Merge pull request from GHSA-vr2x-7687-h6qv

AbstractCollectionNormalizer.php

@@ -14,6 +14,7 @@
 namespace ApiPlatform\Serializer;
 
 use ApiPlatform\Api\ResourceClassResolverInterface;
+use ApiPlatform\Metadata\Operation;
 use ApiPlatform\Metadata\Resource\Factory\ResourceMetadataCollectionFactoryInterface;
 use ApiPlatform\State\Pagination\PaginatorInterface;
 use ApiPlatform\State\Pagination\PartialPaginatorInterface;
@@ -89,6 +90,7 @@ public function normalize(mixed $object, string $format = null, array $context =
 
         unset($context['operation']);
         unset($context['operation_type'], $context['operation_name']);
+
         $itemsData = $this->getItemsData($object, $format, $context);
 
         return array_merge_recursive($data, $paginationData, $itemsData);
@@ -137,6 +139,13 @@ protected function getPaginationConfig(iterable $object, array $context = []): a
         return [$paginator, $paginated, $currentPage, $itemsPerPage, $lastPage, $pageTotalItems, $totalItems];
     }
 
+    protected function getOperation(array $context = []): Operation
+    {
+        $metadata = $this->resourceMetadataFactory->create($context['resource_class'] ?? '');
+
+        return $metadata->getOperation($context['operation_name'] ?? null);
+    }
+
     /**
      * Gets the pagination data.
      */

AbstractItemNormalizer.php

@@ -19,6 +19,7 @@
 use ApiPlatform\Exception\InvalidArgumentException;
 use ApiPlatform\Exception\ItemNotFoundException;
 use ApiPlatform\Metadata\ApiProperty;
+use ApiPlatform\Metadata\CollectionOperationInterface;
 use ApiPlatform\Metadata\Property\Factory\PropertyMetadataFactoryInterface;
 use ApiPlatform\Metadata\Property\Factory\PropertyNameCollectionFactoryInterface;
 use ApiPlatform\Metadata\Resource\Factory\ResourceMetadataCollectionFactoryInterface;
@@ -114,6 +115,11 @@ public function normalize(mixed $object, string $format = null, array $context =
             return $this->serializer->normalize($object, $format, $context);
         }
 
+        if (isset($context['operation']) && $context['operation'] instanceof CollectionOperationInterface) {
+            unset($context['operation']);
+            unset($context['iri']);
+        }
+
         if ($this->resourceClassResolver->isResourceClass($resourceClass)) {
             $context = $this->initContext($resourceClass, $context);
         }

CacheKeyTrait.php

@@ -13,6 +13,12 @@
 
 namespace ApiPlatform\Serializer;
 
+/**
+ * Used to override Symfony\Component\Serializer\Normalizer\AbstractObjectNormalizer::getCacheKey which is private
+ * We need the cache_key in JsonApi and Hal before it is computed in Symfony.
+ *
+ * @see https://github.com/symfony/symfony/blob/49b6ab853d81e941736a1af67845efa3401e7278/src/Symfony/Component/Serializer/Normalizer/AbstractObjectNormalizer.php#L723 which isn't protected
+ */
 trait CacheKeyTrait
 {
     private function getCacheKey(?string $format, array $context): string|bool
@@ -21,10 +27,14 @@ private function getCacheKey(?string $format, array $context): string|bool
             unset($context[$key]);
         }
         unset($context[self::EXCLUDE_FROM_CACHE_KEY]);
+        unset($context[self::OBJECT_TO_POPULATE]);
         unset($context['cache_key']); // avoid artificially different keys
 
         try {
-            return md5($format.serialize($context));
+            return hash('xxh128', $format.serialize([
+                'context' => $context,
+                'ignored' => $context[self::IGNORED_ATTRIBUTES] ?? $this->defaultContext[self::IGNORED_ATTRIBUTES],
+            ]));
         } catch (\Exception) {
             // The context cannot be serialized, skip the cache
             return false;

SerializerContextBuilder.php

@@ -18,6 +18,7 @@
 use ApiPlatform\Util\RequestAttributesExtractor;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\Serializer\Encoder\CsvEncoder;
+use Symfony\Component\Serializer\Normalizer\AbstractObjectNormalizer;
 use Symfony\Component\Serializer\Normalizer\DenormalizerInterface;
 
 /**
@@ -81,6 +82,10 @@ public function createFromRequest(Request $request, bool $normalization, array $
             $context[DenormalizerInterface::COLLECT_DENORMALIZATION_ERRORS] = true;
         }
 
+        // to keep the cache computation smaller, we have "operation_name" and "iri" anyways
+        $context[AbstractObjectNormalizer::EXCLUDE_FROM_CACHE_KEY][] = 'root_operation';
+        $context[AbstractObjectNormalizer::EXCLUDE_FROM_CACHE_KEY][] = 'operation';
+
         return $context;
     }
 }