Skip to content

appsec/laravel: be more defensive#3503

Merged
cataphract merged 1 commit intomasterfrom
glopes/appsec-laravel-fix
Dec 5, 2025
Merged

appsec/laravel: be more defensive#3503
cataphract merged 1 commit intomasterfrom
glopes/appsec-laravel-fix

Conversation

@cataphract
Copy link
Copy Markdown
Contributor

@cataphract cataphract commented Nov 26, 2025

Just doing isset($user['username']) is not safe is $user doesn't implement ArrayAccess.

php > class A {}
php > $a = new A;
php > var_dump(isset($a['x']));
PHP Warning: Uncaught Error: Cannot use object of type A as array in php shell code:1 Stack trace:
thrown in php shell code on line 1

Description

Reviewer checklist

  • Test coverage seems ok.
  • Appropriate labels assigned.

@codecov-commenter
Copy link
Copy Markdown

codecov-commenter commented Nov 26, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 61.60%. Comparing base (867b36c) to head (e985cb6).

Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##           master    #3503      +/-   ##
==========================================
- Coverage   61.74%   61.60%   -0.14%     
==========================================
  Files         142      142              
  Lines       12975    12975              
  Branches     1700     1700              
==========================================
- Hits         8011     7993      -18     
- Misses       4204     4222      +18     
  Partials      760      760

see 4 files with indirect coverage changes

Continue to review full report in Codecov by Sentry.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 867b36c...e985cb6. Read the comment docs.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@pr-commenter
Copy link
Copy Markdown

pr-commenter Bot commented Nov 26, 2025

Benchmarks [ appsec ]

Benchmark execution time: 2025-11-26 18:43:47

Comparing candidate commit 05af36e in PR branch glopes/appsec-laravel-fix with baseline commit 0c35caf in branch master.

Found 0 performance improvements and 0 performance regressions! Performance is the same for 12 metrics, 0 unstable metrics.

@pr-commenter
Copy link
Copy Markdown

pr-commenter Bot commented Nov 26, 2025
edited
Loading

Benchmarks [ tracer ]

Benchmark execution time: 2025-12-04 11:29:04

Comparing candidate commit e985cb6 in PR branch glopes/appsec-laravel-fix with baseline commit 867b36c in branch master.

Found 3 performance improvements and 6 performance regressions! Performance is the same for 185 metrics, 0 unstable metrics.

scenario:ComposerTelemetryBench/benchTelemetryParsing

  • 🟥 execution_time [+502.600ns; +1297.400ns] or [+4.654%; +12.013%]

scenario:MessagePackSerializationBench/benchMessagePackSerialization

  • 🟩 execution_time [-5.152µs; -2.568µs] or [-4.699%; -2.343%]

scenario:MessagePackSerializationBench/benchMessagePackSerialization-opcache

  • 🟩 execution_time [-4.252µs; -2.768µs] or [-3.790%; -2.468%]

scenario:SamplingRuleMatchingBench/benchRegexMatching1

  • 🟥 execution_time [+97.668ns; +163.732ns] or [+8.450%; +14.165%]

scenario:SamplingRuleMatchingBench/benchRegexMatching2

  • 🟥 execution_time [+95.388ns; +176.612ns] or [+8.213%; +15.207%]

scenario:SamplingRuleMatchingBench/benchRegexMatching3

  • 🟥 execution_time [+87.882ns; +149.718ns] or [+7.477%; +12.738%]

scenario:SamplingRuleMatchingBench/benchRegexMatching4

  • 🟥 execution_time [+93.015ns; +129.785ns] or [+8.055%; +11.240%]

scenario:SpanBench/benchOpenTelemetryAPI

  • 🟥 mem_peak [+1.712MB; +1.718MB] or [+4.144%; +4.160%]

scenario:TraceSerializationBench/benchSerializeTrace

  • 🟩 execution_time [-36.746µs; -24.854µs] or [-8.213%; -5.555%]

@cataphract cataphract marked this pull request as ready for review December 3, 2025 16:15
@cataphract cataphract requested review from a team as code owners December 3, 2025 16:15
@cataphract cataphract force-pushed the glopes/appsec-laravel-fix branch from 05af36e to b49e000 Compare December 3, 2025 16:15
@cataphract
appsec/laravel: be more defensive
e985cb6 
Just doing isset($user['username']) is not safe is $user doesn't
implement ArrayAccess.

php > class A {}
php > $a = new A;
php > var_dump(isset($a['x']));
PHP Warning:  Uncaught Error: Cannot use object of type A as array in php shell code:1
Stack trace:
  thrown in php shell code on line 1
@cataphract cataphract force-pushed the glopes/appsec-laravel-fix branch from b49e000 to e985cb6 Compare December 4, 2025 10:22
@cataphract cataphract merged commit ca291a7 into master Dec 5, 2025
2006 of 2007 checks passed
@cataphract cataphract deleted the glopes/appsec-laravel-fix branch December 5, 2025 12:33
@github-actions github-actions Bot added this to the 1.15.0 milestone Dec 5, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@estringana estringana estringana approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

1.15.0

Development

Successfully merging this pull request may close these issues.

3 participants

@cataphract @codecov-commenter @estringana