From 2f6138847b8b3f64413d576e9521d195433ab92c Mon Sep 17 00:00:00 2001 From: Philip Iezzi Date: Fri, 28 Jun 2024 10:39:16 +0200 Subject: [PATCH] Add SensitiveParameter attribute to a lot more sensitive params in Auth --- src/Illuminate/Auth/DatabaseUserProvider.php | 11 ++++++----- src/Illuminate/Auth/EloquentUserProvider.php | 11 ++++++----- src/Illuminate/Auth/Events/Attempting.php | 4 +++- src/Illuminate/Auth/Events/Failed.php | 4 +++- src/Illuminate/Auth/Notifications/ResetPassword.php | 3 ++- src/Illuminate/Auth/Passwords/CanResetPassword.php | 3 ++- .../Auth/Passwords/DatabaseTokenRepository.php | 5 +++-- src/Illuminate/Auth/Passwords/PasswordBroker.php | 13 +++++++------ .../Auth/Passwords/TokenRepositoryInterface.php | 3 ++- src/Illuminate/Auth/RequestGuard.php | 3 ++- src/Illuminate/Auth/SessionGuard.php | 3 ++- src/Illuminate/Contracts/Auth/UserProvider.php | 12 +++++++----- src/Illuminate/Encryption/Encrypter.php | 2 +- 13 files changed, 46 insertions(+), 31 deletions(-) diff --git a/src/Illuminate/Auth/DatabaseUserProvider.php b/src/Illuminate/Auth/DatabaseUserProvider.php index 1be060cb831a..88775699b7ca 100755 --- a/src/Illuminate/Auth/DatabaseUserProvider.php +++ b/src/Illuminate/Auth/DatabaseUserProvider.php @@ -8,6 +8,7 @@ use Illuminate\Contracts\Hashing\Hasher as HasherContract; use Illuminate\Contracts\Support\Arrayable; use Illuminate\Database\ConnectionInterface; +use SensitiveParameter; class DatabaseUserProvider implements UserProvider { @@ -67,7 +68,7 @@ public function retrieveById($identifier) * @param string $token * @return \Illuminate\Contracts\Auth\Authenticatable|null */ - public function retrieveByToken($identifier, $token) + public function retrieveByToken($identifier, #[SensitiveParameter] $token) { $user = $this->getGenericUser( $this->connection->table($this->table)->find($identifier) 
@@ -84,7 +85,7 @@ public function retrieveByToken($identifier, $token) * @param string $token * @return void */ - public function updateRememberToken(UserContract $user, $token) + public function updateRememberToken(UserContract $user, #[SensitiveParameter] $token) { $this->connection->table($this->table) ->where($user->getAuthIdentifierName(), $user->getAuthIdentifier()) @@ -97,7 +98,7 @@ public function updateRememberToken(UserContract $user, $token) * @param array $credentials * @return \Illuminate\Contracts\Auth\Authenticatable|null */ - public function retrieveByCredentials(array $credentials) + public function retrieveByCredentials(#[SensitiveParameter] array $credentials) { $credentials = array_filter( $credentials, @@ -152,7 +153,7 @@ protected function getGenericUser($user) * @param array $credentials * @return bool */ - public function validateCredentials(UserContract $user, array $credentials) + public function validateCredentials(UserContract $user, #[SensitiveParameter] array $credentials) { return $this->hasher->check( $credentials['password'], $user->getAuthPassword() @@ -167,7 +168,7 @@ public function validateCredentials(UserContract $user, array $credentials) * @param bool $force * @return void */ - public function rehashPasswordIfRequired(UserContract $user, array $credentials, bool $force = false) + public function rehashPasswordIfRequired(UserContract $user, #[SensitiveParameter] array $credentials, bool $force = false) { if (! $this->hasher->needsRehash($user->getAuthPassword()) && ! $force) { return; diff --git a/src/Illuminate/Auth/EloquentUserProvider.php b/src/Illuminate/Auth/EloquentUserProvider.php index 646c2187f595..78e40dda117c 100755 --- a/src/Illuminate/Auth/EloquentUserProvider.php +++ b/src/Illuminate/Auth/EloquentUserProvider.php 
@@ -7,6 +7,7 @@ use Illuminate\Contracts\Auth\UserProvider; use Illuminate\Contracts\Hashing\Hasher as HasherContract; use Illuminate\Contracts\Support\Arrayable; +use SensitiveParameter; class EloquentUserProvider implements UserProvider { @@ -66,7 +67,7 @@ public function retrieveById($identifier) * @param string $token * @return \Illuminate\Contracts\Auth\Authenticatable|null */ - public function retrieveByToken($identifier, $token) + public function retrieveByToken($identifier, #[SensitiveParameter] $token) { $model = $this->createModel(); @@ -90,7 +91,7 @@ public function retrieveByToken($identifier, $token) * @param string $token * @return void */ - public function updateRememberToken(UserContract $user, $token) + public function updateRememberToken(UserContract $user, #[SensitiveParameter] $token) { $user->setRememberToken($token); @@ -109,7 +110,7 @@ public function updateRememberToken(UserContract $user, $token) * @param array $credentials * @return \Illuminate\Contracts\Auth\Authenticatable|null */ - public function retrieveByCredentials(array $credentials) + public function retrieveByCredentials(#[SensitiveParameter] array $credentials) { $credentials = array_filter( $credentials, @@ -146,7 +147,7 @@ public function retrieveByCredentials(array $credentials) * @param array $credentials * @return bool */ - public function validateCredentials(UserContract $user, array $credentials) + public function validateCredentials(UserContract $user, #[SensitiveParameter] array $credentials) { if (is_null($plain = $credentials['password'])) { return false; 
@@ -163,7 +164,7 @@ public function validateCredentials(UserContract $user, array $credentials) * @param bool $force * @return void */ - public function rehashPasswordIfRequired(UserContract $user, array $credentials, bool $force = false) + public function rehashPasswordIfRequired(UserContract $user, #[SensitiveParameter] array $credentials, bool $force = false) { if (! $this->hasher->needsRehash($user->getAuthPassword()) && ! $force) { return; diff --git a/src/Illuminate/Auth/Events/Attempting.php b/src/Illuminate/Auth/Events/Attempting.php index 3f911bac58e8..8e177fe52980 100644 --- a/src/Illuminate/Auth/Events/Attempting.php +++ b/src/Illuminate/Auth/Events/Attempting.php @@ -2,6 +2,8 @@ namespace Illuminate\Auth\Events; +use SensitiveParameter; + class Attempting { /** @@ -33,7 +35,7 @@ class Attempting * @param bool $remember * @return void */ - public function __construct($guard, $credentials, $remember) + public function __construct($guard, #[SensitiveParameter] $credentials, $remember) { $this->guard = $guard; $this->remember = $remember; diff --git a/src/Illuminate/Auth/Events/Failed.php b/src/Illuminate/Auth/Events/Failed.php index 34f812487027..ee8c4470cb92 100644 --- a/src/Illuminate/Auth/Events/Failed.php +++ b/src/Illuminate/Auth/Events/Failed.php @@ -2,6 +2,8 @@ namespace Illuminate\Auth\Events; +use SensitiveParameter; + class Failed { /** @@ -33,7 +35,7 @@ class Failed * @param array $credentials * @return void */ - public function __construct($guard, $user, $credentials) + public function __construct($guard, $user, #[SensitiveParameter] $credentials) { $this->user = $user; $this->guard = $guard; diff --git a/src/Illuminate/Auth/Notifications/ResetPassword.php b/src/Illuminate/Auth/Notifications/ResetPassword.php index efb4573e8be2..ad32d5df12a6 100644 --- a/src/Illuminate/Auth/Notifications/ResetPassword.php +++ b/src/Illuminate/Auth/Notifications/ResetPassword.php 
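Review bot: `#[SensitiveParameter]` on `$credentials` in the `Attempting` and `Failed` constructors only keeps the argument out of stack-trace frames; it does not cover the event object itself. Both constructors presumably still store the array on the event (the assignment lies outside both hunks), so a listener that logs, dumps or queues the event can still record the plaintext password. I would state that in the constructor docblocks, for example `Note: $credentials may hold the plaintext password and stays readable on the event; listeners must not log or serialize it.` Both constructor bodies continue past the end of their hunks.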
@@ -5,6 +5,7 @@ use Illuminate\Notifications\Messages\MailMessage; use Illuminate\Notifications\Notification; use Illuminate\Support\Facades\Lang; +use SensitiveParameter; class ResetPassword extends Notification { @@ -35,7 +36,7 @@ class ResetPassword extends Notification * @param string $token * @return void */ - public function __construct($token) + public function __construct(#[SensitiveParameter] $token) { $this->token = $token; } diff --git a/src/Illuminate/Auth/Passwords/CanResetPassword.php b/src/Illuminate/Auth/Passwords/CanResetPassword.php index 918a288fec66..cea20304a4aa 100644 --- a/src/Illuminate/Auth/Passwords/CanResetPassword.php +++ b/src/Illuminate/Auth/Passwords/CanResetPassword.php @@ -3,6 +3,7 @@ namespace Illuminate\Auth\Passwords; use Illuminate\Auth\Notifications\ResetPassword as ResetPasswordNotification; +use SensitiveParameter; trait CanResetPassword { @@ -22,7 +23,7 @@ public function getEmailForPasswordReset() * @param string $token * @return void */ - public function sendPasswordResetNotification($token) + public function sendPasswordResetNotification(#[SensitiveParameter] $token) { $this->notify(new ResetPasswordNotification($token)); } diff --git a/src/Illuminate/Auth/Passwords/DatabaseTokenRepository.php b/src/Illuminate/Auth/Passwords/DatabaseTokenRepository.php index fe5f54b79765..b4d7eef45715 100755 --- a/src/Illuminate/Auth/Passwords/DatabaseTokenRepository.php +++ b/src/Illuminate/Auth/Passwords/DatabaseTokenRepository.php @@ -7,6 +7,7 @@ use Illuminate\Database\ConnectionInterface; use Illuminate\Support\Carbon; use Illuminate\Support\Str; +use SensitiveParameter; class DatabaseTokenRepository implements TokenRepositoryInterface { 
@@ -115,7 +116,7 @@ protected function deleteExisting(CanResetPasswordContract $user) * @param string $token * @return array */ - protected function getPayload($email, $token) + protected function getPayload($email, #[SensitiveParameter] $token) { return ['email' => $email, 'token' => $this->hasher->make($token), 'created_at' => new Carbon]; } @@ -127,7 +128,7 @@ protected function getPayload($email, $token) * @param string $token * @return bool */ - public function exists(CanResetPasswordContract $user, $token) + public function exists(CanResetPasswordContract $user, #[SensitiveParameter] $token) { $record = (array) $this->getTable()->where( 'email', $user->getEmailForPasswordReset() diff --git a/src/Illuminate/Auth/Passwords/PasswordBroker.php b/src/Illuminate/Auth/Passwords/PasswordBroker.php index eb213c498876..5a66c574b4e0 100755 --- a/src/Illuminate/Auth/Passwords/PasswordBroker.php +++ b/src/Illuminate/Auth/Passwords/PasswordBroker.php @@ -7,6 +7,7 @@ use Illuminate\Contracts\Auth\PasswordBroker as PasswordBrokerContract; use Illuminate\Contracts\Auth\UserProvider; use Illuminate\Support\Arr; +use SensitiveParameter; use UnexpectedValueException; class PasswordBroker implements PasswordBrokerContract @@ -32,7 +33,7 @@ class PasswordBroker implements PasswordBrokerContract * @param \Illuminate\Contracts\Auth\UserProvider $users * @return void */ - public function __construct(TokenRepositoryInterface $tokens, UserProvider $users) + public function __construct(#[SensitiveParameter] TokenRepositoryInterface $tokens, UserProvider $users) { $this->users = $users; $this->tokens = $tokens; 
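Review bot: In `PasswordBroker::__construct` the attribute is applied to `TokenRepositoryInterface $tokens`, which is the repository service, not a token value. Marking it hides nothing secret and only replaces a useful object with a redacted placeholder in traces, and it blurs the convention that the attribute marks secrets. I would revert that one signature to `public function __construct(TokenRepositoryInterface $tokens, UserProvider $users)` and keep the attribute on the `$token` and `$credentials` parameters elsewhere in the file.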
@@ -45,7 +46,7 @@ public function __construct(TokenRepositoryInterface $tokens, UserProvider $user * @param \Closure|null $callback * @return string */ - public function sendResetLink(array $credentials, ?Closure $callback = null) + public function sendResetLink(#[SensitiveParameter] array $credentials, ?Closure $callback = null) { // First we will check to see if we found a user at the given credentials and // if we did not we will redirect back to this current URI with a piece of @@ -81,7 +82,7 @@ public function sendResetLink(array $credentials, ?Closure $callback = null) * @param \Closure $callback * @return mixed */ - public function reset(array $credentials, Closure $callback) + public function reset(#[SensitiveParameter] array $credentials, Closure $callback) { $user = $this->validateReset($credentials); @@ -110,7 +111,7 @@ public function reset(array $credentials, Closure $callback) * @param array $credentials * @return \Illuminate\Contracts\Auth\CanResetPassword|string */ - protected function validateReset(array $credentials) + protected function validateReset(#[SensitiveParameter] array $credentials) { if (is_null($user = $this->getUser($credentials))) { return static::INVALID_USER; @@ -131,7 +132,7 @@ protected function validateReset(array $credentials) * * @throws \UnexpectedValueException */ - public function getUser(array $credentials) + public function getUser(#[SensitiveParameter] array $credentials) { $credentials = Arr::except($credentials, ['token']); @@ -173,7 +174,7 @@ public function deleteToken(CanResetPasswordContract $user) * @param string $token * @return bool */ - public function tokenExists(CanResetPasswordContract $user, $token) + public function tokenExists(CanResetPasswordContract $user, #[SensitiveParameter] $token) { return $this->tokens->exists($user, $token); } diff --git a/src/Illuminate/Auth/Passwords/TokenRepositoryInterface.php b/src/Illuminate/Auth/Passwords/TokenRepositoryInterface.php index 47c17581ff50..34cc2fe389e3 100755 
--- a/src/Illuminate/Auth/Passwords/TokenRepositoryInterface.php +++ b/src/Illuminate/Auth/Passwords/TokenRepositoryInterface.php @@ -3,6 +3,7 @@ namespace Illuminate\Auth\Passwords; use Illuminate\Contracts\Auth\CanResetPassword as CanResetPasswordContract; +use SensitiveParameter; interface TokenRepositoryInterface { @@ -21,7 +22,7 @@ public function create(CanResetPasswordContract $user); * @param string $token * @return bool */ - public function exists(CanResetPasswordContract $user, $token); + public function exists(CanResetPasswordContract $user, #[SensitiveParameter] $token); /** * Determine if the given user recently created a password reset token. diff --git a/src/Illuminate/Auth/RequestGuard.php b/src/Illuminate/Auth/RequestGuard.php index 7c1dfdc553e0..e95ffd98edb5 100644 --- a/src/Illuminate/Auth/RequestGuard.php +++ b/src/Illuminate/Auth/RequestGuard.php @@ -6,6 +6,7 @@ use Illuminate\Contracts\Auth\UserProvider; use Illuminate\Http\Request; use Illuminate\Support\Traits\Macroable; +use SensitiveParameter; class RequestGuard implements Guard { @@ -65,7 +66,7 @@ public function user() * @param array $credentials * @return bool */ - public function validate(array $credentials = []) + public function validate(#[SensitiveParameter] array $credentials = []) { return ! is_null((new static( $this->callback, $credentials['request'], $this->getProvider() diff --git a/src/Illuminate/Auth/SessionGuard.php b/src/Illuminate/Auth/SessionGuard.php index ebcf0de61fb0..dae6e0b66612 100644 --- a/src/Illuminate/Auth/SessionGuard.php +++ b/src/Illuminate/Auth/SessionGuard.php @@ -24,6 +24,7 @@ use Illuminate\Support\Traits\Macroable; use InvalidArgumentException; use RuntimeException; +use SensitiveParameter; use Symfony\Component\HttpFoundation\Request; use Symfony\Component\HttpKernel\Exception\UnauthorizedHttpException; 
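Review bot: The attribute on `TokenRepositoryInterface::exists()` documents intent but does not propagate, since PHP does not inherit parameter attributes from an interface to the implementing method. The same holds for the five `Illuminate\Contracts\Auth\UserProvider` signatures changed later in this patch. The framework's own implementations are updated here, but a custom user provider or token repository keeps exposing `$token` and `$credentials` in its stack frames until its author adds the attribute too. I would add a line to the interface docblocks such as `Implementations should mark $token with #[\SensitiveParameter] themselves; the attribute is not inherited.`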
@@ -488,7 +489,7 @@ protected function shouldLogin($callbacks, AuthenticatableContract $user) * @param array $credentials * @return void */ - protected function rehashPasswordIfRequired(AuthenticatableContract $user, array $credentials) + protected function rehashPasswordIfRequired(AuthenticatableContract $user, #[SensitiveParameter] array $credentials) { if ($this->rehashOnLogin) { $this->provider->rehashPasswordIfRequired($user, $credentials); diff --git a/src/Illuminate/Contracts/Auth/UserProvider.php b/src/Illuminate/Contracts/Auth/UserProvider.php index 4ed51bf00e9c..5e2b8e77ae9c 100644 --- a/src/Illuminate/Contracts/Auth/UserProvider.php +++ b/src/Illuminate/Contracts/Auth/UserProvider.php @@ -2,6 +2,8 @@ namespace Illuminate\Contracts\Auth; +use SensitiveParameter; + interface UserProvider { /** @@ -19,7 +21,7 @@ public function retrieveById($identifier); * @param string $token * @return \Illuminate\Contracts\Auth\Authenticatable|null */ - public function retrieveByToken($identifier, $token); + public function retrieveByToken($identifier, #[SensitiveParameter] $token); /** * Update the "remember me" token for the given user in storage. @@ -28,7 +30,7 @@ public function retrieveByToken($identifier, $token); * @param string $token * @return void */ - public function updateRememberToken(Authenticatable $user, $token); + public function updateRememberToken(Authenticatable $user, #[SensitiveParameter] $token); /** * Retrieve a user by the given credentials. @@ -36,7 +38,7 @@ public function updateRememberToken(Authenticatable $user, $token); * @param array $credentials * @return \Illuminate\Contracts\Auth\Authenticatable|null */ - public function retrieveByCredentials(array $credentials); + public function retrieveByCredentials(#[SensitiveParameter] array $credentials); /** * Validate a user against the given credentials. 
@@ -45,7 +47,7 @@ public function retrieveByCredentials(array $credentials); * @param array $credentials * @return bool */ - public function validateCredentials(Authenticatable $user, array $credentials); + public function validateCredentials(Authenticatable $user, #[SensitiveParameter] array $credentials); /** * Rehash the user's password if required and supported. @@ -55,5 +57,5 @@ public function validateCredentials(Authenticatable $user, array $credentials); * @param bool $force * @return void */ - public function rehashPasswordIfRequired(Authenticatable $user, array $credentials, bool $force = false); + public function rehashPasswordIfRequired(Authenticatable $user, #[SensitiveParameter] array $credentials, bool $force = false); } diff --git a/src/Illuminate/Encryption/Encrypter.php b/src/Illuminate/Encryption/Encrypter.php index f66ac633eb8e..eb5c44d777a4 100755 --- a/src/Illuminate/Encryption/Encrypter.php +++ b/src/Illuminate/Encryption/Encrypter.php @@ -218,7 +218,7 @@ public function decryptString($payload) * @param string $key * @return string */ - protected function hash($iv, #[SensitiveParameter] $value, $key) + protected function hash(#[SensitiveParameter] $iv, #[SensitiveParameter] $value, #[SensitiveParameter] $key) { return hash_hmac('sha256', $iv.$value, $key); }
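Review bot: In `Encrypter::hash()` the new signature marks `$iv` as sensitive along with `$value` and `$key`, but an IV is normally not confidential because it travels with the ciphertext. Redacting it adds no protection and removes a value that helps when diagnosing MAC mismatches, whereas `$key` is the parameter that needed covering. I would narrow the line to `protected function hash($iv, #[SensitiveParameter] $value, #[SensitiveParameter] $key)`. The hunk adds no `use SensitiveParameter;` to this file; since the old line already used the attribute the import presumably exists, but it is worth confirming, because an unresolved name inside the namespace would silently disable the redaction.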