Check whether secrets are empty and mark them all as sensitive

nicolas-grekas · nicolas-grekas · commit b7464eda6e75 · 2023-11-06T16:43:02.000+01:00
diff --git a/src/Symfony/Component/HttpFoundation/UriSigner.php b/src/Symfony/Component/HttpFoundation/UriSigner.php
@@ -12,8 +12,6 @@
 namespace Symfony\Component\HttpFoundation;
 
 /**
- * Signs URIs.
- *
  * @author Fabien Potencier <fabien@symfony.com>
  */
 class UriSigner
@@ -22,11 +20,15 @@ class UriSigner
     private string $parameter;
 
     /**
-     * @param string $secret    A secret
      * @param string $parameter Query string parameter to use
      */
     public function __construct(#[\SensitiveParameter] string $secret, string $parameter = '_hash')
     {
+        if (!$secret) {
+            trigger_deprecation('symfony/http-foundation', '6.4', 'Calling "%s()" with an empty secret is deprecated. A non-empty secret will be mandatory in version 7.0.', __METHOD__);
+            // throw new \InvalidArgumentException('A non-empty secret is required.');
+        }
+
         $this->secret = $secret;
         $this->parameter = $parameter;
     }
diff --git a/src/Symfony/Component/Mailer/Bridge/Brevo/Webhook/BrevoRequestParser.php b/src/Symfony/Component/Mailer/Bridge/Brevo/Webhook/BrevoRequestParser.php
@@ -41,7 +41,7 @@ protected function getRequestMatcher(): RequestMatcherInterface
         ]);
     }
 
-    protected function doParse(Request $request, string $secret): ?AbstractMailerEvent
+    protected function doParse(Request $request, #[\SensitiveParameter] string $secret): ?AbstractMailerEvent
     {
         $content = $request->toArray();
         if (
diff --git a/src/Symfony/Component/Mailer/Bridge/Mailgun/Webhook/MailgunRequestParser.php b/src/Symfony/Component/Mailer/Bridge/Mailgun/Webhook/MailgunRequestParser.php
@@ -37,8 +37,13 @@ protected function getRequestMatcher(): RequestMatcherInterface
         ]);
     }
 
-    protected function doParse(Request $request, string $secret): ?AbstractMailerEvent
+    protected function doParse(Request $request, #[\SensitiveParameter] string $secret): ?AbstractMailerEvent
     {
+        if (!$secret) {
+            trigger_deprecation('symfony/mailer', '6.4', 'Calling "%s()" with an empty secret is deprecated. A non-empty secret will be mandatory in version 7.0.', __METHOD__);
+            // throw new \Symfony\Component\Mailer\Exception\InvalidArgumentException('A non-empty secret is required.');
+        }
+
         $content = $request->toArray();
         if (
             !isset($content['signature']['timestamp'])
@@ -60,7 +65,7 @@ protected function doParse(Request $request, string $secret): ?AbstractMailerEve
         }
     }
 
-    private function validateSignature(array $signature, string $secret): void
+    private function validateSignature(array $signature, #[\SensitiveParameter] string $secret): void
     {
         // see https://documentation.mailgun.com/en/latest/user_manual.html#webhooks-1
         if (!hash_equals($signature['signature'], hash_hmac('sha256', $signature['timestamp'].$signature['token'], $secret))) {
diff --git a/src/Symfony/Component/Mailer/Bridge/Mailgun/composer.json b/src/Symfony/Component/Mailer/Bridge/Mailgun/composer.json
@@ -17,6 +17,7 @@
     ],
     "require": {
         "php": ">=8.1",
+        "symfony/deprecation-contracts": "^2.5|^3",
         "symfony/mailer": "^5.4.21|^6.2.7|^7.0"
     },
     "require-dev": {
diff --git a/src/Symfony/Component/Mailer/Bridge/Mailjet/Webhook/MailjetRequestParser.php b/src/Symfony/Component/Mailer/Bridge/Mailjet/Webhook/MailjetRequestParser.php
@@ -37,7 +37,7 @@ protected function getRequestMatcher(): RequestMatcherInterface
         ]);
     }
 
