[API] Endpoint to add review does not accept newline characters in the body

[christopherhero]

Sylius version affected: All versions 1.13, 1.14 and 2.0

Description
Using a newline character in the comment field in the endpoint: api/v2/shop/product-reviews causes an error.
This issue has been occurring since the commit in symfony/http-foundation symfony/http-foundation@168b77c, which fixes the issue GHSA-mrqx-rp3w-jpjp

Using the Symfony version, e.g. v6.4.13, which is one of the versions without the mentioned patch, the problem does not occur.

Example

url: api/v2/shop/product-reviews

Request Body:

{
	"rating": 5,
	"product": "everyday_white_basic_t_shirt",
	"title": "Review title",
	"comment": "review comment \n test 123"
}

Response:

{
	"@context": "/api/v2/contexts/Error",
	"@type": "hydra:Error",
	"hydra:title": "An error occurred",
	"hydra:description": "Invalid URI: A URI cannot contain CR/LF/TAB characters."
}

[nicolalazzaro]

I don't understand, though, why this check is being performed on the request payload. The URI is mentioned, but it's something different from the payload. Am I missing something? I'm referring to the patch released by Symfony.

[christopherhero]

I don't understand, though, why this check is being performed on the request payload. The URI is mentioned, but it's something different from the payload. Am I missing something? I'm referring to the patch released by Symfony.

The Symfony patch indeed concerns URI security, not payload - you're right.

The issue in Sylius occurs because we use the Symfony router component in an unconventional way - we pass field values from the command (which come from the request, so from the payload) to router->match().

We do this in Sylius API to validate whether the provided values are identifiers

https://github.com/Sylius/Sylius/blob/2.1/src/Sylius/Bundle/ApiBundle/Serializer/Denormalizer/CommandArgumentsDenormalizer.php#L69