Check whether secrets are empty and mark them all as sensitive

nicolas-grekas · nicolas-grekas · commit 9e24a7199744 · 2023-11-06T18:20:05.000+01:00
diff --git a/Authentication/Token/RememberMeToken.php b/Authentication/Token/RememberMeToken.php
@@ -11,6 +11,7 @@
 
 namespace Symfony\Component\Security\Core\Authentication\Token;
 
+use Symfony\Component\Security\Core\Exception\InvalidArgumentException;
 use Symfony\Component\Security\Core\User\UserInterface;
 
 /**
@@ -32,12 +33,12 @@ public function __construct(UserInterface $user, string $firewallName, #[\Sensit
     {
         parent::__construct($user->getRoles());
 
-        if (empty($secret)) {
-            throw new \InvalidArgumentException('$secret must not be empty.');
+        if (!$secret) {
+            throw new InvalidArgumentException('A non-empty secret is required.');
         }
 
-        if ('' === $firewallName) {
-            throw new \InvalidArgumentException('$firewallName must not be empty.');
+        if (!$firewallName) {
+            throw new InvalidArgumentException('$firewallName must not be empty.');
         }
 
         $this->firewallName = $firewallName;
diff --git a/Signature/SignatureHasher.php b/Signature/SignatureHasher.php
@@ -12,6 +12,7 @@
 namespace Symfony\Component\Security\Core\Signature;
 
 use Symfony\Component\PropertyAccess\PropertyAccessorInterface;
+use Symfony\Component\Security\Core\Exception\InvalidArgumentException;
 use Symfony\Component\Security\Core\Signature\Exception\ExpiredSignatureException;
 use Symfony\Component\Security\Core\Signature\Exception\InvalidSignatureException;
 use Symfony\Component\Security\Core\User\UserInterface;
@@ -37,6 +38,10 @@ class SignatureHasher
      */
     public function __construct(PropertyAccessorInterface $propertyAccessor, array $signatureProperties, #[\SensitiveParameter] string $secret, ExpiredSignatureStorage $expiredSignaturesStorage = null, int $maxUses = null)
     {
+        if (!$secret) {
+            throw new InvalidArgumentException('A non-empty secret is required.');
+        }
+
         $this->propertyAccessor = $propertyAccessor;
         $this->signatureProperties = $signatureProperties;
         $this->secret = $secret;

Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,7 @@`
`11`	`11`
`12`	`12`	`namespace Symfony\Component\Security\Core\Authentication\Token;`
`13`	`13`
	`14`	`+use Symfony\Component\Security\Core\Exception\InvalidArgumentException;`
`14`	`15`	`use Symfony\Component\Security\Core\User\UserInterface;`
`15`	`16`
`16`	`17`	`/**`
`@@ -32,12 +33,12 @@ public function __construct(UserInterface $user, string $firewallName, #[\Sensit`
`32`	`33`	`{`
`33`	`34`	`parent::__construct($user->getRoles());`
`34`	`35`
`35`		`- if (empty($secret)) {`
`36`		`- throw new \InvalidArgumentException('$secret must not be empty.');`
	`36`	`+ if (!$secret) {`
	`37`	`+ throw new InvalidArgumentException('A non-empty secret is required.');`
`37`	`38`	`}`
`38`	`39`
`39`		`- if ('' === $firewallName) {`
`40`		`- throw new \InvalidArgumentException('$firewallName must not be empty.');`
	`40`	`+ if (!$firewallName) {`
	`41`	`+ throw new InvalidArgumentException('$firewallName must not be empty.');`
`41`	`42`	`}`
`42`	`43`
`43`	`44`	`$this->firewallName = $firewallName;`