feat: More strictly check patch structural validity during fromJson

acoulton · acoulton · commit 7658f79950d2 · 2025-12-16T09:53:11.000Z
Improve test coverage of attempting to create a PatchOperationList from
JSON with invalid data. Update the implementation so that the majority
of potential issues will be detected and thrown as InvalidPatchException
or InvalidPatchOperationException.
diff --git a/src/operations/PatchOperationList.php b/src/operations/PatchOperationList.php
@@ -6,7 +6,10 @@
 use blancks\JsonPatch\exceptions\InvalidPatchOperationException;
 use blancks\JsonPatch\json\handlers\BasicJsonHandler;
 use blancks\JsonPatch\json\handlers\JsonHandlerInterface;
+use ArgumentCountError;
+use Error;
 use stdClass;
+use TypeError;
 
 final readonly class PatchOperationList implements \JsonSerializable
 {
@@ -45,23 +48,94 @@ public static function fromJson(
 
         return new PatchOperationList(
             ...array_map(
-                function (stdClass $patch) use ($classes) {
-                    // The top-level patch entries should be identical as objects or arrays, cast to array to allow
-                    // spreading the properties into the DTO constructors (which are assumed to match the JSON objects)
-                    $patch = (array) $patch;
-                    $op = $patch['op'];
-                    unset($patch['op']);
+                function (mixed $patch) use ($classes) {
+                    [$op, $values] = self::extractPatchOpAndValues($patch);
                     if (!isset($classes[$op])) {
                         throw new InvalidPatchOperationException(sprintf('Unknown operation "%s"', $op));
                     }
-
-                    return new $classes[$op](...$patch);
+                    return self::createPatchDtoFromValues($op, $classes[$op], $values);
                 },
                 $patches
             ),
         );
     }
 
+    /**
+     * @phpstan-return array{string, array<string, mixed>}
+     */
+    private static function extractPatchOpAndValues(mixed $patch): array
+    {
+        if (!$patch instanceof stdClass) {
+            throw new InvalidPatchOperationException(
+                sprintf('Each patch item must be an object, got %s', get_debug_type($patch))
+            );
+        }
+
+        if (!isset($patch->op)) {
+            throw new InvalidPatchOperationException('Each patch item must specify "op"');
+        }
+
+        if (!is_string($patch->op)) {
+            throw new InvalidPatchOperationException(
+                sprintf('Patch "op" must be a string, got %s', get_debug_type($patch->op))
+            );
+        }
+
+        $op = $patch->op;
+        unset($patch->op);
+
+        $values = [];
+        foreach ((array) $patch as $key => $value) {
+            // We rely on the properties being strings, to ensure that PHP will enforce that all named properties are
+            // present / defined when creating the arbitrary DTO object. Ensure this is the case
+            if (!is_string($key)) {
+                throw new InvalidPatchOperationException('All patch operation properties must have string names');
+            }
+            $values[$key] = $value;
+        }
+
+        return [$op, $values];
+    }
+
+    /**
+     * @phpstan-param class-string<PatchOperation> $class
+     * @param array<string, mixed> $values
+     * @return PatchOperation
+     *
+     * @throws InvalidPatchOperationException
+     */
+    private static function createPatchDtoFromValues(string $op, string $class, array $values): PatchOperation
+    {
+        try {
+            return new $class(...$values);
+        } catch (ArgumentCountError $e) {
+            // We can be relatively confident that this was triggered for the DTO constructor. If the DTO was calling a
+            // method (e.g. a parent method / internal helper method) with incorrect argument counts that should have
+            // been detected by its own tests.
+            throw new InvalidPatchOperationException(
+                sprintf('Missing required param(s) for %s operation as %s: %s', $op, $class, $e->getMessage()),
+                previous: $e,
+            );
+        } catch (TypeError $e) {
+            // We can be relatively confident that this relates to the property types passed to the DTO constructor.
+            // If the DTO constructor has a type signature that does not match the expected supported values, that
+            // should have been detected by its own tests.
+            throw new InvalidPatchOperationException(
+                sprintf('Invalid param(s) for %s operation as %s: %s', $op, $class, $e->getMessage()),
+                previous: $e,
+            );
+        } catch (Error $e) {
+            if (str_contains($e->getMessage(), 'Unknown named parameter')) {
+                // This does not have a dedicated error type so we have to match on the message.
+                throw new InvalidPatchOperationException(
+                    sprintf('Unexpected param(s) for %s operation as %s: %s', $op, $class, $e->getMessage()),
+                    previous: $e,
+                );
+            }
+            throw $e;
+        }
+    }
+
     /**
      * @no-named-arguments
      */
diff --git a/tests/operations/PatchOperationListTest.php b/tests/operations/PatchOperationListTest.php
@@ -29,13 +29,13 @@
 use Throwable;
 
