From 81b4bbe9ee82d90202ec2073cc3a34fcc8379330 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Standa=20Luke=C5=A1?=
Date: Sun, 22 Oct 2023 12:02:11 +0200
Subject: [PATCH] Validate static command argument type before deserialization
---
 src/Framework/Framework/Hosting/DotvvmPresenter.cs | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/src/Framework/Framework/Hosting/DotvvmPresenter.cs b/src/Framework/Framework/Hosting/DotvvmPresenter.cs
index 30ebeb526e..2c40e0ae8b 100644
--- a/src/Framework/Framework/Hosting/DotvvmPresenter.cs
+++ b/src/Framework/Framework/Hosting/DotvvmPresenter.cs
@@ -333,8 +333,20 @@ public async Task ProcessRequestCore(IDotvvmRequestContext context)
 private object? ExecuteStaticCommandPlan(StaticCommandInvocationPlan plan, Queue arguments, IDotvvmRequestContext context)
 {
+ var parameters = plan.Method.GetParameters();
+ object? DeserializeArgument(Type type, int index)
+ {
+ var parameterType =
+ plan.Method.IsStatic ? parameters[index].ParameterType :
+ index == 0 ? plan.Method.DeclaringType :
+ parameters[index - 1].ParameterType;
+ if (!parameterType.IsAssignableFrom(type))
+ throw new Exception($"Argument {index} has an invalid type");
+ var arg = arguments.Dequeue();
+ return arg.ToObject(type);
+ }
 var methodArgs = plan.Arguments.Select((a, index) =>
- a.Type == StaticCommandParameterType.Argument ? arguments.Dequeue().ToObject((Type)a.Arg!) :
+ a.Type == StaticCommandParameterType.Argument ? DeserializeArgument((Type)a.Arg!, index) :
 a.Type == StaticCommandParameterType.Constant || a.Type == StaticCommandParameterType.DefaultValue ? a.Arg :
 a.Type == StaticCommandParameterType.Inject ?
 #pragma warning disable CS0618
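Review bot: In `DeserializeArgument`, `parameterType.IsAssignableFrom(type)` only narrows the deserialization target: when the method parameter is declared as `object`, an interface or a base class, every compatible `type` taken from the plan still reaches `arg.ToObject(type)`. If the plan's types are not fully trusted at this point (their origin is not visible in this hunk), consider requiring an exact match for such parameters, or at least record the limit with a comment such as `// IsAssignableFrom is a compatibility check only: an object/interface parameter accepts any plan type`. Two smaller points in the same local function: `parameters[index]` is read without a range check, so a plan with more arguments than the method has parameters surfaces as `IndexOutOfRangeException` instead of the validation error, and `plan.Method.DeclaringType` is nullable, which `if (parameterType is null || !parameterType.IsAssignableFrom(type))` would cover. The body of `ExecuteStaticCommandPlan` continues past the end of the hunk.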