api-platform · Dec 16, 2024
diff --git a/‎src/Metadata/ApiResource.php
+2 b/‎src/Metadata/ApiResource.php
+2
diff --git a/‎src/Metadata/Delete.php
+2 b/‎src/Metadata/Delete.php
+2
diff --git a/‎src/Metadata/Extractor/XmlResourceExtractor.php
+1 b/‎src/Metadata/Extractor/XmlResourceExtractor.php
+1
diff --git a/‎src/Metadata/Extractor/YamlResourceExtractor.php
+1 b/‎src/Metadata/Extractor/YamlResourceExtractor.php
+1
diff --git a/‎src/Metadata/Extractor/schema/resources.xsd
+1 b/‎src/Metadata/Extractor/schema/resources.xsd
+1
diff --git a/‎src/Metadata/Get.php
+2 b/‎src/Metadata/Get.php
+2
diff --git a/‎src/Metadata/GetCollection.php
+2 b/‎src/Metadata/GetCollection.php
+2
diff --git a/‎src/Metadata/HttpOperation.php
+2 b/‎src/Metadata/HttpOperation.php
+2
diff --git a/‎src/Metadata/Metadata.php
+14 b/‎src/Metadata/Metadata.php
+14
diff --git a/‎src/Metadata/Operation.php
+2 b/‎src/Metadata/Operation.php
+2
diff --git a/‎src/Metadata/Patch.php
+2 b/‎src/Metadata/Patch.php
+2
diff --git a/‎src/Metadata/Post.php
+2 b/‎src/Metadata/Post.php
+2
diff --git a/‎src/Metadata/Put.php
+2 b/‎src/Metadata/Put.php
+2
diff --git a/‎src/Metadata/Tests/Extractor/Adapter/XmlResourceAdapter.php
+1 b/‎src/Metadata/Tests/Extractor/Adapter/XmlResourceAdapter.php
+1
diff --git a/‎src/Metadata/Tests/Extractor/Adapter/resources.xml
+1-1 b/‎src/Metadata/Tests/Extractor/Adapter/resources.xml
+1-1
diff --git a/‎src/Metadata/Tests/Extractor/Adapter/resources.yaml
+2 b/‎src/Metadata/Tests/Extractor/Adapter/resources.yaml
+2
diff --git a/‎src/Metadata/Tests/Extractor/ResourceMetadataCompatibilityTest.php
+3 b/‎src/Metadata/Tests/Extractor/ResourceMetadataCompatibilityTest.php
+3
diff --git a/‎src/Metadata/Tests/Extractor/XmlExtractorTest.php
+4 b/‎src/Metadata/Tests/Extractor/XmlExtractorTest.php
+4
diff --git a/‎src/Metadata/Tests/Extractor/YamlExtractorTest.php
+2 b/‎src/Metadata/Tests/Extractor/YamlExtractorTest.php
+2
diff --git a/‎src/State/Exception/ParameterNotSupportedException.php
+50 b/‎src/State/Exception/ParameterNotSupportedException.php
+50
diff --git a/‎src/State/Provider/ParameterProvider.php
+16 b/‎src/State/Provider/ParameterProvider.php
+16
diff --git a/‎tests/Fixtures/TestBundle/ApiResource/StrictParameters.php
+35 b/‎tests/Fixtures/TestBundle/ApiResource/StrictParameters.php
+35
diff --git a/‎tests/Functional/Parameters/StrictParametersTest.php
+46 b/‎tests/Functional/Parameters/StrictParametersTest.php
+46
@@ -963,6 +963,7 @@ public function __construct(
         ?string $policy = null,
         array|string|null $middleware = null,
         array|Parameters|null $parameters = null,
+        protected ?bool $strictQueryParameterValidation = null,
         protected array $extraProperties = [],
     ) {
         parent::__construct(
@@ -1007,6 +1008,7 @@ class: $class,
             rules: $rules,
             policy: $policy,
             middleware: $middleware,
+            strictQueryParameterValidation: $strictQueryParameterValidation,
             extraProperties: $extraProperties
         );
 
