feature #62230 [Messenger] Support signing messages per handler (nicolas-grekas)

fabpot · fabpot · commit bfaa4835d2f6 · 2025-11-01T17:13:11.000+01:00
This PR was merged into the 7.4 branch.

Discussion
----------

[Messenger] Support signing messages per handler

| Q             | A
| ------------- | ---
| Branch?       | 7.4
| Bug fix?      | no
| New feature?  | yes
| Deprecations? | no
| Issues        | -
| License       | MIT

At the moment, if one is able to inject a forged payload into a queue, one can trigger any handler via the messenger consumer, including eg `RunProcessHandler`. This is not a security issue in Symfony itself because queues should be protected from arbitrary payload injection. But it'd still be nice to harden this.

This PR adds a new `sign` attribute to the `messenger.message_handler` DI tag (which can be set either via explicit config or via `#[AsMessageHandler]`).

When at least one handler does so, a `SigningSerializer` decorator is added to all transport serializers. This then computes the signature when encoding a message bound to such handlers, and verifies it when decoding one.

The `sign` attribute is enabled for `RunProcessHandler` and `RunCommandHandler`, and can be for any others of yours.

Submitting for 7.4 as having a hardened LTS looks important to me.

Commits
-------

21c5ac56aca [Messenger] Support signing messages per handler
diff --git a/DependencyInjection/FrameworkExtension.php b/DependencyInjection/FrameworkExtension.php
@@ -2556,6 +2556,7 @@ private function registerMessengerConfiguration(array $config, ContainerBuilder
         $senderAliases = [];
         $transportRetryReferences = [];
         $transportRateLimiterReferences = [];
+        $serializerIds = [];
         foreach ($config['transports'] as $name => $transport) {
             $serializerId = $transport['serializer'] ?? 'messenger.default_serializer';
             $tags = [
@@ -2572,6 +2573,7 @@ private function registerMessengerConfiguration(array $config, ContainerBuilder
             ;
             $container->setDefinition($transportId = 'messenger.transport.'.$name, $transportDefinition);
             $senderAliases[$name] = $transportId;
+            $serializerIds[$transportId] = $serializerId;
 
             if (null !== $transport['retry_strategy']['service']) {
                 $transportRetryReferences[$name] = new Reference($transport['retry_strategy']['service']);
@@ -2599,13 +2601,11 @@ private function registerMessengerConfiguration(array $config, ContainerBuilder
         }
 
         $senderReferences = [];
-        // alias => service_id
-        foreach ($senderAliases as $alias => $serviceId) {
-            $senderReferences[$alias] = new Reference($serviceId);
+        foreach ($senderAliases as $alias => $transportId) {
+            $senderReferences[$alias] = new Reference($transportId);
         }
-        // service_id => service_id
-        foreach ($senderAliases as $serviceId) {
-            $senderReferences[$serviceId] = new Reference($serviceId);
+        foreach ($senderAliases as $transportId) {
+            $senderReferences[$transportId] = new Reference($transportId);
         }
 
         foreach ($config['transports'] as $name => $transport) {
@@ -2616,7 +2616,7 @@ private function registerMessengerConfiguration(array $config, ContainerBuilder
             }
         }
 
-        $failureTransportReferencesByTransportName = array_map(fn ($failureTransportName) => $senderReferences[$failureTransportName], $failureTransportsByName);
+        $failureTransportReferencesByTransportName = array_map(static fn ($failureTransportName) => $senderReferences[$failureTransportName], $failureTransportsByName);
 
         $messageToSendersMapping = [];
         foreach ($config['routing'] as $message => $messageConfiguration) {
@@ -2645,6 +2645,18 @@ private function registerMessengerConfiguration(array $config, ContainerBuilder
             ->replaceArgument(1, $sendersServiceLocator)
         ;
 
+        $messageToSerializersMapping = [];
+        foreach ($messageToSendersMapping as $message => $senders) {
+            foreach ($senders as $sender) {
+                $serializerId = $serializerIds[$senderAliases[$sender] ?? $sender];
+                $messageToSerializersMapping[$message][$serializerId] = $serializerId;
+            }
+            $messageToSerializersMapping[$message] = array_keys($messageToSerializersMapping[$message]);
+        }
+
+        $container->getDefinition('messenger.signing_serializer')
+            ->replaceArgument(2, $messageToSerializersMapping);
+
         $container->getDefinition('messenger.retry.send_failed_message_for_retry_listener')
             ->replaceArgument(0, $sendersServiceLocator)
         ;
@@ -2943,7 +2955,7 @@ private function registerCachingHttpClient(array $options, array $defaultOptions
 
         $container
             ->register($name.'.caching', CachingHttpClient::class)
-            ->setDecoratedService($name, null,  15)
+            ->setDecoratedService($name, null, 15)
             ->setArguments([
                 new Reference('.inner'),
                 new Reference($options['cache_pool']),
diff --git a/Resources/config/console.php b/Resources/config/console.php
@@ -407,6 +407,6 @@
             ->args([
                 service('console.messenger.application'),
             ])
-            ->tag('messenger.message_handler')
+            ->tag('messenger.message_handler', ['sign' => true])
     ;
 };
diff --git a/Resources/config/messenger.php b/Resources/config/messenger.php
@@ -11,6 +11,7 @@
 
 namespace Symfony\Component\DependencyInjection\Loader\Configurator;
 
