Merge branch '9.6' into 10.5

sebastianbergmann · sebastianbergmann · commit a8b932bd41c5 · 2026-01-26T17:51:30.000+01:00
* 9.6:
  Do not run PHPT test when its temporary file for code coverage information exists
  We do not need to unserialize() objects here
  Extract method
  Fix CS/WS issue
diff --git a/ChangeLog-10.5.md b/ChangeLog-10.5.md
@@ -2,6 +2,12 @@
 
 All notable changes of the PHPUnit 10.5 release series are documented in this file using the [Keep a CHANGELOG](https://keepachangelog.com/) principles.
 
+## [10.5.62] - 2026-MM-DD
+
+### Changed
+
+* To prevent Poisoned Pipeline Execution (PPE) attacks using prepared `.coverage` files in pull requests, a PHPT test will no longer be run if the temporary file for writing code coverage information already exists before the test runs
+
 ## [10.5.61] - 2026-01-24
 
 ### Changed
@@ -515,6 +521,7 @@ All notable changes of the PHPUnit 10.5 release series are documented in this fi
 
 * [#5563](https://github.com/sebastianbergmann/phpunit/issues/5563): `createMockForIntersectionOfInterfaces()` does not automatically register mock object for expectation verification
 
+[10.5.62]: https://github.com/sebastianbergmann/phpunit/compare/10.5.61...10.5
 [10.5.61]: https://github.com/sebastianbergmann/phpunit/compare/10.5.60...10.5.61
 [10.5.60]: https://github.com/sebastianbergmann/phpunit/compare/10.5.59...10.5.60
 [10.5.59]: https://github.com/sebastianbergmann/phpunit/compare/10.5.58...10.5.59
diff --git a/src/Runner/Exception/CodeCoverageFileExistsException.php b/src/Runner/Exception/CodeCoverageFileExistsException.php
@@ -0,0 +1,21 @@
+<?php declare(strict_types=1);
+/*
+ * This file is part of PHPUnit.
+ *
+ * (c) Sebastian Bergmann <sebastian@phpunit.de>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+namespace PHPUnit\Runner;
+
+use RuntimeException;
+
+/**
+ * @no-named-arguments Parameter names are not covered by the backward compatibility promise for PHPUnit
+ *
+ * @internal This class is not covered by the backward compatibility promise for PHPUnit
+ */
+final class CodeCoverageFileExistsException extends RuntimeException implements Exception
+{
+}
diff --git a/src/Runner/PhptTestCase.php b/src/Runner/PhptTestCase.php
@@ -19,6 +19,7 @@
 use function explode;
 use function extension_loaded;
 use function file;
+use function file_exists;
 use function file_get_contents;
 use function file_put_contents;
 use function is_array;
@@ -31,6 +32,7 @@
 use function preg_split;
 use function realpath;
 use function rtrim;
+use function sprintf;
 use function str_contains;
 use function str_replace;
 use function str_starts_with;
@@ -89,7 +91,10 @@ final class PhptTestCase implements Reorderable, SelfDescribing, Test
     public function __construct(string $filename, ?AbstractPhpProcess $phpUtil = null)
     {
         $this->filename = $filename;
-        $this->phpUtil  = $phpUtil ?: AbstractPhpProcess::factory();
+
+        $this->ensureCoverageFileDoesNotExist();
+
+        $this->phpUtil = $phpUtil ?: AbstractPhpProcess::factory();
     }
 
     /**
@@ -654,7 +659,7 @@ private function cleanupForCoverage(): RawCodeCoverageData
         }
 
         if ($buffer !== false) {
-            $coverage = @unserialize($buffer);
+            $coverage = @unserialize($buffer, ['allowed_class' => false]);
 
             if ($coverage === false) {
                 $coverage = RawCodeCoverageData::fromXdebugWithoutPathCoverage([]);
@@ -840,4 +845,22 @@ private function settings(bool $collectCoverage): array
 
         return $settings;
     }
+
+    /**
+     * @throws CodeCoverageFileExistsException
+     */
+    private function ensureCoverageFileDoesNotExist(): void
+    {
+        $files = $this->getCoverageFiles();
+
+        if (file_exists($files['coverage'])) {
+            throw new CodeCoverageFileExistsException(
+                sprintf(
+                    'File %s exists, PHPT test %s will not be executed',
+                    $files['coverage'],
+                    $this->filename,
+                ),
+            );
+        }
+    }
 }
diff --git a/tests/end-to-end/_files/phpt-coverage-file-exists/test.coverage b/tests/end-to-end/_files/phpt-coverage-file-exists/test.coverage
diff --git a/tests/end-to-end/_files/phpt-coverage-file-exists/test.phpt b/tests/end-to-end/_files/phpt-coverage-file-exists/test.phpt
@@ -0,0 +1,7 @@
+--TEST--
+test
+--FILE--
+<?php declare(strict_types=1);
+print 'test';
+--EXPECT--
+test
diff --git a/tests/end-to-end/phpt/phpt-coverage-file-exists.phpt b/tests/end-to-end/phpt/phpt-coverage-file-exists.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Error when code coverage file exists
+--FILE--
+<?php declare(strict_types=1);
+$_SERVER['argv'][] = '--do-not-cache-result';
+$_SERVER['argv'][] = '--no-configuration';
+$_SERVER['argv'][] = \realpath(__DIR__ . '/../_files/phpt-coverage-file-exists/test.phpt');
+
+require_once __DIR__ . '/../../bootstrap.php';
+
+(new PHPUnit\TextUI\Application)->run($_SERVER['argv']);
+--EXPECTF--
+PHPUnit %s by Sebastian Bergmann and contributors.
+
+Runtime: %s
+
+There was 1 PHPUnit test runner warning:
+
+1) File %stest.coverage exists, PHPT test %stest.phpt will not be executed
+
+No tests executed!