-    protected function doParse(Request $request, string $secret): ?AbstractMailerEvent
+    protected function doParse(Request $request, #[\SensitiveParameter] string $secret): ?AbstractMailerEvent
     {
         try {
             return $this->converter->convert($request->toArray());
diff --git a/src/Symfony/Component/Mailer/Bridge/Postmark/Webhook/PostmarkRequestParser.php b/src/Symfony/Component/Mailer/Bridge/Postmark/Webhook/PostmarkRequestParser.php
@@ -41,7 +41,7 @@ protected function getRequestMatcher(): RequestMatcherInterface
         ]);
     }
 
-    protected function doParse(Request $request, string $secret): ?AbstractMailerEvent
+    protected function doParse(Request $request, #[\SensitiveParameter] string $secret): ?AbstractMailerEvent
     {
         $payload = $request->toArray();
         if (
diff --git a/src/Symfony/Component/Mailer/Bridge/Sendgrid/Webhook/SendgridRequestParser.php b/src/Symfony/Component/Mailer/Bridge/Sendgrid/Webhook/SendgridRequestParser.php
@@ -86,12 +86,13 @@ protected function doParse(Request $request, string $secret): ?AbstractMailerEve
      *
      * @see https://docs.sendgrid.com/for-developers/tracking-events/getting-started-event-webhook-security-features
      */
-    private function validateSignature(
-        string $signature,
-        string $timestamp,
-        string $payload,
-        string $secret,
-    ): void {
+    private function validateSignature(string $signature, string $timestamp, string $payload, #[\SensitiveParameter] string $secret): void
+    {
+        if (!$secret) {
+            trigger_deprecation('symfony/mailer', '6.4', 'Calling "%s()" with an empty secret is deprecated. A non-empty secret will be mandatory in version 7.0.', __METHOD__);
+            // throw new \Symfony\Component\Mailer\Exception\InvalidArgumentException('A non-empty secret is required.');
+        }
+
         $timestampedPayload = $timestamp.$payload;
 
         // Sendgrid provides the verification key as base64-encoded DER data. Openssl wants a PEM format, which is a multiline version of the base64 data.
diff --git a/src/Symfony/Component/Mailer/Bridge/Sendgrid/composer.json b/src/Symfony/Component/Mailer/Bridge/Sendgrid/composer.json
@@ -17,6 +17,7 @@
     ],
     "require": {
         "php": ">=8.1",
+        "symfony/deprecation-contracts": "^2.5|^3",
         "symfony/mailer": "^5.4.21|^6.2.7|^7.0"
     },
     "require-dev": {
diff --git a/src/Symfony/Component/Mailer/Transport/Smtp/Auth/CramMd5Authenticator.php b/src/Symfony/Component/Mailer/Transport/Smtp/Auth/CramMd5Authenticator.php
@@ -41,6 +41,11 @@ public function authenticate(EsmtpTransport $client): void
      */
     private function getResponse(#[\SensitiveParameter] string $secret, string $challenge): string
     {
+        if (!$secret) {
+            trigger_deprecation('symfony/mailer', '6.4', 'Calling "%s()" with an empty secret is deprecated. A non-empty secret will be mandatory in version 7.0.', __METHOD__);
+            // throw new \Symfony\Component\Mailer\Exception\InvalidArgumentException('A non-empty secret is required.');
+        }
+
         if (\strlen($secret) > 64) {
             $secret = pack('H32', md5($secret));
         }
diff --git a/src/Symfony/Component/Mailer/composer.json b/src/Symfony/Component/Mailer/composer.json
@@ -20,6 +20,7 @@
         "egulias/email-validator": "^2.1.10|^3|^4",
         "psr/event-dispatcher": "^1",
         "psr/log": "^1|^2|^3",
+        "symfony/deprecation-contracts": "^2.5|^3",
         "symfony/event-dispatcher": "^5.4|^6.0|^7.0",
         "symfony/mime": "^6.2|^7.0",
         "symfony/service-contracts": "^2.5|^3"
diff --git a/src/Symfony/Component/Notifier/Bridge/Twilio/Webhook/TwilioRequestParser.php b/src/Symfony/Component/Notifier/Bridge/Twilio/Webhook/TwilioRequestParser.php
@@ -25,7 +25,7 @@ protected function getRequestMatcher(): RequestMatcherInterface
         return new MethodRequestMatcher('POST');
     }
 
