Do not run PHPT test when its temporary file for code coverage information exists

sebastianbergmann · sebastianbergmann · commit 3141742e0062 · 2026-01-26T17:37:32.000+01:00
diff --git a/ChangeLog-8.5.md b/ChangeLog-8.5.md
@@ -2,6 +2,12 @@
 
 All notable changes of the PHPUnit 8.5 release series are documented in this file using the [Keep a CHANGELOG](https://keepachangelog.com/) principles.
 
+## [8.5.52] - 2026-MM-DD
+
+### Changed
+
+* To prevent Poisoned Pipeline Execution (PPE) attacks using prepared `.coverage` files in pull requests, a PHPT test will no longer be run if the temporary file for writing code coverage information already exists before the test runs
+
 ## [8.5.51] - 2026-01-24
 
 ### Changed
@@ -374,6 +380,7 @@ All notable changes of the PHPUnit 8.5 release series are documented in this fil
 * [#3967](https://github.com/sebastianbergmann/phpunit/issues/3967): Cannot double interface that extends interface that extends `\Throwable`
 * [#3968](https://github.com/sebastianbergmann/phpunit/pull/3968): Test class run in a separate PHP process are passing when `exit` called inside
 
+[8.5.52]: https://github.com/sebastianbergmann/phpunit/compare/8.5.51...8.5
 [8.5.51]: https://github.com/sebastianbergmann/phpunit/compare/8.5.50...8.5.51
 [8.5.50]: https://github.com/sebastianbergmann/phpunit/compare/8.5.49...8.5.50
 [8.5.49]: https://github.com/sebastianbergmann/phpunit/compare/8.5.48...8.5.49
diff --git a/src/Runner/PhptTestCase.php b/src/Runner/PhptTestCase.php
@@ -93,7 +93,10 @@ public function __construct(string $filename, ?AbstractPhpProcess $phpUtil = nul
         $this->ensureFileExists($filename);
 
         $this->filename = $filename;
-        $this->phpUtil  = $phpUtil ?: AbstractPhpProcess::factory();
+
+        $this->ensureCoverageFileDoesNotExist();
+
+        $this->phpUtil = $phpUtil ?: AbstractPhpProcess::factory();
     }
 
     /**
@@ -829,4 +832,22 @@ private function ensureFileExists(string $filename): void
             );
         }
     }
+
+    /**
+     * @throws Exception
+     */
+    private function ensureCoverageFileDoesNotExist(): void
+    {
+        $files = $this->getCoverageFiles();
+
+        if (file_exists($files['coverage'])) {
+            throw new Exception(
+                sprintf(
+                    'File %s exists, PHPT test %s will not be executed',
+                    $files['coverage'],
+                    $this->filename
+                )
+            );
+        }
+    }
 }
diff --git a/tests/end-to-end/_files/phpt-coverage-file-exists/test.coverage b/tests/end-to-end/_files/phpt-coverage-file-exists/test.coverage
diff --git a/tests/end-to-end/_files/phpt-coverage-file-exists/test.phpt b/tests/end-to-end/_files/phpt-coverage-file-exists/test.phpt
@@ -0,0 +1,7 @@
+--TEST--
+test
+--FILE--
+<?php declare(strict_types=1);
+print 'test';
+--EXPECT--
+test
diff --git a/tests/end-to-end/phpt/phpt-coverage-file-exists.phpt b/tests/end-to-end/phpt/phpt-coverage-file-exists.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Error when code coverage file exists
+--FILE--
+<?php declare(strict_types=1);
+$_SERVER['argv'][] = '--do-not-cache-result';
+$_SERVER['argv'][] = '--no-configuration';
+$_SERVER['argv'][] = \realpath(__DIR__ . '/../_files/phpt-coverage-file-exists/test.phpt');
+
+require_once __DIR__ . '/../../bootstrap.php';
+
+PHPUnit\TextUI\Command::main();
+--EXPECTF--
+Fatal error: Uncaught PHPUnit\Runner\Exception: File %stest.coverage exists, PHPT test %stest.phpt will not be executed%A