+use Symfony\Component\DependencyInjection\Parameter;
 use Symfony\Component\DependencyInjection\ServiceLocator;
 use Symfony\Component\Messenger\Bridge\AmazonSqs\Transport\AmazonSqsTransportFactory;
 use Symfony\Component\Messenger\Bridge\Amqp\Transport\AmqpTransportFactory;
@@ -44,13 +45,13 @@
 use Symfony\Component\Messenger\Transport\Serialization\PhpSerializer;
 use Symfony\Component\Messenger\Transport\Serialization\Serializer;
 use Symfony\Component\Messenger\Transport\Serialization\SerializerInterface;
+use Symfony\Component\Messenger\Transport\Serialization\SigningSerializer;
 use Symfony\Component\Messenger\Transport\Sync\SyncTransportFactory;
 use Symfony\Component\Messenger\Transport\TransportFactory;
+use Symfony\Component\String\LazyString;
 
 return static function (ContainerConfigurator $container) {
     $container->services()
-        ->alias(SerializerInterface::class, 'messenger.default_serializer')
-
         // Asynchronous
         ->set('messenger.senders_locator', SendersLocator::class)
             ->args([
@@ -79,6 +80,22 @@
 
         ->set('messenger.transport.native_php_serializer', PhpSerializer::class)
         ->alias('messenger.default_serializer', 'messenger.transport.native_php_serializer')
+        ->alias(SerializerInterface::class, 'messenger.default_serializer')
+
+        ->set('messenger.signing_serializer', SigningSerializer::class)
+            ->abstract()
+            ->args([
+                service('.inner'),
+                inline_service('string') // wrap the signing key in a lazy string to prevent a hard dependency on the kernel.secret parameter
+                    ->factory(class_exists(LazyString::class) ? [LazyString::class, 'fromCallable'] : 'current')
+                    ->args([
+                        class_exists(LazyString::class, false) ? service_closure('.messenger.signing_serializer.signing_key') : [new Parameter('kernel.secret')],
+                    ]),
+                abstract_arg('message types to serializers'), // read and replaced by MessengerPass
+            ])
+        ->set('.messenger.signing_serializer.signing_key', 'string')
+            ->factory('current')
+            ->args([[new Parameter('kernel.secret')]])
 
         // Middleware
         ->set('messenger.middleware.handle_message', HandleMessageMiddleware::class)
diff --git a/Resources/config/process.php b/Resources/config/process.php
@@ -17,6 +17,6 @@
     $container
         ->services()
             ->set('process.messenger.process_message_handler', RunProcessMessageHandler::class)
-                ->tag('messenger.message_handler')
+                ->tag('messenger.message_handler', ['sign' => true])
     ;
 };
diff --git a/Tests/DependencyInjection/PhpFrameworkExtensionTest.php b/Tests/DependencyInjection/PhpFrameworkExtensionTest.php
@@ -18,6 +18,7 @@
 use Symfony\Component\DependencyInjection\Exception\LogicException;
 use Symfony\Component\DependencyInjection\Exception\OutOfBoundsException;
 use Symfony\Component\DependencyInjection\Loader\PhpFileLoader;
+use Symfony\Component\Messenger\Tests\Fixtures\DummyMessage;
 use Symfony\Component\RateLimiter\CompoundRateLimiterFactory;
 use Symfony\Component\RateLimiter\RateLimiterFactoryInterface;
 use Symfony\Component\Validator\Constraints\Email;
@@ -425,6 +426,40 @@ public static function emailValidationModeProvider()
         }
         yield ['loose'];
     }
+
+    public function testMessengerSigningSerializerWiring()
+    {
+        $container = $this->createContainerFromClosure(function (ContainerBuilder $container) {
+            $container->register('signed_handler', 'stdClass')
+                ->addTag('messenger.message_handler', ['handles' => DummyMessage::class, 'sign' => true]);
+
+            $container->loadFromExtension('framework', [
+                'annotations' => false,
+                'http_method_override' => false,
+                'handle_all_throwables' => true,
+                'php_errors' => ['log' => true],
+                'messenger' => [
+                    'transports' => [
+                        'async' => ['dsn' => 'in-memory://'],
+                    ],
+                    'routing' => [
+                        DummyMessage::class => ['senders' => ['async']],
+                    ],
+                    'buses' => [
+                        'message_bus' => ['default_middleware' => ['enabled' => true]],
+                    ],
+                ],
+            ]);
+        });
+
+        $this->assertTrue($container->hasDefinition('messenger.signing_serializer'));
+        $mapping = $container->getDefinition('messenger.signing_serializer')->getArgument(2);
+        $this->assertArrayHasKey(DummyMessage::class, $mapping);
+        $this->assertNotEmpty($mapping[DummyMessage::class]);
+
+        $this->assertTrue($container->hasDefinition('message_bus'));
+        $this->assertSame('message_bus', (string) $container->getAlias('messenger.default_bus'));
+    }
 }
 
 class WorkflowValidatorWithConstructor implements DefinitionValidatorInterface

Original file line number	Diff line number	Diff line change
`@@ -407,6 +407,6 @@`
`407`	`407`	`->args([`
`408`	`408`	`service('console.messenger.application'),`
`409`	`409`	`])`
`410`		`- ->tag('messenger.message_handler')`
	`410`	`+ ->tag('messenger.message_handler', ['sign' => true])`
`411`	`411`	`;`
`412`	`412`	`};`
Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,6 @@`
`17`	`17`	`$container`
`18`	`18`	`->services()`
`19`	`19`	`->set('process.messenger.process_message_handler', RunProcessMessageHandler::class)`
`20`		`- ->tag('messenger.message_handler')`
	`20`	`+ ->tag('messenger.message_handler', ['sign' => true])`
`21`	`21`	`;`
`22`	`22`	`};`