-    protected function doParse(Request $request, string $secret): ?SmsEvent
+    protected function doParse(Request $request, #[\SensitiveParameter] string $secret): ?SmsEvent
     {
         // Statuses: https://www.twilio.com/docs/sms/api/message-resource#message-status-values
         // Payload examples: https://www.twilio.com/docs/sms/outbound-message-logging
diff --git a/src/Symfony/Component/Notifier/Bridge/Vonage/Webhook/VonageRequestParser.php b/src/Symfony/Component/Notifier/Bridge/Vonage/Webhook/VonageRequestParser.php
@@ -30,8 +30,13 @@ protected function getRequestMatcher(): RequestMatcherInterface
         ]);
     }
 
-    protected function doParse(Request $request, string $secret): ?SmsEvent
+    protected function doParse(Request $request, #[\SensitiveParameter] string $secret): ?SmsEvent
     {
+        if (!$secret) {
+            trigger_deprecation('symfony/notifier', '6.4', 'Calling "%s()" with an empty secret is deprecated. A non-empty secret will be mandatory in version 7.0.', __METHOD__);
+            // throw new \Symfony\Component\Notifier\Exception\InvalidArgumentException('A non-empty secret is required.');
+        }
+
         // Signed webhooks: https://developer.vonage.com/en/getting-started/concepts/webhooks#validating-signed-webhooks
         if (!$request->headers->has('Authorization')) {
             throw new RejectWebhookException(406, 'Missing "Authorization" header.');
@@ -70,7 +75,7 @@ protected function doParse(Request $request, string $secret): ?SmsEvent
         return $event;
     }
 
-    private function validateSignature(string $jwt, string $secret): void
+    private function validateSignature(string $jwt, #[\SensitiveParameter] string $secret): void
     {
         $tokenParts = explode('.', $jwt);
         if (3 !== \count($tokenParts)) {
diff --git a/src/Symfony/Component/Notifier/Bridge/Vonage/composer.json b/src/Symfony/Component/Notifier/Bridge/Vonage/composer.json
@@ -17,6 +17,7 @@
     ],
     "require": {
         "php": ">=8.1",
+        "symfony/deprecation-contracts": "^2.5|^3",
         "symfony/http-client": "^5.4|^6.0|^7.0",
         "symfony/notifier": "^6.2.7|^7.0"
     },
diff --git a/src/Symfony/Component/Security/Core/Authentication/Token/RememberMeToken.php b/src/Symfony/Component/Security/Core/Authentication/Token/RememberMeToken.php
@@ -11,6 +11,7 @@
 
 namespace Symfony\Component\Security\Core\Authentication\Token;
 
+use Symfony\Component\Security\Core\Exception\InvalidArgumentException;
 use Symfony\Component\Security\Core\User\UserInterface;
 
 /**
@@ -32,12 +33,12 @@ public function __construct(UserInterface $user, string $firewallName, #[\Sensit
     {
         parent::__construct($user->getRoles());
 
-        if (empty($secret)) {
-            throw new \InvalidArgumentException('$secret must not be empty.');
+        if (!$secret) {
+            throw new InvalidArgumentException('A non-empty secret is required.');
         }
 
-        if ('' === $firewallName) {
-            throw new \InvalidArgumentException('$firewallName must not be empty.');
+        if (!$firewallName) {
+            throw new InvalidArgumentException('$firewallName must not be empty.');
         }
 
