check that the secret passed to RequestParser is not empty

xabbuh · xabbuh · commit 00aaea21a4a7 · 2023-11-08T11:34:20.000+01:00
diff --git a/src/Symfony/Component/Webhook/Client/RequestParser.php b/src/Symfony/Component/Webhook/Client/RequestParser.php
@@ -18,6 +18,7 @@
 use Symfony\Component\HttpFoundation\RequestMatcher\MethodRequestMatcher;
 use Symfony\Component\HttpFoundation\RequestMatcherInterface;
 use Symfony\Component\RemoteEvent\RemoteEvent;
+use Symfony\Component\Webhook\Exception\InvalidArgumentException;
 use Symfony\Component\Webhook\Exception\RejectWebhookException;
 
 /**
@@ -43,6 +44,10 @@ protected function getRequestMatcher(): RequestMatcherInterface
 
     protected function doParse(Request $request, #[\SensitiveParameter] string $secret): RemoteEvent
     {
+        if (!$secret) {
+            throw new InvalidArgumentException('A non-empty secret is required.');
+        }
+
         $body = $request->toArray();
 
         foreach ([$this->signatureHeaderName, $this->eventHeaderName, $this->idHeaderName] as $header) {
