Merge branch '11.5' into 12.5

sebastianbergmann · sebastianbergmann · commit 962f15255381 · 2026-01-26T18:19:41.000+01:00
* 11.5:
  Do not run PHPT test when its temporary file for code coverage information exists
  We do not need to unserialize() objects here
  Extract method
  Fix CS/WS issue
diff --git a/ChangeLog-12.5.md b/ChangeLog-12.5.md
@@ -2,6 +2,12 @@
 
 All notable changes of the PHPUnit 12.5 release series are documented in this file using the [Keep a CHANGELOG](https://keepachangelog.com/) principles.
 
+## [12.5.8] - 2026-MM-DD
+
+### Changed
+
+* To prevent Poisoned Pipeline Execution (PPE) attacks using prepared `.coverage` files in pull requests, a PHPT test will no longer be run if the temporary file for writing code coverage information already exists before the test runs
+
 ## [12.5.7] - 2026-01-24
 
 ### Fixed
@@ -69,6 +75,7 @@ All notable changes of the PHPUnit 12.5 release series are documented in this fi
 * [#6380](https://github.com/sebastianbergmann/phpunit/pull/6380): Allow `Throwable` in `expectExceptionObject()`
 * A PHPUnit notice is now emitted for test methods that create a mock object but do not configure an expectation for it
 
+[12.5.8]: https://github.com/sebastianbergmann/phpunit/compare/12.5.7...12.5
 [12.5.7]: https://github.com/sebastianbergmann/phpunit/compare/12.5.6...12.5.7
 [12.5.6]: https://github.com/sebastianbergmann/phpunit/compare/12.5.5...12.5.6
 [12.5.5]: https://github.com/sebastianbergmann/phpunit/compare/12.5.4...12.5.5
diff --git a/src/Runner/Exception/CodeCoverageFileExistsException.php b/src/Runner/Exception/CodeCoverageFileExistsException.php
@@ -0,0 +1,21 @@
+<?php declare(strict_types=1);
+/*
+ * This file is part of PHPUnit.
+ *
+ * (c) Sebastian Bergmann <sebastian@phpunit.de>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+namespace PHPUnit\Runner;
+
+use RuntimeException;
+
+/**
+ * @no-named-arguments Parameter names are not covered by the backward compatibility promise for PHPUnit
+ *
+ * @internal This class is not covered by the backward compatibility promise for PHPUnit
+ */
+final class CodeCoverageFileExistsException extends RuntimeException implements Exception
+{
+}
diff --git a/src/Runner/Phpt/TestCase.php b/src/Runner/Phpt/TestCase.php
@@ -17,6 +17,7 @@
 use function dirname;
 use function explode;
 use function extension_loaded;
+use function file_exists;
 use function file_get_contents;
 use function is_array;
 use function is_file;
@@ -49,6 +50,7 @@
 use PHPUnit\Framework\SelfDescribing;
 use PHPUnit\Framework\Test;
 use PHPUnit\Runner\CodeCoverage;
+use PHPUnit\Runner\CodeCoverageFileExistsException;
 use PHPUnit\Runner\Exception;
 use PHPUnit\Util\PHP\Job;
 use PHPUnit\Util\PHP\JobRunnerRegistry;
@@ -83,6 +85,8 @@
     public function __construct(string $filename)
     {
         $this->filename = $filename;
+
+        $this->ensureCoverageFileDoesNotExist();
     }
 
     public function count(): int
@@ -467,7 +471,7 @@ private function cleanupForCoverage(): RawCodeCoverageData
         }
 
         if ($buffer !== false) {
-            $coverage = @unserialize($buffer);
+            $coverage = @unserialize($buffer, ['allowed_classes' => false]);
 
             if ($coverage === false) {
                 /**
@@ -706,4 +710,22 @@ private function triggerRunnerWarningOnPhpErrors(string $section, string $output
             );
         }
     }
+
+    /**
+     * @throws CodeCoverageFileExistsException
+     */
+    private function ensureCoverageFileDoesNotExist(): void
+    {
+        $files = $this->coverageFiles();
+
+        if (file_exists($files['coverage'])) {
+            throw new CodeCoverageFileExistsException(
+                sprintf(
+                    'File %s exists, PHPT test %s will not be executed',
+                    $files['coverage'],
+                    $this->filename,
+                ),
+            );
+        }
+    }
 }
diff --git a/tests/end-to-end/_files/phpt-coverage-file-exists/test.coverage b/tests/end-to-end/_files/phpt-coverage-file-exists/test.coverage
diff --git a/tests/end-to-end/_files/phpt-coverage-file-exists/test.phpt b/tests/end-to-end/_files/phpt-coverage-file-exists/test.phpt
@@ -0,0 +1,7 @@
+--TEST--
+test
+--FILE--
+<?php declare(strict_types=1);
+print 'test';
+--EXPECT--
+test
diff --git a/tests/end-to-end/phpt/phpt-coverage-file-exists.phpt b/tests/end-to-end/phpt/phpt-coverage-file-exists.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Error when code coverage file exists
+--FILE--
+<?php declare(strict_types=1);
+$_SERVER['argv'][] = '--do-not-cache-result';
+$_SERVER['argv'][] = '--no-configuration';
+$_SERVER['argv'][] = \realpath(__DIR__ . '/../_files/phpt-coverage-file-exists/test.phpt');
+
+require_once __DIR__ . '/../../bootstrap.php';
+
+(new PHPUnit\TextUI\Application)->run($_SERVER['argv']);
+--EXPECTF--
+PHPUnit %s by Sebastian Bergmann and contributors.
+
+Runtime: %s
+
+There was 1 PHPUnit test runner warning:
+
+1) File %stest.coverage exists, PHPT test %stest.phpt will not be executed
+
+No tests executed!
