Harden the use of unserialize in InlineBlock via allowed classes

With security improvement not sure if the tests could be pushed to a followup but for now tagging for tests.

ilya.no → made their first commit to this issue’s fork.

I've added test, but it's not shown in https://git.drupalcode.org/project/drupal/-/merge_requests/4926/diffs section. I guess, it's due to serialized lines.
Also I've found, that function getEntity() is called mainly when we create/edit inline block via UI. But there is another place, when unserialize() function is called and it's saveBlockContent(), which is called on presave hook. So I've added separate function in order to avoid code duplication. In test I create node where component in field layout_builder__layout field, which contains serialized data.

Went to test this but appears there's conflict applying

error: missing binary patch data for 'core/modules/layout_builder/tests/src/Kernel/InlineBlockSerializationTest.php'
error: binary patch does not apply to 'core/modules/layout_builder/tests/src/Kernel/InlineBlockSerializationTest.php'

I've updated code, so there is no binary data anymore.

Re-ran tests-only feature and it passes without the change to core/modules/layout_builder/src/Plugin/Block/InlineBlock.php

I think it needs change record as of behavior change - unserialize with allowed classes may fail for existing sites which has a bet on existing way to unserialize. Test surely needs improvement

If you use Paragraphs on a Block Type in Layout Builder, you will get a fatal error:

Error: Cannot use object of type __PHP_Incomplete_Class as array in Drupal\entity_reference_revisions\Plugin\DataType\EntityReferenceRevisions->setValue() (line 116 of modules/contrib/entity_reference_revisions/src/Plugin/DataType/EntityReferenceRevisions.php).

I traced it back to this patch.

Unfortunately the Paragraph class never makes it into the allowed_classes list. When it is listed, it works. Example:

  /**
   * Processes serialized block correctly.
   *
   * @return mixed
   *   Result of unserialize() function.
   */
  protected function getUnserializedBlock(): mixed {
    $base_class = $this->entityTypeManager->getDefinition('block_content')->getClass();
    [, $bundle] = explode(PluginBase::DERIVATIVE_SEPARATOR, $this->getPluginId());
    $bundle_class = $this->entityTypeManager->getStorage('block_content')->getEntityClass($bundle);

    return unserialize($this->configuration['block_serialized'], ['allowed_classes' => [$base_class, $bundle_class, 'Drupal\paragraphs\Entity\Paragraph']]);
  }

Although I am unaware at the moment how to get "Paragraph" into that list. The block type is block_content with an EntityReferenceRevision field on it pointing at a Paragraph bundle.

Well that fixes the reading, but saving is broken with Paragraphs.

Disregard last comment, the saving issue was due to a change with Layout Builder iFrame Modal.

Adding an explicit pointer here to 📌 Allow field types to control how properties are mapped to and from storage Needs work which would potentially provide a path to not needing \unserialize() and deprecating serialization of PHP objects.

Changed hard-coded uuid's in the kernel test with generated uuid's.

Test can be reviewed. Set to 'Needs review'.

The Needs Review Queue Bot → tested this issue. It fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".

This does not mean that the patch necessarily needs to be re-rolled or the MR rebased. Read the Issue Summary, the issue tags and the latest discussion here to determine what needs to be done.

Consult the Drupal Contributor Guide → to find step-by-step guides for working with issues.

Fixed PHPCBF. Looking at the comment on the MR, the function is used twice, not once, so seems okay. That leaves a comment that needs to be improved. There is also a CSpell lint error from pipeline.

Remove 'Needs tests' tag.

liam morland → made their first commit to this issue’s fork.

Code comment improved.