
Exclude IRI from serializer's cache key to avoid cache explosion

Open amne opened this issue 1 year ago • 4 comments

| Q       | A   |
|---------|-----|
| Branch? | 3.2 |
| Tickets | N/A |
| License | MIT |
| Doc PR  | N/A |

Exclude the IRI from the serializer's cache key. Having this unique identifier in $context results in an explosion of private array caches when iterating over big result sets and normalizing items (batch processing jobs or exports).

Trying to serialize with a provided $context['cache_key'] would work, but this line https://github.com/symfony/symfony/blob/34915f6e16f04537eb18d9d2c303ec375e63cc4b/src/Symfony/Component/Serializer/Normalizer/AbstractObjectNormalizer.php#L708 results in normalized child contexts ignoring the provided 'cache_key' and generating unique cache keys, because the IRI is part of the hash.

No tests were added because I'm not really sure how to test for this. The affected cache behavior is in Symfony, not here.

amne, Jan 11 '24 22:01

Just add this value to your serializer context on the targeted operation? This has security impacts; we can't ignore the IRI.

soyuka, Jan 12 '24 09:01

@soyuka I'm curious to find out more about the security impact, or some leads on where to start. Thank you.

amne, Jan 15 '24 10:01

Doesn't

```php
#[ApiResource(normalizationContext: [AbstractObjectNormalizer::EXCLUDE_FROM_CACHE_KEY => ['iri']])]
```

work?

Not having the IRI inside a collection means you have the same cache for every item of that collection. When using the security option on properties, you don't want the same cache.

soyuka, Jan 15 '24 21:01

Manually adding the IRI to the cache-key exclusions works, of course.

I didn't dig deep enough in my initial investigation. Looking at features/authorization/deny, I can now see more clearly what the implications of this are.

amne, Jan 16 '24 21:01
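To make both sides of the thread concrete (the cache growth from the opening post and the per-property security point in soyuka's reply), here is an added toy model written for this page. It is not code from api-platform or symfony/serializer: the cache-key derivation (hash of the serialized context minus the excluded keys) and the per-class attribute cache only mirror the shape of AbstractObjectNormalizer, and the User and Document classes, the "only the owner sees secret" rule standing in for a property-level security option, and the sample data are all constructed for illustration. It assumes PHP 8.1 or later.

```php
<?php
// Added example, not api-platform or symfony/serializer code. The cache-key
// derivation and the attribute cache mirror the shape of AbstractObjectNormalizer;
// User, Document, the owner-only rule on "secret" and the sample data are constructed.
declare(strict_types=1);

final class User
{
    public function __construct(public readonly string $name) {}
}

final class Document
{
    public function __construct(
        public readonly int $id,
        public readonly string $title,
        public readonly string $secret,
        public readonly User $owner,
    ) {}
}

final class ToyNormalizer
{
    /** @var array<string, list<string>> "class-cacheKey" => allowed attribute names */
    private array $attributesCache = [];

    /** Same recipe as the serializer: drop the excluded keys, then hash the remaining context. */
    private function cacheKey(array $context): string
    {
        foreach ($context['exclude_from_cache_key'] ?? [] as $excluded) {
            unset($context[$excluded]);
        }
        unset($context['exclude_from_cache_key'], $context['cache_key']);

        return md5(serialize($context));
    }

    /** Stand-in for a property-level rule such as security: "object.owner == user" on $secret. */
    private function attributeAllowed(string $attribute, Document $object, User $user): bool
    {
        return $attribute !== 'secret' || $object->owner === $user;
    }

    public function normalize(Document $object, User $user, array $context): array
    {
        $context['cache_key'] ??= $this->cacheKey($context);
        $key = $object::class.'-'.$context['cache_key'];

        // The attribute list is computed once per key and reused for every object
        // that maps to that key, regardless of what the rule says for that object.
        $this->attributesCache[$key] ??= array_values(array_filter(
            ['id', 'title', 'secret'],
            fn (string $attribute): bool => $this->attributeAllowed($attribute, $object, $user),
        ));

        $data = [];
        foreach ($this->attributesCache[$key] as $attribute) {
            $data[$attribute] = $object->$attribute;
        }

        return $data;
    }

    public function cacheSize(): int
    {
        return \count($this->attributesCache);
    }
}

$alice = new User('alice');
$bob = new User('bob');
$documents = [
    new Document(1, 'mine', 'alice-only', $alice),
    new Document(2, 'theirs', 'bob-only', $bob),
];

// Case 1: the IRI stays in the context. Each item gets its own key, so alice never
// sees bob's secret, but the cache grows by one entry per item in the collection.
$normalizer = new ToyNormalizer();
foreach ($documents as $document) {
    $context = ['iri' => '/documents/'.$document->id, 'operation' => 'get_collection'];
    printf("iri kept     %-13s %s\n", $context['iri'], json_encode($normalizer->normalize($document, $alice, $context)));
}
printf("cache entries: %d\n\n", $normalizer->cacheSize());

// Case 2: the IRI is excluded from the key. One entry for the whole collection, but the
// attribute list computed for alice's own document is reused for bob's and leaks "secret".
$normalizer = new ToyNormalizer();
foreach ($documents as $document) {
    $context = ['iri' => '/documents/'.$document->id, 'operation' => 'get_collection', 'exclude_from_cache_key' => ['iri']];
    printf("iri excluded %-13s %s\n", $context['iri'], json_encode($normalizer->normalize($document, $alice, $context)));
}
printf("cache entries: %d\n", $normalizer->cacheSize());
```

Run with `php example.php`: the first loop reports two cache entries and omits `secret` from bob's document, the second loop reports a single entry and includes `bob-only` in the output for the user alice. That second outcome is the reason the IRI cannot simply be dropped from the key whenever any property carries a per-object security rule; excluding it is only safe for resources whose allowed attributes do not depend on the individual object.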

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot], Mar 16 '24 21:03