         $this->firewallName = $firewallName;
diff --git a/src/Symfony/Component/Security/Core/Signature/SignatureHasher.php b/src/Symfony/Component/Security/Core/Signature/SignatureHasher.php
@@ -37,6 +37,11 @@ class SignatureHasher
      */
     public function __construct(PropertyAccessorInterface $propertyAccessor, array $signatureProperties, #[\SensitiveParameter] string $secret, ExpiredSignatureStorage $expiredSignaturesStorage = null, int $maxUses = null)
     {
+        if (!$secret) {
+            trigger_deprecation('symfony/security-core', '6.4', 'Calling "%s()" with an empty secret is deprecated. A non-empty secret will be mandatory in version 7.0.', __METHOD__);
+            // throw new \Symfony\Component\Security\Core\Exception\InvalidArgumentException('A non-empty secret is required.');
+        }
+
         $this->propertyAccessor = $propertyAccessor;
         $this->signatureProperties = $signatureProperties;
         $this->secret = $secret;
diff --git a/src/Symfony/Component/Security/Http/Authenticator/RememberMeAuthenticator.php b/src/Symfony/Component/Security/Http/Authenticator/RememberMeAuthenticator.php
@@ -51,6 +51,11 @@ class RememberMeAuthenticator implements InteractiveAuthenticatorInterface
 
     public function __construct(RememberMeHandlerInterface $rememberMeHandler, #[\SensitiveParameter] string $secret, TokenStorageInterface $tokenStorage, string $cookieName, LoggerInterface $logger = null)
     {
+        if (!$secret) {
+            trigger_deprecation('symfony/security-http', '6.4', 'Calling "%s()" with an empty secret is deprecated. A non-empty secret will be mandatory in version 7.0.', __METHOD__);
+            // throw new \Symfony\Component\Security\Core\Exception\InvalidArgumentException('A non-empty secret is required.');
+        }
+
         $this->rememberMeHandler = $rememberMeHandler;
         $this->secret = $secret;
         $this->tokenStorage = $tokenStorage;
diff --git a/src/Symfony/Component/Security/Http/RateLimiter/DefaultLoginRateLimiter.php b/src/Symfony/Component/Security/Http/RateLimiter/DefaultLoginRateLimiter.php
@@ -35,10 +35,11 @@ final class DefaultLoginRateLimiter extends AbstractRequestRateLimiter
      */
     public function __construct(RateLimiterFactory $globalFactory, RateLimiterFactory $localFactory, #[\SensitiveParameter] string $secret = '')
     {
-        if ('' === $secret) {
+        if (!$secret) {
             trigger_deprecation('symfony/security-http', '6.4', 'Calling "%s()" with an empty secret is deprecated. A non-empty secret will be mandatory in version 7.0.', __METHOD__);
             // throw new \Symfony\Component\Security\Core\Exception\InvalidArgumentException('A non-empty secret is required.');
         }
+
         $this->globalFactory = $globalFactory;
         $this->localFactory = $localFactory;
         $this->secret = $secret;
diff --git a/src/Symfony/Component/Webhook/Client/AbstractRequestParser.php b/src/Symfony/Component/Webhook/Client/AbstractRequestParser.php
@@ -22,7 +22,7 @@
  */
 abstract class AbstractRequestParser implements RequestParserInterface
 {
-    public function parse(Request $request, string $secret): ?RemoteEvent
+    public function parse(Request $request, #[\SensitiveParameter] string $secret): ?RemoteEvent
     {
         $this->validate($request);
 
@@ -41,7 +41,7 @@ public function createRejectedResponse(string $reason): Response
 
     abstract protected function getRequestMatcher(): RequestMatcherInterface;
 
-    abstract protected function doParse(Request $request, string $secret): ?RemoteEvent;
+    abstract protected function doParse(Request $request, #[\SensitiveParameter] string $secret): ?RemoteEvent;
 
     protected function validate(Request $request): void
     {
diff --git a/src/Symfony/Component/Webhook/Client/RequestParser.php b/src/Symfony/Component/Webhook/Client/RequestParser.php
@@ -41,7 +41,7 @@ protected function getRequestMatcher(): RequestMatcherInterface
         ]);
     }
 
-    protected function doParse(Request $request, string $secret): RemoteEvent
+    protected function doParse(Request $request, #[\SensitiveParameter] string $secret): RemoteEvent
     {
         $body = $request->toArray();
 
