add SensitiveParameter to sensitive arguments

NicolasCARPi · NicolasCARPi · commit 76f420e6b261 · 2024-04-15T21:40:19.000+02:00
This change adds the PHP attribute SensitiveParameter to the secret holding variables. See: https://www.php.net/manual/en/class.sensitiveparameter This feature is only available in PHP 8.2, so the minimum php version required has been updated. Github Actions now use PHP 8.2 and 8.3 for the tests. The checkout action has been updated to v4, too. Fix issue #118
diff --git a/.github/workflows/test-bacon.yml b/.github/workflows/test-bacon.yml
@@ -10,10 +10,10 @@ jobs:
 
     strategy:
       matrix:
-        php-version: ['8.1', '8.2']
+        php-version: ['8.2', '8.3']
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
 
     - uses: shivammathur/setup-php@v2
       with:
diff --git a/.github/workflows/test-endroid.yml b/.github/workflows/test-endroid.yml
@@ -10,11 +10,11 @@ jobs:
 
     strategy:
       matrix:
-        php-version: ['8.1', '8.2']
+        php-version: ['8.2', '8.3']
         endroid-version: ["^3","^4","^5"]
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
 
     - uses: shivammathur/setup-php@v2
       with:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -10,10 +10,10 @@ jobs:
 
     strategy:
       matrix:
-        php-version: ['8.1', '8.2']
+        php-version: ['8.2', '8.3']
 
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
 
     - uses: shivammathur/setup-php@v2
       with:
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,17 @@
 # RobThree\TwoFactorAuth changelog
 
+# Version 3.x
+
+## Breaking changes
+
+### PHP Version
+
+Version 3.x requires at least PHP 8.2.
+
+### Add SensitiveParameter
+
+The new attribute SensitiveParameter was added to the code, to prevent accidental leak of secrets in stack traces.
+
 # Version 2.x
 
 ## Breaking changes
diff --git a/README.md b/README.md
@@ -17,7 +17,7 @@ You can make use of the included [Endroid](https://robthree.github.io/TwoFactorA
 
 ## Requirements
 
-* Requires PHP version >=8.1
+* Requires PHP version >=8.2
 * [cURL](http://php.net/manual/en/book.curl.php) when using the provided `QRServerProvider` (default), `ImageChartsQRCodeProvider` or `QRicketProvider` but you can also provide your own QR-code provider.
 * [random_bytes()](http://php.net/manual/en/function.random-bytes.php), [OpenSSL](http://php.net/manual/en/book.openssl.php) or [Hash](http://php.net/manual/en/book.hash.php) depending on which built-in RNG you use (TwoFactorAuth will try to 'autodetect' and use the best available); however: feel free to provide your own (CS)RNG.
 
diff --git a/TwoFactorAuth.phpproj b/TwoFactorAuth.phpproj
@@ -15,7 +15,7 @@
     <PHPDevHostName>localhost</PHPDevHostName>
     <IISProjectUrl>http://localhost:41315/</IISProjectUrl>
     <Runtime>PHP</Runtime>
-    <RuntimeVersion>8.1</RuntimeVersion>
+    <RuntimeVersion>8.2</RuntimeVersion>
   </PropertyGroup>
   <PropertyGroup Condition=" '$(Configuration)' == 'Debug' ">
     <IncludeDebugInformation>true</IncludeDebugInformation>
diff --git a/composer.json b/composer.json
@@ -27,7 +27,7 @@
         "source": "https://github.com/RobThree/TwoFactorAuth"
     },
     "require": {
-        "php": ">=8.1.0"
+        "php": ">=8.2.0"
     },
     "require-dev": {
         "phpunit/phpunit": "^9",
diff --git a/lib/TwoFactorAuth.php b/lib/TwoFactorAuth.php
@@ -69,7 +69,7 @@ public function createSecret(int $bits = 80, bool $requirecryptosecure = true):
     /**
      * Calculate the code with given secret and point in time
      */
-    public function getCode(string $secret, ?int $time = null): string
+    public function getCode(#[\SensitiveParameter] string $secret, ?int $time = null): string
     {
         $secretkey = $this->base32Decode($secret);
 
@@ -107,7 +107,7 @@ public function verifyCode(string $secret, string $code, int $discrepancy = 1, ?
     /**
      * Get data-uri of QRCode
      */
-    public function getQRCodeImageAsDataUri(string $label, string $secret, int $size = 200): string
+    public function getQRCodeImageAsDataUri(string $label, #[\SensitiveParameter] string $secret, int $size = 200): string
     {
         if ($size <= 0) {
             throw new TwoFactorAuthException('Size must be > 0');
@@ -153,7 +153,7 @@ public function ensureCorrectTime(?array $timeproviders = null, int $leniency =
     /**
      * Builds a string to be encoded in a QR code
      */
-    public function getQRText(string $label, string $secret): string
+    public function getQRText(string $label, #[\SensitiveParameter] string $secret): string
     {
         return 'otpauth://totp/' . rawurlencode($label)
             . '?secret=' . rawurlencode($secret)
