Add #[\SensitiveParameter] to $secret in ClientRaw::setAuth() #34

semgrep-code-badoo[bot] wants to merge 1 commit into
Mark the `$secret` parameter as sensitive to prevent credential exposure in stack traces.

## Changes

- Added `#[\SensitiveParameter]` attribute to the `$secret` parameter in `ClientRaw::setAuth()`

## Why

When an exception is thrown, PHP includes function arguments in stack traces. Without the `#[\SensitiveParameter]` attribute, the authentication secret could be logged or displayed in error output, potentially exposing credentials. This PHP 8.2+ attribute redacts the parameter value in stack traces, preventing unintended secret disclosure.

## Semgrep Finding Details

Function parameter like $secret, $secretKey, or $secret_key contains sensitive data but is not marked with #[\SensitiveParameter]. If the application crashes or throws an exception, this value may be included in stack traces or error logs, leading to unintended secret disclosure. Add the #[\SensitiveParameter] attribute to prevent exposure.

@9071412 requested Semgrep Assistant generate this pull request to fix [a finding](https://semgrep.dev/orgs/bmbl/findings/695640481).
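An added example (not code from the PR or the project) showing what the attribute changes in an exception trace, and the limit of that protection. It assumes a stand-in `ClientRaw` with the PR's `setAuth()` signature, a hypothetical `setAuthViaHelper()`/`normalize()` pair, and a runtime with `zend.exception_ignore_args=0` so trace arguments are recorded at all.

```php
<?php
declare(strict_types=1);

// Stand-in class (assumption), not the project's ClientRaw. Only the
// setAuth() signature matches the PR; setAuthViaHelper()/normalize()
// are hypothetical and exist to show where the attribute stops helping.
final class ClientRaw
{
    private string $secret = '';

    public function setAuth(string $login, #[\SensitiveParameter] string $secret): ClientRaw
    {
        $this->secret = $secret;
        // Fail while $secret is still a live argument of this frame.
        throw new \RuntimeException('simulated failure in setAuth');
    }

    public function setAuthViaHelper(string $login, #[\SensitiveParameter] string $secret): ClientRaw
    {
        // The annotated frame is redacted, but the helper's frame is not.
        $this->secret = self::normalize($secret);
        return $this;
    }

    private static function normalize(string $secret): string // no attribute here
    {
        throw new \RuntimeException('simulated failure in helper');
    }
}

/** Collect every argument value recorded across all frames of a trace. */
function recordedArgs(\Throwable $e): array
{
    $out = [];
    foreach ($e->getTrace() as $frame) {
        foreach ($frame['args'] ?? [] as $arg) {
            // PHP replaces annotated arguments with a SensitiveParameterValue wrapper.
            $out[] = $arg instanceof \SensitiveParameterValue ? '<redacted>' : $arg;
        }
    }
    return $out;
}

foreach (['setAuth', 'setAuthViaHelper'] as $method) {
    try {
        (new ClientRaw())->$method('alice', 'hunter2'); // constructed credentials
    } catch (\RuntimeException $e) {
        $leaked = in_array('hunter2', recordedArgs($e), true);
        printf("%s: secret %s in trace\n", $method, $leaked ? 'PRESENT' : 'redacted');
    }
}
```

On PHP 8.2+ the first call reports the secret as redacted while the second still reports it present, because the unannotated helper's frame keeps the raw string; on PHP below 8.2 both calls report it present, since the attribute is parsed but ignored.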
| * @return ClientRaw | ||
| */ | ||
| public function setAuth(string $login, string $secret) : ClientRaw | ||
| public function setAuth(string $login, #[\SensitiveParameter] string $secret) : ClientRaw |
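Review bot: the attribute is only honoured on PHP 8.2+; on an older runtime the new signature still parses but the secret keeps appearing in traces, so confirm the project's PHP version constraint requires 8.2 before treating this as a fix. It also redacts `$secret` only in the `setAuth()` frame: wherever the method stores or forwards the value, any helper that receives it as an argument needs the same annotation, and the docblock above the signature could note that `$secret` is redacted so callers understand what the attribute is for.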
Semgrep identified an issue in your code:
Function parameter like $secret, $secretKey, or $secret_key contains sensitive data but is not marked with #[\SensitiveParameter]. If the application crashes or throws an exception, this value may be included in stack traces or error logs, leading to unintended secret disclosure. Add the #[\SensitiveParameter] attribute to prevent exposure.
To resolve this comment:
✨ Commit Assistant Fix Suggestion
- Add the attribute `#[\SensitiveParameter]` before the `$secret` parameter in the function definition so the first line reads: `public function setAuth(string $login, #[\SensitiveParameter] string $secret) : ClientRaw`.
- Make sure there are no syntax errors resulting from this change.
This marks the $secret parameter as sensitive and helps prevent its value from being exposed in error logs or stack traces.