 
@@ -98,6 +98,7 @@ public function __construct(
         mixed $rules = null,
         ?string $policy = null,
         array|string|null $middleware = null,
+        ?bool $strictQueryParameterValidation = null,
         array $extraProperties = [],
     ) {
         parent::__construct(
@@ -178,6 +179,7 @@ class: $class,
             extraProperties: $extraProperties,
             collectDenormalizationErrors: $collectDenormalizationErrors,
             parameters: $parameters,
+            strictQueryParameterValidation: $strictQueryParameterValidation,
             stateOptions: $stateOptions,
         );
     }
 
@@ -94,6 +94,7 @@ private function buildExtendedBase(\SimpleXMLElement $resource): array
             'paginationViaCursor' => $this->buildPaginationViaCursor($resource),
             'exceptionToStatus' => $this->buildExceptionToStatus($resource),
             'queryParameterValidationEnabled' => $this->phpize($resource, 'queryParameterValidationEnabled', 'bool'),
+            'strictQueryParameterValidation' => $this->phpize($resource, 'strictQueryParameterValidation', 'bool'),
             'stateOptions' => $this->buildStateOptions($resource),
             'links' => $this->buildLinks($resource),
             'headers' => $this->buildHeaders($resource),
 
@@ -338,6 +338,7 @@ private function buildOperations(array $resource, array $root): ?array
                 'write' => $this->phpize($operation, 'write', 'bool'),
                 'serialize' => $this->phpize($operation, 'serialize', 'bool'),
                 'queryParameterValidate' => $this->phpize($operation, 'queryParameterValidate', 'bool'),
+                'strictQueryParameterValidation' => $this->phpize($operation, 'strictQueryParameterValidation', 'bool'),
                 'priority' => $this->phpize($operation, 'priority', 'integer'),
                 'name' => $this->phpize($operation, 'name', 'string'),
                 'class' => (string) $class,
 
@@ -515,6 +515,7 @@
 
     <xsd:attributeGroup name="extendedBase">
         <xsd:attributeGroup ref="base"/>
+        <xsd:attribute type="xsd:boolean" name="strictQueryParameterValidation"/>
         <xsd:attribute type="xsd:boolean" name="queryParameterValidationEnabled"/>
         <xsd:attribute type="xsd:string" name="routePrefix"/>
         <xsd:attribute type="xsd:boolean" name="stateless"/>
 
@@ -98,6 +98,7 @@ public function __construct(
         mixed $rules = null,
         ?string $policy = null,
         array|string|null $middleware = null,
+        ?bool $strictQueryParameterValidation = null,
         array $extraProperties = [],
     ) {
         parent::__construct(
@@ -177,6 +178,7 @@ class: $class,
             rules: $rules,
             policy: $policy,
             middleware: $middleware,
+            strictQueryParameterValidation: $strictQueryParameterValidation,
             extraProperties: $extraProperties,
         );
     }
 
@@ -98,6 +98,7 @@ public function __construct(
         array|string|null $rules = null,
         ?string $policy = null,
         array|string|null $middleware = null,
+        ?bool $strictQueryParameterValidation = null,
         array $extraProperties = [],
         private ?string $itemUriTemplate = null,
     ) {
@@ -178,6 +179,7 @@ class: $class,
             rules: $rules,
             policy: $policy,
             middleware: $middleware,
+            strictQueryParameterValidation: $strictQueryParameterValidation,
             stateOptions: $stateOptions,
         );
     }
 
@@ -155,6 +155,7 @@ public function __construct(
         protected ?array $exceptionToStatus = null,
         protected ?array $links = null,
         protected ?array $errors = null,
+        protected ?bool $strictQueryParameterValidation = null,
 
