Validate static command argument type before deserialization

riganti · Oct 22, 2023 · f833d62 · f833d62
1 parent f553323
commit f833d62
Showing 1 changed file with 14 additions and 1 deletion.
diff --git a/src/Framework/Framework/Hosting/DotvvmPresenter.cs b/src/Framework/Framework/Hosting/DotvvmPresenter.cs
@@ -25,6 +25,7 @@
 using Newtonsoft.Json.Linq;
 using System.Security;
 using System.Runtime.CompilerServices;
+using FastExpressionCompiler;
 
 namespace DotVVM.Framework.Hosting
 {
@@ -333,8 +334,20 @@ public async Task ProcessRequestCore(IDotvvmRequestContext context)
 
         private object? ExecuteStaticCommandPlan(StaticCommandInvocationPlan plan, Queue<JToken> arguments, IDotvvmRequestContext context)
         {
+            var parameters = plan.Method.GetParameters();
+            object? DeserializeArgument(Type type, int index)
+            {
+                var parameterType =
+                    plan.Method.IsStatic ? parameters[index].ParameterType :
+                    index == 0 ? plan.Method.DeclaringType :
+                    parameters[index - 1].ParameterType;
+                if (!parameterType.IsAssignableFrom(type))
+                    throw new Exception($"Argument {index} has an invalid type");
+                var arg = arguments.Dequeue();
+                return arg.ToObject(type);
+            }
             var methodArgs = plan.Arguments.Select((a, index) =>
-                a.Type == StaticCommandParameterType.Argument ? arguments.Dequeue().ToObject((Type)a.Arg!) :
+                a.Type == StaticCommandParameterType.Argument ? DeserializeArgument((Type)a.Arg!, index) :
                 a.Type == StaticCommandParameterType.Constant || a.Type == StaticCommandParameterType.DefaultValue ? a.Arg :
                 a.Type == StaticCommandParameterType.Inject ?
 #pragma warning disable CS0618