Implement rule for `unserialize` by eliashaeussler · Pull Request #4754 · phpstan/phpstan-src

eliashaeussler · 2026-01-13T16:33:19Z

This PR implements a new rule for unserialize. Following behaviors will trigger an error:

Parameter $2 options is NOT set (only with parameter checkInsecureUnserialize: true)
Parameter $2 options has an invalid array key (neither allowed_classes nor max_depth)
Parameter $2 options has invalid type for allowed_classes
Parameter $2 options has 'allowed_classes' => true (only with parameter checkInsecureUnserialize: true)
Parameter $2 options has invalid array item for allowed_classes
Parameter $2 options has max_depth key on PHP < 7.4
Parameter $2 options has invalid type for max_depth
Parameter $2 options is set, but does not have allowed_classes configured (only with parameter checkInsecureUnserialize: true)

eliashaeussler · 2026-01-14T08:47:15Z

tests/PHPStan/Rules/Functions/UnserializeRuleTest.php

+		$this->analyse([__DIR__ . '/data/unserialize.php'], $expectedErrors);
+	}
+
+	#[RequiresPhp('< 7.4')]


I'm not sure whether to keep this test case, since it does not seem like PHP < 7.4 is actually included in the test matrix.

eliashaeussler force-pushed the feature/unserialize branch 2 times, most recently from d868abd to 0bf9e38 Compare January 14, 2026 08:46

eliashaeussler commented Jan 14, 2026

View reviewed changes

Implement rule for unserialize

548c158

eliashaeussler force-pushed the feature/unserialize branch from 0bf9e38 to 548c158 Compare January 26, 2026 06:26

Provide feedback