From 2450d3b48ceddb7637eba2dd90b8133427ae6b83 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
<41898282+github-actions[bot]@users.noreply.github.com>
Date: Mon, 20 Apr 2026 13:08:15 +0000
Subject: [PATCH 1/2] [Dependabot Alert #1995] Scaffold PR for phpunit/phpunit
---
.github/dependabot-alerts/alert-1995.md | 76 +++++++++++++++++++++++++
1 file changed, 76 insertions(+)
create mode 100644 .github/dependabot-alerts/alert-1995.md
diff --git a/.github/dependabot-alerts/alert-1995.md b/.github/dependabot-alerts/alert-1995.md
new file mode 100644
index 00000000000..b6e146aaf1e
--- /dev/null
+++ b/.github/dependabot-alerts/alert-1995.md
@@ -0,0 +1,76 @@
+@devin-ai-integration Please resolve this Dependabot security alert.
+
+**Instructions:**
+1. Analyze the vulnerability and understand its impact
+2. Update the affected dependency to a secure version. If updating a poetry lock file, use the same version of poetry used to generate the existing one.
+3. Ideally resolve this without using an override - prefer updating the dependency directly
+4. If an override is absolutely necessary, document why in the PR description
+5. Run tests to ensure the update doesn't break anything
+6. Push your fix to this PR branch and tag @davidkonigsberg for review
+7. Delete the scaffold file (.github/dependabot-alerts/alert-*.md) as part of your fix
+8. Update the PR title, if needed, to pass CI checks
+
+**Alert Details:**
+
+- **Package:** phpunit/phpunit (composer)
+- **Severity:** HIGH
+- **Vulnerable versions:** <= 12.5.21
+- **Patched version:** 12.5.22
+- **CVE:** N/A
+- **GHSA:** GHSA-qrr6-mg7r-m243
+- **Manifest:** seed/php-model/multi-url-environment-reference/composer.json
+
+**Summary:**
+PHPUnit has Argument injection via newline in PHP INI values that are forwarded to child processes
+
+**Description:**
+## Impact
+
+PHPUnit forwards PHP INI settings to child processes (used for isolated/PHPT test execution) as `-d name=value` command-line arguments without neutralizing INI metacharacters. Because PHP's INI parser interprets `"` as a string delimiter, `;` as the start of a comment, and most importantly a newline as a directive separator, a value containing a newline is parsed by the child process as multiple INI directives.
+
+An attacker able to influence a single INI value can therefore inject arbitrary additional directives into the child's configuration, including `auto_prepend_file`, `extension`, `disable_functions`, `open_basedir`, and others. Setting `auto_prepend_file` to an attacker-controlled path yields remote code execution in the child process.
+
+Sources of INI values that participate in the attack:
+
+- `` entries in `phpunit.xml` / `phpunit.xml.dist`
+- INI settings inherited from the host PHP runtime via `ini_get_all()`
+
+### Threat Model
+
+Exploitation requires the attacker to control the content of an INI value read by PHPUnit. In practice this means write access to the project's `phpunit.xml`, the host `php.ini`, or the PHP binary's environment. The most realistic exposure is [Poisoned Pipeline Execution](https://owasp.org/www-project-top-10-ci-cd-security-risks/CICD-SEC-04-Poisoned-Pipeline-Execution) (PPE): a pull request from an untrusted contributor that modifies `phpunit.xml` to include a newline-containing INI value, executed by a CI system that runs PHPUnit against the PR without isolation. A malicious newline is not visibly distinguishable from a legitimate value in a typical diff review.
+
+### Affected component
+
+`PHPUnit\Util\PHP\JobRunner::settingsToParameters()`.
+
+## Patches
+
+The fix has two parts:
+
+**1. Reject line-break characters**
+
+Because a newline or carriage return in an INI value has no legitimate use and is the primitive that enables directive injection, any PHP setting value containing `\n` or `\r` is now rejected with an explicit `PhpProcessException`. This follows the same "visibility over silence" principle applied in [CVE-2026-24765](https://github.com/sebastianbergmann/phpunit/security/advisories/GHSA-vvj3-c3rp-c85p): the anomalous state fails loudly in CI output rather than being silently sanitized, giving operators an opportunity to investigate whether it reflects tampering, environment contamination, or an unexpected upstream change.
+
+**2. Quote remaining metacharacters**
+
+Values containing `"` or `;`, both of which have legitimate uses (e.g., regex-valued INI settings such as `ddtrace`'s `datadog.appsec.obfuscation_parameter_value_regexp`), are wrapped in double quotes with inner `"` escaped as `\"`, so PHP's INI parser reads them as literal string contents rather than comment/delimiter tokens. Plain values are forwarded unchanged so that boolean keywords (`On`/`Off`) and bitwise expressions (`E_ALL & ~E_NOTICE`) retain their INI semantics.
+
+## Workarounds
+
+If upgrading is not immediately possible:
+
+- Audit INI values: Ensure no `` entry in `phpunit.xml` / `phpunit.xml.dist` contains newline, `"`, or `;` characters, and that nothing writes such values into configuration at build time.
+- Isolate CI execution of untrusted code: Run PHPUnit against pull requests only in ephemeral, containerized runners that discard filesystem state between jobs; require human review before executing PRs from forks; enforce branch protection on workflows that handle secrets (`pull_request_target` and similar). These mitigations apply to the broader PPE risk class and are effective against this vulnerability as well.
+- Restrict who can modify `phpunit.xml`: Treat `phpunit.xml` as security-sensitive in code review, particularly `` entries.
+- Sanitize host INI: Ensure the host PHP's `php.ini` does not contain values with embedded newlines or unescaped metacharacters.
+
+## References
+
+- Fix: https://github.com/sebastianbergmann/phpunit/pull/6592
+- Related advisory (same threat class, Poisoned Pipeline Execution): [GHSA-vvj3-c3rp-c85p / CVE-2026-24765](https://github.com/sebastianbergmann/phpunit/security/advisories/GHSA-vvj3-c3rp-c85p)
+- OWASP CI/CD Top 10: [CICD-SEC-04 Poisoned Pipeline Execution](https://owasp.org/www-project-top-10-ci-cd-security-risks/CICD-SEC-04-Poisoned-Pipeline-Execution)
+- CWE-88: https://cwe.mitre.org/data/definitions/88.html
+- CWE-93: https://cwe.mitre.org/data/definitions/93.html
+
+---
+[View Dependabot Alert](https://github.com/fern-api/fern/security/dependabot/1995)
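Review bot: the inline code spans on the "Sources of INI values" bullet and on the "Audit INI values" and "Restrict who can modify" workaround bullets are empty (`` entries), so the element name those lines refer to was lost when the advisory body was copied into the scaffold; restore it from the upstream advisory (GHSA-qrr6-mg7r-m243) so the audit step is actionable. Separately, instruction step 2 talks about regenerating a poetry lock file, but this alert's manifest is a composer.json; either drop that sentence for the composer ecosystem or replace it with the equivalent guidance for composer.lock (regenerate with the same Composer version that produced the existing lock file).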
From 410f37a125f226f30698295f038de0e43c7470f3 Mon Sep 17 00:00:00 2001
From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com>
Date: Mon, 20 Apr 2026 14:30:56 +0000
Subject: [PATCH 2/2] chore(ci): re-enable php-model seed auto-update
(GHSA-qrr6-mg7r-m243)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The php-model-seed-update job in update-seed.yml was pinned to if: false ('generator not actively supported'), so when #15145 bumped phpunit to ^12.5.22 and PHP to 8.3 in the shared @fern-api/php-base PhpProject template, the Update Seed auto-PR pipeline only refreshed seed/php-sdk/** — seed/php-model/** stayed on phpunit ^9.0 / PHP 8.1, leaving GHSA-qrr6-mg7r-m243 still flagged by Dependabot on seed/php-model/multi-url-environment-reference/composer.json.

Restoring the original condition so the matching Update Seed auto-PR will run for php-model on the next push to main (or on a manual workflow_dispatch with language=php). The downstream apply-update-seed-patches / create-pull-request matrix already includes php-model, so no other changes are needed. Seed fixtures under seed/php-model/** will be refreshed by that follow-up auto-PR rather than by hand-edits in this PR.
---
.github/dependabot-alerts/alert-1995.md | 76 -------------------------
.github/workflows/update-seed.yml | 15 +++--
2 files changed, 7 insertions(+), 84 deletions(-)
delete mode 100644 .github/dependabot-alerts/alert-1995.md
diff --git a/.github/dependabot-alerts/alert-1995.md b/.github/dependabot-alerts/alert-1995.md
deleted file mode 100644
index b6e146aaf1e..00000000000
--- a/.github/dependabot-alerts/alert-1995.md
+++ /dev/null
@@ -1,76 +0,0 @@
-@devin-ai-integration Please resolve this Dependabot security alert.
-
-**Instructions:**
-1. Analyze the vulnerability and understand its impact
-2. Update the affected dependency to a secure version. If updating a poetry lock file, use the same version of poetry used to generate the existing one.
-3. Ideally resolve this without using an override - prefer updating the dependency directly
-4. If an override is absolutely necessary, document why in the PR description
-5. Run tests to ensure the update doesn't break anything
-6. Push your fix to this PR branch and tag @davidkonigsberg for review
-7. Delete the scaffold file (.github/dependabot-alerts/alert-*.md) as part of your fix
-8. Update the PR title, if needed, to pass CI checks
-
-**Alert Details:**
-
-- **Package:** phpunit/phpunit (composer)
-- **Severity:** HIGH
-- **Vulnerable versions:** <= 12.5.21
-- **Patched version:** 12.5.22
-- **CVE:** N/A
-- **GHSA:** GHSA-qrr6-mg7r-m243
-- **Manifest:** seed/php-model/multi-url-environment-reference/composer.json
-
-**Summary:**
-PHPUnit has Argument injection via newline in PHP INI values that are forwarded to child processes
-
-**Description:**
-## Impact
-
-PHPUnit forwards PHP INI settings to child processes (used for isolated/PHPT test execution) as `-d name=value` command-line arguments without neutralizing INI metacharacters. Because PHP's INI parser interprets `"` as a string delimiter, `;` as the start of a comment, and most importantly a newline as a directive separator, a value containing a newline is parsed by the child process as multiple INI directives.
-
-An attacker able to influence a single INI value can therefore inject arbitrary additional directives into the child's configuration, including `auto_prepend_file`, `extension`, `disable_functions`, `open_basedir`, and others. Setting `auto_prepend_file` to an attacker-controlled path yields remote code execution in the child process.
-
-Sources of INI values that participate in the attack:
-
-- `` entries in `phpunit.xml` / `phpunit.xml.dist`
-- INI settings inherited from the host PHP runtime via `ini_get_all()`
-
-### Threat Model
-
-Exploitation requires the attacker to control the content of an INI value read by PHPUnit. In practice this means write access to the project's `phpunit.xml`, the host `php.ini`, or the PHP binary's environment. The most realistic exposure is [Poisoned Pipeline Execution](https://owasp.org/www-project-top-10-ci-cd-security-risks/CICD-SEC-04-Poisoned-Pipeline-Execution) (PPE): a pull request from an untrusted contributor that modifies `phpunit.xml` to include a newline-containing INI value, executed by a CI system that runs PHPUnit against the PR without isolation. A malicious newline is not visibly distinguishable from a legitimate value in a typical diff review.
-
-### Affected component
-
-`PHPUnit\Util\PHP\JobRunner::settingsToParameters()`.
-
-## Patches
-
-The fix has two parts:
-
-**1. Reject line-break characters**
-
-Because a newline or carriage return in an INI value has no legitimate use and is the primitive that enables directive injection, any PHP setting value containing `\n` or `\r` is now rejected with an explicit `PhpProcessException`. This follows the same "visibility over silence" principle applied in [CVE-2026-24765](https://github.com/sebastianbergmann/phpunit/security/advisories/GHSA-vvj3-c3rp-c85p): the anomalous state fails loudly in CI output rather than being silently sanitized, giving operators an opportunity to investigate whether it reflects tampering, environment contamination, or an unexpected upstream change.
-
-**2. Quote remaining metacharacters**
-
-Values containing `"` or `;`, both of which have legitimate uses (e.g., regex-valued INI settings such as `ddtrace`'s `datadog.appsec.obfuscation_parameter_value_regexp`), are wrapped in double quotes with inner `"` escaped as `\"`, so PHP's INI parser reads them as literal string contents rather than comment/delimiter tokens. Plain values are forwarded unchanged so that boolean keywords (`On`/`Off`) and bitwise expressions (`E_ALL & ~E_NOTICE`) retain their INI semantics.
-
-## Workarounds
-
-If upgrading is not immediately possible:
-
-- Audit INI values: Ensure no `` entry in `phpunit.xml` / `phpunit.xml.dist` contains newline, `"`, or `;` characters, and that nothing writes such values into configuration at build time.
-- Isolate CI execution of untrusted code: Run PHPUnit against pull requests only in ephemeral, containerized runners that discard filesystem state between jobs; require human review before executing PRs from forks; enforce branch protection on workflows that handle secrets (`pull_request_target` and similar). These mitigations apply to the broader PPE risk class and are effective against this vulnerability as well.
-- Restrict who can modify `phpunit.xml`: Treat `phpunit.xml` as security-sensitive in code review, particularly `` entries.
-- Sanitize host INI: Ensure the host PHP's `php.ini` does not contain values with embedded newlines or unescaped metacharacters.
-
-## References
-
-- Fix: https://github.com/sebastianbergmann/phpunit/pull/6592
-- Related advisory (same threat class, Poisoned Pipeline Execution): [GHSA-vvj3-c3rp-c85p / CVE-2026-24765](https://github.com/sebastianbergmann/phpunit/security/advisories/GHSA-vvj3-c3rp-c85p)
-- OWASP CI/CD Top 10: [CICD-SEC-04 Poisoned Pipeline Execution](https://owasp.org/www-project-top-10-ci-cd-security-risks/CICD-SEC-04-Poisoned-Pipeline-Execution)
-- CWE-88: https://cwe.mitre.org/data/definitions/88.html
-- CWE-93: https://cwe.mitre.org/data/definitions/93.html
-
----
-[View Dependabot Alert](https://github.com/fern-api/fern/security/dependabot/1995)
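Review bot: deleting the scaffold satisfies instruction step 7, but nothing else in this series touches the flagged manifest `seed/php-model/multi-url-environment-reference/composer.json`, so after merge that seed is still within the `<= 12.5.21` vulnerable range and the Dependabot alert will remain open until the follow-up seed refresh lands. State that explicitly in the PR description and do not mark the alert resolved on this PR; the thing that closes it is the auto-PR that bumps phpunit to `>= 12.5.22` in that composer.json.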
diff --git a/.github/workflows/update-seed.yml b/.github/workflows/update-seed.yml
index f2f1224c002..ba1ba44570d 100644
--- a/.github/workflows/update-seed.yml
+++ b/.github/workflows/update-seed.yml
@@ -736,14 +736,13 @@ jobs:
runs-on: ubuntu-latest
timeout-minutes: 60
needs: [changes, setup, get-all-test-matrices]
- # if: >-
- # ${{
- # always() && !cancelled() &&
- # (needs.setup.outputs.selected-language == 'all' || needs.setup.outputs.selected-language == 'php') &&
- # (github.event_name == 'workflow_dispatch' || needs.changes.outputs.php == 'true' || needs.changes.outputs.seed == 'true') &&
- # needs.get-all-test-matrices.outputs.php-model != ''
- # }}
- if: false # generator not actively supported
+ if: >-
+ ${{
+ always() && !cancelled() &&
+ (needs.setup.outputs.selected-language == 'all' || needs.setup.outputs.selected-language == 'php') &&
+ (github.event_name == 'workflow_dispatch' || needs.changes.outputs.php == 'true' || needs.changes.outputs.seed == 'true') &&
+ needs.get-all-test-matrices.outputs.php-model != ''
+ }}
strategy:
fail-fast: false # Let all tests run for debug, won't end up applying changes with a failure
max-parallel: 15 # Limit the number of runners for this job
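Review bot: the restored condition only runs this job on `workflow_dispatch` or when `needs.changes.outputs.php == 'true'` / `needs.changes.outputs.seed == 'true'`; a merge whose only change is `.github/workflows/update-seed.yml` may set neither, so the commit message's "next push to main" expectation holds only if the `changes` job classifies workflow edits as php/seed changes. Either verify that path filter or plan on the manual `workflow_dispatch` with `language=php` after merge. Also keep a one-line comment recording why the job is back on (e.g. `# re-enabled so the php-model seed picks up the phpunit 12.5.22 bump (GHSA-qrr6-mg7r-m243)`): the previous `# generator not actively supported` rationale is removed here, and with `fail-fast: false` a php-model generator that no longer builds will now show up as a failing matrix entry on every qualifying run.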