Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Forbid unserialize() method. #52

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

Forbid unserialize() method. #52

wants to merge 1 commit into from

Conversation

paulholden
Copy link
Member

@paulholden paulholden commented Jul 5, 2023
edited
Loading

Can lead to code execution exploits if not used properly with user supplied data. There are better methods of data exchange.

See also moodle/devdocs#822

@codecov
Copy link

codecov bot commented Jul 5, 2023
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (aea4999) 96.46% compared to head (3a31c65) 96.46%.
Report is 34 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff            @@
##               main      #52   +/-   ##
=========================================
  Coverage     96.46%   96.46%           
  Complexity      517      517           
=========================================
  Files            22       22           
  Lines          1471     1471           
=========================================
  Hits           1419     1419           
  Misses           52       52

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@jrchamp
Copy link
Contributor

jrchamp commented Jul 5, 2023

I like the idea, mainly because I don't like the idea of guaranteeing that the internal structure of the object won't change (i.e. private variables). However, it probably needs some kind of official approval and an update in the Moodle developer documentation. Found this relevant issue in the Moodle tracker: https://tracker.moodle.org/browse/MDLSITE-3242

@paulholden
Copy link
Member Author

Hi @jrchamp, absolutely - this'll go through the regular policy voting issues much like https://tracker.moodle.org/browse/CONTRIB-4146

After that point (if it's agreed) then we'll update https://docs.moodle.org/dev/Coding_style#Dangerous_functions_and_constructs and land this pull request

andrewnicols
andrewnicols approved these changes Sep 17, 2023
View reviewed changes
Copy link
Contributor

@andrewnicols andrewnicols left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good to me and was approved in the MDLSITE issue.

@stronk7
Copy link
Member

stronk7 commented Sep 17, 2023

was approved in the MDLSITE issue.

Was it? MDLSITE-3242

@andrewnicols
Copy link
Contributor

andrewnicols commented Sep 17, 2023 via email

@andrewnicols
Copy link
Contributor

Apologies - I misread this one. The MDSLITE is still open and undecided.

@andrewnicols andrewnicols marked this pull request as draft September 26, 2023 00:48
@paulholden
Forbid unserialize() method.
3a31c65 
Can lead to code execution exploits if not used properly with
user supplied data. There are better methods of data exchange.
@paulholden paulholden mentioned this pull request Nov 27, 2023
Draft
jrchamp
jrchamp reviewed Nov 29, 2023
View reviewed changes
moodle/Sniffs/PHP/ForbiddenFunctionsSniff.php
@@ -65,5 +63,6 @@ class ForbiddenFunctionsSniff extends GenericForbiddenFunctionsSniff {
'print_object' => null,
// Dangerous functions. From coding style.
'extract' => null,
'unserialize' => null,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While I agree that we should avoid serialize and unserialize entirely, it might be nice to let people know that unserialize_object() is the Moodle-provided alternative to unserialize.

Suggested change
'unserialize' => null,
'unserialize' => 'unserialize_object',

@stronk7 stronk7 added the enhancement New feature or request label Feb 15, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jrchamp jrchamp jrchamp left review comments

@andrewnicols andrewnicols andrewnicols approved these changes

Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@paulholden @jrchamp @stronk7 @andrewnicols