         ?string $shortName = null,
         ?string $class = null,
@@ -257,6 +258,7 @@ class: $class,
             policy: $policy,
             middleware: $middleware,
             queryParameterValidationEnabled: $queryParameterValidationEnabled,
+            strictQueryParameterValidation: $strictQueryParameterValidation,
             extraProperties: $extraProperties
         );
     }
 
@@ -81,6 +81,7 @@ public function __construct(
         protected ?string $policy = null,
         protected array|string|null $middleware = null,
         protected ?bool $queryParameterValidationEnabled = null,
+        protected ?bool $strictQueryParameterValidation = null,
         protected array $extraProperties = [],
     ) {
         if (\is_array($parameters) && $parameters) {
@@ -666,4 +667,17 @@ public function withExtraProperties(array $extraProperties = []): static
 
         return $self;
     }
+
+    public function getStrictQueryParameterValidation(): ?bool
+    {
+        return $this->strictQueryParameterValidation;
+    }
+
+    public function withStrictQueryParameterValidation(bool $strictQueryParameterValidation): static
+    {
+        $self = clone $this;
+        $self->strictQueryParameterValidation = $strictQueryParameterValidation;
+
+        return $self;
+    }
 }
@@ -811,6 +811,7 @@ public function __construct(
         ?string $policy = null,
         array|string|null $middleware = null,
         ?bool $queryParameterValidationEnabled = null,
+        protected ?bool $strictQueryParameterValidation = null,
         protected array $extraProperties = [],
     ) {
         parent::__construct(
@@ -856,6 +857,7 @@ class: $class,
             policy: $policy,
             middleware: $middleware,
             queryParameterValidationEnabled: $queryParameterValidationEnabled,
+            strictQueryParameterValidation: $strictQueryParameterValidation,
             extraProperties: $extraProperties,
         );
     }
 
@@ -98,6 +98,7 @@ public function __construct(
         mixed $rules = null,
         ?string $policy = null,
         array|string|null $middleware = null,
+        ?bool $strictQueryParameterValidation = null,
         array $extraProperties = [],
     ) {
         parent::__construct(
@@ -178,6 +179,7 @@ class: $class,
             rules: $rules,
             policy: $policy,
             middleware: $middleware,
+            strictQueryParameterValidation: $strictQueryParameterValidation,
             extraProperties: $extraProperties
         );
     }
 
@@ -100,6 +100,7 @@ public function __construct(
         array|string|null $middleware = null,
         array $extraProperties = [],
         private ?string $itemUriTemplate = null,
+        ?bool $strictQueryParameterValidation = null,
     ) {
         parent::__construct(
             method: 'POST',
@@ -179,6 +180,7 @@ class: $class,
             rules: $rules,
             policy: $policy,
             middleware: $middleware,
+            strictQueryParameterValidation: $strictQueryParameterValidation,
             extraProperties: $extraProperties
         );
     }
 
@@ -99,6 +99,7 @@ public function __construct(
         ?string $policy = null,
         array|string|null $middleware = null,
         array $extraProperties = [],
+        ?bool $strictQueryParameterValidation = null,
         private ?bool $allowCreate = null,
     ) {
         parent::__construct(
@@ -179,6 +180,7 @@ class: $class,
             rules: $rules,
             policy: $policy,
             middleware: $middleware,
+            strictQueryParameterValidation: $strictQueryParameterValidation,
             extraProperties: $extraProperties
         );
     }
 
@@ -62,6 +62,7 @@ final class XmlResourceAdapter implements ResourceAdapterInterface
         'securityPostValidation',
         'securityPostValidationMessage',
         'queryParameterValidationEnabled',
+        'strictQueryParameterValidation',
         'stateOptions',
         'collectDenormalizationErrors',
         'links',
 
