Implement rule for `unserialize` #4754

eliashaeussler · 2026-01-13T16:33:19Z

This PR implements a new rule for unserialize. Following behaviors will trigger an error:

Parameter $2 options is NOT set (only with parameter checkInsecureUnserialize: true)
Parameter $2 options has an invalid array key (neither allowed_classes nor max_depth)
Parameter $2 options has invalid type for allowed_classes
Parameter $2 options has 'allowed_classes' => true (only with parameter checkInsecureUnserialize: true)
Parameter $2 options has invalid array item for allowed_classes
Parameter $2 options has max_depth key on PHP < 7.4
Parameter $2 options has invalid type for max_depth
Parameter $2 options is set, but does not have allowed_classes configured (only with parameter checkInsecureUnserialize: true)

eliashaeussler · 2026-01-14T08:47:15Z

tests/PHPStan/Rules/Functions/UnserializeRuleTest.php

+		$this->analyse([__DIR__ . '/data/unserialize.php'], $expectedErrors);
+	}
+
+	#[RequiresPhp('< 7.4')]


I'm not sure whether to keep this test case, since it does not seem like PHP < 7.4 is actually included in the test matrix.

eliashaeussler force-pushed the feature/unserialize branch from 53e98a0 to d868abd Compare January 13, 2026 16:46

Implement rule for unserialize

0bf9e38

eliashaeussler force-pushed the feature/unserialize branch from d868abd to 0bf9e38 Compare January 14, 2026 08:46

eliashaeussler commented Jan 14, 2026

View reviewed changes

Provide feedback