Remove DeclaredHandler to prevent accidental internal discovery #11
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The `DeclaredHandler` has become a liability. Because class, interface, and enum names are represented as strings, we run the risk of the library "helpfully" identifying a piece of user input as an internal system part. If a user happens to input a string that matches an internal class or enum name, the stringifier would automatically confirm its existence by applying the specialized formatting. This creates an information leakage vulnerability where an outsider could map out our application's internal architecture simply by guessing names. By removing this handler, we ensure that a string is treated just as a string. This follows our recent "secure-by-default" trend seen in the `CallableStringifier` changes: we are prioritizing the privacy of the application's internal blueprint over the convenience of automatic type detection.
There was a problem hiding this comment.
Pull request overview
This pull request removes the DeclaredHandler to address a security vulnerability where user-supplied strings matching internal class, interface, trait, or enum names could be automatically detected and specially formatted, potentially leaking information about the application's internal architecture.
Changes:
- Removed
DeclaredHandlerclass and all its references - Updated documentation to remove examples of class name stringification
- Removed all associated tests for the removed functionality
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| src/Handlers/DeclaredHandler.php | Complete removal of the handler that detected and formatted declared type names from strings |
| src/Handlers/CompositeHandler.php | Removed DeclaredHandler from the handler chain in the create() method |
| tests/unit/Handlers/DeclaredHandlerTest.php | Removed unit tests for the deleted handler |
| tests/integration/stringify-declared.phpt | Removed integration test demonstrating class name stringification |
| README.md | Removed documentation examples showing class name and enum stringification as strings |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The
DeclaredHandlerhas become a liability. Because class, interface, and enum names are represented as strings, we run the risk of the library "helpfully" identifying a piece of user input as an internal system part.If a user happens to input a string that matches an internal class or enum name, the stringifier would automatically confirm its existence by applying the specialized formatting. This creates an information leakage vulnerability where an outsider could map out our application's internal architecture simply by guessing names.
By removing this handler, we ensure that a string is treated just as a string. This follows our recent "secure-by-default" trend seen in the
CallableStringifierchanges: we are prioritizing the privacy of the application's internal blueprint over the convenience of automatic type detection.