Forbid unserialize() method.

Can lead to code execution exploits if not used properly with user supplied data. There are better methods of data exchange.
moodlehq · Nov 27, 2023 · 3a31c65 · 3a31c65
1 parent aea4999
commit 3a31c65
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 3 deletions.
diff --git a/moodle/Sniffs/PHP/ForbiddenFunctionsSniff.php b/moodle/Sniffs/PHP/ForbiddenFunctionsSniff.php
@@ -19,8 +19,6 @@
 // phpcs:disable moodle.NamingConventions
 
 use PHP_CodeSniffer\Standards\Generic\Sniffs\PHP\ForbiddenFunctionsSniff as GenericForbiddenFunctionsSniff;
-use PHP_CodeSniffer\Sniffs\Sniff;
-use PHP_CodeSniffer\Files\File;
 
 /**
  * Sniff for debugging and other functions that we don't want used in finished code.
@@ -65,5 +63,6 @@ class ForbiddenFunctionsSniff extends GenericForbiddenFunctionsSniff {
         'print_object' => null,
         // Dangerous functions. From coding style.
         'extract'      => null,
+        'unserialize'  => null,
     ];
 }
diff --git a/moodle/Tests/MoodleStandardTest.php b/moodle/Tests/MoodleStandardTest.php
@@ -470,6 +470,7 @@ public function test_moodle_php_forbiddenfunctions() {
             15 => 0,
             16 => 0,
             17 => 0,
+            20 => 'function unserialize() is forbidden',
             ));
         $this->set_warnings(array());
 

diff --git a/moodle/Tests/fixtures/moodle_php_forbiddenfunctions.php b/moodle/Tests/fixtures/moodle_php_forbiddenfunctions.php
@@ -16,5 +16,6 @@
 a: echo 'Goto labels, oh my!'
 b:
 echo 'More goto labels, re-oh my!'
-// Fair enough.
+// Fair enough. Unserialize can be dangerous too, better catch it.
+$a = unserialize($b);