Verify child process result file with a random nonce

PHPUnit runs isolated tests by having the child process serialize a result object and write it to a temporary file under the system's directory for temporary files. The parent process then reads the file and calls unserialize() on its contents. The serialized payload contains Event, TestResult, PassedTests, and CodeCoverage instances, all types whose constructors and __wakeup() / __destruct() methods execute during deserialization. An attacker who can write to the temporary file between the child's exit and the parent's read can substitute a crafted serialized payload and achieve code execution in the parent PHPUnit process.

This change defends against that write-after-exit race:

* SeparateProcessTestRunner generates a 32-character hex nonce (bin2hex(random_bytes(16))) per isolated test, injects it into the child template as {processResultNonce}, and passes the same value to JobRunnerRegistry::runTestJob().

* The child template prepends the nonce to the serialized payload before writing it to the result file.

* ChildProcessResultProcessor compares the file's prefix against the expected nonce with hash_equals(). A mismatch or short read is treated as tampering: childProcessErrored is emitted, the test is marked errored with an AssertionFailedError, and unserialize() is never called. On a match the prefix is stripped and processing continues as before.

What this blocks:

* A co-tenant on a shared CI runner (or any local process that can write to the temp directory) replacing the result file with a crafted serialized payload between the child's exit and the parent's read. Without the nonce, the payload cannot pass the hash_equals() check and is rejected before reaching unserialize().

* Accidental reuse of a stale result file from an unrelated process that happens to occupy the same temp path.

What this does not block:

* A compromised or attacker-controlled child process. The child must know the nonce in order to emit a valid result, so any code running inside the child (including malicious test code executed by an untrusted pull request on an unisolated CI job) can produce a payload that passes the prefix check. Closing that vector requires converting the wire format away from serialize() of live objects.

* Attacks that do not involve swapping the result file, such as exploiting bugs in the Event subsystem itself once a legitimate payload has been deserialized.

The nonce is a defence-in-depth measure against the local race, not a substitute for treating the serialized wire format as untrusted input.

Author: sebastianbergmann

src/Framework/TestRunner/ChildProcessResultProcessor.php

@@ -10,6 +10,9 @@
 namespace PHPUnit\Framework;
 
 use function assert;
+use function hash_equals;
+use function strlen;
+use function substr;
 use function trim;
 use function unserialize;
 use PHPUnit\Event\Code\TestMethodBuilder;
@@ -37,7 +40,10 @@ public function __construct(Facade $eventFacade, Emitter $emitter, PassedTests $
         $this->codeCoverage = $codeCoverage;
     }
 
-    public function process(Test $test, string $serializedProcessResult, string $stderr): void
+    /**
+     * @param ?non-empty-string $processResultNonce
+     */
+    public function process(Test $test, string $serializedProcessResult, string $stderr, ?string $processResultNonce = null): void
     {
         if ($stderr !== '') {
             $exception = new Exception(trim($stderr));
@@ -52,6 +58,35 @@ public function process(Test $test, string $serializedProcessResult, string $std
             return;
         }
 
+        if ($processResultNonce !== null && $serializedProcessResult !== '') {
+            $nonceLength = strlen($processResultNonce);
+
+            if (strlen($serializedProcessResult) < $nonceLength ||
+                !hash_equals($processResultNonce, substr($serializedProcessResult, 0, $nonceLength))) {
+                $this->emitter->childProcessErrored();
+
+                $exception = new AssertionFailedError(
+                    'Test was run in child process and the result file was tampered with or written by an unexpected process',
+                );
+
+                assert($test instanceof TestCase);
+
+                $this->emitter->testErrored(
+                    TestMethodBuilder::fromTestCase($test),
+                    ThrowableBuilder::from($exception),
+                );
+
+                $this->emitter->testFinished(
+                    TestMethodBuilder::fromTestCase($test),
+                    0,
+                );
+
+                return;
+            }
+
+            $serializedProcessResult = substr($serializedProcessResult, $nonceLength);
+        }
+
         $childResult = @unserialize($serializedProcessResult);
 
         if ($childResult === false) {

src/Framework/TestRunner/SeparateProcessTestRunner.php

@@ -10,9 +10,11 @@
 namespace PHPUnit\Framework;
 
 use function assert;
+use function bin2hex;
 use function defined;
 use function get_include_path;
 use function hrtime;
+use function random_bytes;
 use function serialize;
 use function sprintf;
 use function sys_get_temp_dir;
@@ -118,6 +120,7 @@ public function run(TestCase $test, bool $runEntireClass, bool $preserveGlobalSt
         $offset                  = hrtime();
         $serializedConfiguration = $this->saveConfigurationForChildProcess();
         $processResultFile       = $this->pathForCachedSourceMap();
+        $processResultNonce      = bin2hex(random_bytes(16));
         $sourceMapFile           = $this->sourceMapFileForChildProcess();
 
         $file = $class->getFileName();
@@ -144,6 +147,7 @@ public function run(TestCase $test, bool $runEntireClass, bool $preserveGlobalSt
             'offsetNanoseconds'              => (string) $offset[1],
             'serializedConfiguration'        => $serializedConfiguration,
             'processResultFile'              => $processResultFile,
+            'processResultNonce'             => $processResultNonce,
             'sourceMapFile'                  => $sourceMapFile,
         ];
 
