vimeo / psalm

A static analysis tool for finding errors in PHP applications
https://psalm.dev
MIT License

Streamline unserialize tainted results #5101

Open ohader opened 3 years ago

ohader commented 3 years ago

https://psalm.dev/r/39fff64acc

psalm-github-bot[bot] commented 3 years ago

I found these snippets:

https://psalm.dev/r/39fff64acc

```php
<?php
class Custom {}

$payload = $_GET['payload'];
// tainted as expected
unserialize($payload);
// actually is safe
// 2nd parameter to `unserialize` available since PHP 7.0 (=> still unsafe for PHP 5.x)
unserialize($payload, ['allowed_classes' => false]);
// either some new annotation at class, or custom plugin could decide
unserialize($payload, ['allowed_classes' => [Custom::class]]);
```

```
Psalm output (using commit ae172b2):

ERROR: ParseError - 16:1 - Syntax error, unexpected T_STRING on line 16

ERROR: TaintedUnserialize - 16:13 - Detected tainted code passed to unserialize or similar

ERROR: TaintedUnserialize - 19:13 - Detected tainted code passed to unserialize or similar

ERROR: TaintedUnserialize - 21:13 - Detected tainted code passed to unserialize or similar
```
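The snippet above argues that the second and third `unserialize()` calls are safe because `allowed_classes` stops arbitrary objects from being instantiated. The following is an added example, not code from this issue or from Psalm, that shows what that restriction actually does at runtime and how a defender would wrap it: a class outside the allowlist comes back as `__PHP_Incomplete_Class`, so its `__wakeup()`/`__destruct()` hooks never run, and the wrapper rejects it outright. `Custom` is taken from the issue; the `Dangerous` class, the wrapper function names and the serialized payloads are constructed for illustration and assume PHP 8.0 or later (for the `mixed` return type).

```php
<?php
declare(strict_types=1);

// Class from the issue: the one we are willing to instantiate from input.
class Custom
{
    public string $name = 'default';
}

// Hypothetical class standing in for anything with a side-effecting
// unserialize hook; it must never be instantiated from untrusted data.
final class Dangerous
{
    public string $cmd = '';

    public function __wakeup(): void
    {
        throw new RuntimeException('Dangerous::__wakeup() ran');
    }
}

/**
 * Hardened wrapper: only classes listed in $allowed may be instantiated.
 * PHP turns any other class into __PHP_Incomplete_Class (no constructor,
 * no __wakeup), which we reject instead of passing along.
 * Requires PHP >= 7.0 for the second unserialize() argument.
 */
function unserializeAllowed(string $payload, array $allowed): mixed
{
    $value = unserialize($payload, ['allowed_classes' => $allowed]);
    if ($value instanceof __PHP_Incomplete_Class) {
        throw new InvalidArgumentException('Payload references a class outside the allowlist');
    }
    return $value;
}

/**
 * Scalars-only wrapper: with allowed_classes => false no class is ever
 * instantiated, so the result can only be treated as plain data.
 */
function unserializeScalars(string $payload): mixed
{
    return unserialize($payload, ['allowed_classes' => false]);
}

// Constructed payloads: one for the allowed class, one naming the hypothetical class.
$safePayload    = serialize(new Custom());
$hostilePayload = 'O:9:"Dangerous":1:{s:3:"cmd";s:2:"id";}';

// Allowed class round-trips as a real Custom instance.
$custom = unserializeAllowed($safePayload, [Custom::class]);
var_dump($custom instanceof Custom);

// Class outside the allowlist is rejected; Dangerous::__wakeup() never executes.
try {
    unserializeAllowed($hostilePayload, [Custom::class]);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}

// With allowed_classes => false even the Custom payload is incomplete,
// so the caller must not rely on object behaviour at all.
var_dump(unserializeScalars($safePayload) instanceof __PHP_Incomplete_Class);
```

The `instanceof __PHP_Incomplete_Class` check is the part worth keeping in application code: `unserialize()` does not fail when it meets a disallowed class, it silently returns a placeholder object, and code that goes on to call methods on that placeholder will error later in a less obvious place. A taint rule that treats the `allowed_classes => false` and allowlist forms as sinks with a narrower sink type, as the issue proposes, would match the runtime behaviour shown here.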