
Commit 5fd9513

committed
feat: add SensitiveParameter attributes to Security methods
Mark sensitive parameters in password hashing, data encryption, and validation methods with the #[\SensitiveParameter] attribute. This improves security by preventing sensitive data from being exposed in error messages, stack traces, and debugging output.
1 parent 92d6a15 commit 5fd9513

1 file changed

+6
-6
lines changed

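--- a/src/services/Security.php
+++ b/src/services/Security.php
@@ -67,7 +67,7 @@ public function getMinimumPasswordLength(): int
 * validation fails.
 * @return string The hash.
 */
-public function hashPassword(string $password, bool $validateHash = false): string
+public function hashPassword(#[\SensitiveParameter] string $password, bool $validateHash = false): string
 {
 $hash = $this->generatePasswordHash($password, $this->_blowFishHashCost);
 
@@ -93,7 +93,7 @@ public function hashPassword(string $password, bool $validateHash = false): stri
 * @see hkdf()
 * @see pbkdf2()
 */
-public function hashData($data, $key = null, $rawHash = false): string
+public function hashData(#[\SensitiveParameter] $data, #[\SensitiveParameter] $key = null, $rawHash = false): string
 {
 if ($key === null) {
 $key = Craft::$app->getConfig()->getGeneral()->securityKey;
@@ -118,7 +118,7 @@ public function hashData($data, $key = null, $rawHash = false): string
 * @throws InvalidConfigException when HMAC generation fails.
 * @see hashData()
 */
-public function validateData($data, $key = null, $rawHash = false): string|false
+public function validateData($data, #[\SensitiveParameter] $key = null, $rawHash = false): string|false
 {
 if ($key === null) {
 $key = Craft::$app->getConfig()->getGeneral()->securityKey;
@@ -138,7 +138,7 @@ public function validateData($data, $key = null, $rawHash = false): string|false
 * @see decryptByKey()
 * @see encryptByPassword()
 */
-public function encryptByKey($data, $inputKey = null, $info = null): string
+public function encryptByKey(#[\SensitiveParameter] $data, #[\SensitiveParameter] $inputKey = null, $info = null): string
 {
 if ($inputKey === null) {
 $inputKey = Craft::$app->getConfig()->getGeneral()->securityKey;
@@ -157,7 +157,7 @@ public function encryptByKey($data, $inputKey = null, $info = null): string
 * @throws Exception on OpenSSL error
 * @see encryptByKey()
 */
-public function decryptByKey($data, $inputKey = null, $info = null): string|false
+public function decryptByKey($data, #[\SensitiveParameter] $inputKey = null, $info = null): string|false
 {
 if ($inputKey === null) {
 $inputKey = Craft::$app->getConfig()->getGeneral()->securityKey;
@@ -185,7 +185,7 @@ public function isSensitive(string $key): bool
 * @param mixed $value
 * @return mixed The possibly-redacted value
 */
-public function redactIfSensitive(string $key, mixed $value): mixed
+public function redactIfSensitive(string $key, #[\SensitiveParameter] mixed $value): mixed
 {
 if (is_array($value)) {
 foreach ($value as $n => &$v) {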
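Review bot: The attribute on `hashPassword()` redacts `$password` only in that method's own stack frame, yet the first body line forwards it to `$this->generatePasswordHash($password, ...)`; if that callee is not annotated as well (its declaration is not part of this diff), an exception raised inside it would still carry the plaintext in the callee's frame. The same presumably holds wherever `hashData()`, `validateData()`, `encryptByKey()` and `decryptByKey()` pass the key on to inner calls, but their bodies continue outside the hunks so this cannot be confirmed here. `#[\SensitiveParameter]` takes effect on PHP 8.2 and later and is silently ignored on earlier 8.x runtimes, so the docblock should state the limit, e.g. `* Note: $password is redacted from stack traces for this frame only, and only on PHP >= 8.2.`, and deployments that need a stronger guarantee can also set `zend.exception_ignore_args=On`. Separately, `hashData()` now marks `$data` while `validateData()` leaves its `$data` unmarked although it carries the same payload prefixed with the hash; if the payload is treated as sensitive, `validateData(#[\SensitiveParameter] $data, #[\SensitiveParameter] $key = null, $rawHash = false)` would be consistent.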
