#13 [HttpKernelExtensions] Prevent duplicate parameters in route and request body

Author: michaelzangerle

composer.json

@@ -1,6 +1,6 @@
 {
     "name": "fusonic/http-kernel-extensions",
-    "version": "1.0.4",
+    "version": "1.0.5",
     "description": "Symfony HttpKernel Component Extensions.",
     "type": "library",
     "authors": [

composer.lock

@@ -56,12 +56,10 @@ public function resolve(Request $request, ArgumentMetadata $argument): Generator
 
         if (in_array($request->getMethod(), self::METHODS_WITH_STRICT_TYPE_CHECKS, true)) {
             $options = [];
-            $content = $this->getRequestContent($request);
-            $data = array_merge($content, $routeParameters);
+            $data = $this->mergeRequestData($this->getRequestContent($request), $routeParameters);
         } else {
             $options = [AbstractObjectNormalizer::DISABLE_TYPE_ENFORCEMENT => true];
-            $queries = $this->getRequestQueries($request);
-            $data = array_merge($queries, $routeParameters);
+            $data = $this->mergeRequestData($this->getRequestQueries($request), $routeParameters);
         }
 
         $dto = $this->denormalize($data, $class, $options);
@@ -135,4 +133,13 @@ private function validate(RequestDto $dto): void
             throw new BadRequestHttpException('The request payload is invalid!'.PHP_EOL.$details);
         }
     }
+
+    private function mergeRequestData(array $data, array $routeParameters): array
+    {
+        if (count($keys = array_intersect_key($data, $routeParameters)) > 0) {
+            throw new BadRequestHttpException(sprintf('Parameters (%s) used as route attributes can not be used in the request body or query parameters.', implode(', ', array_keys($keys))));
+        }
+
+        return array_merge($data, $routeParameters);
+    }
 }

src/Controller/RequestDtoResolver.php

@@ -174,6 +174,35 @@ public function testInvalidRequestBodyHandling(): void
         $generator->current();
     }
 
+    public function testDuplicateKeyHandling(): void
+    {
+        $this->expectException(BadRequestHttpException::class);
+        $query = [
+            'int' => 5,
+            'float' => 9.99,
+            'string' => 'foobar',
+            'bool' => true,
+        ];
+        $attributes = [
+            '_route_params' => [
+                'int' => 5,
+                'float' => 9.99,
+                'string' => 'foobar',
+                'bool' => true,
+            ],
+        ];
+
+        $request = new Request($query, [], $attributes);
+        $request->setMethod(Request::METHOD_GET);
+        $argument = new ArgumentMetadata('dto', TestDto::class, false, false, null);
+
+        $resolver = new RequestDtoResolver($this->getDenormalizer(), $this->getValidator());
+        $generator = $resolver->resolve($request, $argument);
+
+        /** @var TestDto $dto */
+        $dto = $generator->current();
+    }
+
     public function testQueryParameterHandling(): void
     {
         $query = [