@@ -102,6 +102,7 @@ resources:
                     exceptionToStatus:
                         Symfony\Component\Serializer\Exception\ExceptionInterface: 404
                     queryParameterValidationEnabled: false
+                    strictQueryParameterValidation: false
                     read: true
                     deserialize: false
                     validate: false
@@ -339,6 +340,7 @@ resources:
             policy: null
             middleware: null
             parameters: null
+            strictQueryParameterValidation: false
             extraProperties:
                 custom_property: 'Lorem ipsum dolor sit amet'
                 another_custom_property:
 
@@ -96,6 +96,7 @@ final class ResourceMetadataCompatibilityTest extends TestCase
             'securityPostValidation' => 'is_granted(\'ROLE_OWNER\')',
             'securityPostValidationMessage' => 'Sorry, you must the owner of this resource to access it.',
             'queryParameterValidationEnabled' => true,
+            'strictQueryParameterValidation' => false,
             'types' => ['someirischema', 'anotheririschema'],
             'formats' => [
                 'json' => null,
@@ -399,6 +400,7 @@ final class ResourceMetadataCompatibilityTest extends TestCase
                         'Symfony\Component\Serializer\Exception\ExceptionInterface' => 404,
                     ],
                     'queryParameterValidationEnabled' => false,
+                    'strictQueryParameterValidation' => false,
                     'read' => true,
                     'deserialize' => false,
                     'validate' => false,
@@ -486,6 +488,7 @@ final class ResourceMetadataCompatibilityTest extends TestCase
         'condition',
         'controller',
         'queryParameterValidationEnabled',
+        'strictQueryParameterValidation',
         'exceptionToStatus',
         'types',
         'formats',
 
@@ -66,6 +66,7 @@ public function testValidXML(): void
                     'securityPostValidation' => null,
                     'securityPostValidationMessage' => null,
                     'queryParameterValidationEnabled' => null,
+                    'strictQueryParameterValidation' => null,
                     'input' => null,
                     'output' => null,
                     'types' => null,
@@ -136,6 +137,7 @@ public function testValidXML(): void
                     'securityPostValidation' => null,
                     'securityPostValidationMessage' => null,
                     'queryParameterValidationEnabled' => null,
+                    'strictQueryParameterValidation' => null,
                     'input' => null,
                     'output' => null,
                     'types' => ['someirischema', 'anotheririschema'],
@@ -264,6 +266,7 @@ public function testValidXML(): void
                             'write' => null,
                             'serialize' => null,
                             'queryParameterValidate' => null,
+                            'strictQueryParameterValidation' => null,
                             'collection' => null,
                             'method' => null,
                             'priority' => null,
@@ -367,6 +370,7 @@ public function testValidXML(): void
                             'write' => null,
                             'serialize' => null,
                             'queryParameterValidate' => null,
+                            'strictQueryParameterValidation' => null,
                             'collection' => null,
                             'method' => null,
                             'priority' => null,
 
@@ -274,6 +274,7 @@ public function testValidYaml(): void
                             'securityPostValidation' => null,
                             'securityPostValidationMessage' => null,
                             'queryParameterValidationEnabled' => null,
+                            'strictQueryParameterValidation' => null,
                             'input' => null,
                             'output' => null,
                             'types' => ['someirischema'],
@@ -353,6 +354,7 @@ public function testValidYaml(): void
                             'securityPostValidation' => null,
                             'securityPostValidationMessage' => null,
                             'queryParameterValidationEnabled' => null,
+                            'strictQueryParameterValidation' => null,
                             'input' => null,
                             'output' => null,
                             'types' => ['anotheririschema'],
 
