Conversation

@eliashaeussler
This PR implements a new rule for unserialize. The following behaviors will trigger an error:

  • Parameter $2 options is NOT set (only with parameter checkInsecureUnserialize: true)
  • Parameter $2 options has an invalid array key (neither allowed_classes nor max_depth)
  • Parameter $2 options has invalid type for allowed_classes
  • Parameter $2 options has 'allowed_classes' => true (only with parameter checkInsecureUnserialize: true)
  • Parameter $2 options has invalid array item for allowed_classes
  • Parameter $2 options has max_depth key on PHP < 7.4
  • Parameter $2 options has invalid type for max_depth
  • Parameter $2 options is set, but does not have allowed_classes configured (only with parameter checkInsecureUnserialize: true)

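An added example, not code from the PR or from PHPStan itself: a PHP script that walks through the $options shapes listed above, from the two forms reported only with checkInsecureUnserialize to the hardened allow-list form. The Config class and the serialized payload are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not part of the PR: the unserialize() option shapes the
// proposed rule distinguishes. Config and $payload are constructed here.

final class Config
{
    public function __construct(public string $name) {}
}

// Constructed input: stands in for an attacker-controlled string such as a
// cookie or a request body that happens to contain a serialized object.
$payload = serialize(new Config('demo'));

// Reported only with checkInsecureUnserialize: true -- no $options at all,
// so any class named in the payload is instantiated and its magic methods run.
$noOptions = unserialize($payload);

// Reported only with checkInsecureUnserialize: true -- 'allowed_classes' => true
// is equivalent to no restriction at all.
$allClasses = unserialize($payload, ['allowed_classes' => true]);

// Always reported: unknown option key (only allowed_classes and max_depth exist).
// $bad = unserialize($payload, ['foo' => 1]);

// Always reported: allowed_classes must be a bool or a list of class-strings.
// $bad = unserialize($payload, ['allowed_classes' => 'Config']);

// Hardened: no class may be instantiated. Objects in the payload come back as
// __PHP_Incomplete_Class, so none of the original class's methods are reached.
$noClasses = unserialize($payload, ['allowed_classes' => false, 'max_depth' => 16]);

// Hardened: explicit allow-list of the one class this call expects.
// max_depth needs PHP >= 7.4; the rule reports it on older versions.
$allowListed = unserialize($payload, [
    'allowed_classes' => [Config::class],
    'max_depth'       => 16,
]);

var_dump(
    $noOptions instanceof Config,
    $noClasses instanceof __PHP_Incomplete_Class,
    $allowListed instanceof Config,
);
```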
@eliashaeussler force-pushed the feature/unserialize branch 2 times, most recently from d868abd to 0bf9e38 on January 14, 2026 08:46
$this->analyse([__DIR__ . '/data/unserialize.php'], $expectedErrors);
}

#[RequiresPhp('< 7.4')]
@eliashaeussler (Author) commented on this line:
I'm not sure whether to keep this test case, since it does not seem like PHP < 7.4 is actually included in the test matrix.

@ondrejmirtes (Member) left a comment:

Two things:

  1. This is a new rule; it should only be enabled with bleeding edge using conditionalTags in config.
  2. Some things this rule reports should be achieved by changing resources/functionMap files (the deltas). This will make the existing rule pick up the errors. I'm thinking about:
  • Parameter #2 $options to function unserialize contains an invalid value null for "max_depth"
  • Parameter #2 $options to function unserialize contains unsupported option "foo".
  • Parameter #2 $options to function unserialize contains an option "max_depth" which is not supported by this PHP version.
