
Merge pull request laminas#165 from TimWolla/sensitive-parameter
Apply the #[\SensitiveParameter] attribute
Ocramius authored Dec 13, 2022
2 parents 78903b7 + 278c5db commit e40ee8d
Showing 2 changed files with 42 additions and 14 deletions.
12 changes: 10 additions & 2 deletions src/CreditCard.php
Expand Up @@ -5,6 +5,7 @@
use Exception;
use Laminas\Stdlib\ArrayUtils;
use Laminas\Validator\Exception\InvalidArgumentException;
use SensitiveParameter;
use Traversable;

use function array_key_exists;
Expand Down Expand Up @@ -355,14 +356,19 @@ public function setService($service)
return $this;
}

// The following rule is buggy for parameters attributes
// phpcs:disable SlevomatCodingStandard.TypeHints.ParameterTypeHintSpacing.NoSpaceBetweenTypeHintAndParameter

/**
* Returns true if and only if $value follows the Luhn algorithm (mod-10 checksum)
*
* @param string $value
* @return bool
*/
public function isValid($value)
{
public function isValid(
#[SensitiveParameter]
$value
) {
$this->setValue($value);

if (! is_string($value)) {
Expand Down Expand Up @@ -433,4 +439,6 @@ public function isValid($value)

return true;
}

// phpcs:enable SlevomatCodingStandard.TypeHints.ParameterTypeHintSpacing.NoSpaceBetweenTypeHintAndParameter
}
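Review bot: The `$this->setValue($value)` call directly under the new isValid signature still stores the raw card number on the validator, so the attribute only keeps `$value` out of backtrace argument lists, not out of the object's state or anything derived from it (presumably the `%value%` message placeholder, which this hunk does not show). A one-line comment would stop readers from assuming the value is now redacted everywhere, e.g. `// #[SensitiveParameter] only redacts $value from backtraces; setValue() still retains it on the validator.` isValid's body continues outside the hunk, so later uses of `$value` are not reviewed here. Since the signature is being rewritten anyway, the parameter could also get an explicit `mixed` type with a matching `@param mixed $value`, because the docblock currently says `string` while the body accepts anything and checks `is_string` itself; whether `mixed` is usable depends on the package's PHP floor, which is not visible on this page.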
44 changes: 32 additions & 12 deletions src/UndisclosedPassword.php
Expand Up @@ -5,6 +5,7 @@
use Psr\Http\Client\ClientExceptionInterface;
use Psr\Http\Client\ClientInterface;
use Psr\Http\Message\RequestFactoryInterface;
use SensitiveParameter;

use function array_filter;
use function explode;
Expand Down Expand Up @@ -45,9 +46,14 @@ public function __construct(private ClientInterface $httpClient, private Request
parent::__construct();
}

// The following rule is buggy for parameters attributes
// phpcs:disable SlevomatCodingStandard.TypeHints.ParameterTypeHintSpacing.NoSpaceBetweenTypeHintAndParameter

/** {@inheritDoc} */
public function isValid($value): bool
{
public function isValid(
#[SensitiveParameter]
$value
): bool {
if (! is_string($value)) {
$this->error(self::NOT_A_STRING);
return false;
Expand All @@ -61,8 +67,12 @@ public function isValid($value): bool
return true;
}

private function isPwnedPassword(string $password): bool
{
// phpcs:enable SlevomatCodingStandard.TypeHints.ParameterTypeHintSpacing.NoSpaceBetweenTypeHintAndParameter

private function isPwnedPassword(
#[SensitiveParameter]
string $password
): bool {
$sha1Hash = $this->hashPassword($password);
$rangeHash = $this->getRangeHash($sha1Hash);
$hashList = $this->retrieveHashList($rangeHash);
Expand All @@ -74,8 +84,10 @@ private function isPwnedPassword(string $password): bool
* We use a SHA1 hashed password for checking it against
* the breached data set of HIBP.
*/
private function hashPassword(string $password): string
{
private function hashPassword(
#[SensitiveParameter]
string $password
): string {
$hashedPassword = sha1($password);

return strtoupper($hashedPassword);
Expand All @@ -87,8 +99,10 @@ private function hashPassword(string $password): string
*
* @see https://www.troyhunt.com/enhancing-pwned-passwords-privacy-by-exclusively-supporting-anonymity/
*/
private function getRangeHash(string $passwordHash): string
{
private function getRangeHash(
#[SensitiveParameter]
string $passwordHash
): string {
return substr($passwordHash, self::HIBP_K_ANONYMITY_HASH_RANGE_BASE, self::HIBP_K_ANONYMITY_HASH_RANGE_LENGTH);
}

Expand All @@ -99,8 +113,10 @@ private function getRangeHash(string $passwordHash): string
*
* @throws ClientExceptionInterface
*/
private function retrieveHashList(string $passwordRange): string
{
private function retrieveHashList(
#[SensitiveParameter]
string $passwordRange
): string {
$request = $this->makeHttpRequest->createRequest(
'GET',
self::HIBP_API_URI . '/range/' . $passwordRange
Expand All @@ -113,8 +129,12 @@ private function retrieveHashList(string $passwordRange): string
/**
* Checks if the password is in the response from HIBP
*/
private function hashInResponse(string $sha1Hash, string $resultStream): bool
{
private function hashInResponse(
#[SensitiveParameter]
string $sha1Hash,
#[SensitiveParameter]
string $resultStream
): bool {
$data = explode("\r\n", $resultStream);
$hashes = array_filter($data, static function ($value) use ($sha1Hash): bool {
[$hash] = explode(':', $value);
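Review bot: In retrieveHashList the `#[SensitiveParameter]` on `$passwordRange` redacts only this frame's arguments, yet the same value is concatenated into the request URI three lines below, so it will still travel inside the request object and in any `ClientExceptionInterface` the HTTP client raises (the `@throws` above the method documents that path). That is acceptable because the range prefix is the k-anonymity value HIBP is designed to receive, but it should be stated so nobody treats the attribute as making the lookup leak-free, e.g. `// The attribute hides the prefix from traces only; it is sent to HIBP in the URI by design.` In hashInResponse the attribute is also applied to `$resultStream`, which is the HIBP response body rather than a secret; if the intent is to keep large bodies out of traces, a short comment saying so would make the choice look deliberate rather than accidental. isValid's call into isPwnedPassword is hidden by the collapsed region, so the full flow of the raw password through `sha1()` in hashPassword is only partly visible here.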
