fix: prevent callable strings

loks0n · loks0n · commit 2cad921b3f92 · 2025-07-02T16:25:30.000+01:00
diff --git a/composer.json b/composer.json
@@ -16,6 +16,11 @@
             "Tests\\E2E\\": "tests/e2e"
         }
     },
+    "autoload-dev": {
+        "psr-4": {
+            "Utopia\\Http\\Tests\\": "tests/"
+        }
+    },
     "scripts": {
         "lint": "vendor/bin/pint --test",
         "format": "vendor/bin/pint",
diff --git a/phpunit.xml b/phpunit.xml
@@ -1,17 +1,18 @@
-<phpunit backupGlobals="false"
-         backupStaticAttributes="false"
-         bootstrap="vendor/autoload.php"
-         colors="true"
-         convertErrorsToExceptions="true"
-         convertNoticesToExceptions="true"
-         convertWarningsToExceptions="true"
-         processIsolation="false"
-         stopOnFailure="false"
-        >
+<phpunit
+    backupGlobals="false"
+    backupStaticAttributes="false"
+    bootstrap="vendor/autoload.php"
+    colors="true"
+    convertErrorsToExceptions="true"
+    convertNoticesToExceptions="true"
+    convertWarningsToExceptions="true"
+    processIsolation="false"
+    stopOnFailure="false"
+>
     <testsuites>
         <testsuite name="Application Test Suite">
             <file>./tests/e2e/Client.php</file>
             <directory>./tests/</directory>
         </testsuite>
     </testsuites>
-</phpunit>
+</phpunit>
diff --git a/src/Http/Http.php b/src/Http/Http.php
@@ -740,7 +740,7 @@ protected function getArguments(Hook $hook, string $context, array $values, arra
             $paramExists = $existsInRequest || $existsInValues;
 
             $arg = $existsInRequest ? $requestParams[$key] : $param['default'];
-            if (\is_callable($arg)) {
+            if (\is_callable($arg) && !\is_string($arg)) {
                 $arg = \call_user_func_array($arg, $this->getResources($param['injections']));
             }
             $value = $existsInValues ? $values[$key] : $arg;
diff --git a/tests/HttpTest.php b/tests/HttpTest.php
@@ -454,7 +454,7 @@ public function providerRouteMatching(): array
     /**
      * @dataProvider providerRouteMatching
      */
-    public function testCanMatchRoute(string $method, string $path, string $url = null): void
+    public function testCanMatchRoute(string $method, string $path, ?string $url = null): void
     {
         $url ??= $path;
         $expected = null;
@@ -616,4 +616,61 @@ public function testWildcardRoute(): void
         $_SERVER['REQUEST_METHOD'] = $method;
         $_SERVER['REQUEST_URI'] = $uri;
     }
+
+    public function testCallableStringParametersNotExecuted(): void
+    {
+        // Test that callable strings (like function names) are not executed
+        $route = new Route('GET', '/test-callable-string');
+
+        $route
+            ->param('callback', 'phpinfo', new Text(200), 'callback param', true)
+            ->action(function ($callback) {
+                // If the string 'phpinfo' was executed as a function,
+                // it would output PHP info. Instead, it should just be the string.
+                echo 'callback-value: ' . $callback;
+            });
+
+        \ob_start();
+        $this->http->execute($route, new Request(), '1');
+        $result = \ob_get_contents();
+        \ob_end_clean();
+
+        $this->assertEquals('callback-value: phpinfo', $result);
+
+        // Test with request parameter that is a callable string
+        $route2 = new Route('GET', '/test-callable-string-param');
+
+        $route2
+            ->param('func', 'default', new Text(200), 'func param', false)
+            ->action(function ($func) {
+                echo 'func-value: ' . $func;
+            });
+
+        \ob_start();
+        $request = new UtopiaFPMRequestTest();
+        $request::_setParams(['func' => 'system']);
+        $this->http->execute($route2, $request, '1');
+        $result = \ob_get_contents();
+        \ob_end_clean();
+
+        $this->assertEquals('func-value: system', $result);
+
+        // Test callable closure still works
+        $route3 = new Route('GET', '/test-callable-closure');
+
+        $route3
+            ->param('generated', function () {
+                return 'generated-value';
+            }, new Text(200), 'generated param', true)
+            ->action(function ($generated) {
+                echo 'generated: ' . $generated;
+            });
+
+        \ob_start();
+        $this->http->execute($route3, new Request(), '1');
+        $result = \ob_get_contents();
+        \ob_end_clean();
+
+        $this->assertEquals('generated: generated-value', $result);
+    }
 }
diff --git a/tests/UtopiaFPMRequestTest.php b/tests/UtopiaFPMRequestTest.php

Original file line number	Diff line number	Diff line change
`@@ -740,7 +740,7 @@ protected function getArguments(Hook $hook, string $context, array $values, arra`
`740`	`740`	`$paramExists = $existsInRequest \|\| $existsInValues;`
`741`	`741`
`742`	`742`	`$arg = $existsInRequest ? $requestParams[$key] : $param['default'];`
`743`		`- if (\is_callable($arg)) {`
	`743`	`+ if (\is_callable($arg) && !\is_string($arg)) {`
`744`	`744`	`$arg = \call_user_func_array($arg, $this->getResources($param['injections']));`
`745`	`745`	`}`
`746`	`746`	`$value = $existsInValues ? $values[$key] : $arg;`