stof
commented
1 year ago PropertyInfo does not have full support for lists. It only has parser support for the, treating them like array<int, Type> (which is not the same than Type[] btw) so that we don't throw an exception when we don't understand a syntax.
Note that phpstan without bleedingEdge mode does exactly the same. Full support for list<Type> will only be enabled in phpstan 2.0.
Full support for lists in the Serializer and PropertyInfo is a new feature to me, not a bugfix.
carsonbot
Symfony version(s) affected
6.2.3
Description
list<Type>annotation in phpstan and psalm areBut when annotating an array like this, the deserializer (and I fear also the propertyinfo component) does not distinguish between a list and a generic array (
Type[]/array<Type>). It enforces in both cases that the array indexes are integers. But it does not check that the result is an array_is_list in the list case.So this means that you can actually deserialize a json object with integer keys instead of an actual json array and you will get a deserialized object where the array indexes are not sequential starting at 0.
How to reproduce
list<string>json_encode([5 => 'foo', 1 => 'bar'])which should failPossible Solution
array_is_listso it's not allowed to deserialize a json object into an listarray_valuesat the end to ensure the resulting array is valid according to the annotated typeAdditional Context
No response