@@ -60,7 +60,7 @@ protected function doParse(Request $request, string $secret): RemoteEvent
         );
     }
 
-    private function validateSignature(HeaderBag $headers, string $body, $secret): void
+    private function validateSignature(HeaderBag $headers, string $body, #[\SensitiveParameter] string $secret): void
     {
         $signature = $headers->get($this->signatureHeaderName);
         $event = $headers->get($this->eventHeaderName);
diff --git a/src/Symfony/Component/Webhook/Client/RequestParserInterface.php b/src/Symfony/Component/Webhook/Client/RequestParserInterface.php
@@ -28,7 +28,7 @@ interface RequestParserInterface
      *
      * @throws RejectWebhookException When the payload is rejected (signature issue, parse issue, ...)
      */
-    public function parse(Request $request, string $secret): ?RemoteEvent;
+    public function parse(Request $request, #[\SensitiveParameter] string $secret): ?RemoteEvent;
 
     public function createSuccessfulResponse(): Response;
 
diff --git a/src/Symfony/Component/Webhook/Server/HeaderSignatureConfigurator.php b/src/Symfony/Component/Webhook/Server/HeaderSignatureConfigurator.php
@@ -13,6 +13,7 @@
 
 use Symfony\Component\HttpClient\HttpOptions;
 use Symfony\Component\RemoteEvent\RemoteEvent;
+use Symfony\Component\Webhook\Exception\InvalidArgumentException;
 use Symfony\Component\Webhook\Exception\LogicException;
 
 /**
@@ -26,8 +27,12 @@ public function __construct(
     ) {
     }
 
-    public function configure(RemoteEvent $event, string $secret, HttpOptions $options): void
+    public function configure(RemoteEvent $event, #[\SensitiveParameter] string $secret, HttpOptions $options): void
     {
+        if (!$secret) {
+            throw new InvalidArgumentException('A non-empty secret is required.');
+        }
+
         $opts = $options->toArray();
         $headers = $opts['headers'];
         if (!isset($opts['body'])) {
diff --git a/src/Symfony/Component/Webhook/Server/HeadersConfigurator.php b/src/Symfony/Component/Webhook/Server/HeadersConfigurator.php
@@ -25,7 +25,7 @@ public function __construct(
     ) {
     }
 
-    public function configure(RemoteEvent $event, string $secret, HttpOptions $options): void
+    public function configure(RemoteEvent $event, #[\SensitiveParameter] string $secret, HttpOptions $options): void
     {
         $options->setHeaders([
             $this->eventHeaderName => $event->getName(),
diff --git a/src/Symfony/Component/Webhook/Server/JsonBodyConfigurator.php b/src/Symfony/Component/Webhook/Server/JsonBodyConfigurator.php
@@ -25,7 +25,7 @@ public function __construct(
     ) {
     }
 
-    public function configure(RemoteEvent $event, string $secret, HttpOptions $options): void
+    public function configure(RemoteEvent $event, #[\SensitiveParameter] string $secret, HttpOptions $options): void
     {
         $body = $this->serializer->serialize($event->getPayload(), 'json');
         $options->setBody($body);
diff --git a/src/Symfony/Component/Webhook/Server/RequestConfiguratorInterface.php b/src/Symfony/Component/Webhook/Server/RequestConfiguratorInterface.php
@@ -19,5 +19,5 @@
  */
 interface RequestConfiguratorInterface
 {
-    public function configure(RemoteEvent $event, string $secret, HttpOptions $options): void;
+    public function configure(RemoteEvent $event, #[\SensitiveParameter] string $secret, HttpOptions $options): void;
 }
diff --git a/src/Symfony/Component/Webhook/Subscriber.php b/src/Symfony/Component/Webhook/Subscriber.php
@@ -11,12 +11,17 @@
 
 namespace Symfony\Component\Webhook;
 
