Skip to content

fix(security): FileDriver allowed_classes=false (v2.3.3)#22

Merged
devsimsek merged 2 commits into
mainfrom
dev
Jul 5, 2026
Merged

fix(security): FileDriver allowed_classes=false (v2.3.3)#22
devsimsek merged 2 commits into
mainfrom
dev

Conversation

@devsimsek

@devsimsek devsimsek commented Jul 5, 2026

Copy link
Copy Markdown
Owner

Summary

Resolves the final critical security finding (SDF-59) from the deep security audit. Bumps 2.3.2 → 2.3.3.

Fix

Ticket Surface Fix
SDF-59 sdf/core/Cache/FileDriver.php:265 unserialize(..., ['allowed_classes' => true])false. Blocks object-injection RCE gadget chains (Monolog, Guzzle, etc.) - cached objects now become __PHP_Incomplete_Class (no __wakeup/__destruct fires). Brings FileDriver in line with RedisDriver and MemcachedDriver which already used false.

Breaking change

Users who cached PHP objects via FileDriver will now get null from Cache::get() instead of an object instance. Migration:

// Before (v2.3.2)
Cache::set('user', $userObject);
$user = Cache::get('user');  // User instance

// After (v2.3.3)
Cache::set('user', $userObject->toArray());
$user = Cache::get('user');  // array

Documented in wiki/libraries/caching.md - new "Object unserialization safety (v2.3.3+)" section.
Tests
1 new test: test_file_driver_refuses_object_unserialization - writes serialized stdClass directly to cache file, asserts get() returns null.
Verification

  • PHPUnit: 447 tests, 786 assertions, 0 failures (1 new)
  • PHPStan level 5: No errors
  • PHP-CS-Fixer: 0 files need fixing
    Audit progress - all 6 critical issues resolved
  • SDF-56, SDF-58, SDF-60, SDF-61 (v2.3.1 - PR fix(security): resolve 4 critical security findings (v2.3.1) #21)
  • SDF-57 (v2.3.2 - previous PR)
  • SDF-59 (this PR - v2.3.3)

devsimsek added 2 commits July 5, 2026 18:05
Rewrite resolve() with lexical normalization - resolves . and ..
segments without realpath() so it works for non-existent paths (put,
stream, makeDirectory). Rejects null bytes and throws
InvalidArgumentException when a path would escape the storage root.

5 new tests covering traversal in get/put/delete, null bytes, and
legitimate .. normalization. Bump 2.3.1 -> 2.3.2.
Switch unserialize from allowed_classes=true to false, blocking
object-injection RCE gadget chains. Brings FileDriver in line with
RedisDriver and MemcachedDriver. Breaking for users caching objects -
documented migration path in wiki. Bump 2.3.2 -> 2.3.3.
@devsimsek

Copy link
Copy Markdown
Owner Author

ready for code review - (experimental, used saddle)

@devsimsek devsimsek left a comment

Copy link
Copy Markdown
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! let's merge.

@devsimsek devsimsek merged commit e88a8f7 into main Jul 5, 2026
10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant