[upstream] [TASK] Implement and apply custom PHPStan rule to harden unserialize#8

Open
github-actions[bot] wants to merge 1 commit into
release/v14from
upstream-sync/aaf921cac6
Conversation

@github-actions github-actions Bot commented Jul 2, 2026


Automatically proposed cherry-pick from TYPO3-CMS/form @ 14.3.

Upstream commit

Commit message

Show upstream commit message
[TASK] Implement and apply custom PHPStan rule to harden `unserialize`

This patch integrates a custom PHPStan rule to detect unsecure or
invalid calls to the `unserialize` function. The rule was copied over
from [1] and may get removed again once it is merged into PHPStan core.

As a consequence, remaining potentially insecure `unserialize` calls
are covered by `@phpstan-ignore` annotations. This affects the following
code parts:

* `AuthenticatedMessageDeserializer`: Doing `unserialize` with
  `['allowed_classes' => true]` at this point is intended, as the
  relevant integrity check already happens via HMAC validation.
* `ActionController`: Same here (HMAC validation)
* `FormRuntime`: Same here (HMAC validation)
* Tests: Doing insecure `unserialize` in tests is currently ignored,
  because the effect of having potential security leaks is extremely low.

To allow PHPStan to properly detect the types used for `unserialize` in
`PackageCacheEntry`, this class now receives higher type coverage.

[1]: https://github.com/phpstan/phpstan-src/pull/4754

Resolves: #110120
Releases: main, 14.3, 13.4
Change-Id: I04255241d697703c27ad6c557b8f917f0a70e329
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/94648
Reviewed-by: Garvin Hicking <garvin@hick.ing>
Tested-by: core-ci <typo3@b13.com>
Tested-by: Garvin Hicking <garvin@hick.ing>


Generated by .github/workflows/upstream-sync.yml.
To stop this commit from being proposed again, close the PR without merging; the marker below is kept.

(cherry picked from commit aaf921cac61974529fd5ac8c4936e6de4ffb6dc9)
@github-actions github-actions Bot added the upstream-sync Automatically proposed cherry-pick from upstream label Jul 2, 2026
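The commit message above justifies `['allowed_classes' => true]` in `AuthenticatedMessageDeserializer`, `ActionController` and `FormRuntime` with the fact that an HMAC check runs before `unserialize` ever sees the data. The following is an added illustration of that order of operations, written for this page; it is not TYPO3 code and does not reproduce the PHPStan rule from the linked pull request. The class name `SignedPayload`, the key and the sample data are all constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example (not TYPO3 code): integrity check first, unserialize second.
// The point is the ordering: a forged payload never reaches unserialize(),
// so class instantiation during deserialization is only possible for data
// that was produced under our own key.
final class SignedPayload
{
    private const ALGO = 'sha256';

    // $key is a constructed demo secret; a real deployment would load it
    // from configuration, never hard-code it.
    public function __construct(private string $key)
    {
    }

    /** Serialize $data and prefix it with an HMAC over the serialized bytes. */
    public function seal(mixed $data): string
    {
        $body = serialize($data);
        $mac = hash_hmac(self::ALGO, $body, $this->key);
        return $mac . ':' . base64_encode($body);
    }

    /**
     * Verify the HMAC, then unserialize.
     *
     * $allowedClasses defaults to false (scalars and arrays only, objects become
     * __PHP_Incomplete_Class). Passing an explicit class list, or true, is only
     * acceptable because the MAC has already proven the bytes are ours; this is
     * the situation the commit message marks with @phpstan-ignore.
     */
    public function open(string $sealed, array|bool $allowedClasses = false): mixed
    {
        $parts = explode(':', $sealed, 2);
        if (count($parts) !== 2) {
            throw new InvalidArgumentException('Malformed payload');
        }
        [$mac, $encoded] = $parts;

        $body = base64_decode($encoded, true);
        if ($body === false) {
            throw new InvalidArgumentException('Malformed payload body');
        }

        // Constant-time comparison so MAC verification does not leak timing.
        $expected = hash_hmac(self::ALGO, $body, $this->key);
        if (!hash_equals($expected, $mac)) {
            throw new RuntimeException('HMAC mismatch: payload was not produced by us');
        }

        // Only reached for authenticated bytes.
        return unserialize($body, ['allowed_classes' => $allowedClasses]);
    }
}

// Constructed usage: round-trip a small array, then show that a tampered
// payload is rejected before unserialize() is called.
$payload = new SignedPayload('constructed-demo-key');
$sealed = $payload->seal(['formId' => 'contact', 'page' => 2]);

$data = $payload->open($sealed);
var_dump($data === ['formId' => 'contact', 'page' => 2]);

// Flip one character of the serialized body; the MAC no longer matches.
$tampered = substr_replace($sealed, 'x', strlen($sealed) - 1, 1);
try {
    $payload->open($tampered);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Run it with `php example.php`. Keeping `allowed_classes` at `false` by default and widening it only at call sites that sit behind the MAC check mirrors the split in the commit message: the static rule flags every unrestricted `unserialize`, and the few intended exceptions are annotated rather than silently allowed.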