Fix PHP Object Injection vulnerability in Entity ArrayCast

gr8man · gr8man · commit c304edb42551 · 2026-06-22T22:52:29.000+02:00
diff --git a/system/Entity/Cast/ArrayCast.php b/system/Entity/Cast/ArrayCast.php
@@ -18,7 +18,7 @@ class ArrayCast extends BaseCast
     public static function get($value, array $params = []): array
     {
         if (is_string($value) && (str_starts_with($value, 'a:') || str_starts_with($value, 's:'))) {
-            $value = unserialize($value);
+            $value = unserialize($value, ['allowed_classes' => false]);
         }
 
         return (array) $value;
diff --git a/tests/system/Entity/Cast/ArrayCastTest.php b/tests/system/Entity/Cast/ArrayCastTest.php
@@ -0,0 +1,35 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * This file is part of CodeIgniter 4 framework.
+ *
+ * (c) CodeIgniter Foundation <admin@codeigniter.com>
+ *
+ * For the full copyright and license information, please view
+ * the LICENSE file that was distributed with this source code.
+ */
+
+namespace CodeIgniter\Entity\Cast;
+
+use CodeIgniter\Test\CIUnitTestCase;
+use PHPUnit\Framework\Attributes\Group;
+use stdClass;
+
+/**
+ * @internal
+ */
+#[Group('Others')]
+final class ArrayCastTest extends CIUnitTestCase
+{
+    public function testGetPreventsObjectInjection(): void
+    {
+        $payload = serialize([new stdClass()]);
+
+        $result = ArrayCast::get($payload);
+
+        $this->assertIsArray($result);
+        $this->assertInstanceOf('__PHP_Incomplete_Class', $result[0]);
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -18,7 +18,7 @@ class ArrayCast extends BaseCast`
`18`	`18`	`public static function get($value, array $params = []): array`
`19`	`19`	`{`
`20`	`20`	`if (is_string($value) && (str_starts_with($value, 'a:') \|\| str_starts_with($value, 's:'))) {`
`21`		`- $value = unserialize($value);`
	`21`	`+ $value = unserialize($value, ['allowed_classes' => false]);`
`22`	`22`	`}`
`23`	`23`
`24`	`24`	`return (array) $value;`