Security: Restrict allowed classes in Sequence::getUnSerializeGraph()

AngelFQC · claude · AngelFQC · commit 1dfe99f24db7 · 2026-06-11T14:42:44.000-05:00
Refs GHSA-2c5g-hrhg-44vg

Route Sequence::getUnSerializeGraph() through UnserializeApi::unserialize()
with the existing 'sequence_graph' type, which restricts instantiation to
the Fhaculty\Graph classes that legitimately compose a serialized sequence
graph. This closes the PHP Object Injection path that allowed arbitrary
class instantiation from the sequence.graph column, reusing the codebase's
canonical allowlisted-deserialization helper.

Co-Authored-By: Claude Opus 4.8 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/src/CoreBundle/Entity/Sequence.php b/src/CoreBundle/Entity/Sequence.php
@@ -11,6 +11,7 @@
 use Fhaculty\Graph\Graph;
 use Gedmo\Timestampable\Traits\TimestampableEntity;
 use Stringable;
+use UnserializeApi;
 
 #[ORM\Table(name: 'sequence')]
 #[ORM\Entity(repositoryClass: SequenceRepository::class)]
@@ -82,7 +83,7 @@ public function hasGraph(): bool
      */
     public function getUnSerializeGraph()
     {
-        return unserialize($this->graph);
+        return UnserializeApi::unserialize('sequence_graph', $this->graph);
     }
 
     public function setGraphAndSerialize(Graph $graph): self

Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,7 @@`
`11`	`11`	`use Fhaculty\Graph\Graph;`
`12`	`12`	`use Gedmo\Timestampable\Traits\TimestampableEntity;`
`13`	`13`	`use Stringable;`
	`14`	`+use UnserializeApi;`
`14`	`15`
`15`	`16`	`#[ORM\Table(name: 'sequence')]`
`16`	`17`	`#[ORM\Entity(repositoryClass: SequenceRepository::class)]`
`@@ -82,7 +83,7 @@ public function hasGraph(): bool`
`82`	`83`	`*/`
`83`	`84`	`public function getUnSerializeGraph()`
`84`	`85`	`{`
`85`		`- return unserialize($this->graph);`
	`86`	`+ return UnserializeApi::unserialize('sequence_graph', $this->graph);`
`86`	`87`	`}`
`87`	`88`
`88`	`89`	`public function setGraphAndSerialize(Graph $graph): self`