 +245,7 @@ Feature: Subresource support
       "@id": "/third_levels/1",
       "@type": "ThirdLevel",
       "fourthLevel": "/fourth_levels/1",
+      "badFourthLevel": null,
       "id": 1,
       "level": 3,
       "test": true
@@ -262,6 +263,7 @@ Feature: Subresource support
       "@context": "/contexts/FourthLevel",
       "@id": "/fourth_levels/1",
       "@type": "FourthLevel",
+      "badThirdLevel": [],
       "id": 1,
       "level": 4
     }

features/mongodb/filters.feature

@@ -0,0 +1,29 @@
+@mongodb
+Feature: Filters on collections
+  In order to retrieve large collections of resources
+  As a client software developer
+  I need to retrieve collections with filters
+
+  @createSchema
+  Scenario: Error when getting collection with nested properties if references are not correctly stored (owning side)
+    Given there is a dummy object with a fourth level relation
+    When I send a "GET" request to "/dummies?relatedDummy.thirdLevel.badFourthLevel.level=4"
+    Then the response status code should be 500
+    And the response should be in JSON
+    And the header "Content-Type" should be equal to "application/ld+json; charset=utf-8"
+    And the JSON node "@context" should be equal to "/contexts/Error"
+    And the JSON node "@type" should be equal to "hydra:Error"
+    And the JSON node "hydra:title" should be equal to "An error occurred"
+    And the JSON node "hydra:description" should be equal to "Cannot use reference 'badFourthLevel' in class 'ThirdLevel' for lookup or graphLookup: dbRef references are not supported."
+    And the JSON node "trace" should exist
+
+  Scenario: Error when getting collection with nested properties if references are not correctly stored (not owning side)
+    When I send a "GET" request to "/dummies?relatedDummy.thirdLevel.fourthLevel.badThirdLevel.level=3"
+    Then the response status code should be 500
+    And the response should be in JSON
+    And the header "Content-Type" should be equal to "application/ld+json; charset=utf-8"
+    And the JSON node "@context" should be equal to "/contexts/Error"
+    And the JSON node "@type" should be equal to "hydra:Error"
+    And the JSON node "hydra:title" should be equal to "An error occurred"
+    And the JSON node "hydra:description" should be equal to "Cannot use reference 'badThirdLevel' in class 'FourthLevel' for lookup or graphLookup: dbRef references are not supported."
+    And the JSON node "trace" should exist

src/Bridge/Doctrine/Common/Filter/RangeFilterTrait.php

@@ -96,7 +96,7 @@ private function normalizeValues(array $values, string $property): ?array
     /**
      * Normalize the values array for between operator.
      */
-    private function normalizeBetweenValues(array $values, string $property): ?array
+    private function normalizeBetweenValues(array $values): ?array
     {
         if (2 !== \count($values)) {
             $this->getLogger()->notice('Invalid filter ignored', [
@@ -120,7 +120,7 @@ private function normalizeBetweenValues(array $values, string $property): ?array
     /**
      * Normalize the value.
      */
-    private function normalizeValue(string $value, string $property, string $operator): ?string
+    private function normalizeValue(string $value, string $operator): ?string
     {
         if (!is_numeric($value)) {
             $this->getLogger()->notice('Invalid filter ignored', [

src/Bridge/Doctrine/MongoDbOdm/Filter/RangeFilter.php

@@ -73,7 +73,7 @@ protected function addMatch(Builder $aggregationBuilder, string $field, string $
             case self::PARAMETER_BETWEEN:
                 $rangeValue = explode('..', $value);
 
-                $rangeValue = $this->normalizeBetweenValues($rangeValue, $field);
+                $rangeValue = $this->normalizeBetweenValues($rangeValue);
                 if (null === $rangeValue) {
                     return;
                 }
@@ -82,7 +82,7 @@ protected function addMatch(Builder $aggregationBuilder, string $field, string $
 
                 break;
             case self::PARAMETER_GREATER_THAN:
-                $value = $this->normalizeValue($value, $field, $operator);
+                $value = $this->normalizeValue($value, $operator);
                 if (null === $value) {
                     return;
                 }
@@ -91,7 +91,7 @@ protected function addMatch(Builder $aggregationBuilder, string $field, string $
 
                 break;
             case self::PARAMETER_GREATER_THAN_OR_EQUAL:
-                $value = $this->normalizeValue($value, $field, $operator);
+                $value = $this->normalizeValue($value, $operator);
                 if (null === $value) {
                     return;
                 }
@@ -100,7 +100,7 @@ protected function addMatch(Builder $aggregationBuilder, string $field, string $
 
                 break;
             case self::PARAMETER_LESS_THAN:
-                $value = $this->normalizeValue($value, $field, $operator);
+                $value = $this->normalizeValue($value, $operator);
                 if (null === $value) {
                     return;
                 }
@@ -109,7 +109,7 @@ protected function addMatch(Builder $aggregationBuilder, string $field, string $
 
                 break;
             case self::PARAMETER_LESS_THAN_OR_EQUAL:
-                $value = $this->normalizeValue($value, $field, $operator);
+                $value = $this->normalizeValue($value, $operator);
                 if (null === $value) {
                     return;
                 }

src/Bridge/Doctrine/MongoDbOdm/ItemDataProvider.php

@@ -72,7 +72,7 @@ public function getItem(string $resourceClass, $id, string $operationName = null
 
         $id = (array) $id;
 
-        if (!$fetchData = $context['fetch_data'] ?? true) {
+        if (!($context['fetch_data'] ?? true)) {
             return $manager->getReference($resourceClass, reset($id));
         }