From 2995696db9268e0d947781904e5d57e19719c404 Mon Sep 17 00:00:00 2001 From: Sonia Zorba Date: Tue, 19 Sep 2023 10:24:11 +0200 Subject: [PATCH] Added section about Unsafe Reflection in Security best practices doc (#19948) Co-authored-by: Bizley --- docs/guide/security-best-practices.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/guide/security-best-practices.md b/docs/guide/security-best-practices.md index bafede12ae..291575c846 100644 --- a/docs/guide/security-best-practices.md +++ b/docs/guide/security-best-practices.md @@ -263,6 +263,12 @@ Further reading on the topic: - +Avoiding arbitrary object instantiations +---------------------------------------- + +Yii [configurations](concept-configurations.md) are associative arrays used by the framework to instantiate new objects through `Yii::createObject($config)`. These arrays specify the class name for instantiation, and it is important to ensure that this class name does not originate from untrusted sources. Otherwise, it can lead to Unsafe Reflection, a vulnerability that allows the execution of malicious code by exploiting the loading of specific classes. Additionally, when you need to dynamically add keys to an object derived from a framework class, such as the base `Component` class, it's essential to validate these dynamic properties using a whitelist approach. This precaution is necessary because the framework might employ `Yii::createObject($config)` within the `__set()` magic method. + + Avoiding file exposure ----------------------
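Review bot: the new paragraph says the class name must not originate from untrusted sources but never shows what a safe check looks like, so the advice is hard to act on; add one sentence after the first sentence showing the recommended pattern, for example comparing the requested class against a fixed allow list (`in_array($config['class'], $allowedClasses, true)`) before handing `$config` to `Yii::createObject()`, and rejecting the request otherwise. The second half of the paragraph is also vaguer than it needs to be: "the framework might employ `Yii::createObject($config)` within the `__set()` magic method" does not tell the reader when this happens, so name the concrete case (assigning a configuration array to a property of a `Component` subclass triggers object creation) or cite the relevant framework code. Finally, "Unsafe Reflection" is introduced without a reference; linking CWE-470 (Use of Externally-Controlled Input to Select Classes or Code) next to the term would give readers a definition to follow.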