From 7dcc4ac2b803b0886fc44c7d2d39e6756ea1d0cb Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?J=C3=A9r=C3=B4me=20Tamarelle?= Date: Sat, 23 Apr 2022 23:07:28 +0200 Subject: [PATCH] Hide sensitive information with `SensitiveParameter` attribute --- psalm.xml | 6 ++++++ .../Security/RememberMe/DoctrineTokenProvider.php | 6 +++--- .../FrameworkBundle/Controller/AbstractController.php | 2 +- src/Symfony/Component/HttpClient/HttpOptions.php | 4 ++-- src/Symfony/Component/HttpKernel/UriSigner.php | 2 +- .../Component/Ldap/Adapter/ConnectionInterface.php | 2 +- src/Symfony/Component/Ldap/Adapter/ExtLdap/Connection.php | 2 +- src/Symfony/Component/Ldap/Ldap.php | 2 +- src/Symfony/Component/Ldap/LdapInterface.php | 2 +- src/Symfony/Component/Ldap/Security/LdapUser.php | 4 ++-- src/Symfony/Component/Ldap/Security/LdapUserProvider.php | 2 +- .../Mailer/Bridge/Amazon/Transport/SesSmtpTransport.php | 2 +- .../Mailer/Bridge/Google/Transport/GmailSmtpTransport.php | 2 +- .../Bridge/Mailchimp/Transport/MandrillSmtpTransport.php | 2 +- .../Bridge/Mailgun/Transport/MailgunSmtpTransport.php | 2 +- .../Bridge/Mailjet/Transport/MailjetSmtpTransport.php | 2 +- .../Sendinblue/Transport/SendinblueSmtpTransport.php | 2 +- src/Symfony/Component/Mailer/Transport/Dsn.php | 2 +- .../Mailer/Transport/Smtp/Auth/CramMd5Authenticator.php | 2 +- .../Component/Mailer/Transport/Smtp/EsmtpTransport.php | 2 +- .../Notifier/Bridge/Discord/DiscordTransport.php | 2 +- .../Notifier/Bridge/Esendex/EsendexTransport.php | 2 +- .../Notifier/Bridge/Firebase/FirebaseTransport.php | 2 +- .../Notifier/Bridge/FreeMobile/FreeMobileTransport.php | 2 +- .../Component/Notifier/Bridge/Gitter/GitterTransport.php | 2 +- .../Notifier/Bridge/GoogleChat/GoogleChatTransport.php | 2 +- .../Component/Notifier/Bridge/Iqsms/IqsmsTransport.php | 2 +- .../Notifier/Bridge/KazInfoTeh/KazInfoTehTransport.php | 2 +- .../Notifier/Bridge/LightSms/LightSmsTransport.php | 2 +- .../Notifier/Bridge/Mattermost/MattermostTransport.php | 2 +- .../Notifier/Bridge/MessageBird/MessageBirdTransport.php | 2 +- 
.../Notifier/Bridge/RocketChat/RocketChatTransport.php | 2 +- .../Notifier/Bridge/Sendberry/SendberryTransport.php | 2 +- .../Component/Notifier/Bridge/Slack/SlackTransport.php | 2 +- .../Notifier/Bridge/SmsFactor/SmsFactorTransport.php | 2 +- .../Component/Notifier/Bridge/Smsc/SmscTransport.php | 2 +- .../Notifier/Bridge/SpotHit/SpotHitTransport.php | 2 +- .../Notifier/Bridge/Telegram/TelegramTransport.php | 2 +- .../Component/Notifier/Bridge/Zulip/ZulipTransport.php | 2 +- src/Symfony/Component/PasswordHasher/CHANGELOG.md | 8 ++++++++ .../PasswordHasher/Hasher/CheckPasswordLengthTrait.php | 2 +- .../PasswordHasher/Hasher/MessageDigestPasswordHasher.php | 6 +++--- .../PasswordHasher/Hasher/MigratingPasswordHasher.php | 4 ++-- .../PasswordHasher/Hasher/NativePasswordHasher.php | 4 ++-- .../PasswordHasher/Hasher/Pbkdf2PasswordHasher.php | 4 ++-- .../PasswordHasher/Hasher/PlaintextPasswordHasher.php | 6 +++--- .../PasswordHasher/Hasher/SodiumPasswordHasher.php | 4 ++-- .../PasswordHasher/Hasher/UserPasswordHasher.php | 4 ++-- .../PasswordHasher/Hasher/UserPasswordHasherInterface.php | 4 ++-- .../PasswordHasher/LegacyPasswordHasherInterface.php | 4 ++-- .../Component/PasswordHasher/PasswordHasherInterface.php | 4 ++-- .../Core/Authentication/RememberMe/CacheTokenVerifier.php | 4 ++-- .../Authentication/RememberMe/InMemoryTokenProvider.php | 2 +- .../Core/Authentication/RememberMe/PersistentToken.php | 2 +- .../Authentication/RememberMe/TokenProviderInterface.php | 2 +- .../Authentication/RememberMe/TokenVerifierInterface.php | 4 ++-- .../Core/Authentication/Token/RememberMeToken.php | 2 +- .../Component/Security/Core/Signature/SignatureHasher.php | 2 +- src/Symfony/Component/Security/Csrf/CsrfToken.php | 2 +- src/Symfony/Component/Security/Csrf/CsrfTokenManager.php | 2 +- .../Passport/Credentials/PasswordCredentials.php | 2 +- .../Http/Authenticator/RememberMeAuthenticator.php | 2 +- .../Http/RememberMe/PersistentRememberMeHandler.php | 2 +- 63 files changed, 93 
insertions(+), 79 deletions(-) diff --git a/psalm.xml b/psalm.xml index 3fb94145699cf..8abedbbaf8aa3 100644 --- a/psalm.xml +++ b/psalm.xml @@ -35,5 +35,11 @@ + + + + + + diff --git a/src/Symfony/Bridge/Doctrine/Security/RememberMe/DoctrineTokenProvider.php b/src/Symfony/Bridge/Doctrine/Security/RememberMe/DoctrineTokenProvider.php index 4d8dcb260467d..8880bea9fbdac 100644 --- a/src/Symfony/Bridge/Doctrine/Security/RememberMe/DoctrineTokenProvider.php +++ b/src/Symfony/Bridge/Doctrine/Security/RememberMe/DoctrineTokenProvider.php @@ -87,7 +87,7 @@ public function deleteTokenBySeries(string $series) /** * {@inheritdoc} */ - public function updateToken(string $series, string $tokenValue, \DateTime $lastUsed) + public function updateToken(string $series, #[\SensitiveParameter] string $tokenValue, \DateTime $lastUsed) { $sql = 'UPDATE rememberme_token SET value=:value, lastUsed=:lastUsed WHERE series=:series'; $paramValues = [ @@ -140,7 +140,7 @@ public function createNewToken(PersistentTokenInterface $token) /** * {@inheritdoc} */ - public function verifyToken(PersistentTokenInterface $token, string $tokenValue): bool + public function verifyToken(PersistentTokenInterface $token, #[\SensitiveParameter] string $tokenValue): bool { // Check if the token value matches the current persisted token if (hash_equals($token->getTokenValue(), $tokenValue)) { @@ -177,7 +177,7 @@ public function verifyToken(PersistentTokenInterface $token, string $tokenValue) /** * {@inheritdoc} */ - public function updateExistingToken(PersistentTokenInterface $token, string $tokenValue, \DateTimeInterface $lastUsed): void + public function updateExistingToken(PersistentTokenInterface $token, #[\SensitiveParameter] string $tokenValue, \DateTimeInterface $lastUsed): void { if (!$token instanceof PersistentToken) { return; 
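Review bot: In DoctrineTokenProvider::updateToken() the attribute redacts `$tokenValue` only in this method's own stack frame, yet the value is copied straight into `$paramValues`, which is presumably what gets handed to the database layer. If the statement fails, the frames below this one may still carry the token inside that array, depending on how the error handler renders trace arguments. A short comment above the array would stop readers from assuming the token can no longer reach logs, e.g. `// $tokenValue is redacted in this frame only; it still travels to the DB layer inside $paramValues`. The rest of updateToken() lies outside the hunk, so the execute call itself is not visible here.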
diff --git a/src/Symfony/Bundle/FrameworkBundle/Controller/AbstractController.php b/src/Symfony/Bundle/FrameworkBundle/Controller/AbstractController.php index eda1678cd19d4..62b5c2fc85ff5 100644 --- a/src/Symfony/Bundle/FrameworkBundle/Controller/AbstractController.php +++ b/src/Symfony/Bundle/FrameworkBundle/Controller/AbstractController.php @@ -374,7 +374,7 @@ protected function getUser(): ?UserInterface * @param string $id The id used when generating the token * @param string|null $token The actual token sent with the request that should be validated */ - protected function isCsrfTokenValid(string $id, ?string $token): bool + protected function isCsrfTokenValid(string $id, #[\SensitiveParameter] ?string $token): bool { if (!$this->container->has('security.csrf.token_manager')) { throw new \LogicException('CSRF protection is not enabled in your application. Enable it with the "csrf_protection" key in "config/packages/framework.yaml".'); diff --git a/src/Symfony/Component/HttpClient/HttpOptions.php b/src/Symfony/Component/HttpClient/HttpOptions.php index d71b11926d4aa..a07fac7eda833 100644 --- a/src/Symfony/Component/HttpClient/HttpOptions.php +++ b/src/Symfony/Component/HttpClient/HttpOptions.php @@ -32,7 +32,7 @@ public function toArray(): array /** * @return $this */ - public function setAuthBasic(string $user, string $password = ''): static + public function setAuthBasic(string $user, #[\SensitiveParameter] string $password = ''): static { $this->options['auth_basic'] = $user; @@ -46,7 +46,7 @@ public function setAuthBasic(string $user, string $password = ''): static /** * @return $this */ - public function setAuthBearer(string $token): static + public function setAuthBearer(#[\SensitiveParameter] string $token): static { $this->options['auth_bearer'] = $token; diff --git a/src/Symfony/Component/HttpKernel/UriSigner.php b/src/Symfony/Component/HttpKernel/UriSigner.php index 6db882cb38b84..dfcf6222ddd51 100644 
--- a/src/Symfony/Component/HttpKernel/UriSigner.php +++ b/src/Symfony/Component/HttpKernel/UriSigner.php @@ -27,7 +27,7 @@ class UriSigner * @param string $secret A secret * @param string $parameter Query string parameter to use */ - public function __construct(string $secret, string $parameter = '_hash') + public function __construct(#[\SensitiveParameter] string $secret, string $parameter = '_hash') { $this->secret = $secret; $this->parameter = $parameter; diff --git a/src/Symfony/Component/Ldap/Adapter/ConnectionInterface.php b/src/Symfony/Component/Ldap/Adapter/ConnectionInterface.php index 55db093e07462..1808709a35f99 100644 --- a/src/Symfony/Component/Ldap/Adapter/ConnectionInterface.php +++ b/src/Symfony/Component/Ldap/Adapter/ConnectionInterface.php @@ -32,5 +32,5 @@ public function isBound(): bool; * @throws ConnectionTimeoutException When the connection can't be created because of an LDAP_TIMEOUT error * @throws InvalidCredentialsException When the connection can't be created because of an LDAP_INVALID_CREDENTIALS error */ - public function bind(string $dn = null, string $password = null); + public function bind(string $dn = null, #[\SensitiveParameter] string $password = null); } diff --git a/src/Symfony/Component/Ldap/Adapter/ExtLdap/Connection.php b/src/Symfony/Component/Ldap/Adapter/ExtLdap/Connection.php index 018bcb8df678e..bd5a67d9bcc57 100644 --- a/src/Symfony/Component/Ldap/Adapter/ExtLdap/Connection.php +++ b/src/Symfony/Component/Ldap/Adapter/ExtLdap/Connection.php @@ -69,7 +69,7 @@ public function isBound(): bool * * @param string $password WARNING: When the LDAP server allows unauthenticated binds, a blank $password will always be valid */ - public function bind(string $dn = null, string $password = null) + public function bind(string $dn = null, #[\SensitiveParameter] string $password = null) { if (!$this->connection) { $this->connect(); 
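Review bot: On ConnectionInterface::bind(), and likewise on LdapInterface::bind() in a later file of this patch, the attribute sits on an interface method, but PHP attributes are not inherited by implementing methods and redaction is decided per concrete function. A third-party adapter implementing either interface will keep showing `$password` in traces unless it repeats the attribute. The interface docblock should say so, for example `* Implementations must repeat #[\SensitiveParameter] on $password; the attribute is not inherited.` The in-tree implementations touched by this patch (ExtLdap\Connection::bind() and Ldap::bind()) do repeat it.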
diff --git a/src/Symfony/Component/Ldap/Ldap.php b/src/Symfony/Component/Ldap/Ldap.php index 9c717ce11bacb..b0b02ee98f167 100644 --- a/src/Symfony/Component/Ldap/Ldap.php +++ b/src/Symfony/Component/Ldap/Ldap.php @@ -32,7 +32,7 @@ public function __construct(AdapterInterface $adapter) /** * {@inheritdoc} */ - public function bind(string $dn = null, string $password = null) + public function bind(string $dn = null, #[\SensitiveParameter] string $password = null) { $this->adapter->getConnection()->bind($dn, $password); } diff --git a/src/Symfony/Component/Ldap/LdapInterface.php b/src/Symfony/Component/Ldap/LdapInterface.php index 6c91f22955c71..9a97017348cdb 100644 --- a/src/Symfony/Component/Ldap/LdapInterface.php +++ b/src/Symfony/Component/Ldap/LdapInterface.php @@ -30,7 +30,7 @@ interface LdapInterface * * @throws ConnectionException if dn / password could not be bound */ - public function bind(string $dn = null, string $password = null); + public function bind(string $dn = null, #[\SensitiveParameter] string $password = null); /** * Queries a ldap server for entries matching the given criteria. diff --git a/src/Symfony/Component/Ldap/Security/LdapUser.php b/src/Symfony/Component/Ldap/Security/LdapUser.php index c5f4e6a7f8901..71cc96355d848 100644 --- a/src/Symfony/Component/Ldap/Security/LdapUser.php +++ b/src/Symfony/Component/Ldap/Security/LdapUser.php @@ -29,7 +29,7 @@ class LdapUser implements UserInterface, PasswordAuthenticatedUserInterface, Equ private array $roles; private array $extraFields; - public function __construct(Entry $entry, string $username, ?string $password, array $roles = [], array $extraFields = []) + public function __construct(Entry $entry, string $username, #[\SensitiveParameter] ?string $password, array $roles = [], array $extraFields = []) { if (!$username) { throw new \InvalidArgumentException('The username cannot be empty.'); 
@@ -97,7 +97,7 @@ public function getExtraFields(): array return $this->extraFields; } - public function setPassword(string $password) + public function setPassword(#[\SensitiveParameter] string $password) { $this->password = $password; } diff --git a/src/Symfony/Component/Ldap/Security/LdapUserProvider.php b/src/Symfony/Component/Ldap/Security/LdapUserProvider.php index c28c72f74b531..3d028f5cb7995 100644 --- a/src/Symfony/Component/Ldap/Security/LdapUserProvider.php +++ b/src/Symfony/Component/Ldap/Security/LdapUserProvider.php @@ -43,7 +43,7 @@ class LdapUserProvider implements UserProviderInterface, PasswordUpgraderInterfa private ?string $passwordAttribute; private array $extraFields; - public function __construct(LdapInterface $ldap, string $baseDn, string $searchDn = null, string $searchPassword = null, array $defaultRoles = [], string $uidKey = null, string $filter = null, string $passwordAttribute = null, array $extraFields = []) + public function __construct(LdapInterface $ldap, string $baseDn, string $searchDn = null, #[\SensitiveParameter] string $searchPassword = null, array $defaultRoles = [], string $uidKey = null, string $filter = null, string $passwordAttribute = null, array $extraFields = []) { if (null === $uidKey) { $uidKey = 'sAMAccountName'; diff --git a/src/Symfony/Component/Mailer/Bridge/Amazon/Transport/SesSmtpTransport.php b/src/Symfony/Component/Mailer/Bridge/Amazon/Transport/SesSmtpTransport.php index 36634c8891b57..5bfa185d4158e 100644 --- a/src/Symfony/Component/Mailer/Bridge/Amazon/Transport/SesSmtpTransport.php +++ b/src/Symfony/Component/Mailer/Bridge/Amazon/Transport/SesSmtpTransport.php 
@@ -28,7 +28,7 @@ class SesSmtpTransport extends EsmtpTransport /** * @param string|null $region Amazon SES region */ - public function __construct(string $username, string $password, string $region = null, EventDispatcherInterface $dispatcher = null, LoggerInterface $logger = null) + public function __construct(string $username, #[\SensitiveParameter] string $password, string $region = null, EventDispatcherInterface $dispatcher = null, LoggerInterface $logger = null) { parent::__construct(sprintf('email-smtp.%s.amazonaws.com', $region ?: 'eu-west-1'), 465, true, $dispatcher, $logger); diff --git a/src/Symfony/Component/Mailer/Bridge/Google/Transport/GmailSmtpTransport.php b/src/Symfony/Component/Mailer/Bridge/Google/Transport/GmailSmtpTransport.php index 8f9742a2864bd..8a2e9086df763 100644 --- a/src/Symfony/Component/Mailer/Bridge/Google/Transport/GmailSmtpTransport.php +++ b/src/Symfony/Component/Mailer/Bridge/Google/Transport/GmailSmtpTransport.php @@ -20,7 +20,7 @@ */ class GmailSmtpTransport extends EsmtpTransport { - public function __construct(string $username, string $password, EventDispatcherInterface $dispatcher = null, LoggerInterface $logger = null) + public function __construct(string $username, #[\SensitiveParameter] string $password, EventDispatcherInterface $dispatcher = null, LoggerInterface $logger = null) { parent::__construct('smtp.gmail.com', 465, true, $dispatcher, $logger); diff --git a/src/Symfony/Component/Mailer/Bridge/Mailchimp/Transport/MandrillSmtpTransport.php b/src/Symfony/Component/Mailer/Bridge/Mailchimp/Transport/MandrillSmtpTransport.php index ef18b5de4326a..6afaaf775ba31 100644 --- a/src/Symfony/Component/Mailer/Bridge/Mailchimp/Transport/MandrillSmtpTransport.php +++ b/src/Symfony/Component/Mailer/Bridge/Mailchimp/Transport/MandrillSmtpTransport.php 
@@ -22,7 +22,7 @@ class MandrillSmtpTransport extends EsmtpTransport { use MandrillHeadersTrait; - public function __construct(string $username, string $password, EventDispatcherInterface $dispatcher = null, LoggerInterface $logger = null) + public function __construct(string $username, #[\SensitiveParameter] string $password, EventDispatcherInterface $dispatcher = null, LoggerInterface $logger = null) { parent::__construct('smtp.mandrillapp.com', 587, false, $dispatcher, $logger); diff --git a/src/Symfony/Component/Mailer/Bridge/Mailgun/Transport/MailgunSmtpTransport.php b/src/Symfony/Component/Mailer/Bridge/Mailgun/Transport/MailgunSmtpTransport.php index 5345345cc322a..84c4479d2defc 100644 --- a/src/Symfony/Component/Mailer/Bridge/Mailgun/Transport/MailgunSmtpTransport.php +++ b/src/Symfony/Component/Mailer/Bridge/Mailgun/Transport/MailgunSmtpTransport.php @@ -22,7 +22,7 @@ class MailgunSmtpTransport extends EsmtpTransport { use MailgunHeadersTrait; - public function __construct(string $username, string $password, string $region = null, EventDispatcherInterface $dispatcher = null, LoggerInterface $logger = null) + public function __construct(string $username, #[\SensitiveParameter] string $password, string $region = null, EventDispatcherInterface $dispatcher = null, LoggerInterface $logger = null) { parent::__construct('us' !== ($region ?: 'us') ? sprintf('smtp.%s.mailgun.org', $region) : 'smtp.mailgun.org', 465, true, $dispatcher, $logger); diff --git a/src/Symfony/Component/Mailer/Bridge/Mailjet/Transport/MailjetSmtpTransport.php b/src/Symfony/Component/Mailer/Bridge/Mailjet/Transport/MailjetSmtpTransport.php index e1bb40334f0b6..281f7b39c05c5 100644 --- a/src/Symfony/Component/Mailer/Bridge/Mailjet/Transport/MailjetSmtpTransport.php +++ b/src/Symfony/Component/Mailer/Bridge/Mailjet/Transport/MailjetSmtpTransport.php 
@@ -17,7 +17,7 @@ class MailjetSmtpTransport extends EsmtpTransport { - public function __construct(string $username, string $password, EventDispatcherInterface $dispatcher = null, LoggerInterface $logger = null) + public function __construct(string $username, #[\SensitiveParameter] string $password, EventDispatcherInterface $dispatcher = null, LoggerInterface $logger = null) { parent::__construct('in-v3.mailjet.com', 465, true, $dispatcher, $logger); diff --git a/src/Symfony/Component/Mailer/Bridge/Sendinblue/Transport/SendinblueSmtpTransport.php b/src/Symfony/Component/Mailer/Bridge/Sendinblue/Transport/SendinblueSmtpTransport.php index 85c05f49b6a3c..797cf7c3b0b65 100644 --- a/src/Symfony/Component/Mailer/Bridge/Sendinblue/Transport/SendinblueSmtpTransport.php +++ b/src/Symfony/Component/Mailer/Bridge/Sendinblue/Transport/SendinblueSmtpTransport.php @@ -20,7 +20,7 @@ */ final class SendinblueSmtpTransport extends EsmtpTransport { - public function __construct(string $username, string $password, EventDispatcherInterface $dispatcher = null, LoggerInterface $logger = null) + public function __construct(string $username, #[\SensitiveParameter] string $password, EventDispatcherInterface $dispatcher = null, LoggerInterface $logger = null) { parent::__construct('smtp-relay.sendinblue.com', 465, true, $dispatcher, $logger); diff --git a/src/Symfony/Component/Mailer/Transport/Dsn.php b/src/Symfony/Component/Mailer/Transport/Dsn.php index 380ce3705ad12..065be9a3f2e9f 100644 --- a/src/Symfony/Component/Mailer/Transport/Dsn.php +++ b/src/Symfony/Component/Mailer/Transport/Dsn.php 
@@ -25,7 +25,7 @@ final class Dsn private ?int $port; private array $options; - public function __construct(string $scheme, string $host, string $user = null, string $password = null, int $port = null, array $options = []) + public function __construct(string $scheme, string $host, string $user = null, #[\SensitiveParameter] string $password = null, int $port = null, array $options = []) { $this->scheme = $scheme; $this->host = $host; diff --git a/src/Symfony/Component/Mailer/Transport/Smtp/Auth/CramMd5Authenticator.php b/src/Symfony/Component/Mailer/Transport/Smtp/Auth/CramMd5Authenticator.php index b2ec7b0ee32d3..059b136e2be32 100644 --- a/src/Symfony/Component/Mailer/Transport/Smtp/Auth/CramMd5Authenticator.php +++ b/src/Symfony/Component/Mailer/Transport/Smtp/Auth/CramMd5Authenticator.php @@ -41,7 +41,7 @@ public function authenticate(EsmtpTransport $client): void /** * Generates a CRAM-MD5 response from a server challenge. */ - private function getResponse(string $secret, string $challenge): string + private function getResponse(#[\SensitiveParameter] string $secret, string $challenge): string { if (\strlen($secret) > 64) { $secret = pack('H32', md5($secret)); diff --git a/src/Symfony/Component/Mailer/Transport/Smtp/EsmtpTransport.php b/src/Symfony/Component/Mailer/Transport/Smtp/EsmtpTransport.php index 9a5b214590047..46ae8834301a8 100644 --- a/src/Symfony/Component/Mailer/Transport/Smtp/EsmtpTransport.php +++ b/src/Symfony/Component/Mailer/Transport/Smtp/EsmtpTransport.php @@ -83,7 +83,7 @@ public function getUsername(): string /** * @return $this */ - public function setPassword(string $password): static + public function setPassword(#[\SensitiveParameter] string $password): static { $this->password = $password; diff --git a/src/Symfony/Component/Notifier/Bridge/Discord/DiscordTransport.php b/src/Symfony/Component/Notifier/Bridge/Discord/DiscordTransport.php index 833c974332f52..628560f8ef1e5 100644 
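Review bot: Dsn::__construct() now redacts `$password`, but a string parameter holding a complete `scheme://user:pass@host` DSN is just as sensitive, and this hunk does not cover that path. If the class has a string-parsing factory (it is not visible in this hunk), that parameter needs the attribute too, along the lines of `public static function fromString(#[\SensitiveParameter] string $dsn): self`. The same applies to any transport factory that accepts the raw DSN string. Without it, a parse error raised on a malformed DSN would print the whole string, password included, in the trace.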
--- a/src/Symfony/Component/Notifier/Bridge/Discord/DiscordTransport.php +++ b/src/Symfony/Component/Notifier/Bridge/Discord/DiscordTransport.php @@ -34,7 +34,7 @@ final class DiscordTransport extends AbstractTransport private string $token; private string $webhookId; - public function __construct(string $token, string $webhookId, HttpClientInterface $client = null, EventDispatcherInterface $dispatcher = null) + public function __construct(#[\SensitiveParameter] string $token, string $webhookId, HttpClientInterface $client = null, EventDispatcherInterface $dispatcher = null) { $this->token = $token; $this->webhookId = $webhookId; diff --git a/src/Symfony/Component/Notifier/Bridge/Esendex/EsendexTransport.php b/src/Symfony/Component/Notifier/Bridge/Esendex/EsendexTransport.php index f59e6400bee7d..e34302eb58104 100644 --- a/src/Symfony/Component/Notifier/Bridge/Esendex/EsendexTransport.php +++ b/src/Symfony/Component/Notifier/Bridge/Esendex/EsendexTransport.php @@ -32,7 +32,7 @@ final class EsendexTransport extends AbstractTransport private string $accountReference; private string $from; - public function __construct(string $email, string $password, string $accountReference, string $from, HttpClientInterface $client = null, EventDispatcherInterface $dispatcher = null) + public function __construct(string $email, #[\SensitiveParameter] string $password, string $accountReference, string $from, HttpClientInterface $client = null, EventDispatcherInterface $dispatcher = null) { $this->email = $email; $this->password = $password; diff --git a/src/Symfony/Component/Notifier/Bridge/Firebase/FirebaseTransport.php b/src/Symfony/Component/Notifier/Bridge/Firebase/FirebaseTransport.php index 8052ff09c23f0..6ea675c6eadff 100644 --- a/src/Symfony/Component/Notifier/Bridge/Firebase/FirebaseTransport.php +++ b/src/Symfony/Component/Notifier/Bridge/Firebase/FirebaseTransport.php 
@@ -31,7 +31,7 @@ final class FirebaseTransport extends AbstractTransport private string $token; - public function __construct(string $token, HttpClientInterface $client = null, EventDispatcherInterface $dispatcher = null) + public function __construct(#[\SensitiveParameter] string $token, HttpClientInterface $client = null, EventDispatcherInterface $dispatcher = null) { $this->token = $token; $this->client = $client; diff --git a/src/Symfony/Component/Notifier/Bridge/FreeMobile/FreeMobileTransport.php b/src/Symfony/Component/Notifier/Bridge/FreeMobile/FreeMobileTransport.php index 56ebe42bb8dfe..980638f25a34b 100644 --- a/src/Symfony/Component/Notifier/Bridge/FreeMobile/FreeMobileTransport.php +++ b/src/Symfony/Component/Notifier/Bridge/FreeMobile/FreeMobileTransport.php @@ -32,7 +32,7 @@ final class FreeMobileTransport extends AbstractTransport private string $password; private string $phone; - public function __construct(string $login, string $password, string $phone, HttpClientInterface $client = null, EventDispatcherInterface $dispatcher = null) + public function __construct(string $login, #[\SensitiveParameter] string $password, string $phone, HttpClientInterface $client = null, EventDispatcherInterface $dispatcher = null) { $this->login = $login; $this->password = $password; diff --git a/src/Symfony/Component/Notifier/Bridge/Gitter/GitterTransport.php b/src/Symfony/Component/Notifier/Bridge/Gitter/GitterTransport.php index 8f5f194946553..a3521719c0d11 100644 --- a/src/Symfony/Component/Notifier/Bridge/Gitter/GitterTransport.php +++ b/src/Symfony/Component/Notifier/Bridge/Gitter/GitterTransport.php 
@@ -31,7 +31,7 @@ final class GitterTransport extends AbstractTransport private string $token; private string $roomId; - public function __construct(string $token, string $roomId, HttpClientInterface $client = null, EventDispatcherInterface $dispatcher = null) + public function __construct(#[\SensitiveParameter] string $token, string $roomId, HttpClientInterface $client = null, EventDispatcherInterface $dispatcher = null) { $this->token = $token; $this->roomId = $roomId; diff --git a/src/Symfony/Component/Notifier/Bridge/GoogleChat/GoogleChatTransport.php b/src/Symfony/Component/Notifier/Bridge/GoogleChat/GoogleChatTransport.php index 9de50dee09542..2216afbc949db 100644 --- a/src/Symfony/Component/Notifier/Bridge/GoogleChat/GoogleChatTransport.php +++ b/src/Symfony/Component/Notifier/Bridge/GoogleChat/GoogleChatTransport.php @@ -44,7 +44,7 @@ final class GoogleChatTransport extends AbstractTransport * Subsequent messages with the same thread identifier will be posted into the same thread. * {@see https://developers.google.com/hangouts/chat/reference/rest/v1/spaces.messages/create#query-parameters} */ - public function __construct(string $space, string $accessKey, string $accessToken, string $threadKey = null, HttpClientInterface $client = null, EventDispatcherInterface $dispatcher = null) + public function __construct(string $space, string $accessKey, #[\SensitiveParameter] string $accessToken, string $threadKey = null, HttpClientInterface $client = null, EventDispatcherInterface $dispatcher = null) { $this->space = $space; $this->accessKey = $accessKey; diff --git a/src/Symfony/Component/Notifier/Bridge/Iqsms/IqsmsTransport.php b/src/Symfony/Component/Notifier/Bridge/Iqsms/IqsmsTransport.php index de92520908881..39baa24d035dc 100644 --- a/src/Symfony/Component/Notifier/Bridge/Iqsms/IqsmsTransport.php +++ b/src/Symfony/Component/Notifier/Bridge/Iqsms/IqsmsTransport.php 
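Review bot: In GoogleChatTransport::__construct() only `$accessToken` is marked, while `$accessKey` in the same signature is left readable in traces. The constructor stores both values side by side, and the key appears to be the second half of the webhook credential, so a trace through this constructor would still print it. Unless the key is deliberately treated as public, mark it as well: `string $space, #[\SensitiveParameter] string $accessKey, #[\SensitiveParameter] string $accessToken, …`.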
@@ -32,7 +32,7 @@ final class IqsmsTransport extends AbstractTransport private string $password; private string $from; - public function __construct(string $login, string $password, string $from, HttpClientInterface $client = null, EventDispatcherInterface $dispatcher = null) + public function __construct(string $login, #[\SensitiveParameter] string $password, string $from, HttpClientInterface $client = null, EventDispatcherInterface $dispatcher = null) { $this->login = $login; $this->password = $password; diff --git a/src/Symfony/Component/Notifier/Bridge/KazInfoTeh/KazInfoTehTransport.php b/src/Symfony/Component/Notifier/Bridge/KazInfoTeh/KazInfoTehTransport.php index b9747ece39dbb..83e41235682c3 100644 --- a/src/Symfony/Component/Notifier/Bridge/KazInfoTeh/KazInfoTehTransport.php +++ b/src/Symfony/Component/Notifier/Bridge/KazInfoTeh/KazInfoTehTransport.php @@ -32,7 +32,7 @@ class KazInfoTehTransport extends AbstractTransport private string $password; private string $sender; - public function __construct(string $username, string $password, string $sender, HttpClientInterface $client = null, EventDispatcherInterface $dispatcher = null) + public function __construct(string $username, #[\SensitiveParameter] string $password, string $sender, HttpClientInterface $client = null, EventDispatcherInterface $dispatcher = null) { $this->username = $username; $this->password = $password; diff --git a/src/Symfony/Component/Notifier/Bridge/LightSms/LightSmsTransport.php b/src/Symfony/Component/Notifier/Bridge/LightSms/LightSmsTransport.php index 4c762c1a3d4e8..719defa8ab5f6 100644 --- a/src/Symfony/Component/Notifier/Bridge/LightSms/LightSmsTransport.php +++ b/src/Symfony/Component/Notifier/Bridge/LightSms/LightSmsTransport.php 
@@ -75,7 +75,7 @@ final class LightSmsTransport extends AbstractTransport 999 => 'Unknown Error', ]; - public function __construct(string $login, string $password, string $from, HttpClientInterface $client = null, EventDispatcherInterface $dispatcher = null) + public function __construct(string $login, #[\SensitiveParameter] string $password, string $from, HttpClientInterface $client = null, EventDispatcherInterface $dispatcher = null) { $this->login = $login; $this->password = $password; diff --git a/src/Symfony/Component/Notifier/Bridge/Mattermost/MattermostTransport.php b/src/Symfony/Component/Notifier/Bridge/Mattermost/MattermostTransport.php index 11695ba3c8ba7..a863d4bcde846 100644 --- a/src/Symfony/Component/Notifier/Bridge/Mattermost/MattermostTransport.php +++ b/src/Symfony/Component/Notifier/Bridge/Mattermost/MattermostTransport.php @@ -30,7 +30,7 @@ final class MattermostTransport extends AbstractTransport private string $channel; private ?string $path; - public function __construct(string $token, string $channel, string $path = null, HttpClientInterface $client = null, EventDispatcherInterface $dispatcher = null) + public function __construct(#[\SensitiveParameter] string $token, string $channel, string $path = null, HttpClientInterface $client = null, EventDispatcherInterface $dispatcher = null) { $this->token = $token; $this->channel = $channel; diff --git a/src/Symfony/Component/Notifier/Bridge/MessageBird/MessageBirdTransport.php b/src/Symfony/Component/Notifier/Bridge/MessageBird/MessageBirdTransport.php index 1614a7ba630b9..4a0161983b2fb 100644 --- a/src/Symfony/Component/Notifier/Bridge/MessageBird/MessageBirdTransport.php +++ b/src/Symfony/Component/Notifier/Bridge/MessageBird/MessageBirdTransport.php 
@@ -31,7 +31,7 @@ final class MessageBirdTransport extends AbstractTransport private string $token; private string $from; - public function __construct(string $token, string $from, HttpClientInterface $client = null, EventDispatcherInterface $dispatcher = null) + public function __construct(#[\SensitiveParameter] string $token, string $from, HttpClientInterface $client = null, EventDispatcherInterface $dispatcher = null) { $this->token = $token; $this->from = $from; diff --git a/src/Symfony/Component/Notifier/Bridge/RocketChat/RocketChatTransport.php b/src/Symfony/Component/Notifier/Bridge/RocketChat/RocketChatTransport.php index 92f8fe40ce1ee..e1cfd92bab0a3 100644 --- a/src/Symfony/Component/Notifier/Bridge/RocketChat/RocketChatTransport.php +++ b/src/Symfony/Component/Notifier/Bridge/RocketChat/RocketChatTransport.php @@ -32,7 +32,7 @@ final class RocketChatTransport extends AbstractTransport private string $accessToken; private ?string $chatChannel; - public function __construct(string $accessToken, string $chatChannel = null, HttpClientInterface $client = null, EventDispatcherInterface $dispatcher = null) + public function __construct(#[\SensitiveParameter] string $accessToken, string $chatChannel = null, HttpClientInterface $client = null, EventDispatcherInterface $dispatcher = null) { $this->accessToken = $accessToken; $this->chatChannel = $chatChannel; diff --git a/src/Symfony/Component/Notifier/Bridge/Sendberry/SendberryTransport.php b/src/Symfony/Component/Notifier/Bridge/Sendberry/SendberryTransport.php index 5c3441a1ae508..ce87277006cc2 100644 --- a/src/Symfony/Component/Notifier/Bridge/Sendberry/SendberryTransport.php +++ b/src/Symfony/Component/Notifier/Bridge/Sendberry/SendberryTransport.php 
@@ -34,7 +34,7 @@ final class SendberryTransport extends AbstractTransport private string $authKey; private string $from; - public function __construct(string $username, string $password, string $authKey, string $from, HttpClientInterface $client = null, EventDispatcherInterface $dispatcher = null) + public function __construct(string $username, #[\SensitiveParameter] string $password, string $authKey, string $from, HttpClientInterface $client = null, EventDispatcherInterface $dispatcher = null) { $this->username = $username; $this->password = $password; diff --git a/src/Symfony/Component/Notifier/Bridge/Slack/SlackTransport.php b/src/Symfony/Component/Notifier/Bridge/Slack/SlackTransport.php index 1a06ed9a12f06..f253e90ebb9be 100644 --- a/src/Symfony/Component/Notifier/Bridge/Slack/SlackTransport.php +++ b/src/Symfony/Component/Notifier/Bridge/Slack/SlackTransport.php @@ -33,7 +33,7 @@ final class SlackTransport extends AbstractTransport private string $accessToken; private ?string $chatChannel; - public function __construct(string $accessToken, string $channel = null, HttpClientInterface $client = null, EventDispatcherInterface $dispatcher = null) + public function __construct(#[\SensitiveParameter] string $accessToken, string $channel = null, HttpClientInterface $client = null, EventDispatcherInterface $dispatcher = null) { if (!preg_match('/^xox(b-|p-|a-2)/', $accessToken)) { throw new InvalidArgumentException('A valid Slack token needs to start with "xoxb-", "xoxp-" or "xoxa-2". See https://api.slack.com/authentication/token-types for further information.'); diff --git a/src/Symfony/Component/Notifier/Bridge/SmsFactor/SmsFactorTransport.php b/src/Symfony/Component/Notifier/Bridge/SmsFactor/SmsFactorTransport.php index a116a35f97fff..5b95649d1bba4 100644 --- a/src/Symfony/Component/Notifier/Bridge/SmsFactor/SmsFactorTransport.php +++ b/src/Symfony/Component/Notifier/Bridge/SmsFactor/SmsFactorTransport.php 
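Review bot: SendberryTransport::__construct() marks `$password` but not `$authKey`, which sits next to it in the signature and, going by its name and the `private string $authKey` property, looks like an API secret as well. A trace through this constructor would redact the password and still print the key. Suggested signature fragment: `#[\SensitiveParameter] string $password, #[\SensitiveParameter] string $authKey, string $from`.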
@@ -33,7 +33,7 @@ final class SmsFactorTransport extends AbstractTransport private ?string $sender; private ?SmsFactorPushType $pushType; - public function __construct(string $tokenApi, ?string $sender, ?SmsFactorPushType $pushType, HttpClientInterface $client = null, EventDispatcherInterface $dispatcher = null) + public function __construct(#[\SensitiveParameter] string $tokenApi, ?string $sender, ?SmsFactorPushType $pushType, HttpClientInterface $client = null, EventDispatcherInterface $dispatcher = null) { $this->tokenApi = $tokenApi; $this->sender = $sender; diff --git a/src/Symfony/Component/Notifier/Bridge/Smsc/SmscTransport.php b/src/Symfony/Component/Notifier/Bridge/Smsc/SmscTransport.php index 4254b66fcca10..07b4f2855b72c 100644 --- a/src/Symfony/Component/Notifier/Bridge/Smsc/SmscTransport.php +++ b/src/Symfony/Component/Notifier/Bridge/Smsc/SmscTransport.php @@ -34,7 +34,7 @@ final class SmscTransport extends AbstractTransport private ?string $password; private string $from; - public function __construct(?string $username, ?string $password, string $from, HttpClientInterface $client = null, EventDispatcherInterface $dispatcher = null) + public function __construct(?string $username, #[\SensitiveParameter] ?string $password, string $from, HttpClientInterface $client = null, EventDispatcherInterface $dispatcher = null) { $this->login = $username; $this->password = $password; diff --git a/src/Symfony/Component/Notifier/Bridge/SpotHit/SpotHitTransport.php b/src/Symfony/Component/Notifier/Bridge/SpotHit/SpotHitTransport.php index d627688bef9b2..d9de6364c1045 100644 --- a/src/Symfony/Component/Notifier/Bridge/SpotHit/SpotHitTransport.php +++ b/src/Symfony/Component/Notifier/Bridge/SpotHit/SpotHitTransport.php 
@@ -36,7 +36,7 @@ final class SpotHitTransport extends AbstractTransport private string $token; private ?string $from; - public function __construct(string $token, string $from = null, HttpClientInterface $client = null, EventDispatcherInterface $dispatcher = null) + public function __construct(#[\SensitiveParameter] string $token, string $from = null, HttpClientInterface $client = null, EventDispatcherInterface $dispatcher = null) { $this->token = $token; $this->from = $from; diff --git a/src/Symfony/Component/Notifier/Bridge/Telegram/TelegramTransport.php b/src/Symfony/Component/Notifier/Bridge/Telegram/TelegramTransport.php index f9edef4c64da9..773b09a2c0641 100644 --- a/src/Symfony/Component/Notifier/Bridge/Telegram/TelegramTransport.php +++ b/src/Symfony/Component/Notifier/Bridge/Telegram/TelegramTransport.php @@ -36,7 +36,7 @@ final class TelegramTransport extends AbstractTransport private string $token; private ?string $chatChannel; - public function __construct(string $token, string $channel = null, HttpClientInterface $client = null, EventDispatcherInterface $dispatcher = null) + public function __construct(#[\SensitiveParameter] string $token, string $channel = null, HttpClientInterface $client = null, EventDispatcherInterface $dispatcher = null) { $this->token = $token; $this->chatChannel = $channel; diff --git a/src/Symfony/Component/Notifier/Bridge/Zulip/ZulipTransport.php b/src/Symfony/Component/Notifier/Bridge/Zulip/ZulipTransport.php index a75f78bf1fbd8..1f601024ac2f6 100644 --- a/src/Symfony/Component/Notifier/Bridge/Zulip/ZulipTransport.php +++ b/src/Symfony/Component/Notifier/Bridge/Zulip/ZulipTransport.php 
@@ -31,7 +31,7 @@ final class ZulipTransport extends AbstractTransport private string $token; private string $channel; - public function __construct(string $email, string $token, string $channel, HttpClientInterface $client = null, EventDispatcherInterface $dispatcher = null) + public function __construct(string $email, #[\SensitiveParameter] string $token, string $channel, HttpClientInterface $client = null, EventDispatcherInterface $dispatcher = null) { $this->email = $email; $this->token = $token; diff --git a/src/Symfony/Component/PasswordHasher/CHANGELOG.md b/src/Symfony/Component/PasswordHasher/CHANGELOG.md index 53ea3f1c17b6e..8258c30b8e2f2 100644 --- a/src/Symfony/Component/PasswordHasher/CHANGELOG.md +++ b/src/Symfony/Component/PasswordHasher/CHANGELOG.md @@ -1,3 +1,11 @@ +CHANGELOG +========= + +6.2 +--- + + * Use `SensitiveParameter` attribute to redact sensitive values in back traces + 5.3 --- diff --git a/src/Symfony/Component/PasswordHasher/Hasher/CheckPasswordLengthTrait.php b/src/Symfony/Component/PasswordHasher/Hasher/CheckPasswordLengthTrait.php index 2dce065ff8191..9721b4182dc43 100644 --- a/src/Symfony/Component/PasswordHasher/Hasher/CheckPasswordLengthTrait.php +++ b/src/Symfony/Component/PasswordHasher/Hasher/CheckPasswordLengthTrait.php @@ -18,7 +18,7 @@ */ trait CheckPasswordLengthTrait { - private function isPasswordTooLong(string $password): bool + private function isPasswordTooLong(#[\SensitiveParameter] string $password): bool { return PasswordHasherInterface::MAX_PASSWORD_LENGTH < \strlen($password); } diff --git a/src/Symfony/Component/PasswordHasher/Hasher/MessageDigestPasswordHasher.php b/src/Symfony/Component/PasswordHasher/Hasher/MessageDigestPasswordHasher.php index d89c7f9f6b34c..7d7278c0913a7 100644 --- a/src/Symfony/Component/PasswordHasher/Hasher/MessageDigestPasswordHasher.php +++ b/src/Symfony/Component/PasswordHasher/Hasher/MessageDigestPasswordHasher.php 
@@ -48,7 +48,7 @@ public function __construct(string $algorithm = 'sha512', bool $encodeHashAsBase $this->iterations = $iterations; } - public function hash(string $plainPassword, string $salt = null): string + public function hash(#[\SensitiveParameter] string $plainPassword, string $salt = null): string { if ($this->isPasswordTooLong($plainPassword)) { throw new InvalidPasswordException(); @@ -69,7 +69,7 @@ public function hash(string $plainPassword, string $salt = null): string return $this->encodeHashAsBase64 ? base64_encode($digest) : bin2hex($digest); } - public function verify(string $hashedPassword, string $plainPassword, string $salt = null): bool + public function verify(string $hashedPassword, #[\SensitiveParameter] string $plainPassword, string $salt = null): bool { if (\strlen($hashedPassword) !== $this->hashLength || str_contains($hashedPassword, '$')) { return false; @@ -83,7 +83,7 @@ public function needsRehash(string $hashedPassword): bool return false; } - private function mergePasswordAndSalt(string $password, ?string $salt): string + private function mergePasswordAndSalt(#[\SensitiveParameter] string $password, ?string $salt): string { if (!$salt) { return $password; diff --git a/src/Symfony/Component/PasswordHasher/Hasher/MigratingPasswordHasher.php b/src/Symfony/Component/PasswordHasher/Hasher/MigratingPasswordHasher.php index 7a8dc3e742161..cc3a9aa2f7415 100644 --- a/src/Symfony/Component/PasswordHasher/Hasher/MigratingPasswordHasher.php +++ b/src/Symfony/Component/PasswordHasher/Hasher/MigratingPasswordHasher.php 
@@ -33,12 +33,12 @@ public function __construct(PasswordHasherInterface $bestHasher, PasswordHasherI $this->extraHashers = $extraHashers; } - public function hash(string $plainPassword, string $salt = null): string + public function hash(#[\SensitiveParameter] string $plainPassword, string $salt = null): string { return $this->bestHasher->hash($plainPassword, $salt); } - public function verify(string $hashedPassword, string $plainPassword, string $salt = null): bool + public function verify(string $hashedPassword, #[\SensitiveParameter] string $plainPassword, string $salt = null): bool { if ($this->bestHasher->verify($hashedPassword, $plainPassword, $salt)) { return true; diff --git a/src/Symfony/Component/PasswordHasher/Hasher/NativePasswordHasher.php b/src/Symfony/Component/PasswordHasher/Hasher/NativePasswordHasher.php index 3deef74cacab0..b6dc3661fed6d 100644 --- a/src/Symfony/Component/PasswordHasher/Hasher/NativePasswordHasher.php +++ b/src/Symfony/Component/PasswordHasher/Hasher/NativePasswordHasher.php @@ -71,7 +71,7 @@ public function __construct(int $opsLimit = null, int $memLimit = null, int $cos ]; } - public function hash(string $plainPassword): string + public function hash(#[\SensitiveParameter] string $plainPassword): string { if ($this->isPasswordTooLong($plainPassword)) { throw new InvalidPasswordException(); @@ -84,7 +84,7 @@ public function hash(string $plainPassword): string return password_hash($plainPassword, $this->algorithm, $this->options); } - public function verify(string $hashedPassword, string $plainPassword): bool + public function verify(string $hashedPassword, #[\SensitiveParameter] string $plainPassword): bool { if ('' === $plainPassword || $this->isPasswordTooLong($plainPassword)) { return false; diff --git a/src/Symfony/Component/PasswordHasher/Hasher/Pbkdf2PasswordHasher.php b/src/Symfony/Component/PasswordHasher/Hasher/Pbkdf2PasswordHasher.php index bf17cb4b6478b..f393e0fc02c3f 100644 
--- a/src/Symfony/Component/PasswordHasher/Hasher/Pbkdf2PasswordHasher.php +++ b/src/Symfony/Component/PasswordHasher/Hasher/Pbkdf2PasswordHasher.php @@ -59,7 +59,7 @@ public function __construct(string $algorithm = 'sha512', bool $encodeHashAsBase $this->iterations = $iterations; } - public function hash(string $plainPassword, string $salt = null): string + public function hash(#[\SensitiveParameter] string $plainPassword, string $salt = null): string { if ($this->isPasswordTooLong($plainPassword)) { throw new InvalidPasswordException(); @@ -74,7 +74,7 @@ public function hash(string $plainPassword, string $salt = null): string return $this->encodeHashAsBase64 ? base64_encode($digest) : bin2hex($digest); } - public function verify(string $hashedPassword, string $plainPassword, string $salt = null): bool + public function verify(string $hashedPassword, #[\SensitiveParameter] string $plainPassword, string $salt = null): bool { if (\strlen($hashedPassword) !== $this->encodedLength || str_contains($hashedPassword, '$')) { return false; diff --git a/src/Symfony/Component/PasswordHasher/Hasher/PlaintextPasswordHasher.php b/src/Symfony/Component/PasswordHasher/Hasher/PlaintextPasswordHasher.php index 21cac98366cdf..68562631fac15 100644 --- a/src/Symfony/Component/PasswordHasher/Hasher/PlaintextPasswordHasher.php +++ b/src/Symfony/Component/PasswordHasher/Hasher/PlaintextPasswordHasher.php @@ -38,7 +38,7 @@ public function __construct(bool $ignorePasswordCase = false) /** * {@inheritdoc} */ - public function hash(string $plainPassword, string $salt = null): string + public function hash(#[\SensitiveParameter] string $plainPassword, string $salt = null): string { if ($this->isPasswordTooLong($plainPassword)) { throw new InvalidPasswordException(); 
@@ -47,7 +47,7 @@ public function hash(string $plainPassword, string $salt = null): string return $this->mergePasswordAndSalt($plainPassword, $salt); } - public function verify(string $hashedPassword, string $plainPassword, string $salt = null): bool + public function verify(string $hashedPassword, #[\SensitiveParameter] string $plainPassword, string $salt = null): bool { if ($this->isPasswordTooLong($plainPassword)) { return false; @@ -67,7 +67,7 @@ public function needsRehash(string $hashedPassword): bool return false; } - private function mergePasswordAndSalt(string $password, ?string $salt): string + private function mergePasswordAndSalt(#[\SensitiveParameter] string $password, ?string $salt): string { if (empty($salt)) { return $password; diff --git a/src/Symfony/Component/PasswordHasher/Hasher/SodiumPasswordHasher.php b/src/Symfony/Component/PasswordHasher/Hasher/SodiumPasswordHasher.php index acad6c8408658..37ca7d9718621 100644 --- a/src/Symfony/Component/PasswordHasher/Hasher/SodiumPasswordHasher.php +++ b/src/Symfony/Component/PasswordHasher/Hasher/SodiumPasswordHasher.php @@ -52,7 +52,7 @@ public static function isSupported(): bool return version_compare(\extension_loaded('sodium') ? \SODIUM_LIBRARY_VERSION : phpversion('libsodium'), '1.0.14', '>='); } - public function hash(string $plainPassword): string + public function hash(#[\SensitiveParameter] string $plainPassword): string { if ($this->isPasswordTooLong($plainPassword)) { throw new InvalidPasswordException(); @@ -69,7 +69,7 @@ public function hash(string $plainPassword): string throw new LogicException('Libsodium is not available. You should either install the sodium extension or use a different password hasher.'); } - public function verify(string $hashedPassword, string $plainPassword): bool + public function verify(string $hashedPassword, #[\SensitiveParameter] string $plainPassword): bool { if ('' === $plainPassword) { return false; 
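Review bot: In `PlaintextPasswordHasher::verify()` the `$hashedPassword` argument is left unmarked, but for this hasher it is not a digest. The visible `hash()` returns `$this->mergePasswordAndSalt($plainPassword, $salt)`, and that helper hands the password back unchanged when the salt is empty. A back trace through `verify()` would therefore still show the stored password in clear text. I would mark both parameters: `public function verify(#[\SensitiveParameter] string $hashedPassword, #[\SensitiveParameter] string $plainPassword, string $salt = null): bool`. The body of `verify()` continues outside the hunk, so this rests on the visible lines only.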
diff --git a/src/Symfony/Component/PasswordHasher/Hasher/UserPasswordHasher.php b/src/Symfony/Component/PasswordHasher/Hasher/UserPasswordHasher.php index be1a9b6682cfc..733a1c4e1b038 100644 --- a/src/Symfony/Component/PasswordHasher/Hasher/UserPasswordHasher.php +++ b/src/Symfony/Component/PasswordHasher/Hasher/UserPasswordHasher.php @@ -30,7 +30,7 @@ public function __construct(PasswordHasherFactoryInterface $hasherFactory) $this->hasherFactory = $hasherFactory; } - public function hashPassword(PasswordAuthenticatedUserInterface $user, string $plainPassword): string + public function hashPassword(PasswordAuthenticatedUserInterface $user, #[\SensitiveParameter] string $plainPassword): string { $salt = null; if ($user instanceof LegacyPasswordAuthenticatedUserInterface) { @@ -42,7 +42,7 @@ public function hashPassword(PasswordAuthenticatedUserInterface $user, string $p return $hasher->hash($plainPassword, $salt); } - public function isPasswordValid(PasswordAuthenticatedUserInterface $user, string $plainPassword): bool + public function isPasswordValid(PasswordAuthenticatedUserInterface $user, #[\SensitiveParameter] string $plainPassword): bool { $salt = null; if ($user instanceof LegacyPasswordAuthenticatedUserInterface) { diff --git a/src/Symfony/Component/PasswordHasher/Hasher/UserPasswordHasherInterface.php b/src/Symfony/Component/PasswordHasher/Hasher/UserPasswordHasherInterface.php index 9a40054609b49..8d4cc1e3420a7 100644 --- a/src/Symfony/Component/PasswordHasher/Hasher/UserPasswordHasherInterface.php +++ b/src/Symfony/Component/PasswordHasher/Hasher/UserPasswordHasherInterface.php 
@@ -23,12 +23,12 @@ interface UserPasswordHasherInterface /** * Hashes the plain password for the given user. */ - public function hashPassword(PasswordAuthenticatedUserInterface $user, string $plainPassword): string; + public function hashPassword(PasswordAuthenticatedUserInterface $user, #[\SensitiveParameter] string $plainPassword): string; /** * Checks if the plaintext password matches the user's password. */ - public function isPasswordValid(PasswordAuthenticatedUserInterface $user, string $plainPassword): bool; + public function isPasswordValid(PasswordAuthenticatedUserInterface $user, #[\SensitiveParameter] string $plainPassword): bool; /** * Checks if an encoded password would benefit from rehashing. diff --git a/src/Symfony/Component/PasswordHasher/LegacyPasswordHasherInterface.php b/src/Symfony/Component/PasswordHasher/LegacyPasswordHasherInterface.php index 7897b006dd102..b8606ae05ec9e 100644 --- a/src/Symfony/Component/PasswordHasher/LegacyPasswordHasherInterface.php +++ b/src/Symfony/Component/PasswordHasher/LegacyPasswordHasherInterface.php @@ -27,10 +27,10 @@ interface LegacyPasswordHasherInterface extends PasswordHasherInterface * * @throws InvalidPasswordException If the plain password is invalid, e.g. excessively long */ - public function hash(string $plainPassword, string $salt = null): string; + public function hash(#[\SensitiveParameter] string $plainPassword, string $salt = null): string; /** * Checks that a plain password and a salt match a password hash. */ - public function verify(string $hashedPassword, string $plainPassword, string $salt = null): bool; + public function verify(string $hashedPassword, #[\SensitiveParameter] string $plainPassword, string $salt = null): bool; } diff --git a/src/Symfony/Component/PasswordHasher/PasswordHasherInterface.php b/src/Symfony/Component/PasswordHasher/PasswordHasherInterface.php index 6b3575783891f..6e09db3d10aa3 100644 --- a/src/Symfony/Component/PasswordHasher/PasswordHasherInterface.php 
+++ b/src/Symfony/Component/PasswordHasher/PasswordHasherInterface.php @@ -29,12 +29,12 @@ interface PasswordHasherInterface * * @throws InvalidPasswordException When the plain password is invalid, e.g. excessively long */ - public function hash(string $plainPassword): string; + public function hash(#[\SensitiveParameter] string $plainPassword): string; /** * Verifies a plain password against a hash. */ - public function verify(string $hashedPassword, string $plainPassword): bool; + public function verify(string $hashedPassword, #[\SensitiveParameter] string $plainPassword): bool; /** * Checks if a password hash would benefit from rehashing. diff --git a/src/Symfony/Component/Security/Core/Authentication/RememberMe/CacheTokenVerifier.php b/src/Symfony/Component/Security/Core/Authentication/RememberMe/CacheTokenVerifier.php index 65e15eadf99bc..a9af59270b721 100644 --- a/src/Symfony/Component/Security/Core/Authentication/RememberMe/CacheTokenVerifier.php +++ b/src/Symfony/Component/Security/Core/Authentication/RememberMe/CacheTokenVerifier.php @@ -38,7 +38,7 @@ public function __construct(CacheItemPoolInterface $cache, int $outdatedTokenTtl /** * {@inheritdoc} */ - public function verifyToken(PersistentTokenInterface $token, string $tokenValue): bool + public function verifyToken(PersistentTokenInterface $token, #[\SensitiveParameter] string $tokenValue): bool { if (hash_equals($token->getTokenValue(), $tokenValue)) { return true; @@ -58,7 +58,7 @@ public function verifyToken(PersistentTokenInterface $token, string $tokenValue) /** * {@inheritdoc} */ - public function updateExistingToken(PersistentTokenInterface $token, string $tokenValue, \DateTimeInterface $lastUsed): void + public function updateExistingToken(PersistentTokenInterface $token, #[\SensitiveParameter] string $tokenValue, \DateTimeInterface $lastUsed): void { // When a token gets updated, persist the outdated token for $outdatedTokenTtl seconds so we can // still accept it as valid in verifyToken 
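Review bot: The attribute added to `PasswordHasherInterface::hash()` and `verify()` signals intent, but the docblocks do not tell implementers that they have to repeat it. As far as I know PHP does not carry parameter attributes over from an interface to the implementing method, so a third-party hasher gets no redaction unless it declares the attribute itself. I would add a line to both docblocks, for example `* Implementations should repeat #[\SensitiveParameter] on $plainPassword; the attribute is not inherited.` The same remark applies to the other interfaces touched by this patch (LegacyPasswordHasherInterface, UserPasswordHasherInterface, TokenProviderInterface, TokenVerifierInterface).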
diff --git a/src/Symfony/Component/Security/Core/Authentication/RememberMe/InMemoryTokenProvider.php b/src/Symfony/Component/Security/Core/Authentication/RememberMe/InMemoryTokenProvider.php index 3e348df9171a7..e6d526613524a 100644 --- a/src/Symfony/Component/Security/Core/Authentication/RememberMe/InMemoryTokenProvider.php +++ b/src/Symfony/Component/Security/Core/Authentication/RememberMe/InMemoryTokenProvider.php @@ -37,7 +37,7 @@ public function loadTokenBySeries(string $series): PersistentTokenInterface /** * {@inheritdoc} */ - public function updateToken(string $series, string $tokenValue, \DateTime $lastUsed) + public function updateToken(string $series, #[\SensitiveParameter] string $tokenValue, \DateTime $lastUsed) { if (!isset($this->tokens[$series])) { throw new TokenNotFoundException('No token found.'); diff --git a/src/Symfony/Component/Security/Core/Authentication/RememberMe/PersistentToken.php b/src/Symfony/Component/Security/Core/Authentication/RememberMe/PersistentToken.php index b8b504b8c7092..9f3f9e76e6d02 100644 --- a/src/Symfony/Component/Security/Core/Authentication/RememberMe/PersistentToken.php +++ b/src/Symfony/Component/Security/Core/Authentication/RememberMe/PersistentToken.php @@ -24,7 +24,7 @@ final class PersistentToken implements PersistentTokenInterface private string $tokenValue; private \DateTime $lastUsed; - public function __construct(string $class, string $userIdentifier, string $series, string $tokenValue, \DateTime $lastUsed) + public function __construct(string $class, string $userIdentifier, string $series, #[\SensitiveParameter] string $tokenValue, \DateTime $lastUsed) { if (empty($class)) { throw new \InvalidArgumentException('$class must not be empty.'); diff --git a/src/Symfony/Component/Security/Core/Authentication/RememberMe/TokenProviderInterface.php b/src/Symfony/Component/Security/Core/Authentication/RememberMe/TokenProviderInterface.php index eda4730004414..9b32fdce315d1 100644 
--- a/src/Symfony/Component/Security/Core/Authentication/RememberMe/TokenProviderInterface.php +++ b/src/Symfony/Component/Security/Core/Authentication/RememberMe/TokenProviderInterface.php @@ -39,7 +39,7 @@ public function deleteTokenBySeries(string $series); * * @throws TokenNotFoundException if the token is not found */ - public function updateToken(string $series, string $tokenValue, \DateTime $lastUsed); + public function updateToken(string $series, #[\SensitiveParameter] string $tokenValue, \DateTime $lastUsed); /** * Creates a new token. diff --git a/src/Symfony/Component/Security/Core/Authentication/RememberMe/TokenVerifierInterface.php b/src/Symfony/Component/Security/Core/Authentication/RememberMe/TokenVerifierInterface.php index 57278d9e3c8d2..a323175073754 100644 --- a/src/Symfony/Component/Security/Core/Authentication/RememberMe/TokenVerifierInterface.php +++ b/src/Symfony/Component/Security/Core/Authentication/RememberMe/TokenVerifierInterface.php @@ -23,10 +23,10 @@ interface TokenVerifierInterface * * Do not forget to implement token comparisons using hash_equals for a secure implementation. */ - public function verifyToken(PersistentTokenInterface $token, string $tokenValue): bool; + public function verifyToken(PersistentTokenInterface $token, #[\SensitiveParameter] string $tokenValue): bool; /** * Updates an existing token with a new token value and lastUsed time. */ - public function updateExistingToken(PersistentTokenInterface $token, string $tokenValue, \DateTimeInterface $lastUsed): void; + public function updateExistingToken(PersistentTokenInterface $token, #[\SensitiveParameter] string $tokenValue, \DateTimeInterface $lastUsed): void; } diff --git a/src/Symfony/Component/Security/Core/Authentication/Token/RememberMeToken.php b/src/Symfony/Component/Security/Core/Authentication/Token/RememberMeToken.php index d4d9369018813..147c1d68b6888 100644 --- a/src/Symfony/Component/Security/Core/Authentication/Token/RememberMeToken.php 
+++ b/src/Symfony/Component/Security/Core/Authentication/Token/RememberMeToken.php @@ -28,7 +28,7 @@ class RememberMeToken extends AbstractToken * * @throws \InvalidArgumentException */ - public function __construct(UserInterface $user, string $firewallName, string $secret) + public function __construct(UserInterface $user, string $firewallName, #[\SensitiveParameter] string $secret) { parent::__construct($user->getRoles()); diff --git a/src/Symfony/Component/Security/Core/Signature/SignatureHasher.php b/src/Symfony/Component/Security/Core/Signature/SignatureHasher.php index 04022d58b35ed..29d508cecd90e 100644 --- a/src/Symfony/Component/Security/Core/Signature/SignatureHasher.php +++ b/src/Symfony/Component/Security/Core/Signature/SignatureHasher.php @@ -35,7 +35,7 @@ class SignatureHasher * @param ExpiredSignatureStorage|null $expiredSignaturesStorage if provided, secures a sequence of hashes that are expired * @param int|null $maxUses used together with $expiredSignatureStorage to allow a maximum usage of a hash */ - public function __construct(PropertyAccessorInterface $propertyAccessor, array $signatureProperties, string $secret, ExpiredSignatureStorage $expiredSignaturesStorage = null, int $maxUses = null) + public function __construct(PropertyAccessorInterface $propertyAccessor, array $signatureProperties, #[\SensitiveParameter] string $secret, ExpiredSignatureStorage $expiredSignaturesStorage = null, int $maxUses = null) { $this->propertyAccessor = $propertyAccessor; $this->signatureProperties = $signatureProperties; diff --git a/src/Symfony/Component/Security/Csrf/CsrfToken.php b/src/Symfony/Component/Security/Csrf/CsrfToken.php index 7ae62d67ba7f8..57f972e620e61 100644 --- a/src/Symfony/Component/Security/Csrf/CsrfToken.php +++ b/src/Symfony/Component/Security/Csrf/CsrfToken.php 
@@ -21,7 +21,7 @@ class CsrfToken private string $id; private string $value; - public function __construct(string $id, ?string $value) + public function __construct(string $id, #[\SensitiveParameter] ?string $value) { $this->id = $id; $this->value = $value ?? ''; diff --git a/src/Symfony/Component/Security/Csrf/CsrfTokenManager.php b/src/Symfony/Component/Security/Csrf/CsrfTokenManager.php index f4aee2a28d1ca..ad376593d65f5 100644 --- a/src/Symfony/Component/Security/Csrf/CsrfTokenManager.php +++ b/src/Symfony/Component/Security/Csrf/CsrfTokenManager.php @@ -85,7 +85,7 @@ public function getToken(string $tokenId): CsrfToken /** * {@inheritdoc} */ - public function refreshToken(string $tokenId): CsrfToken + public function refreshToken(#[\SensitiveParameter] string $tokenId): CsrfToken { $namespacedId = $this->getNamespace().$tokenId; $value = $this->generator->generateToken(); diff --git a/src/Symfony/Component/Security/Http/Authenticator/Passport/Credentials/PasswordCredentials.php b/src/Symfony/Component/Security/Http/Authenticator/Passport/Credentials/PasswordCredentials.php index ebaf8eabee4a4..9c86b12907d36 100644 --- a/src/Symfony/Component/Security/Http/Authenticator/Passport/Credentials/PasswordCredentials.php +++ b/src/Symfony/Component/Security/Http/Authenticator/Passport/Credentials/PasswordCredentials.php @@ -28,7 +28,7 @@ class PasswordCredentials implements CredentialsInterface private ?string $password = null; private bool $resolved = false; - public function __construct(string $password) + public function __construct(#[\SensitiveParameter] string $password) { $this->password = $password; } diff --git a/src/Symfony/Component/Security/Http/Authenticator/RememberMeAuthenticator.php b/src/Symfony/Component/Security/Http/Authenticator/RememberMeAuthenticator.php index e9a31269e7b42..2082176e63b84 100644 --- a/src/Symfony/Component/Security/Http/Authenticator/RememberMeAuthenticator.php 
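Review bot: `CsrfTokenManager::refreshToken()` marks `$tokenId` as sensitive, but that parameter is the token's identifier, not its value; the value is produced inside the method by `$this->generator->generateToken()`. The context line of the same hunk shows `getToken(string $tokenId)` left unmarked, so the two methods now disagree. The redaction also hides a detail that helps debugging without protecting a secret. Unless the id is treated as confidential elsewhere, I would drop the attribute here: `public function refreshToken(string $tokenId): CsrfToken`. The method body continues outside the hunk.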
+++ b/src/Symfony/Component/Security/Http/Authenticator/RememberMeAuthenticator.php @@ -49,7 +49,7 @@ class RememberMeAuthenticator implements InteractiveAuthenticatorInterface private string $cookieName; private ?LoggerInterface $logger; - public function __construct(RememberMeHandlerInterface $rememberMeHandler, string $secret, TokenStorageInterface $tokenStorage, string $cookieName, LoggerInterface $logger = null) + public function __construct(RememberMeHandlerInterface $rememberMeHandler, #[\SensitiveParameter] string $secret, TokenStorageInterface $tokenStorage, string $cookieName, LoggerInterface $logger = null) { $this->rememberMeHandler = $rememberMeHandler; $this->secret = $secret; diff --git a/src/Symfony/Component/Security/Http/RememberMe/PersistentRememberMeHandler.php b/src/Symfony/Component/Security/Http/RememberMe/PersistentRememberMeHandler.php index e7243ac8b049d..d8565084b79e4 100644 --- a/src/Symfony/Component/Security/Http/RememberMe/PersistentRememberMeHandler.php +++ b/src/Symfony/Component/Security/Http/RememberMe/PersistentRememberMeHandler.php @@ -36,7 +36,7 @@ final class PersistentRememberMeHandler extends AbstractRememberMeHandler private ?TokenVerifierInterface $tokenVerifier; private string $secret; - public function __construct(TokenProviderInterface $tokenProvider, string $secret, UserProviderInterface $userProvider, RequestStack $requestStack, array $options, LoggerInterface $logger = null, TokenVerifierInterface $tokenVerifier = null) + public function __construct(TokenProviderInterface $tokenProvider, #[\SensitiveParameter] string $secret, UserProviderInterface $userProvider, RequestStack $requestStack, array $options, LoggerInterface $logger = null, TokenVerifierInterface $tokenVerifier = null) { parent::__construct($userProvider, $requestStack, $options, $logger);