rspec/rules/S5135/php/how-to-fix-it/laminas.adoc

== How to fix it in Laminas

=== Code examples

The following code is vulnerable to deserialization attacks because it
deserializes HTTP data without validating it first.

==== Noncompliant code example

[source,php,diff-id=11,diff-type=noncompliant]
----
$serializer = new Adapter\PhpSerialize();
$session = $serializer->unserialize($_COOKIE['session']); // Noncompliant
return new ViewModel([
    "auth" => $session->auth
]);
----

==== Compliant solution

[source,php,diff-id=11,diff-type=compliant]
----
$serializer = new Adapter\Json();
$session = $serializer->unserialize($_COOKIE['session']);
return new ViewModel([
    "auth" => $session['auth']
]);
----

=== How does this work?

include::../../common/fix/introduction.adoc[]

include::../../common/fix/safer-serialization.adoc[]

The example compliant code uses the `Json` adapter to perform the
deserialization. This one will not carry out any automatic object instantiation
and is thus safer than its `PhpSerialize` counterpart.

include::../../common/fix/integrity-check.adoc[]

include::../../common/fix/pre-approved-list.adoc[]

=== Pitfalls

include::../../common/pitfalls/constant-time.adoc[]
Add checks for education format (#1607) 2023-03-07 17:16:47 +01:00			`== How to fix it in Laminas`

			`=== Code examples`
Modify rule S5135: Change text to the education framework format [PHP][APPSEC-230] (#1373) 2022-11-08 13:51:45 +01:00
			`The following code is vulnerable to deserialization attacks because it`
			`deserializes HTTP data without validating it first.`

			`==== Noncompliant code example`

Diff blocks: fix some incorrect use for php (#2804) Improvement identified in #2790. Add a prefix to the diff-id when it is used multiple times in different "how to fix it in XYZ" sections to avoid ambiguity and pedantically follow the spec: > A single and unique diff-id should be used only once for each type of code example as shown in the description of a rule. Obvious typos around `diff-type` were fixed. 2023-08-10 15:57:24 +02:00			`[source,php,diff-id=11,diff-type=noncompliant]`
Modify rule S5135: Change text to the education framework format [PHP][APPSEC-230] (#1373) 2022-11-08 13:51:45 +01:00			`----`
			`$serializer = new Adapter\PhpSerialize();`
			`$session = $serializer->unserialize($_COOKIE['session']); // Noncompliant`
			`return new ViewModel([`
			`"auth" => $session->auth`
			`]);`
			`----`

			`==== Compliant solution`

Diff blocks: fix some incorrect use for php (#2804) Improvement identified in #2790. Add a prefix to the diff-id when it is used multiple times in different "how to fix it in XYZ" sections to avoid ambiguity and pedantically follow the spec: > A single and unique diff-id should be used only once for each type of code example as shown in the description of a rule. Obvious typos around `diff-type` were fixed. 2023-08-10 15:57:24 +02:00			`[source,php,diff-id=11,diff-type=compliant]`
Modify rule S5135: Change text to the education framework format [PHP][APPSEC-230] (#1373) 2022-11-08 13:51:45 +01:00			`----`
			`$serializer = new Adapter\Json();`
			`$session = $serializer->unserialize($_COOKIE['session']);`
			`return new ViewModel([`
			`"auth" => $session['auth']`
			`]);`
			`----`

			`=== How does this work?`

			`include::../../common/fix/introduction.adoc[]`

			`include::../../common/fix/safer-serialization.adoc[]`

Diff blocks: fix some incorrect use for php (#2804) Improvement identified in #2790. Add a prefix to the diff-id when it is used multiple times in different "how to fix it in XYZ" sections to avoid ambiguity and pedantically follow the spec: > A single and unique diff-id should be used only once for each type of code example as shown in the description of a rule. Obvious typos around `diff-type` were fixed. 2023-08-10 15:57:24 +02:00			The example compliant code uses the `Json` adapter to perform the
Modify rule S5135: Change text to the education framework format [PHP][APPSEC-230] (#1373) 2022-11-08 13:51:45 +01:00			`deserialization. This one will not carry out any automatic object instantiation`
			and is thus safer than its `PhpSerialize` counterpart.

			`include::../../common/fix/integrity-check.adoc[]`

			`include::../../common/fix/pre-approved-list.adoc[]`

			`=== Pitfalls`

			`include::../../common/pitfalls/constant-time.adoc[]`