We were in the process of upgrading our application from graphqlite v6 to v8, and we discovered an issue with v8.
This is a consequence of what was introduced here: thecodingmachine/graphqlite#657.
With this PR, graphqlite will now look for Types not only in the src/ space, but in the vendors as well. Which, btw, is totally legit. To reach this goal, the class explorer package was replaced with kcs/class-finder.
Now, we noticed that, in the dev environment, kcs/class-finder was looking for all the classes in the vendor/ directory and in the tests/ directory as well. It iterates over all the .php files, looking for classes:
// class-finder/lib/Iterator/Psr0Iterator.php::62
static function (string $path, string $class): void {
    class_exists($class, true);
}
The issue now is that class_exists will include the file, if not already loaded.
In our case, we have a tests/bootstrap.php file which contains plain code, no class declarations.
So kcs/class-finder will do class_exists('tests/bootstrap.php', true), the file will be included and its content executed. So we are basically executing every PHP file (which does not contain a class) in both vendor/ and tests/. Which should not be the case. For example, in our case, a simple run of:
bin/console cache:clear --env dev
will execute the tests/bootstrap.php, which has implementation specifics for the test env.
And, moreover, it may pose some security issues, given it will execute any code in any plain PHP file in any vendor/ subfolder.
Moreover, as per the current configuration, kcs/class-finder is called several times, so it requests the lists of files many times in each session, which means our tests/bootstrap.php file is included more than once, which causes other issues and makes the process slower.
Has anybody else experienced similar issues related to this?
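To illustrate the mitigation side of the issue described above, here is an added example (not code from graphqlite or kcs/class-finder) that discovers the classes a .php file declares by tokenizing it rather than calling class_exists(), so a file like tests/bootstrap.php is never included and its top-level code never runs. The sample files and the `classfinder-demo` directory are constructed for the demonstration, and the code assumes PHP 8.0 or later.

```php
<?php
// Added example, not code from graphqlite or kcs/class-finder. Finds the classes a
// .php file declares by tokenizing it instead of calling class_exists(), so the file
// is never included and its top-level code never runs. Assumes PHP >= 8.0.
function declaredClasses(string $path): array
{
    $tokens = token_get_all(file_get_contents($path));
    $n = count($tokens);
    $namespace = '';
    $classes = [];
    for ($i = 0; $i < $n; $i++) {
        if (!is_array($tokens[$i])) {
            continue;
        }
        if ($tokens[$i][0] === T_NAMESPACE) {
            // The namespace name follows the keyword, up to ';' or '{'.
            $namespace = '';
            for ($j = $i + 1; $j < $n && $tokens[$j] !== ';' && $tokens[$j] !== '{'; $j++) {
                if (is_array($tokens[$j]) && $tokens[$j][0] !== T_WHITESPACE) {
                    $namespace .= $tokens[$j][1];
                }
            }
        } elseif (in_array($tokens[$i][0], [T_CLASS, T_INTERFACE, T_TRAIT], true)) {
            // A real declaration is followed (after whitespace) by a T_STRING name;
            // "Foo::class" and "new class {...}" are not, so they are ignored.
            $j = $i + 1;
            while ($j < $n && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
                $j++;
            }
            if ($j < $n && is_array($tokens[$j]) && $tokens[$j][0] === T_STRING) {
                $classes[] = ltrim($namespace . '\\' . $tokens[$j][1], '\\');
            }
        }
    }
    return $classes;
}

// Constructed sample files standing in for tests/bootstrap.php and an autoloadable class.
$dir = sys_get_temp_dir() . '/classfinder-demo';
@mkdir($dir);
file_put_contents("$dir/bootstrap.php", "<?php\nfile_put_contents(__DIR__ . '/EXECUTED', '1');\n");
file_put_contents("$dir/Foo.php", "<?php\nnamespace App;\nclass Foo {}\n");

foreach (['bootstrap.php', 'Foo.php'] as $file) {
    printf("%s declares: %s\n", $file, implode(', ', declaredClasses("$dir/$file")) ?: '(nothing)');
}
// With class_exists() + autoload, the bootstrap file would have run and created this marker.
printf("bootstrap.php executed during scan: %s\n", file_exists("$dir/EXECUTED") ? 'yes' : 'no');
```

The same check can be used to confirm that a scan is side-effect free: if the marker file appears, something in the discovery path included the file instead of merely reading it.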