@@ -0,0 +1,50 @@
+<?php
+
+/*
+ * This file is part of the API Platform project.
+ *
+ * (c) Kévin Dunglas <dunglas@gmail.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace ApiPlatform\State\Exception;
+
+use ApiPlatform\Metadata\Exception\ProblemExceptionInterface;
+use ApiPlatform\Metadata\Exception\RuntimeException;
+
+final class ParameterNotSupportedException extends RuntimeException implements ProblemExceptionInterface
+{
+    public function __construct(private readonly string $parameter, string $message = 'Parameter not supported', int $code = 0, ?\Throwable $previous = null)
+    {
+        parent::__construct($message, $code, $previous);
+    }
+
+    public function getType(): string
+    {
+        return '/error/400';
+    }
+
+    public function getTitle(): ?string
+    {
+        return $this->message;
+    }
+
+    public function getStatus(): ?int
+    {
+        return 400;
+    }
+
+    public function getDetail(): ?string
+    {
+        return \sprintf('Parameter "%s" not supported', $this->parameter);
+    }
+
+    public function getInstance(): ?string
+    {
+        return $this->parameter;
+    }
+}
@@ -13,7 +13,9 @@
 
 namespace ApiPlatform\State\Provider;
 
+use ApiPlatform\Metadata\HttpOperation;
 use ApiPlatform\Metadata\Operation;
+use ApiPlatform\State\Exception\ParameterNotSupportedException;
 use ApiPlatform\State\Exception\ProviderNotFoundException;
 use ApiPlatform\State\ParameterNotFound;
 use ApiPlatform\State\ParameterProviderInterface;
@@ -50,6 +52,20 @@ public function provide(Operation $operation, array $uriVariables = [], array $c
         }
 
         $parameters = $operation->getParameters();
+
+        if ($operation instanceof HttpOperation && true === $operation->getStrictQueryParameterValidation()) {
+            $keys = [];
+            foreach ($parameters as $parameter) {
+                $keys[] = $parameter->getKey();
+            }
+
+            foreach (array_keys($request->attributes->get('_api_query_parameters')) as $key) {
+                if (!\in_array($key, $keys, true)) {
+                    throw new ParameterNotSupportedException($key);
+                }
+            }
+        }
+
         foreach ($parameters ?? [] as $parameter) {
             $extraProperties = $parameter->getExtraProperties();
             unset($extraProperties['_api_values']);
 
@@ -0,0 +1,35 @@
+<?php
+
+/*
+ * This file is part of the API Platform project.
+ *
+ * (c) Kévin Dunglas <dunglas@gmail.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace ApiPlatform\Tests\Fixtures\TestBundle\ApiResource;
+
+use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\QueryParameter;
+
+#[Get(
+    uriTemplate: 'strict_query_parameters',
+    strictQueryParameterValidation: true,
+    parameters: [
+        'foo' => new QueryParameter(),
+    ],
+    provider: [self::class, 'provider']
+)]
+class StrictParameters
+{
+    public string $id;
+
+    public static function provider()
+    {
+        return new self();
+    }
+}
@@ -0,0 +1,46 @@
+<?php
+
+/*
+ * This file is part of the API Platform project.
+ *
+ * (c) Kévin Dunglas <dunglas@gmail.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace ApiPlatform\Tests\Functional\Parameters;
+
+use ApiPlatform\Symfony\Bundle\Test\ApiTestCase;
+use ApiPlatform\Tests\Fixtures\TestBundle\ApiResource\StrictParameters;
+use ApiPlatform\Tests\SetupClassResourcesTrait;
+
+final class StrictParametersTest extends ApiTestCase
+{
+    use SetupClassResourcesTrait;
+
+    /**
+     * @return class-string[]
+     */
+    public static function getResources(): array
+    {
+        return [StrictParameters::class];
+    }
+
+    public function testErrorAsParameterIsNotAllowed(): void
+    {
+        self::createClient()->request('GET', 'strict_query_parameters?bar=test');
+        $this->assertJsonContains(['detail' => 'Parameter not supported']);
+        $this->assertResponseStatusCodeSame(400);
+    }
+
+    public function testCorrectParameters(): void
+    {
+        self::createClient()->request('GET', 'strict_query_parameters');
+        $this->assertResponseStatusCodeSame(200);
+        self::createClient()->request('GET', 'strict_query_parameters?foo=test');
+        $this->assertResponseStatusCodeSame(200);
+    }
+}