From 29ab72aa3fdff154d0e5626a09d6a952dc52aa3e Mon Sep 17 00:00:00 2001
From: Dariusz Ruminski
Date: Tue, 5 Jan 2021 23:11:25 +0100
Subject: [PATCH 1/2] Forbid execution under PHP 8.0.0

---
 .github/workflows/ci.yml | 1 +
 php-cs-fixer | 8 ++++++++
 2 files changed, 9 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c63243e663e..6cc8dd6ea72 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -87,6 +87,7 @@ jobs:
 tools: flex
 env:
 fail-fast: false # disabled as old PHP version cannot run flex
+ update: ${{ matrix.php-version == '8.0' }} # force update to 8.0.1+, ref https://github.com/shivammathur/setup-php/issues/394#issuecomment-760461251
 - name: Get Composer cache directory
 id: composer-cache
diff --git a/php-cs-fixer b/php-cs-fixer
index 25ee66da98f..426637bdcc5 100755
--- a/php-cs-fixer
+++ b/php-cs-fixer
@@ -25,6 +25,14 @@ if (defined('HHVM_VERSION_ID')) {
 }
 } elseif (!defined('PHP_VERSION_ID') || \PHP_VERSION_ID < 50600 || \PHP_VERSION_ID >= 70500) {
 fwrite(STDERR, "PHP needs to be a minimum version of PHP 5.6.0 and maximum version of PHP 7.4.*.\n");
+ fwrite(STDERR, 'Current PHP version: '.PHP_VERSION.".\n");
+
+ if (defined('PHP_VERSION_ID') && \PHP_VERSION_ID === 80000) {
+ fwrite(STDERR, "PHP CS Fixer is not able run on PHP 8.0.0 due to bug in PHP tokenizer (https://bugs.php.net/bug.php?id=80462).\n");
+ fwrite(STDERR, "Update PHP version to unblock execution.\n");
+
+ exit(1);
+ }
 if (getenv('PHP_CS_FIXER_IGNORE_ENV')) {
 fwrite(STDERR, "Ignoring environment requirements because `PHP_CS_FIXER_IGNORE_ENV` is set. Execution may be unstable.\n");
From 486254000b5d4cb9e770eb6d488e162fb885b295 Mon Sep 17 00:00:00 2001
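Review bot: The new `exit(1)` for PHP 8.0.0 is placed before the `PHP_CS_FIXER_IGNORE_ENV` check in the same `elseif` branch, so the escape hatch that evidently lets the rest of this branch continue ("Execution may be unstable") cannot override it; that is presumably deliberate, since a broken tokenizer makes any run meaningless, but nothing in the code says so and a later cleanup could easily "fix" the order. I would add one line above the new `if`: `// PHP 8.0.0's tokenizer bug (php.net #80462) breaks the fixer itself, so PHP_CS_FIXER_IGNORE_ENV deliberately cannot bypass this exit.` Separately, the user-facing message `PHP CS Fixer is not able run on PHP 8.0.0` is missing a word and should read `is not able to run`. The `elseif` branch continues past the end of the hunk.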
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Deruss=C3=A9?=
Date: Tue, 15 Dec 2020 11:02:28 +0100
Subject: [PATCH 2/2] Don't allow unserializing classes with a destructor

---
 src/Cache/FileCacheManager.php | 20 ++++++++++++++++++++
 src/Console/Output/ProcessOutput.php | 20 ++++++++++++++++++++
 src/FileRemoval.php | 20 ++++++++++++++++++++
 src/Linter/ProcessLinter.php | 20 ++++++++++++++++++++
 4 files changed, 80 insertions(+)

diff --git a/src/Cache/FileCacheManager.php b/src/Cache/FileCacheManager.php
index 6d76a888c38..e56a37138d6 100644
--- a/src/Cache/FileCacheManager.php
+++ b/src/Cache/FileCacheManager.php
@@ -77,6 +77,26 @@ public function __destruct()
 $this->writeCache();
 }
+ /**
+ * This class is not intended to be serialized,
+ * and cannot be deserialized (see __wakeup method).
+ */
+ public function __sleep()
+ {
+ throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+ }
+
+ /**
+ * Disable the deserialization of the class to prevent attacker executing
+ * code by leveraging the __destruct method.
+ *
+ * @see https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection
+ */
+ public function __wakeup()
+ {
+ throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+ }
+
 public function needFixing($file, $fileContent)
 {
 $file = $this->cacheDirectory->getRelativePathTo($file);
diff --git a/src/Console/Output/ProcessOutput.php b/src/Console/Output/ProcessOutput.php
index 61b69b9a6af..6251c13abc1 100644
--- a/src/Console/Output/ProcessOutput.php
+++ b/src/Console/Output/ProcessOutput.php
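Review bot: A throwing `__wakeup()` is defence in depth, not the primary control: it only helps if the engine actually reaches `__wakeup()`, and the PHP 5.6.0 floor enforced in the first patch still admits old 5.6/7.0 patch releases whose `unserialize()`, as I recall, could skip `__wakeup()` on malformed input while still running `__destruct()` on the half-built object. The place that decides whether attacker-controlled bytes can instantiate `FileCacheManager` at all is the `unserialize()` call site, so if the fixer or its cache layer ever unserializes data it did not write itself, that call should pass `['allowed_classes' => false]` (PHP 7+) or the format should be JSON; I cannot see from this hunk whether such a call exists. I would record that in the `__wakeup()` docblock: ` * Defence in depth only: untrusted input must still never reach unserialize() without allowed_classes => false.` The `__destruct()` this hunk is anchored to begins before the hunk.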
@@ -91,6 +91,26 @@ public function __destruct()
 $this->eventDispatcher->removeListener(FixerFileProcessedEvent::NAME, [$this, 'onFixerFileProcessed']);
 }
+ /**
+ * This class is not intended to be serialized,
+ * and cannot be deserialized (see __wakeup method).
+ */
+ public function __sleep()
+ {
+ throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+ }
+
+ /**
+ * Disable the deserialization of the class to prevent attacker executing
+ * code by leveraging the __destruct method.
+ *
+ * @see https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection
+ */
+ public function __wakeup()
+ {
+ throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+ }
+
 public function onFixerFileProcessed(FixerFileProcessedEvent $event)
 {
 if (
diff --git a/src/FileRemoval.php b/src/FileRemoval.php
index 2ba59884116..645c7a8380a 100644
--- a/src/FileRemoval.php
+++ b/src/FileRemoval.php
@@ -39,6 +39,26 @@ public function __destruct()
 $this->clean();
 }
+ /**
+ * This class is not intended to be serialized,
+ * and cannot be deserialized (see __wakeup method).
+ */
+ public function __sleep()
+ {
+ throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+ }
+
+ /**
+ * Disable the deserialization of the class to prevent attacker executing
+ * code by leveraging the __destruct method.
+ *
+ * @see https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection
+ */
+ public function __wakeup()
+ {
+ throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+ }
+
 /**
 * Adds a file to be removed.
 *
diff --git a/src/Linter/ProcessLinter.php b/src/Linter/ProcessLinter.php
index 2d46ab9f491..c3cd9461ab3 100644
--- a/src/Linter/ProcessLinter.php
+++ b/src/Linter/ProcessLinter.php
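Review bot: The `__sleep()`/`__wakeup()` pair added to `ProcessOutput` is byte-for-byte the same as the pair added to the three other classes in this patch, so a shared trait would keep the four guards from drifting apart the next time one is touched; `__CLASS__` inside a trait method resolves to the class that uses the trait, so the exception messages would stay identical. Something like `trait NonSerializableTrait { public function __sleep() { throw new \BadMethodCallException('Cannot serialize '.__CLASS__); } public function __wakeup() { throw new \BadMethodCallException('Cannot unserialize '.__CLASS__); } }` plus `use NonSerializableTrait;` in each class. Independently, both docblocks should carry `@throws \BadMethodCallException`, since a reader of `__sleep()` normally expects an array, not a throw. The `__destruct()` whose tail is shown here starts before the hunk.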
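Review bot: On PHP 7.4, which the bootstrap in the first patch still allows, `unserialize()` calls `__unserialize()` instead of `__wakeup()` whenever the former exists (and `__serialize()` likewise overrides `__sleep()`), so the guard added to `FileRemoval` silently stops applying the day someone adds `__unserialize()` to this class or, since nothing in the hunk shows the class as `final`, to a subclass. I would pin that in the `__wakeup()` docblock: ` * NOTE: on PHP >= 7.4 an __unserialize() method would take precedence over this guard; do not add one without a matching throw.` — or make the class `final` if nothing extends it. The docblock's "executing code" also understates what is at stake here: `__destruct()` calls `$this->clean()`, which from its name presumably removes the registered files, so an injected object would delete attacker-chosen paths; ` * An injected instance would delete attacker-chosen files from __destruct().` is the more accurate warning. `__destruct()` itself starts before the hunk.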
@@ -83,6 +83,26 @@ public function __destruct()
 }
 }
+ /**
+ * This class is not intended to be serialized,
+ * and cannot be deserialized (see __wakeup method).
+ */
+ public function __sleep()
+ {
+ throw new \BadMethodCallException('Cannot serialize '.__CLASS__);
+ }
+
+ /**
+ * Disable the deserialization of the class to prevent attacker executing
+ * code by leveraging the __destruct method.
+ *
+ * @see https://owasp.org/www-community/vulnerabilities/PHP_Object_Injection
+ */
+ public function __wakeup()
+ {
+ throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+ }
+
 /**
 * {@inheritdoc}
 */
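Review bot: Nothing in this patch exercises the new guards, and a security control that is never executed in CI is the first thing to rot; a regression test is cheap because a crafted payload with zero properties is enough to make `unserialize()` reach `__wakeup()`. For `ProcessLinter` that is `$this->expectException(\BadMethodCallException::class);` followed by `unserialize(sprintf('O:%d:"%s":0:{}', strlen(ProcessLinter::class), ProcessLinter::class));`, and the same two lines for the other three classes, ideally as one data-provider test so the next class with a `__destruct()` gets added to the list rather than forgotten. The `__destruct()` whose closing braces open this hunk starts before it.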