
Commit 6232042

fix(security+psalm): update phpunit to 12.5.9 and suppress ForbiddenCode
Security:
- phpunit/phpunit updated from ^12.0 to ^12.5.8 (resolves CVE-2026-24765: unsafe deserialisation in PHPT code coverage handling, severity HIGH)
- 'composer audit' now reports no vulnerabilities

Psalm ForbiddenCode:
- Add @psalm-suppress ForbiddenCode on shell_exec() calls in:
  - src/Core/ProcessExecutor: tier-3 binary resolution via 'command -v'
  - src/Runner/ComposerAuditRunner: composer binary resolution

Both uses are safe: input is sanitised with escapeshellarg()

Local CI simulation results:
dependencies PASSED (composer validate + check-platform-reqs)
security PASSED (no advisories)
phpstan PASSED (PHPStan level 9: 0 errors; Psalm: 0 errors)
cs-fixer PASSED (code style OK)
tests OK (41 tests, 81 assertions)
1 parent e119b54 commit 6232042

3 files changed, +4 -2 lines changed

composer.json

Lines changed: 2 additions & 2 deletions
@@ -27,9 +27,9 @@
2727
"php": ">=8.4"
2828
},
2929
"require-dev": {
30-
"phpunit/phpunit": "^12.0",
31-
"phpstan/phpstan": "^2.0",
3230
"friendsofphp/php-cs-fixer": "^3.64",
31+
"phpstan/phpstan": "^2.0",
32+
"phpunit/phpunit": "^12.5.8",
3333
"rector/rector": "^2.0",
3434
"vimeo/psalm": "^6.0"
3535
},
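Review bot: the commit title says phpunit is updated to 12.5.9, but the constraint in this hunk is `"phpunit/phpunit": "^12.5.8"`, and a caret constraint only raises the floor: the version that `composer audit` actually checks is the one resolved in composer.lock, which is not among the three files in this commit. Please confirm the lock file was regenerated and committed with this change (and align the title with the constraint); otherwise the "no vulnerabilities" result from the local run is not reproducible from the repository. Moving `phpstan/phpstan` to its alphabetical position is a harmless no-op.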

src/Core/ProcessExecutor.php

Lines changed: 1 addition & 0 deletions
@@ -99,6 +99,7 @@ public function resolveBinary(string $vendorBin): ?string
9999

100100
// Tier 3: Global PATH
101101
$basename = basename($vendorBin);
102+
/** @psalm-suppress ForbiddenCode — shell_exec is intentional for binary resolution; input is escaped */
102103
$globalBin = trim((string) shell_exec('command -v ' . escapeshellarg($basename) . ' 2>/dev/null'));
103104
if ('' !== $globalBin && is_executable($globalBin)) {
104105
return $globalBin;
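Review bot: the suppression justification ("input is escaped") covers injection but not the remaining property of this tier, which is that `command -v` resolves `$basename` against whatever PATH the PHP process inherited, so the returned path is only as trustworthy as that environment; that is worth stating in the comment, since `resolveBinary` hands the result back as the binary to run. If the aim is to satisfy Psalm without a blanket suppression, the same lookup needs no shell at all: iterate `explode(PATH_SEPARATOR, (string) getenv('PATH'))`, build `$dir . DIRECTORY_SEPARATOR . $basename`, and return the first candidate for which `is_executable()` holds. That removes the `shell_exec` call (and with it the ForbiddenCode finding) while keeping the existing `'' !== $globalBin && is_executable($globalBin)` guard meaningful.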

src/Runner/ComposerAuditRunner.php

Lines changed: 1 addition & 0 deletions
@@ -39,6 +39,7 @@ protected function defaultArguments(): array
3939
#[\Override]
4040
protected function binary(): ?string
4141
{
42+
/** @psalm-suppress ForbiddenCode — shell_exec is intentional for binary resolution; input is escaped */
4243
$global = trim((string) shell_exec('command -v ' . escapeshellarg('composer') . ' 2>/dev/null'));
4344

4445
if ('' !== $global && is_executable($global)) {
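Review bot: this is the same `shell_exec('command -v ' . escapeshellarg(...))` lookup, with the same suppression, that `ProcessExecutor::resolveBinary` already performs as its tier-3 step in the previous hunk, so `binary()` duplicates both the logic and the Psalm exemption. Consider delegating to the shared resolver (for example `$this->executor->resolveBinary('composer')`, assuming the runner has access to a `ProcessExecutor` instance) so that a single audited call site carries the suppression and any later hardening of the PATH lookup applies to composer resolution as well. If the duplication is deliberate, the comment should say why this runner cannot use the shared tier-3 path.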
