Avoids code execution during cache deserialization

Improves cache security by extracting the serialized string from the cache payload instead of using `eval()` to deserialize it. This prevents potential code execution vulnerabilities. It also adds a helper function to the test class for exporting variables as strings.

Author: yoeunes

src/Cache/PsrCacheAdapter.php

@@ -90,19 +90,46 @@ public function clear(?string $regex = null): void
      */
     private function decodePayload(string $content): ?RegexNode
     {
-        $code = ltrim($content);
+        $serialized = $this->extractSerializedString($content);
+        if (null === $serialized) {
+            return null;
+        }
 
+        $value = @unserialize($serialized, ['allowed_classes' => true]);
+
+        return $value instanceof RegexNode ? $value : null;
+    }
+
+    /**
+     * Extracts the serialized AST string from the generated payload without executing it.
+     */
+    private function extractSerializedString(string $content): ?string
+    {
+        $code = ltrim($content);
         if (str_starts_with($code, '<?php')) {
             $code = substr($code, 5);
         }
 
-        try {
-            $result = eval($code);
+        $offset = stripos($code, 'unserialize(');
+        if (false === $offset) {
+            return null;
+        }
 
-            return $result instanceof RegexNode ? $result : null;
-        } catch (\Throwable) {
-            // If anything goes wrong we just fall back to storing the raw payload.
+        $argumentBlock = substr($code, $offset + \strlen('unserialize('));
+        $commaPos = strpos($argumentBlock, ',');
+        if (false === $commaPos) {
             return null;
         }
+
+        $argument = trim(substr($argumentBlock, 0, $commaPos));
+        if ('' === $argument) {
+            return null;
+        }
+
+        if (\in_array($argument[0], ["'", '"'], true) && $argument[0] === substr($argument, -1)) {
+            $argument = substr($argument, 1, -1);
+        }
+
+        return stripcslashes($argument);
     }
 }

src/Cache/PsrSimpleCacheAdapter.php

@@ -83,18 +83,46 @@ public function clear(?string $regex = null): void
      */
     private function decodePayload(string $content): ?RegexNode
     {
-        $code = ltrim($content);
+        $serialized = $this->extractSerializedString($content);
+        if (null === $serialized) {
+            return null;
+        }
 
+        $value = @unserialize($serialized, ['allowed_classes' => true]);
+
+        return $value instanceof RegexNode ? $value : null;
+    }
+
+    /**
+     * Extracts the serialized AST string from the generated payload without executing it.
+     */
+    private function extractSerializedString(string $content): ?string
+    {
+        $code = ltrim($content);
         if (str_starts_with($code, '<?php')) {
             $code = substr($code, 5);
         }
 
-        try {
-            $result = eval($code);
+        $offset = stripos($code, 'unserialize(');
+        if (false === $offset) {
+            return null;
+        }
 
-            return $result instanceof RegexNode ? $result : null;
-        } catch (\Throwable) {
+        $argumentBlock = substr($code, $offset + \strlen('unserialize('));
+        $commaPos = strpos($argumentBlock, ',');
+        if (false === $commaPos) {
             return null;
         }
+
+        $argument = trim(substr($argumentBlock, 0, $commaPos));
+        if ('' === $argument) {
+            return null;
+        }
+
+        if (\in_array($argument[0], ["'", '"'], true) && $argument[0] === substr($argument, -1)) {
+            $argument = substr($argument, 1, -1);
+        }
+
+        return stripcslashes($argument);
     }
 }

tests/Unit/Cache/PsrCacheAdapterTest.php

@@ -48,7 +48,15 @@ public function test_write_and_load_decoded_payload(): void
         $pool = new InMemoryPool();
         $cache = new PsrCacheAdapter($pool);
 
-        $payload = "<?php return new \\RegexParser\\Node\\RegexNode(new \\RegexParser\\Node\\LiteralNode('', 0, 0), '', '/', 0, 0);";
+        $ast = new RegexNode(new LiteralNode('', 0, 0), '', '/', 0, 0);
+        $serialized = serialize($ast);
+        $payload = <<<PHP
+            <?php
+
+            declare(strict_types=1);
+
+            return unserialize({$this->export($serialized)}, ['allowed_classes' => true]);
+            PHP;
 
         $key = $cache->generateKey('foo');
         $cache->write($key, $payload);
@@ -87,6 +95,11 @@ public function test_clear(): void
         $cache->clear();
         $this->assertNull($cache->load($key));
     }
+
+    private function export(string $value): string
+    {
+        return var_export($value, true);
+    }
 }
 
 final class InMemoryPool implements CacheItemPoolInterface