Merge pull request #165 from TimWolla/sensitive-parameter

Apply the #[\SensitiveParameter] attribute
laminas · Dec 13, 2022 · e40ee8d · e40ee8d
2 parents 78903b7 + 278c5db
commit e40ee8d
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 14 deletions.
diff --git a/src/CreditCard.php b/src/CreditCard.php
@@ -5,6 +5,7 @@
 use Exception;
 use Laminas\Stdlib\ArrayUtils;
 use Laminas\Validator\Exception\InvalidArgumentException;
+use SensitiveParameter;
 use Traversable;
 
 use function array_key_exists;
@@ -355,14 +356,19 @@ public function setService($service)
         return $this;
     }
 
+    // The following rule is buggy for parameters attributes
+    // phpcs:disable SlevomatCodingStandard.TypeHints.ParameterTypeHintSpacing.NoSpaceBetweenTypeHintAndParameter
+
     /**
      * Returns true if and only if $value follows the Luhn algorithm (mod-10 checksum)
      *
      * @param  string $value
      * @return bool
      */
-    public function isValid($value)
-    {
+    public function isValid(
+        #[SensitiveParameter]
+        $value
+    ) {
         $this->setValue($value);
 
         if (! is_string($value)) {
@@ -433,4 +439,6 @@ public function isValid($value)
 
         return true;
     }
+
+    // phpcs:enable SlevomatCodingStandard.TypeHints.ParameterTypeHintSpacing.NoSpaceBetweenTypeHintAndParameter
 }
diff --git a/src/UndisclosedPassword.php b/src/UndisclosedPassword.php
@@ -5,6 +5,7 @@
 use Psr\Http\Client\ClientExceptionInterface;
 use Psr\Http\Client\ClientInterface;
 use Psr\Http\Message\RequestFactoryInterface;
+use SensitiveParameter;
 
 use function array_filter;
 use function explode;
@@ -45,9 +46,14 @@ public function __construct(private ClientInterface $httpClient, private Request
         parent::__construct();
     }
 
+    // The following rule is buggy for parameters attributes
+    // phpcs:disable SlevomatCodingStandard.TypeHints.ParameterTypeHintSpacing.NoSpaceBetweenTypeHintAndParameter
+
     /** {@inheritDoc} */
-    public function isValid($value): bool
-    {
+    public function isValid(
+        #[SensitiveParameter]
+        $value
+    ): bool {
         if (! is_string($value)) {
             $this->error(self::NOT_A_STRING);
             return false;
@@ -61,8 +67,12 @@ public function isValid($value): bool
         return true;
     }
 
-    private function isPwnedPassword(string $password): bool
-    {
+    // phpcs:enable SlevomatCodingStandard.TypeHints.ParameterTypeHintSpacing.NoSpaceBetweenTypeHintAndParameter
+
+    private function isPwnedPassword(
+        #[SensitiveParameter]
+        string $password
+    ): bool {
         $sha1Hash  = $this->hashPassword($password);
         $rangeHash = $this->getRangeHash($sha1Hash);
         $hashList  = $this->retrieveHashList($rangeHash);
@@ -74,8 +84,10 @@ private function isPwnedPassword(string $password): bool
      * We use a SHA1 hashed password for checking it against
      * the breached data set of HIBP.
      */
-    private function hashPassword(string $password): string
-    {
+    private function hashPassword(
+        #[SensitiveParameter]
+        string $password
+    ): string {
         $hashedPassword = sha1($password);
 
         return strtoupper($hashedPassword);
@@ -87,8 +99,10 @@ private function hashPassword(string $password): string
      *
      * @see https://www.troyhunt.com/enhancing-pwned-passwords-privacy-by-exclusively-supporting-anonymity/
      */
-    private function getRangeHash(string $passwordHash): string
-    {
+    private function getRangeHash(
+        #[SensitiveParameter]
+        string $passwordHash
+    ): string {
         return substr($passwordHash, self::HIBP_K_ANONYMITY_HASH_RANGE_BASE, self::HIBP_K_ANONYMITY_HASH_RANGE_LENGTH);
     }
 
@@ -99,8 +113,10 @@ private function getRangeHash(string $passwordHash): string
      *
      * @throws ClientExceptionInterface
      */
-    private function retrieveHashList(string $passwordRange): string
-    {
+    private function retrieveHashList(
+        #[SensitiveParameter]
+        string $passwordRange
+    ): string {
         $request = $this->makeHttpRequest->createRequest(
             'GET',
             self::HIBP_API_URI . '/range/' . $passwordRange
@@ -113,8 +129,12 @@ private function retrieveHashList(string $passwordRange): string
     /**
      * Checks if the password is in the response from HIBP
      */
-    private function hashInResponse(string $sha1Hash, string $resultStream): bool
-    {
+    private function hashInResponse(
+        #[SensitiveParameter]
+        string $sha1Hash,
+        #[SensitiveParameter]
+        string $resultStream
+    ): bool {
         $data   = explode("\r\n", $resultStream);
         $hashes = array_filter($data, static function ($value) use ($sha1Hash): bool {
             [$hash] = explode(':', $value);