Restrict CallableStringifier to closures to prevent data leakage
#9
+135
−75
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
There was a problem hiding this comment.
Pull request overview
This PR restricts the CallableStringifier to only stringify closures by default, addressing security concerns about potential data leakage from stringifying arbitrary callables like strings and arrays. The change implements a "secure-by-default" approach with a closureOnly parameter that defaults to true.
Changes:
- Modified
CallableStringifierto addclosureOnlyparameter (default:true) and check for closures first - Updated closure signature format from
function (...)toClosure { [static] fn (...) } - Updated tests to use named data providers and test both closure-only and permissive modes
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| src/Stringifiers/CallableStringifier.php | Added closureOnly parameter with secure default, restructured logic to handle closures first, updated signature format |
| src/Stringifiers/CompositeStringifier.php | Created separate CallableStringifier instances - one closure-only for general use, one permissive for FiberObjectStringifier |
| tests/unit/Stringifiers/CallableStringifierTest.php | Split tests into closure-specific and non-closure callable tests, added test coverage for new default behavior |
| tests/integration/stringify-callable.phpt | Removed non-closure callable examples, updated expected output format |
| tests/src/Double/FakeStringifier.php | Changed return type from ?string to string |
| tests/fixtures/WithMethods.php | Changed return type from ?static to static |
| phpcs.xml.dist | Added exclusions for static closure rule in test files |
| README.md | Removed non-closure callable examples from documentation |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
henriquemoody
force-pushed
the
callable
branch
from
ecdcc84 to
cce56ae
Compare
henriquemoody
force-pushed
the
callable
branch
from
cce56ae to
a9c3510
Compare
henriquemoody
force-pushed
the
callable
branch
from
a9c3510 to
baaf520
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
henriquemoody
force-pushed
the
callable
branch
2 times, most recently
from
ce07549 to
49d2071
Compare
The `CallableStringifier` is undeniably useful, but its convenience comes at a security risk. By allowing strings and arrays to be interpreted as callables by default, we risk exposing sensitive data—like passwords or hostnames—hidden within those structures. Furthermore, it is often frustrating to have arbitrary strings automatically turned into callable representations. To fix this, I am moving to a "secure-by-default" stance. The stringifier now defaults to closure-only mode. Closures are significantly less likely to expose sensitive data in their contracts, making this a much safer baseline. I have made an exception for Fibers. Since a Fiber explicitly contains a callable, we know the usage is intentional, and being explicit about the underlying callable is important for debugging clarity. If someone still needs the original behavior, they can have it, but they must be intentional. They can restore the previous functionality by manually defining the `$closureOnly` parameter as `false` in the constructor.
henriquemoody
force-pushed
the
callable
branch
from
49d2071 to
676f823
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The
CallableStringifieris undeniably useful, but its convenience comes at a security risk. By allowing strings and arrays to be interpreted as callables by default, we risk exposing sensitive data—like passwords or hostnames—hidden within those structures. Furthermore, it is often frustrating to have arbitrary strings automatically turned into callable representations.To fix this, I am moving to a "secure-by-default" stance. The stringifier now defaults to closure-only mode. Closures are significantly less likely to expose sensitive data in their contracts, making this a much safer baseline.
I have made an exception for Fibers. Since a Fiber explicitly contains a callable, we know the usage is intentional, and being explicit about the underlying callable is important for debugging clarity.
If someone still needs the original behavior, they can have it, but they must be intentional. They can restore the previous functionality by manually defining the
$closureOnlyparameter asfalsein the constructor.