Add #[SensitiveParameter] attribute to sensitive parameters
#1082
Conversation
Slamdunk
changed the title
#[SensitiveParameter] attribute to sensitive parameters
There was a problem hiding this comment.
Thank you for this contribution.
As far as I know, #[SensitiveParameter] only makes sense in string parameters, please update the PR to only target:
\Lcobucci\JWT\Signer\Key\InMemorymethods\Lcobucci\JWT\Signer\OpenSSL::createSignature\Lcobucci\JWT\Signer\OpenSSL::verifySignature
Also, as this can be considered a
Bug
please target the 5.4.x branch.
slknijnenburg
force-pushed
the
add-sensitiveparam-attribute
branch
from
b0e12fc
to
6be91ef
Compare
slknijnenburg
force-pushed
the
add-sensitiveparam-attribute
branch
from
6be91ef
to
bb807f4
Compare
slknijnenburg
force-pushed
the
add-sensitiveparam-attribute
branch
from
bb807f4
to
6a61245
Compare
Adds `#[SensitiveParameter]` to all potentially sensitive parameters, including key material, certificates and passphrases.
slknijnenburg
force-pushed
the
add-sensitiveparam-attribute
branch
from
6a61245
to
90aab82
Compare
This is false. The attribute is agnostic to the parameter type and the Exception handler of your choice might opt to also process objects (e.g. by printing their |
|
Mmm, by this logic everything is sensitive, if my debug handler dumps the entire memory and filesystem to the logger. I think handling the default behaviour is enough for us. |
Fixes #1081, adds
#[SensitiveParameter]to all potentially sensitive parameters, including key material, certificates and passphrases.I wondered if this would be a BC break, but it seems that that is not the case. Child classes/interface implementations can apparently omit the attribute without any problems.