@@ -157,7 +161,7 @@ public function run(TestCase $test, bool $runEntireClass, bool $preserveGlobalSt
 
         assert($code !== '');
 
-        JobRunnerRegistry::runTestJob(new Job($code, requiresXdebug: $requiresXdebug), $processResultFile, $test);
+        JobRunnerRegistry::runTestJob(new Job($code, requiresXdebug: $requiresXdebug), $processResultFile, $test, $processResultNonce);
 
         @unlink($serializedConfiguration);
     }

src/Framework/TestRunner/templates/class.tpl

@@ -104,7 +104,7 @@ function __phpunit_run_isolated_test()
 
     file_put_contents(
         '{processResultFile}',
-        serialize(
+        '{processResultNonce}' . serialize(
             (object)[
                 'testResult'    => $test->result(),
                 'codeCoverage'  => {collectCodeCoverageInformation} ? CodeCoverage::instance()->codeCoverage() : null,

src/Framework/TestRunner/templates/method.tpl

@@ -104,7 +104,7 @@ function __phpunit_run_isolated_test()
 
     file_put_contents(
         '{processResultFile}',
-        serialize(
+        '{processResultNonce}' . serialize(
             (object)[
                 'testResult'    => $test->result(),
                 'codeCoverage'  => {collectCodeCoverageInformation} ? CodeCoverage::instance()->codeCoverage() : null,

src/Util/PHP/JobRunner.php

@@ -60,9 +60,10 @@ public function __construct(ChildProcessResultProcessor $processor)
     }
 
     /**
-     * @param non-empty-string $processResultFile
+     * @param non-empty-string  $processResultFile
+     * @param ?non-empty-string $processResultNonce
      */
-    public function runTestJob(Job $job, string $processResultFile, Test $test): void
+    public function runTestJob(Job $job, string $processResultFile, Test $test, ?string $processResultNonce = null): void
     {
         $result = $this->run($job);
 
@@ -80,6 +81,7 @@ public function runTestJob(Job $job, string $processResultFile, Test $test): voi
             $test,
             $processResult,
             $result->stderr(),
+            $processResultNonce,
         );
 
         EventFacade::emitter()->childProcessFinished($result->stdout(), $result->stderr());

src/Util/PHP/JobRunnerRegistry.php

@@ -30,11 +30,12 @@ public static function run(Job $job): Result
     }
 
     /**
-     * @param non-empty-string $processResultFile
+     * @param non-empty-string  $processResultFile
+     * @param ?non-empty-string $processResultNonce
      */
-    public static function runTestJob(Job $job, string $processResultFile, Test $test): void
+    public static function runTestJob(Job $job, string $processResultFile, Test $test, ?string $processResultNonce = null): void
     {
-        self::runner()->runTestJob($job, $processResultFile, $test);
+        self::runner()->runTestJob($job, $processResultFile, $test, $processResultNonce);
     }
 
     public static function set(JobRunner $runner): void

tests/unit/Framework/TestRunner/ChildProcessResultProcessorTest.php

@@ -46,6 +46,57 @@ public function testEmitsErrorEventWhenProcessResultCannotBeUnserialized(): void
         $this->processor($emitter)->process(new Success('testOne'), '', '');
     }
 
+    #[TestDox('Emits Test\Errored event when process result nonce is shorter than the expected nonce')]
+    public function testEmitsErrorEventWhenProcessResultIsShorterThanExpectedNonce(): void
+    {
+        $emitter = $this->createMock(Emitter::class);
+
+        $emitter
+            ->expects($this->once())
+            ->method('testErrored');
+
+        $this->processor($emitter)->process(
+            new Success('testOne'),
+            'too-short',
+            '',
+            'abcdef0123456789abcdef0123456789',
+        );
+    }
+
+    #[TestDox('Emits Test\Errored event when process result nonce does not match the expected nonce')]
+    public function testEmitsErrorEventWhenProcessResultNonceDoesNotMatchExpectedNonce(): void
+    {
+        $emitter = $this->createMock(Emitter::class);
+
+        $emitter
+            ->expects($this->once())
+            ->method('testErrored');
+
+        $this->processor($emitter)->process(
+            new Success('testOne'),
+            '00000000000000000000000000000000payload',
+            '',
+            'abcdef0123456789abcdef0123456789',
+        );
+    }
+
+    #[TestDox('Emits Test\Errored event when process result contains only the expected nonce and no serialized data')]
+    public function testEmitsErrorEventWhenProcessResultContainsOnlyExpectedNonceAndNoSerializedData(): void
+    {
+        $emitter = $this->createMock(Emitter::class);
+
+        $emitter
+            ->expects($this->once())
+            ->method('testErrored');
+
+        $this->processor($emitter)->process(
+            new Success('testOne'),
+            'abcdef0123456789abcdef0123456789',
+            '',
+            'abcdef0123456789abcdef0123456789',
+        );
+    }
+
     private function processor(Emitter $emitter): ChildProcessResultProcessor
     {
         return new ChildProcessResultProcessor(