frontend serialization: resolve type before using their static name
authorAlexis Laferrière <alexis.laf@xymus.net>
Sat, 10 Sep 2016 18:27:23 +0000 (14:27 -0400)
committerAlexis Laferrière <alexis.laf@xymus.net>
Fri, 14 Oct 2016 19:18:31 +0000 (15:18 -0400)
Signed-off-by: Alexis Laferrière <alexis.laf@xymus.net>

src/frontend/serialization_phase.nit

index 4549144..1091c47 100644 (file)
@@ -317,14 +317,28 @@ do
                        var type_name = mtype.to_s
                        var name = attribute.name
 
+                       var resolved_type_name = type_name
+                       var mclassdef = nclassdef.mclassdef
+                       if mclassdef != null then
+                               var bound_mtype = mclassdef.bound_mtype
+                               var resolved_mtype = mtype.resolve_for(bound_mtype, bound_mtype, mclassdef.mmodule, true)
+                               resolved_type_name = resolved_mtype.name
+
+                               # TODO Use something like `V.class_name` to get the precise runtime type of virtual types.
+                               # We currently use the upper bound of virtual types as static type in generated code
+                               # for type suggestion and to prevent loading unexected types.
+                               # This leaves a security issue when, for example, `DefaultMap::default_value`
+                               # is bound to `nullable Object` and would allow any object to be loaded.
+                       end
+
                        if type_name == "nullable Object" then
                                # Don't type check
                                code.add """
-       self.{{{name}}} = v.deserialize_attribute("{{{attribute.serialize_name}}}", "{{{type_name}}}")
+       self.{{{name}}} = v.deserialize_attribute("{{{attribute.serialize_name}}}", "{{{resolved_type_name}}}")
 """
                        else
                                code.add """
-       var {{{name}}} = v.deserialize_attribute("{{{attribute.serialize_name}}}", "{{{type_name}}}")
+       var {{{name}}} = v.deserialize_attribute("{{{attribute.serialize_name}}}", "{{{resolved_type_name}}}")
        if v.deserialize_attribute_missing then
 """
                                # What to do when an attribute is missing?
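Review bot: The `if type_name == "nullable Object"` test below the new block still compares the unresolved name, so an attribute whose formal or virtual type only resolves to `nullable Object` takes the type-checked branch while passing an unrestricted hint to `deserialize_attribute`. The added TODO acknowledges that this lets any object be loaded, and the generated `isa` check runs only after the value has been deserialized, so it does not limit what gets instantiated. Consider having the phase report a warning at the attribute when `resolved_type_name == "nullable Object"` and `type_name` differs, so users of such classes learn that the restriction is absent rather than finding it in a source comment. The comment also has a typo, `unexected` for `unexpected`, and the resolved name comes from `resolved_mtype.name` while `type_name` uses `mtype.to_s`; if the two can differ in form, a line saying why would help. The enclosing method starts and ends outside this hunk.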
@@ -338,7 +352,7 @@ do
 
                                code.add """
        else if not {{{name}}} isa {{{type_name}}} then
-               v.errors.add new AttributeTypeError(self, "{{{attribute.serialize_name}}}", {{{name}}}, "{{{type_name}}}")
+               v.errors.add new AttributeTypeError(self, "{{{attribute.serialize_name}}}", {{{name}}}, "{{{resolved_type_name}}}")
                if v.keep_going == false then return
        else
                self.{{{name}}} = {{{name}}}
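Review bot: The generated check still reads `not {{{name}}} isa {{{type_name}}}` while the `AttributeTypeError` message now names `resolved_type_name`, so the error can report a different type than the one actually tested. That looks intentional, presumably because the generated code resolves the static name in the receiver's context, but nothing in the hunk says so. A comment above the `code.add` would make it explicit, for example `# The isa test keeps the static type name; the resolved name is only for the deserializer hint and the error message.` The generated-code string opened by `code.add` is closed outside this hunk.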