DefaultFieldResolver: callback through ObjectAccess vulnerability

[simstern]

When using the DefaultFieldResolver there is the following risk:

Resolving an object through the "magic" ObjectAccess returning a property value that is callable, the resolver will call this function.

        if (is_object($source) && ObjectAccess::isPropertyGettable($source, $fieldName)) {
            $resolvedProperty = ObjectAccess::getProperty($source, $fieldName);
        }

        if (is_callable($resolvedProperty)) {
            return $resolvedProperty($source, $args, $context, $info);
        }

I noticed this when working with a user with firstName "Max". I do not have a specific resolver for User.

So, first the DefaultFieldResolver gets the firstName property from the User object through ObjectAccess::getProperty and assignes $resolvedProperty = 'Max'. Since Max is callable, this is executed.

This is quite risky when working with user input. Possibly only support Closures here?

[Sebobo]

@johannessteu do you know how to solve this in the best & secure way?

[DrillSergeant]

I came across this today as well, in my case a company with name "Tan" caused the Resolver to try to call tan().

[simstern]

Just sumitted this PR: #38
It works for me for quite some time now.

[kdambekalns]

This is indeed risky and probably (for most people) unexpected. Limiting the call to Closure values as in the suggested PR sounds reasonable to me… does that match the intention of the DefaultFieldResolver behaviour, @johannessteu?