CRITICAL
Rule Definition
Insecure deserialization often leads to remote code execution. Even if deserialization flaws do not result in remote code execution, they can be used to perform attacks, including replay attacks, injection attacks, and privilege escalation attacks.
The business impact depends on the protection needs of the application and data.
Remediation
Avoid serialising and deserialising objects.
If you need to unserialize externally-stored serialized data, consider using hash_hmac() for data validation, and verify the HMAC before the data reaches unserialize(). Make sure the data cannot be modified by anyone but you.
Use a safe, standard data interchange format such as JSON (via json_decode() and json_encode()) if you need to pass serialized data to the user.
As a last resort, restrict unserialize() to an explicit whitelist of classes so that no other class can be instantiated from stored data.
Check out the OWASP Deserialisation Cheat Sheet
Violation Code Sample
<?php
function getObject(PDOStatement $stmt) : object {
    $stmt->execute();
    $row = $stmt->fetch();
    $data = $row["data"];
    return unserialize($data); // VIOLATION
}
Fixed Code Sample
<?php
/**
 * Verifies the HMAC of a stored serialized blob before it reaches unserialize().
 * @psalm-taint-escape unserialize
 */
function my_escaping_function_for_serialized_data(string $input, string $expected_hmac) : string {
    // 'secret' is a placeholder; the key must come from secret storage, not source code
    $hash = hash_hmac('ripemd160', $input, 'secret');
    // Check that the hash is the expected result (hash_equals() compares in constant time)
    if (!hash_equals($hash, $expected_hmac)) {
        throw new RuntimeException('serialized data failed integrity check');
    }
    return $input;
}
function getObject(PDOStatement $stmt) : object {
    $stmt->execute();
    $row = $stmt->fetch();
    $data = $row["data"];
    $expected = $row["hmac"]; // HMAC stored alongside the data (column name assumed)
    $data = my_escaping_function_for_serialized_data($data, $expected); // USE A FUNCTION ANNOTATED WITH @psalm-taint-escape unserialize
    return unserialize($data); // FIXED
}
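The remediation above combines two measures: an HMAC check before unserialize() and a class whitelist. The following added example (not CAST's code) shows both sides, sealing an object for storage and opening it again; the UserPrefs class, the helper names and the key are constructed for illustration, and PHP 8 is assumed.

```php
<?php
// Added example (not CAST's code): sign serialized data before storing it,
// verify the signature before unserialize(), and restrict unserialize() to
// an allow-list of classes. Assumes PHP 8; names and the key are constructed.
final class UserPrefs {
    public function __construct(public string $theme = 'light', public int $pageSize = 20) {}
}

// Placeholder: in a real application the key comes from secret storage, not source code.
const STORE_KEY = 'REPLACE-WITH-A-KEY-FROM-SECRET-STORAGE';
const ALLOWED_CLASSES = [UserPrefs::class];

/** Serialize and prepend an HMAC so any change to the stored blob is detectable. */
function sealForStorage(object $obj, string $key): string {
    $payload = serialize($obj);
    return hash_hmac('sha256', $payload, $key) . ':' . $payload;
}

/** Verify the HMAC first, then unserialize with a class allow-list. Throws on any mismatch. */
function openFromStorage(string $blob, string $key): UserPrefs {
    $sep = strpos($blob, ':');
    if ($sep === false) {
        throw new RuntimeException('malformed stored object');
    }
    $mac = substr($blob, 0, $sep);
    $payload = substr($blob, $sep + 1);
    // hash_equals() compares in constant time; the computed value is the known string.
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        throw new RuntimeException('stored object failed integrity check');
    }
    $obj = unserialize($payload, ['allowed_classes' => ALLOWED_CLASSES]);
    // A class outside the allow-list comes back as __PHP_Incomplete_Class and fails this test.
    if (!$obj instanceof UserPrefs) {
        throw new RuntimeException('unexpected type in stored object');
    }
    return $obj;
}

// Constructed demo: the round trip succeeds, a modified blob is rejected.
$blob = sealForStorage(new UserPrefs('dark', 50), STORE_KEY);
$prefs = openFromStorage($blob, STORE_KEY);
assert($prefs->pageSize === 50);

$modified = str_replace('i:50', 'i:99', $blob); // simulate an edit to the stored row
try {
    openFromStorage($modified, STORE_KEY);
} catch (RuntimeException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

Because the HMAC is checked over the whole payload before unserialize() runs, a modified row never reaches the deserializer, and the allowed_classes option limits what can be instantiated even if the key were ever compromised.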
Reference
CWE-502: Deserialization of Untrusted Data
https://cwe.mitre.org/data/definitions/502.html
Open Web Application Security Project (OWASP) Top Ten 2017 - Category A8
https://owasp.org/www-project-top-ten/2017/A8_2017-Insecure_Deserialization
Related Technologies
Technical Criterion
CWE-502 - Deserialization of Untrusted Data
About CAST Appmarq
CAST Appmarq is by far the biggest repository of data about real IT systems. It's built on thousands of analyzed applications, made of 35 different technologies, by over 300 business organizations across major verticals. It provides IT Leaders with factual key analytics to let them know if their applications are on track.