diff --git a/system/Encryption/EncrypterInterface.php b/system/Encryption/EncrypterInterface.php index 2f40995041f3..9c1b0d36d1be 100644 --- a/system/Encryption/EncrypterInterface.php +++ b/system/Encryption/EncrypterInterface.php @@ -14,6 +14,7 @@ namespace CodeIgniter\Encryption; use CodeIgniter\Encryption\Exceptions\EncryptionException; +use SensitiveParameter; /** * CodeIgniter Encryption Handler @@ -32,7 +33,7 @@ interface EncrypterInterface * * @throws EncryptionException */ - public function encrypt($data, $params = null); + public function encrypt(#[SensitiveParameter] $data, #[SensitiveParameter] $params = null); /** * Decrypt - convert ciphertext into plaintext @@ -44,5 +45,5 @@ public function encrypt($data, $params = null); * * @throws EncryptionException */ - public function decrypt($data, $params = null); + public function decrypt($data, #[SensitiveParameter] $params = null); } diff --git a/system/Encryption/Handlers/OpenSSLHandler.php b/system/Encryption/Handlers/OpenSSLHandler.php index 9745160b8003..9dca5b90304c 100644 --- a/system/Encryption/Handlers/OpenSSLHandler.php +++ b/system/Encryption/Handlers/OpenSSLHandler.php @@ -14,6 +14,7 @@ namespace CodeIgniter\Encryption\Handlers; use CodeIgniter\Encryption\Exceptions\EncryptionException; +use SensitiveParameter; /** * Encryption handling for OpenSSL library @@ -79,7 +80,7 @@ class OpenSSLHandler extends BaseHandler /** * {@inheritDoc} */ - public function encrypt($data, $params = null) + public function encrypt(#[SensitiveParameter] $data, #[SensitiveParameter] $params = null) { // Allow key override if ($params !== null) { @@ -115,7 +116,7 @@ public function encrypt($data, $params = null) /** * {@inheritDoc} */ - public function decrypt($data, $params = null) + public function decrypt($data, #[SensitiveParameter] $params = null) { // Allow key override if ($params !== null) { diff --git a/system/Encryption/Handlers/SodiumHandler.php b/system/Encryption/Handlers/SodiumHandler.php index c74f2a5f0a48..45f9ac2fa383 100644 --- a/system/Encryption/Handlers/SodiumHandler.php +++ b/system/Encryption/Handlers/SodiumHandler.php @@ -14,6 +14,7 @@ namespace CodeIgniter\Encryption\Handlers; use CodeIgniter\Encryption\Exceptions\EncryptionException; +use SensitiveParameter; /** * SodiumHandler uses libsodium in encryption. @@ -40,7 +41,7 @@ class SodiumHandler extends BaseHandler /** * {@inheritDoc} */ - public function encrypt($data, $params = null) + public function encrypt(#[SensitiveParameter] $data, #[SensitiveParameter] $params = null) { $this->parseParams($params); @@ -71,7 +72,7 @@ public function encrypt($data, $params = null) /** * {@inheritDoc} */ - public function decrypt($data, $params = null) + public function decrypt($data, #[SensitiveParameter] $params = null) { $this->parseParams($params); diff --git a/system/HTTP/CURLRequest.php b/system/HTTP/CURLRequest.php index 7014ca418a43..29516a094a86 100644 --- a/system/HTTP/CURLRequest.php +++ b/system/HTTP/CURLRequest.php @@ -18,6 +18,7 @@ use Config\App; use Config\CURLRequest as ConfigCURLRequest; use CurlShareHandle; +use SensitiveParameter; /** * A lightweight HTTP client for sending synchronous HTTP requests via cURL. @@ -260,13 +261,9 @@ public function put(string $url, array $options = []): ResponseInterface * * @return $this */ - public function setAuth(string $username, string $password, string $type = 'basic') + public function setAuth(string $username, #[SensitiveParameter] string $password, string $type = 'basic') { - $this->config['auth'] = [ - $username, - $password, - $type, - ]; + $this->config['auth'] = [$username, $password, $type]; return $this; } diff --git a/system/HTTP/URI.php b/system/HTTP/URI.php index 5bcf11de655a..c904ff8a549a 100644 --- a/system/HTTP/URI.php +++ b/system/HTTP/URI.php @@ -17,6 +17,7 @@ use CodeIgniter\Exceptions\InvalidArgumentException; use CodeIgniter\HTTP\Exceptions\HTTPException; use Config\App; +use SensitiveParameter; use Stringable; /** @@ -768,7 +769,7 @@ public function withScheme(string $scheme) * * @TODO PSR-7: Should be `withUserInfo($user, $password = null)`. */ - public function setUserInfo(string $user, string $pass) + public function setUserInfo(string $user, #[SensitiveParameter] string $pass) { $this->user = trim($user); $this->password = trim($pass); diff --git a/system/Security/Security.php b/system/Security/Security.php index aa744d9ed343..c367d2d3b412 100644 --- a/system/Security/Security.php +++ b/system/Security/Security.php @@ -26,6 +26,7 @@ use Config\Cookie as CookieConfig; use Config\Security as SecurityConfig; use ErrorException; +use SensitiveParameter; /** * Class Security @@ -371,13 +372,13 @@ protected function randomize(string $hash): string * * @throws InvalidArgumentException "hex2bin(): Hexadecimal input string must have an even length" */ - protected function derandomize(string $token): string + protected function derandomize(#[SensitiveParameter] string $token): string { $key = substr($token, -static::CSRF_HASH_BYTES * 2); $value = substr($token, 0, static::CSRF_HASH_BYTES * 2); try { - return bin2hex(hex2bin($value) ^ hex2bin($key)); + return bin2hex((string) hex2bin($value) ^ (string) hex2bin($key)); } catch (ErrorException $e) { // "hex2bin(): Hexadecimal input string must have an even length" throw new InvalidArgumentException($e->getMessage(), $e->getCode(), $e); diff --git a/user_guide_src/source/changelogs/v4.7.0.rst b/user_guide_src/source/changelogs/v4.7.0.rst index a9c888592555..fd64911a6561 100644 --- a/user_guide_src/source/changelogs/v4.7.0.rst +++ b/user_guide_src/source/changelogs/v4.7.0.rst @@ -48,6 +48,17 @@ Interface Changes Method Signature Changes ======================== +- Added the ``SensitiveParameter`` attribute to various methods to conceal sensitive information from stack traces. Affected methods are: + - ``CodeIgniter\Encryption\EncrypterInterface::encrypt()`` + - ``CodeIgniter\Encryption\EncrypterInterface::decrypt()`` + - ``CodeIgniter\Encryption\Handlers\OpenSSLHandler::encrypt()`` + - ``CodeIgniter\Encryption\Handlers\OpenSSLHandler::decrypt()`` + - ``CodeIgniter\Encryption\Handlers\SodiumHandler::encrypt()`` + - ``CodeIgniter\Encryption\Handlers\SodiumHandler::decrypt()`` + - ``CodeIgniter\HTTP\CURLRequest::setAuth()`` + - ``CodeIgniter\HTTP\URI::setUserInfo()`` + - ``CodeIgniter\Security\Security::derandomize()`` + Removed Deprecated Items ========================