Open
Description
Implement the #[\SensitiveParameter] attribute (introduced in PHP 8.2) to sensitive parameters containing secret keys and confidential information to prevent exposure in stack traces.
Why is it necessary?
- Currently, when exceptions occur, stack traces include the values of method arguments, which may contain sensitive information such as secret keys.
- Using the
#[\SensitiveParameter]attribute masks confidential information in stack traces, preventing unintended information leakage in logs and error reports. - This library is used for authentication and encryption, so the risk of exposing secret keys is particularly serious. For example, if logs are leaked to a third party, secret keys used for JWT signatures could be exposed, potentially allowing the generation of fraudulent tokens.
The following code example demonstrates the current issue with secret key exposure:
$key = 'secret_key';
$payload = [
'iss' => 'http://example.org',
'aud' => 'http://example.com',
'iat' => 1356999524,
'nbf' => 1357000000
];
$jwt = JWT::encode($payload, $key, 'HS256');
try {
$secretKey = "other_secret_key";
$decoded = JWT::decode($jwt, new Key($secretKey, 'HS256'));
} catch (Exception $e) {
print_r($e->getTrace()[0]['args']);
}Current output shows the secret key in plain text:
Array
(
[0] => eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOi8vZXhhbXBsZS5vcmciLCJhdWQiOiJodHRwOi8vZXhhbXBsZS5jb20iLCJpYXQiOjEzNTY5OTk1MjQsIm5iZiI6MTM1NzAwMDAwMH0.UAlpCk3EDwmIZJooCs656pcHuJSpgHiAMxhc36v3lak
[1] => Firebase\JWT\Key Object
(
[keyMaterial:Firebase\JWT\Key:private] => other_secret_key
[algorithm:Firebase\JWT\Key:private] => HS256
)
)
With the #[\SensitiveParameter] attribute applied, sensitive information is masked:
Array
(
[0] => eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOi8vZXhhbXBsZS5vcmciLCJhdWQiOiJodHRwOi8vZXhhbXBsZS5jb20iLCJpYXQiOjEzNTY5OTk1MjQsIm5iZiI6MTM1NzAwMDAwMH0.UAlpCk3EDwmIZJooCs656pcHuJSpgHiAMxhc36v3lak
[1] => SensitiveParameterValue Object
(
)
)
Where is it needed and why?
Based on detailed code analysis, the #[\SensitiveParameter] attribute should be applied to the following method parameters:
-
Keyclass constructor's$keyMaterialparameter- Holds key material for both symmetric and asymmetric keys
public function __construct( #[\SensitiveParameter] private $keyMaterial, private string $algorithm ) {
-
In the
JWTclass:encode()'s$keyparameter - Used for signing with all algorithms (symmetric key or private key)
public static function encode( array $payload, #[\SensitiveParameter] $key, string $alg, ?string $keyId = null, ?array $head = null ): string {
sign()'s$keyparameter - Used for signature generation with all algorithms (symmetric key or private key)
public static function sign( string $msg, #[\SensitiveParameter] $key, string $alg ): string {
decode()'s$keyOrKeyArrayparameter - Contains sensitive information only when using symmetric algorithms (HS256, HS384, HS512)
public static function decode( string $jwt, #[\SensitiveParameter] $keyOrKeyArray, ?stdClass &$headers = null ): stdClass {
verify()'s$keyMaterialparameter - Contains sensitive information only when using symmetric algorithms (HS256, HS384, HS512)
private static function verify( string $msg, string $signature, #[\SensitiveParameter] $keyMaterial, string $alg ): bool {
getKey()'s$keyOrKeyArrayparameter - May contain keys for symmetric algorithms
private static function getKey( #[\SensitiveParameter] $keyOrKeyArray, ?string $kid ): Key {
-
In the
JWKclass:parseKeySet()'s$jwksparameter - May contain 'oct' type symmetric keys
public static function parseKeySet(#[\SensitiveParameter] array $jwks, ?string $defaultAlg = null): array
parseKey()'s$jwkparameter - May contain 'oct' type symmetric keys
public static function parseKey(#[\SensitiveParameter] array $jwk, ?string $defaultAlg = null): ?Key
Metadata
Metadata
Assignees
Labels
No labels