From a3ea399d91dec05eda32d523c22db2306383b1c3 Mon Sep 17 00:00:00 2001
From: heap-s
Date: Tue, 27 Aug 2024 18:08:56 -0700
Subject: [PATCH 1/9] Add SensitiveParameter to password in PdoDriverInterface
---
 src/Driver/Pdo/PdoDriverInterface.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Driver/Pdo/PdoDriverInterface.php b/src/Driver/Pdo/PdoDriverInterface.php
index f8b8ba885..18ae0f4ea 100644
--- a/src/Driver/Pdo/PdoDriverInterface.php
+++ b/src/Driver/Pdo/PdoDriverInterface.php
@@ -78,7 +78,7 @@ public function getUsername(): string;
 *
 * @param string $password The password for establishing DB connection.
 */
- public function password(string $password): void;
+ public function password(#[\SensitiveParameter] string $password): void;
 /**
 * Set username for establishing DB connection. Defaults to `null` meaning use no username.
From 99d59d674c498eb63807df017534f1bb21e4b931 Mon Sep 17 00:00:00 2001
From: heap-s
Date: Wed, 28 Aug 2024 03:12:09 -0700
Subject: [PATCH 2/9] Move SensitiveParameter attribute from interface to implementation in AbstractPdoDriver
---
 src/Driver/Pdo/AbstractPdoDriver.php | 2 +-
 src/Driver/Pdo/PdoDriverInterface.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/Driver/Pdo/AbstractPdoDriver.php b/src/Driver/Pdo/AbstractPdoDriver.php
index 5ff58d10c..a79a5d426 100644
--- a/src/Driver/Pdo/AbstractPdoDriver.php
+++ b/src/Driver/Pdo/AbstractPdoDriver.php
@@ -61,7 +61,7 @@ public function getUsername(): string
 return $this->username;
 }
- public function password(string $password): void
+ public function password(#[\SensitiveParameter] string $password): void
 {
 $this->password = $password;
 }
diff --git a/src/Driver/Pdo/PdoDriverInterface.php b/src/Driver/Pdo/PdoDriverInterface.php
index 18ae0f4ea..f8b8ba885 100644
--- a/src/Driver/Pdo/PdoDriverInterface.php
+++ b/src/Driver/Pdo/PdoDriverInterface.php
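Review bot: In `AbstractPdoDriver::password()` (patch 2/9) the attribute only masks the argument in stack traces, and only on PHP 8.2+; the setter still copies the value into `$this->password`, so a dump or log of the driver object would presumably still show it. Attributes are not inherited by overriding methods, so a subclass that redeclares `password()` loses the masking unless it repeats the attribute. A short docblock would make both limits visible, for example `/** Marked with #[\SensitiveParameter] so the value is redacted in backtraces (PHP >= 8.2); overriding methods must repeat the attribute. */`. The method is fully inside the hunk; `getUsername()` above it starts outside.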
@@ -78,7 +78,7 @@ public function getUsername(): string;
 *
 * @param string $password The password for establishing DB connection.
 */
- public function password(#[\SensitiveParameter] string $password): void;
+ public function password(string $password): void;
 /**
 * Set username for establishing DB connection. Defaults to `null` meaning use no username.
From d71275ebddaf30f05f8f65066a236c515f8f6abb Mon Sep 17 00:00:00 2001
From: heap-s
Date: Wed, 28 Aug 2024 03:48:07 -0700
Subject: [PATCH 3/9] Add SensitiveParameter to constructor parameter and changelog #872
---
 CHANGELOG.md | 1 +
 src/Driver/Pdo/AbstractPdoDriver.php | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 550d21e56..1cfc7557e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -34,6 +34,7 @@
 - Enh #862: Refactor PHP type of `ColumnSchemaInterface` instances (@Tigrov)
 - Enh #865: Raise minimum PHP version to `^8.1` with minor refactoring (@Tigrov, @vjik)
 - Enh #798: Allow `QueryInterface::one()` and `QueryInterface::all()` to return objects (@darkdef, @Tigrov)
+- Chg #872: Add `#[\SensitiveParameter]` attribute for password (@heap-s)
 ## 1.3.0 March 21, 2024
diff --git a/src/Driver/Pdo/AbstractPdoDriver.php b/src/Driver/Pdo/AbstractPdoDriver.php
index a79a5d426..d66153e0b 100644
--- a/src/Driver/Pdo/AbstractPdoDriver.php
+++ b/src/Driver/Pdo/AbstractPdoDriver.php
@@ -21,7 +21,7 @@ abstract class AbstractPdoDriver implements PdoDriverInterface
 public function __construct(
 protected string $dsn,
 protected string $username = '',
- protected string $password = '',
+ #[\SensitiveParameter] protected string $password = '',
 protected array $attributes = []
 ) {
 }
From 42ac65955326a3b6eebe2568aa96d896057e0747 Mon Sep 17 00:00:00 2001
From: heap-s
Date: Wed, 28 Aug 2024 04:19:19 -0700
Subject: [PATCH 4/9] Make suggested changes to changelog
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
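Review bot: After the attribute is removed from `PdoDriverInterface::password()` (patch 2/9), the interface no longer tells implementers that `$password` is a secret, and an attribute on the interface declaration would not carry over to implementing methods anyway. The `@param` line is the place to record the expectation, for example `@param string $password The password for establishing DB connection. Implementations should mark this parameter with #[\SensitiveParameter].` The docblock starts above the hunk, so only its tail is visible here.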
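Review bot: In the `AbstractPdoDriver` constructor (patch 3/9) only `$password` is marked, while `$dsn` stays visible in backtraces; some PDO drivers accept credentials inside the DSN string, so whether `$dsn` needs the same treatment depends on how callers build it, which this hunk does not show. If such DSNs are supported, the line would become `#[\SensitiveParameter] protected string $dsn,`. Because `$password` is a promoted property, the value also lives on the object for its whole lifetime, so the attribute does not cover object dumps or serialization. The class body continues outside the hunk.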
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1cfc7557e..6b6e1a0a7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -34,7 +34,7 @@
 - Enh #862: Refactor PHP type of `ColumnSchemaInterface` instances (@Tigrov)
 - Enh #865: Raise minimum PHP version to `^8.1` with minor refactoring (@Tigrov, @vjik)
 - Enh #798: Allow `QueryInterface::one()` and `QueryInterface::all()` to return objects (@darkdef, @Tigrov)
-- Chg #872: Add `#[\SensitiveParameter]` attribute for password (@heap-s)
+- Enh #872: Use `#[\SensitiveParameter]` attribute to mark sensitive parameters (@heap-s)
 ## 1.3.0 March 21, 2024
From c8ef8533f77acbf15bae3345f8d6ffcea1e53bb6 Mon Sep 17 00:00:00 2001
From: heap-s
Date: Tue, 3 Sep 2024 04:41:36 -0700
Subject: [PATCH 5/9] fix: add test for SensitiveParameter
---
 tests/Db/Driver/PDO/PDODriverTest.php | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/tests/Db/Driver/PDO/PDODriverTest.php b/tests/Db/Driver/PDO/PDODriverTest.php
index c7cf596c4..5eceecc3a 100644
--- a/tests/Db/Driver/PDO/PDODriverTest.php
+++ b/tests/Db/Driver/PDO/PDODriverTest.php
@@ -62,4 +62,17 @@ public function testGetUsername(): void
 $this->assertSame('username', $pdoDriver->getUsername());
 }
+
+ public function testSensitiveParameter(): void
+ {
+ try {
+ $fn = static function(#[\SensitiveParameter] string $password): void {
+ };
+ $fn(null);
+ } catch (\Throwable $e) {
+ $trace = $e->getTrace()[0];
+ $valid = isset($trace['args']) && $trace['args'][0] instanceof \SensitiveParameterValue;
+ var_dump($valid);
+ }
+ }
 }
From 3b4be4c2245eafbc801a251ad5cf84ecfd898834 Mon Sep 17 00:00:00 2001
From: heap-s
Date: Tue, 3 Sep 2024 05:16:56 -0700
Subject: [PATCH 6/9] fix: changes to SensitiveParameter test
---
 tests/Db/Driver/PDO/PDODriverTest.php | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/tests/Db/Driver/PDO/PDODriverTest.php b/tests/Db/Driver/PDO/PDODriverTest.php
index 5eceecc3a..bf489a7d9 100644
--- a/tests/Db/Driver/PDO/PDODriverTest.php
+++ b/tests/Db/Driver/PDO/PDODriverTest.php
@@ -65,14 +65,20 @@ public function testGetUsername(): void
 public function testSensitiveParameter(): void
 {
+ if (PHP_VERSION_ID < 80200) {
+ $this->markTestSkipped('SensitiveParameterValue is not available in PHP < 8.2');
+ }
+ $dsn = 'sqlite::memory:';
 try {
- $fn = static function(#[\SensitiveParameter] string $password): void {
- };
- $fn(null);
- } catch (\Throwable $e) {
- $trace = $e->getTrace()[0];
- $valid = isset($trace['args']) && $trace['args'][0] instanceof \SensitiveParameterValue;
- var_dump($valid);
+ new PDODriver($dsn, password: null);
+ } catch (\TypeError $e) {
+ $this->assertTrue($e->getTrace()[0]['args'][2] instanceof \SensitiveParameterValue);
 }
+ $pdoDriver = new PDODriver($dsn);
+ try {
+ $pdoDriver->password(null);
+ } catch (\TypeError $e) {
+ $this->assertTrue($e->getTrace()[0]['args'][0] instanceof \SensitiveParameterValue);
+ }
 }
 }
From 0e8169cbe3f04073a8072254cf87214b812cafca Mon Sep 17 00:00:00 2001
From: Tigrov
Date: Tue, 3 Sep 2024 21:50:43 +0700
Subject: [PATCH 7/9] Fix test
---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 7a31ab5ec..694d57964 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -47,7 +47,7 @@ jobs:
 with:
 php-version: ${{ matrix.php }}
 extensions: ${{ env.extensions }}
- ini-values: date.timezone='UTC'
+ ini-values: date.timezone='UTC', zend.exception_ignore_args=0
 coverage: pcov
 tools: composer:v2, pecl
From 6dce2c685b11da9c567f58cacc6a30d89320b31b Mon Sep 17 00:00:00 2001
From: Tigrov
Date: Tue, 3 Sep 2024 23:57:30 +0700
Subject: [PATCH 8/9] Fix rector
---
 .github/workflows/rector.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/rector.yml b/.github/workflows/rector.yml
index 3013bfdd3..139e05122 100644
--- a/.github/workflows/rector.yml
+++ b/.github/workflows/rector.yml
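Review bot: Both `try` blocks in `testSensitiveParameter()` (patch 6/9) assert only inside `catch`, so if no `TypeError` is thrown the test finishes without checking anything. Add `$this->fail('Expected TypeError');` as the last statement of each `try` body. The check itself reports the actual type on failure when written as `$this->assertInstanceOf(\SensitiveParameterValue::class, $e->getTrace()[0]['args'][2]);` (index `0` for the `password()` call). The frame and argument indexes are positional, so a comment saying that index 2 is the constructor's third parameter would help the next reader.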
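Review bot: Setting `zend.exception_ignore_args=0` only in `build.yml` (patch 7/9) leaves `testSensitiveParameter()` dependent on the runner's ini; where the setting is on, as hardened configurations commonly have it, the trace has no `args` key and the test fails on the missing key instead of skipping. The test can own the precondition, with `ini_set('zend.exception_ignore_args', '0');` at its start or a `markTestSkipped()` when `ini_get('zend.exception_ignore_args')` is truthy. A YAML comment next to the ini value naming the test that needs it would keep the entry from being dropped later. The step's `with:` block continues outside the hunk.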
@@ -15,6 +15,7 @@ jobs:
 secrets:
 token: ${{ secrets.YIISOFT_GITHUB_TOKEN }}
 with:
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
 os: >-
 ['ubuntu-latest']
 php: >-
From a9195ab8738a1ff85c7682030356261d1498e24c Mon Sep 17 00:00:00 2001
From: Sergei Tigrov
Date: Wed, 4 Sep 2024 15:08:56 +0700
Subject: [PATCH 9/9] Update tests/Db/Driver/PDO/PDODriverTest.php
---
 tests/Db/Driver/PDO/PDODriverTest.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/Db/Driver/PDO/PDODriverTest.php b/tests/Db/Driver/PDO/PDODriverTest.php
index bf489a7d9..b67566a47 100644
--- a/tests/Db/Driver/PDO/PDODriverTest.php
+++ b/tests/Db/Driver/PDO/PDODriverTest.php
@@ -79,6 +79,6 @@ public function testSensitiveParameter(): void
 $pdoDriver->password(null);
 } catch (\TypeError $e) {
 $this->assertTrue($e->getTrace()[0]['args'][0] instanceof \SensitiveParameterValue);
- }
+ }
 }
 }
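Review bot: The added `repository: ${{ github.event.pull_request.head.repo.full_name }}` in `rector.yml` (patch 8/9) points the reusable workflow at the pull request's head repository while the same job passes `secrets.YIISOFT_GITHUB_TOKEN`. The trigger is outside the hunk; if it is `pull_request_target`, code from a fork would run with that token available, so the trigger and the token's scope need confirming before this is relied on. A comment above the line would record the intent and the assumption, for example `# fork PRs: rector runs on the head repo; token must stay least-privilege`. The `with:` block continues past the hunk.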