Restrict CallableStringifier to closures to prevent data leakage

The `CallableStringifier` is undeniably useful, but its convenience comes at a
security risk. By allowing strings and arrays to be interpreted as callables
by default, we risk exposing sensitive data—like passwords or hostnames—hidden
within those structures. Furthermore, it is often frustrating to have arbitrary
strings automatically turned into callable representations.

To fix this, I am moving to a "secure-by-default" stance. The stringifier now
defaults to closure-only mode. Closures are significantly less likely to expose
sensitive data in their contracts, making this a much safer baseline.

I have made an exception for Fibers. Since a Fiber explicitly contains a
callable, we know the usage is intentional, and being explicit about the
underlying callable is important for debugging clarity.

If someone still needs the original behavior, they can have it, but they must be
intentional. They can restore the previous functionality by manually defining
the `$closureOnly` parameter as `false` in the constructor.

Author: henriquemoody

README.md

@@ -103,23 +103,8 @@ echo stringify(new class { public int $property = 42; }) . PHP_EOL;
 echo stringify(new class extends WithProperties { }) . PHP_EOL;
 // `WithProperties@anonymous { +$publicProperty=true #$protectedProperty=42 }`
 
-echo stringify('chr') . PHP_EOL;
-// `chr(int $codepoint): string`
-
-echo stringify([new WithMethods(), 'publicMethod']) . PHP_EOL;
-// `WithMethods->publicMethod(Iterator&Countable $parameter): ?static`
-
-echo stringify('WithMethods::publicStaticMethod') . PHP_EOL;
-// `WithMethods::publicStaticMethod(int|float $parameter): void`
-
-echo stringify(['WithMethods', 'publicStaticMethod']) . PHP_EOL;
-// `WithMethods::publicStaticMethod(int|float $parameter): void`
-
-echo stringify(new WithInvoke()) . PHP_EOL;
-// `WithInvoke->__invoke(int $parameter = 0): never`
-
 echo stringify(static fn(int $foo): string => '') . PHP_EOL;
-// `function (int $foo): string`
+// `Closure { static fn (int $foo): string }`
 
 echo stringify(new DateTime()) . PHP_EOL;
 // `DateTime { 2023-04-21T11:29:03+00:00 }`

phpcs.xml.dist

@@ -32,4 +32,8 @@
     <rule ref="Generic.PHP.CharacterBeforePHPOpeningTag.Found">
         <exclude-pattern>tests/integration/</exclude-pattern>
     </rule>
+    <rule ref="SlevomatCodingStandard.Functions.StaticClosure.ClosureNotStatic">
+        <exclude-pattern>tests/integration</exclude-pattern>
+        <exclude-pattern>tests/unit/Stringifiers/CallableStringifierTest.php</exclude-pattern>
+    </rule>
 </ruleset>

src/Stringifiers/CallableStringifier.php

@@ -25,6 +25,7 @@
 
 use function array_keys;
 use function array_map;
+use function assert;
 use function count;
 use function implode;
 use function is_array;
@@ -44,43 +45,47 @@ final class CallableStringifier implements Stringifier
     public function __construct(
         private readonly Stringifier $stringifier,
         private readonly Quoter $quoter,
+        private readonly bool $closureOnly = true,
     ) {
     }
 
     public function stringify(mixed $raw, int $depth): string|null
     {
-        if (!is_callable($raw)) {
-            return null;
-        }
-
         if ($raw instanceof Closure) {
             return $this->buildFunction(new ReflectionFunction($raw), $depth);
         }
 
+        if ($this->closureOnly || !is_callable($raw)) {
+            return null;
+        }
+
         if (is_object($raw)) {
             return $this->buildMethod(new ReflectionMethod($raw, '__invoke'), $raw, $depth);
         }
 
-        if (is_array($raw) && is_object($raw[0]) && is_string($raw[1])) {
-            return $this->buildMethod(new ReflectionMethod($raw[0], $raw[1]), $raw[0], $depth);
+        if (is_array($raw) && is_object($raw[0])) {
+            $method = $raw[1];
+            assert(is_string($method));
+
+            return $this->buildMethod(new ReflectionMethod($raw[0], $method), $raw[0], $depth);
         }
 
