Json and PHP serializers should throw exception on failure

Open on Drupal.org →

Created on 13 February 2024, 8 months ago

Updated 17 September 2024, 11 days ago

Problem/Motivation

Currently the PhpSerialize and Json serialization classes do not provide indication of failure.

It is documented on the SerializationInterface API for \Drupal\Component\Serialization\Exception\InvalidDataTypeException to be thrown however neither implementation appears to to do so, as such errors are silently hidden which can lead to failure, The YAML serializer does raise exceptions on failure.

Setting as Critical per Priority as this can lead to Data Loss or Corruption.

Steps to reproduce

$serializer = \Drupal::service('serialization.json');
$data = $serializer->decode('s:8:"not json"');
var_dump($data); // NULL
$data= $serializer->decode('null');
var_dump($data); // NULL

Note: These serializers are part of the Base core install not part of the Serialization module.

Proposed resolution

Json: Use the JSON_THROW_ON_ERROR flag and catch \JsonException to raise \InvalidDataTypeException on both encode and decode. (Added PHP 7.3.0)
PHP: serialize() has no published fault scenario, unserialize() however will return FALSE on an error and set an error status. We can capture the FALSE and compare if the string matches a serialized FALSE, if not its a valid error. Inspired by discussions in 🐛 UserData only returns strings for scalar values Needs review

Sample versions of the above implementations with tests can be found in a contrib issue I'm working on.
https://git.drupalcode.org/issue/rabbitmq-3416009/-/commit/f12e4725e6110...

Remaining tasks

Patch

User interface changes

None

API changes

None

Data model changes

None

Release notes snippet

Json and PHP serilaizers will now detect faults and raise exception as indicated in the API specifications.

🐛 Bug report

Status

Needs work

Version

11.0 🔥

Component

Last updated 16 minutes ago

Maintained by
🇺🇸United States @effulgentsia
🇬🇧United Kingdom @catch
🇬🇧United Kingdom @alexpott
🇦🇺Australia @larowlan
🇺🇸United States @bnjmnm
🇫🇷France @nod_
🇪🇸Spain @ckrina
🇬🇧United Kingdom @justafish

Created by

🇺🇸United States cmlara

Live updates comments and jobs are added and updated live.

Sign in to follow issues

Merge Requests

!9512Json and PHP serializers should throw exception on failure
Open
🇮🇳India anandhi karnan
updated 10 days ago

Comments & Activities

Issue created by @cmlara
Comment 8 months ago →
🇺🇸United States cmlara
Comment 12 days ago →
🇮🇳India anandhi karnan Chennai
anandhi karnan → made their first commit to this issue’s fork.
Merge request !9512Issue #3421234 Json and PHP serializers should throw exception on failure → (Open) created by anandhi karnan
Comment 12 days ago →
🇮🇳India anandhi karnan Chennai
I have updated the serializers to handle failure scenarios more robustly:

PHP Serializer (PhpSerialize):

Added exception handling for unserialization errors.

Incorporated the allowed_classes option to enhance security and prevent unserialization of objects.

JSON Serializer (Json):

Implemented exception handling for JSON encoding and decoding, including handling invalid JSON and circular references.

Testing:

Added tests to verify correct behavior for both valid and invalid inputs, covering various edge cases.
Status changed to Needs review 12 days ago4:51am 17 September 2024
Comment 12 days ago →
🇮🇳India anandhi karnan Chennai
Pipeline finished with Failed
12 days ago
Total: 767s
#284968
Status changed to Needs work 11 days ago2:10pm 17 September 2024
Comment 11 days ago →
🇺🇸United States smustgrave
This broke all the tests it seems.

Also made validation go down so that should be looked at.
Pipeline finished with Failed
10 days ago
Total: 907s
#286828

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024