Hardening Security - Unserialize DumpDataCollector

jderusse · jderusse · commit 021c21995630 · 2021-03-23T09:46:32.000+01:00
diff --git a/DataCollector/DumpDataCollector.php b/DataCollector/DumpDataCollector.php
@@ -183,6 +183,11 @@ public function __wakeup()
         $charset = array_pop($this->data);
         $fileLinkFormat = array_pop($this->data);
         $this->dataCount = \count($this->data);
+        foreach ($this->data as $dump) {
+            if (!\is_string($dump['name']) || !\is_string($dump['file']) || !\is_int($dump['line'])) {
+                throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);
+            }
+        }
 
         self::__construct($this->stopwatch, \is_string($fileLinkFormat) || $fileLinkFormat instanceof FileLinkFormatter ? $fileLinkFormat : null, \is_string($charset) ? $charset : null);
     }
@@ -257,7 +262,7 @@ public function __destruct()
         }
     }
 
-    private function doDump(DataDumperInterface $dumper, $data, string $name, string $file, int $line)
+    private function doDump(DataDumperInterface $dumper, Data $data, string $name, string $file, int $line)
     {
         if ($dumper instanceof CliDumper) {
             $contextDumper = function ($name, $file, $line, $fmt) {

Original file line number	Diff line number	Diff line change
`@@ -183,6 +183,11 @@ public function __wakeup()`
`183`	`183`	`$charset = array_pop($this->data);`
`184`	`184`	`$fileLinkFormat = array_pop($this->data);`
`185`	`185`	`$this->dataCount = \count($this->data);`
	`186`	`+ foreach ($this->data as $dump) {`
	`187`	`+ if (!\is_string($dump['name']) \|\| !\is_string($dump['file']) \|\| !\is_int($dump['line'])) {`
	`188`	`+ throw new \BadMethodCallException('Cannot unserialize '.__CLASS__);`
	`189`	`+ }`
	`190`	`+ }`
`186`	`191`
`187`	`192`	`self::__construct($this->stopwatch, \is_string($fileLinkFormat) \|\| $fileLinkFormat instanceof FileLinkFormatter ? $fileLinkFormat : null, \is_string($charset) ? $charset : null);`
`188`	`193`	`}`
`@@ -257,7 +262,7 @@ public function __destruct()`
`257`	`262`	`}`
`258`	`263`	`}`
`259`	`264`
`260`		`- private function doDump(DataDumperInterface $dumper, $data, string $name, string $file, int $line)`
	`265`	`+ private function doDump(DataDumperInterface $dumper, Data $data, string $name, string $file, int $line)`
`261`	`266`	`{`
`262`	`267`	`if ($dumper instanceof CliDumper) {`
`263`	`268`	`$contextDumper = function ($name, $file, $line, $fmt) {`