 #[CoversClass(PatchOperationList::class)]
-#[UsesClass(Add::class)]
-#[UsesClass(Copy::class)]
-#[UsesClass(Move::class)]
-#[UsesClass(Remove::class)]
-#[UsesClass(Replace::class)]
-#[UsesClass(Test::class)]
-#[UsesClass(PatchOperation::class)]
+#[CoversClass(Add::class)]
+#[CoversClass(Copy::class)]
+#[CoversClass(Move::class)]
+#[CoversClass(Remove::class)]
+#[CoversClass(Replace::class)]
+#[CoversClass(Test::class)]
+#[CoversClass(PatchOperation::class)]
 #[UsesClass(FastJsonPatchExceptionTrait::class)]
 #[UsesClass(InvalidPatchException::class)]
 #[UsesClass(InvalidPatchOperationException::class)]
@@ -192,7 +192,7 @@ public function testItCanDecodeWithCustomOperationClasses(): void
         $result = PatchOperationList::fromJson(
             <<<'JSON'
             [
-              {"op":  "add", "path": "/greeting", "value": "Hello" },
+              {"op":  "add", "path": "/greeting", "value": "Hello", "custom": "my own var" },
               {"op":  "append", "path": "/greeting", "suffix": " World" },
               {"op":  "copy", "path": "/whatever", "from": "/greeting"}
             ]
@@ -205,7 +205,7 @@ public function testItCanDecodeWithCustomOperationClasses(): void
 
         $this->assertEquals(
             new PatchOperationList(
-                new CustomAdd('/greeting', 'Hello'),
+                new CustomAdd('/greeting', 'Hello', 'my own var'),
                 new Append('/greeting', ' World'),
                 new Copy(path: '/whatever', from: '/greeting'),
             ),
@@ -234,11 +234,75 @@ public static function invalidJsonProvider(): array
                 InvalidPatchException::class,
                 'Invalid patch structure (expected list, got stdClass)',
             ],
+            'patch item is not an object (example 1)' => [
+                '[["foo"]]',
+                InvalidPatchOperationException::class,
+                'Each patch item must be an object, got array',
+            ],
+            'patch item is not an object (example 2)' => [
+                '[{"op": "remove", "path": "/some/path"}, true]',
+                InvalidPatchOperationException::class,
+                'Each patch item must be an object, got bool',
+            ],
+            'patch without op property' => [
+                '[{"path": "/some/path", "value": "anything"}]',
+                InvalidPatchOperationException::class,
+                'Each patch item must specify "op"',
+            ],
+            'op is invalid type' => [
+                '[{"op": true}]',
+                InvalidPatchOperationException::class,
+                'Patch "op" must be a string, got bool',
+            ],
             'unknown operation' => [
                 '[{"op": "scramble", "path": "/anywhere"}]',
                 InvalidPatchOperationException::class,
                 'Unknown operation "scramble"',
             ],
+            'unexpected extra operation property' => [
+                '[{"op":"add", "path": "/foo", "value": "bar", "custom": "things"}]',
+                InvalidPatchOperationException::class,
+                // The message also contains the original PHP message but this varies between versions so we do not
+                // include it in the assertion.
+                sprintf(
+                    'Unexpected param(s) for add operation as %s',
+                    Add::class,
+                ),
+            ],
+            'missing operation property' => [
+                '[{"op":"add", "path": "/foo"}]',
+                InvalidPatchOperationException::class,
+                // The message also contains the original PHP message but this varies between versions so we do not
+                // include it in the assertion.
+                sprintf(
+                    'Missing required param(s) for add operation as %s',
+                    Add::class,
+                ),
+            ],
+            'operation property has incorrect type' => [
+                '[{"op":"add", "path": true, "value": "bar"}]',
+                InvalidPatchOperationException::class,
+                // The message also contains the original PHP message but this varies between versions so we do not
+                // include it in the assertion.
+                sprintf(
+                    'Invalid param(s) for add operation as %s',
+                    Add::class,
+                ),
+            ],
+            'operation with mixed string and int keys (example 1)' => [
+                // PHP would internally convert this into positional args and accept it even though there's no guarantee
+                // we have the right keys in the right sequence / have no extra properties.
+                '[{"op":"add", "0": "bar", "1": "/from"}]',
+                InvalidPatchOperationException::class,
+                'All patch operation properties must have string names'
+            ],
+            'operation with mixed string and int keys (example 2)' => [
+                // PHP would internally convert this into positional args and accept it even though there's no guarantee
+                // we have the right keys in the right sequence / have no extra properties.
+                '[{"op":"add", "1": "bar", "2": "/from"}]',
+                InvalidPatchOperationException::class,
+                'All patch operation properties must have string names'
+            ]
         ];
     }
 
@@ -272,6 +336,7 @@ public function __construct(
     public function __construct(
         public string $path,
         public mixed $value,
+        public mixed $custom,
     ) {
         parent::__construct('add');
     }
