Description
We were in the process of upgrading our application from graphqlite v6 to v8, and we discovered an issue with v8.

This is a consequence of what was introduced here: thecodingmachine/graphqlite#657. With this PR, graphqlite will now look for Types not only in the `src/` space, but in the vendors as well. Which btw is totally legit. To reach this goal, the class explorer package was replaced with `kcs/class-finder`.

Now, we noticed that, in the dev environment, `kcs/class-finder` was looking for all the classes in the `vendor/` directory and in the `tests/` directory as well. It iterates over all the .php files, looking for classes:
```php
// class-finder/lib/Iterator/Psr0Iterator.php::62
static function (string $path, string $class): void {
    // autoload=true: if the class is not loaded yet, the autoloader includes the file
    class_exists($class, true);
}
```
The issue now is that `class_exists` will include the file, if not already loaded. In our case, we have a `tests/bootstrap.php` file which contains plain code, no class declarations. So `kcs/class-finder` will do `class_exists('tests/bootstrap.php', true)`, the file will be included and its content executed. So we are basically executing every php file (which does not contain a class) in both `vendor/` and `tests/`. Which should not be the case. For example, in our case, a simple run of:

```
bin/console cache:clear --env dev
```

will execute the `tests/bootstrap.php`, which has implementation specific to the test env.

And, moreover, it may pose some security issues, given it will execute any code in any plain php file in any `vendor/` subfolder.

Moreover, as per the current configuration, `kcs/class-finder` is called several times, so it requests the lists of files many times in each session, which means our `tests/bootstrap.php` file is included more than once, which causes other issues and makes the process slower.

Has anybody else experienced similar issues related to this?
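The mechanism described in the report is that `class_exists($class, true)` hands every scanned path to the autoloader, so a plain script gets included and run. One way to close that gap, shown here as an added example that is not code from the issue or from `kcs/class-finder`, is to parse each candidate file with PHP's tokenizer first and only call `class_exists` for files that actually declare a named class, interface, trait or enum. `token_get_all()` parses the source without executing it. The helper names `fileDeclaresClass`, `significantTokenId` and `safeClassExists`, and the sample files written to a temporary directory, are constructed for this example.

```php
<?php
// Added example: guard the class_exists() autoload call behind a tokenizer check,
// so plain scripts (like a tests/bootstrap.php) are never included by the scanner.
declare(strict_types=1);

// Id of the nearest non-whitespace, non-comment token walking from $from in
// direction $step; null for punctuation or when the token list ends.
function significantTokenId(array $tokens, int $from, int $step): ?int
{
    for ($j = $from + $step; isset($tokens[$j]); $j += $step) {
        $t = $tokens[$j];
        if (!is_array($t)) {
            return null;                     // single-character token such as "{" or ";"
        }
        if (!in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            return $t[0];
        }
    }
    return null;
}

// True only if the file declares a *named* class-like symbol. The file is read and
// tokenized, never included, so its top-level code does not run.
function fileDeclaresClass(string $path): bool
{
    $source = @file_get_contents($path);
    if ($source === false) {
        return false;
    }

    $declaring = [T_CLASS, T_INTERFACE, T_TRAIT];
    if (defined('T_ENUM')) {                 // enums exist from PHP 8.1 on
        $declaring[] = T_ENUM;
    }

    $tokens = token_get_all($source);
    $count  = count($tokens);
    for ($i = 0; $i < $count; $i++) {
        if (!is_array($tokens[$i]) || !in_array($tokens[$i][0], $declaring, true)) {
            continue;
        }
        $prev = significantTokenId($tokens, $i, -1);
        $next = significantTokenId($tokens, $i, +1);
        // "Foo::class" is a constant fetch and "new class {}" is anonymous:
        // neither declares a name the autoloader could resolve.
        if ($prev === T_DOUBLE_COLON || $prev === T_NEW) {
            continue;
        }
        if ($next === T_STRING) {            // "class Foo", "interface Bar", "trait Baz", "enum Qux"
            return true;
        }
    }
    return false;
}

// Drop-in replacement for the scanner's callback: same arguments, but the
// autoloading class_exists() is reached only for files that declare a class.
function safeClassExists(string $class, string $path): bool
{
    if (!fileDeclaresClass($path)) {
        return false;                        // never hand a plain script to the autoloader
    }
    return class_exists($class, true);
}

// Constructed sample files: a real class, a plain bootstrap script, and a script
// that only mentions Foo::class and an anonymous class (must not count).
$dir = sys_get_temp_dir() . '/class-guard-demo-' . getmypid();
mkdir($dir);
$samples = [
    'Foo.php'       => "<?php\nnamespace Demo;\nclass Foo {}\n",
    'bootstrap.php' => "<?php\nputenv('APP_ENV=test');\necho \"bootstrap executed\\n\";\n",
    'script.php'    => "<?php\n\$x = new class {};\necho \\Demo\\Foo::class;\n",
];
foreach ($samples as $name => $code) {
    file_put_contents("$dir/$name", $code);
    printf("%-14s declares a class: %s\n", $name, fileDeclaresClass("$dir/$name") ? 'yes' : 'no');
    unlink("$dir/$name");
}
rmdir($dir);
```

Running the script reports `yes` only for `Foo.php`; the bootstrap script is classified without ever being executed, because the check is purely lexical. The same check applied before the `class_exists` call in the iterator would also mean a plain file is read at most once per scan rather than included on every pass, which addresses the repeated-inclusion symptom in the report as a side effect.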