Forbid unserialize() method.

Can lead to code execution exploits if not used properly with
user supplied data. There are better methods of data exchange.

Author: paulholden

moodle/Sniffs/PHP/ForbiddenFunctionsSniff.php

@@ -19,8 +19,6 @@
 // phpcs:disable moodle.NamingConventions
 
 use PHP_CodeSniffer\Standards\Generic\Sniffs\PHP\ForbiddenFunctionsSniff as GenericForbiddenFunctionsSniff;
-use PHP_CodeSniffer\Sniffs\Sniff;
-use PHP_CodeSniffer\Files\File;
 
 /**
  * Sniff for debugging and other functions that we don't want used in finished code.
@@ -65,5 +63,6 @@ class ForbiddenFunctionsSniff extends GenericForbiddenFunctionsSniff {
         'print_object' => null,
         // Dangerous functions. From coding style.
         'extract'      => null,
+        'unserialize'  => null,
     ];
 }

moodle/Tests/MoodleStandardTest.php

@@ -470,6 +470,7 @@ public function test_moodle_php_forbiddenfunctions() {
             15 => 0,
             16 => 0,
             17 => 0,
+            20 => 'function unserialize() is forbidden',
             ));
         $this->set_warnings(array());
 

moodle/Tests/fixtures/moodle_php_forbiddenfunctions.php

@@ -16,5 +16,6 @@
 a: echo 'Goto labels, oh my!'
 b:
 echo 'More goto labels, re-oh my!'
-// Fair enough.
+// Fair enough. Unserialize can be dangerous too, better catch it.
+$a = unserialize($b);