Validate static command argument type before deserialization
exyi committed Oct 22, 2023
1 parent f553323 commit 81b4bbe
Showing 1 changed file with 13 additions and 1 deletion.
14 changes: 13 additions & 1 deletion src/Framework/Framework/Hosting/DotvvmPresenter.cs
@@ -333,8 +333,20 @@ public async Task ProcessRequestCore(IDotvvmRequestContext context)

private object? ExecuteStaticCommandPlan(StaticCommandInvocationPlan plan, Queue<JToken> arguments, IDotvvmRequestContext context)
{
var parameters = plan.Method.GetParameters();
object? DeserializeArgument(Type type, int index)
{
var parameterType =
plan.Method.IsStatic ? parameters[index].ParameterType :
index == 0 ? plan.Method.DeclaringType :
parameters[index - 1].ParameterType;
if (!parameterType.IsAssignableFrom(type))

Check failure on line 343 in src/Framework/Framework/Hosting/DotvvmPresenter.cs

GitHub Actions / Build published projects without warnings (Release)

Dereference of a possibly null reference.

Check failure on line 343 in src/Framework/Framework/Hosting/DotvvmPresenter.cs

GitHub Actions / Build published projects without warnings (Release)

Dereference of a possibly null reference.

Check failure on line 343 in src/Framework/Framework/Hosting/DotvvmPresenter.cs

GitHub Actions / Build published projects without warnings (Debug)

Dereference of a possibly null reference.

Check failure on line 343 in src/Framework/Framework/Hosting/DotvvmPresenter.cs

GitHub Actions / Build published projects without warnings (Debug)

Dereference of a possibly null reference.
throw new Exception($"Argument {index} has an invalid type");
var arg = arguments.Dequeue();
return arg.ToObject(type);
}
var methodArgs = plan.Arguments.Select((a, index) =>
a.Type == StaticCommandParameterType.Argument ? arguments.Dequeue().ToObject((Type)a.Arg!) :
a.Type == StaticCommandParameterType.Argument ? DeserializeArgument((Type)a.Arg!, index) :
a.Type == StaticCommandParameterType.Constant || a.Type == StaticCommandParameterType.DefaultValue ? a.Arg :
a.Type == StaticCommandParameterType.Inject ?
#pragma warning disable CS0618
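Review bot: The new `parameterType.IsAssignableFrom(type)` check in `DeserializeArgument` is only as strict as the declared parameter type: for a parameter declared as `object` it accepts every `type`, and for an interface or broad base class every implementing or derived type, so `arg.ToObject(type)` still materialises whatever the plan names in those cases. If the plan's `a.Arg` can be influenced by the client (not visible in this hunk), consider requiring an exact match for such parameters, or at least record the limit with a comment such as `// Only rejects types unrelated to the parameter; object/interface-typed parameters still accept any compatible plan type.` Separately, `parameters[index]` and `parameters[index - 1]` are indexed by the position in `plan.Arguments` without a length check, so a plan with more arguments than the method has parameters would surface as an `IndexOutOfRangeException` rather than the intended validation error. `ExecuteStaticCommandPlan` continues past the end of the hunk.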