-        if (is_array($raw) && is_string($raw[0]) && is_string($raw[1])) {
-            return $this->buildStaticMethod(new ReflectionMethod($raw[0], $raw[1]), $depth);
+        if (is_array($raw) && is_string($raw[0])) {
+            $method = $raw[1];
+            assert(is_string($method));
+
+            return $this->buildStaticMethod(new ReflectionMethod($raw[0], $method), $depth);
         }
 
-        if (is_string($raw) && str_contains($raw, ':')) {
+        /** @var callable-string $raw */
+        if (str_contains($raw, ':')) {
             /** @var class-string $class */
             $class = (string) strstr($raw, ':', true);
             $method = substr((string) strrchr($raw, ':'), 1);
 
             return $this->buildStaticMethod(new ReflectionMethod($class, $method), $depth);
         }
 
-        if (!is_string($raw)) {
-            return null;
-        }
-
         return $this->buildFunction(new ReflectionFunction($raw), $depth);
     }
 
@@ -107,8 +112,7 @@ private function buildStaticMethod(ReflectionMethod $reflection, int $depth): st
 
     private function buildSignature(ReflectionFunctionAbstract $function, int $depth): string
     {
-        $signature = $function->isClosure() ? 'function ' : $function->getName();
-        $signature .= sprintf(
+        $signature = sprintf(
             '(%s)',
             implode(
                 ', ',
@@ -138,7 +142,11 @@ private function buildSignature(ReflectionFunctionAbstract $function, int $depth
             $signature .= ': ' . $this->buildType($returnType, $depth);
         }
 
-        return $signature;
+        if ($function->isClosure()) {
+            return sprintf('Closure { %sfn%s }', $function->isStatic() ? 'static ' : '', $signature);
+        }
+
+        return $function->getName() . $signature;
     }
 
     private function buildParameter(ReflectionParameter $reflectionParameter, int $depth): string
@@ -192,15 +200,8 @@ private function buildType(ReflectionType $raw, int $depth): string
             );
         }
 
-        if ($raw instanceof ReflectionNamedType) {
-            $type = $raw->getName();
-            if ($raw->allowsNull()) {
-                $type = sprintf('?%s', $type);
-            }
-
-            return $type;
-        }
+        /** @var ReflectionNamedType $raw */
 
-        return '';
+        return ($raw->allowsNull() ? '?' : '') . $raw->getName();
     }
 }

src/Stringifiers/CompositeStringifier.php

@@ -60,8 +60,10 @@ public static function createDefault(): self
                 self::MAXIMUM_NUMBER_OF_PROPERTIES,
             ),
         );
-        $stringifier->prependStringifier($callableStringifier = new CallableStringifier($stringifier, $quoter));
-        $stringifier->prependStringifier(new FiberObjectStringifier($callableStringifier, $quoter));
+        $stringifier->prependStringifier(new CallableStringifier($stringifier, $quoter));
+        $stringifier->prependStringifier(
+            new FiberObjectStringifier(new CallableStringifier($stringifier, $quoter, closureOnly: false), $quoter),
+        );
         $stringifier->prependStringifier(new EnumerationStringifier($quoter));
         $stringifier->prependStringifier(new ObjectWithDebugInfoStringifier($arrayStringifier, $quoter));
         $stringifier->prependStringifier(new ArrayObjectStringifier($arrayStringifier, $quoter));

tests/integration/stringify-callable.phpt

@@ -5,25 +5,15 @@ declare(strict_types=1);
 
 require 'vendor/autoload.php';
 
-$variable = new WithInvoke();
+$variable = true;
 
 outputMultiple(
-    'chr',
-    $variable,
-    [new WithMethods(), 'publicMethod'],
-    'WithMethods::publicStaticMethod',
-    ['WithMethods', 'publicStaticMethod'],
-    static fn(int $foo): bool => (bool) $foo,
+    fn(int $foo): bool => (bool) $foo,
     static function (int $foo) use ($variable): string {
         return $variable::class;
     },
 );
 ?>
 --EXPECT--
-`chr(int $codepoint): string`
-`WithInvoke->__invoke(int $parameter = 0): never`
-`WithMethods->publicMethod(Iterator&Countable $parameter): ?static`
-`WithMethods::publicStaticMethod(int|float $parameter): void`
-`WithMethods::publicStaticMethod(int|float $parameter): void`
-`function (int $foo): bool`
-`function (int $foo) use ($variable): string`
+`Closure { fn(int $foo): bool }`
+`Closure { static fn(int $foo) use ($variable): string }`