+use Symfony\Component\Webhook\Exception\InvalidArgumentException;
+
 class Subscriber
 {
     public function __construct(
         private readonly string $url,
         #[\SensitiveParameter] private readonly string $secret,
     ) {
+        if (!$secret) {
+            throw new InvalidArgumentException('A non-empty secret is required.');
+        }
     }
 
     public function getUrl(): string

Original file line number	Diff line number	Diff line change
`@@ -41,7 +41,7 @@ protected function getRequestMatcher(): RequestMatcherInterface`
`41`	`41`	`]);`
`42`	`42`	`}`
`43`	`43`
`44`		`- protected function doParse(Request $request, string $secret): ?AbstractMailerEvent`
	`44`	`+ protected function doParse(Request $request, #[\SensitiveParameter] string $secret): ?AbstractMailerEvent`
`45`	`45`	`{`
`46`	`46`	`$content = $request->toArray();`
`47`	`47`	`if (`
Original file line number	Diff line number	Diff line change
`@@ -37,8 +37,13 @@ protected function getRequestMatcher(): RequestMatcherInterface`
`37`	`37`	`]);`
`38`	`38`	`}`
`39`	`39`
`40`		`- protected function doParse(Request $request, string $secret): ?AbstractMailerEvent`
	`40`	`+ protected function doParse(Request $request, #[\SensitiveParameter] string $secret): ?AbstractMailerEvent`
`41`	`41`	`{`
	`42`	`+ if (!$secret) {`
	`43`	`+ trigger_deprecation('symfony/mailer', '6.4', 'Calling "%s()" with an empty secret is deprecated. A non-empty secret will be mandatory in version 7.0.', __METHOD__);`
	`44`	`+ // throw new \Symfony\Component\Mailer\Exception\InvalidArgumentException('A non-empty secret is required.');`
	`45`	`+ }`
	`46`	`+`
`42`	`47`	`$content = $request->toArray();`
`43`	`48`	`if (`
`44`	`49`	`!isset($content['signature']['timestamp'])`
`@@ -60,7 +65,7 @@ protected function doParse(Request $request, string $secret): ?AbstractMailerEve`
`60`	`65`	`}`
`61`	`66`	`}`
`62`	`67`
`63`		`- private function validateSignature(array $signature, string $secret): void`
	`68`	`+ private function validateSignature(array $signature, #[\SensitiveParameter] string $secret): void`
`64`	`69`	`{`
`65`	`70`	`// see https://documentation.mailgun.com/en/latest/user_manual.html#webhooks-1`
`66`	`71`	`if (!hash_equals($signature['signature'], hash_hmac('sha256', $signature['timestamp'].$signature['token'], $secret))) {`
Original file line number	Diff line number	Diff line change
`@@ -37,7 +37,7 @@ protected function getRequestMatcher(): RequestMatcherInterface`
`37`	`37`	`]);`
`38`	`38`	`}`
`39`	`39`
`40`		`- protected function doParse(Request $request, string $secret): ?AbstractMailerEvent`
	`40`	`+ protected function doParse(Request $request, #[\SensitiveParameter] string $secret): ?AbstractMailerEvent`
`41`	`41`	`{`
`42`	`42`	`try {`
`43`	`43`	`return $this->converter->convert($request->toArray());`
Original file line number	Diff line number	Diff line change
`@@ -41,6 +41,11 @@ public function authenticate(EsmtpTransport $client): void`
`41`	`41`	`*/`
`42`	`42`	`private function getResponse(#[\SensitiveParameter] string $secret, string $challenge): string`
`43`	`43`	`{`
	`44`	`+ if (!$secret) {`
	`45`	`+ trigger_deprecation('symfony/mailer', '6.4', 'Calling "%s()" with an empty secret is deprecated. A non-empty secret will be mandatory in version 7.0.', __METHOD__);`
	`46`	`+ // throw new \Symfony\Component\Mailer\Exception\InvalidArgumentException('A non-empty secret is required.');`
	`47`	`+ }`
	`48`	`+`
`44`	`49`	`if (\strlen($secret) > 64) {`
`45`	`50`	`$secret = pack('H32', md5($secret));`
`46`	`51`	`}`