Security check performed after custom provider code is already executed

[Miras4207]

API Platform version(s) affected: 4.1.x (and most likely older versions too)

Description

API Platform performs security check after the custom provider code is already executed. At the very least, this leads to:

• Confusion about intended behavior and best security practices, as this does not seem to be mentioned in documentation well enough.
• Potential DoS vulnerability in case the custom provider performs an expensive operation or persists data. For example:
  • Unauthorized client may cause unwanted data to be created, if provider generates and persists a data object that is then provided (f.e. sequence number).
  • Unauthorized client may cause unwanted server load, if provider performs a resource or time consuming operation (f.e. database query, request forwarding, ...).

This was also briefly discussed in StackOverflow here and is probably related to some other reported issues in this repository. Therefore I chose not to report this as a security incident to the designated email address, but rather create an issue here to spark discussion about possible solutions.

I see this as a major 'security gotcha' that should be resolved. If this is indeed an intended behavior, then I think it is wrong and should be changed.

How to reproduce

class MyProvider implements ProviderInterface
{
    public function __construct(private readonly Security $security) {}

    public function provide(Operation $operation, array $uriVariables = [], array $context = [])
    {
        var_dump($this->security->isGranted('ROLE_API'));
        echo "this code should not be executed without security check";
        die;
    }
}

#[ApiResource(
    operations: [
        new Get(
            uriTemplate: '/my-entity',
            security: "is_granted('ROLE_API')"
            provider: MyProvider::class,
        ),
    ],
)]
class MyEntity
{
    public int $id;
}

curl -X 'GET' \
  'http://localhost/api/my-entity' \
  -H 'accept: application/json'
  
bool(false)
this code should not be executed without security check

Possible Solution

In current version of API Platform, the only solution I am aware of is to explicitly check security inside of the custom data provider (i.e. WET code), or create your own event listener with higher priority than API Platform listeners, which will do the security check before the custom data provider is called.

In future version of API Platform, I would like to see that security check is performed before the custom data provider is called. If the problem here is that the security expression should work with object returned from the provider (f.e. is_granted('edit', object)), then something like securityPostDenormalize should be used instead in such scenarios. Alternatively, a new property attribute could be introduced (f.e. performSecurityAfterProvider with default value false) that would steer this behavior.

Additional Context

I did not check if this affects non-custom providers as well, but it probably does.

I am not sure if I misunderstood or overlooked something in documentation, so if there is something I am not aware of, please let me know how do you think this issue should be approached.

Thank you.

[soyuka]

I've answered this already a few weeks ago: #7093

The Symfony firewall can prevent this from happening not sure we need anything inside API Platform. Should we introduce a securityBeforeProvider?