ASV: re-validate unserialized value

mle86 · mle86 · commit 2f747f922729 · 2019-11-28T17:53:17.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,8 @@
 v2.2.0 (2019-11)
 
- * Test serialization/unserialization
+ * Improved unserialization
+    * Re-validate serialized value
+    * Tests
 
 v2.1.0 (2019-11-13)
 
diff --git a/src/AbstractSerializableValue.php b/src/AbstractSerializableValue.php
@@ -35,4 +35,33 @@ public function jsonSerialize()
         return $this->value();
     }
 
+    /**
+     * This method ensures that unserialized instances are still valid.
+     *
+     * Serialization may be stored in databases for a long time;
+     * if the class definition changes in between,
+     * it's possible that a formerly-valid serialization
+     * contains a value which is no longer considered valid.
+     * That's why this method re-applies the {@see isValid} check.
+     *
+     * @internal
+     */
+    public function __wakeup()
+    {
+        /*
+         * The serialization contained both $value and $isSet
+         * and there's nothing left to assign.
+         * But we'll still run the validation
+         * just in case the serialized value is no longer considered valid.
+         */
+
+        $storedValue = $this->value();
+        if (!static::isValid($storedValue)) {
+            $storedValue = (is_string($storedValue) || is_int($storedValue) || is_float($storedValue))
+                ? "'{$storedValue}'"
+                : gettype($storedValue);
+            throw new InvalidArgumentException("not a valid serialized " . static::class . ": {$storedValue}");
+        }
+    }
+
 }
diff --git a/test/15-SerializableValueTest.php b/test/15-SerializableValueTest.php
@@ -3,6 +3,7 @@
 namespace mle86\Value\Tests;
 
 use mle86\Value\AbstractSerializableValue;
+use mle86\Value\InvalidArgumentException;
 use mle86\Value\Tests\Helpers\TestSWrapper6;
 use mle86\Value\Value;
 use PHPUnit\Framework\TestCase;
@@ -14,9 +15,10 @@
 class SerializableValueTest extends TestCase
 {
 
-    const VALID_INPUT   = "61234";
-    const INVALID_INPUT = "61234 ";
-    const VALID_INPUT2  = "69999";
+    const VALID_INPUT    = "61234";
+    const INVALID_INPUT  = "61234 ";
+    const VALID_INPUT2   = "69999";
+    const INVALID_INPUT2 = "79990";
 
 
     public function testClassExists()
@@ -118,4 +120,31 @@ public function testPhpUnserialize(string $serialization, AbstractSerializableVa
             "Original object doesn't equal an unserialized object anymore!");
     }
 
+    /**
+     * @depends testPhpSerialize
+     * @depends testPhpUnserialize
+     */
+    public function testSerializedValueValidity()
+    {
+        $validInput   = self::VALID_INPUT2;
+        $invalidInput = self::INVALID_INPUT2;
+        if (strlen($validInput) !== strlen($invalidInput)) {
+            // We just want to replace the stored string without breaking the serialization format.
+            // That only works if the replacement string is of the same length
+            // because the serialization contains a length indicator.
+            $this->markTestSkipped("Cannot test invalid serialization; strings are not of same length");
+        }
+
+        $validSerialization = serialize(new TestSWrapper6($validInput));
+
+        $reValidInput = '/\b' . preg_quote($validInput, '/') . '\b/';
+        $invalidSerialization = preg_replace($reValidInput, $invalidInput, $validSerialization, -1, $nReplaced);
+        if ($nReplaced !== 1) {
+            $this->markTestSkipped("Cannot test invalid serialization; manipulation of serialization string failed");
+        }
+
+        $this->expectException(InvalidArgumentException::class);  // !
+        unserialize($invalidSerialization);
+    }
+
 }
