Security: Restrict allowed classes in Sequence::getUnSerializeGraph()#8579
Merged
Conversation
Refs GHSA-2c5g-hrhg-44vg Route Sequence::getUnSerializeGraph() through UnserializeApi::unserialize() with the existing 'sequence_graph' type, which restricts instantiation to the Fhaculty\Graph classes that legitimately compose a serialized sequence graph. This closes the PHP Object Injection path that allowed arbitrary class instantiation from the sequence.graph column, reusing the codebase's canonical allowlisted-deserialization helper. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
AngelFQC
force-pushed
the
security/auto-fix-GHSA-2c5g-hrhg-44vg
branch
from
e46758a to
1dfe99f
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Sequence::getUnSerializeGraph()(src/CoreBundle/Entity/Sequence.php) called bareunserialize()on thesequence.graphcolumn with no class restriction, allowing any autoloadable PHP class to be instantiated during deserialization — a PHP Object Injection sink (CWE-502).Refs GHSA-2c5g-hrhg-44vg
Fix
Route the call through the codebase's canonical helper
UnserializeApi::unserialize()(public/main/inc/lib/UnserializeApi.php) using the existing'sequence_graph'type, which already defines the allowlist for serialized sequence graphs:Graph,VerticesMap,Vertices,Edges,Vertex,Edge\Base,Directed,UndirectedThis reuses the same allowlisted-deserialization mechanism applied elsewhere in the project (course backups, LP,
ExternalTool) instead of inlining a per-call allowlist, keeping the policy centralized.Invariant now enforced
Deserializing
sequence.graphcan only instantiate the whitelistedFhaculty\Graphclasses. Any other serialized class (e.g. a gadget-chain payload) is decoded to__PHP_Incomplete_Classand its__destruct/__wakeupnever runs — closing the object-injection path regardless of how the column was written.OWASP control
A08:2021 — Software and Data Integrity Failures (insecure deserialization).
🤖 Generated with Claude Code