Fix-type-error-when-revealing-broken-secret

jack-worman · nicolas-grekas · commit 480e7d1e481a · 2025-06-15T11:49:23.000+02:00
diff --git a/src/Symfony/Bundle/FrameworkBundle/Command/SecretsRevealCommand.php b/src/Symfony/Bundle/FrameworkBundle/Command/SecretsRevealCommand.php
@@ -61,6 +61,10 @@ protected function execute(InputInterface $input, OutputInterface $output): int
             if (!\array_key_exists($name, $secrets)) {
                 $io->error(\sprintf('The secret "%s" does not exist.', $name));
 
+                return self::INVALID;
+            } elseif (null === $secrets[$name]) {
+                $io->error(\sprintf('The secret "%s" could not be decrypted.', $name));
+
                 return self::INVALID;
             }
 
diff --git a/src/Symfony/Bundle/FrameworkBundle/Secrets/AbstractVault.php b/src/Symfony/Bundle/FrameworkBundle/Secrets/AbstractVault.php
@@ -31,6 +31,9 @@ abstract public function reveal(string $name): ?string;
 
     abstract public function remove(string $name): bool;
 
+    /**
+     * @return array<string, string|null>
+     */
     abstract public function list(bool $reveal = false): array;
 
     protected function validateName(string $name): void
diff --git a/src/Symfony/Bundle/FrameworkBundle/Secrets/DotenvVault.php b/src/Symfony/Bundle/FrameworkBundle/Secrets/DotenvVault.php
@@ -89,13 +89,13 @@ public function list(bool $reveal = false): array
 
         foreach ($_ENV as $k => $v) {
             if ('' !== ($v ?? '') && preg_match('/^\w+$/D', $k)) {
-                $secrets[$k] = $reveal ? $v : null;
+                $secrets[$k] = \is_string($v) && $reveal ? $v : null;
             }
         }
 
         foreach ($_SERVER as $k => $v) {
             if ('' !== ($v ?? '') && preg_match('/^\w+$/D', $k)) {
-                $secrets[$k] = $reveal ? $v : null;
+                $secrets[$k] = \is_string($v) && $reveal ? $v : null;
             }
         }
 
diff --git a/src/Symfony/Bundle/FrameworkBundle/Tests/Command/SecretsRevealCommandTest.php b/src/Symfony/Bundle/FrameworkBundle/Tests/Command/SecretsRevealCommandTest.php
@@ -46,6 +46,19 @@ public function testInvalidName()
         $this->assertStringContainsString('The secret "undefinedKey" does not exist.', trim($tester->getDisplay(true)));
     }
 
+    public function testFailedDecrypt()
+    {
+        $vault = $this->createMock(AbstractVault::class);
+        $vault->method('list')->willReturn(['secretKey' => null]);
+
+        $command = new SecretsRevealCommand($vault);
+
+        $tester = new CommandTester($command);
+        $this->assertSame(Command::INVALID, $tester->execute(['name' => 'secretKey']));
+
+        $this->assertStringContainsString('The secret "secretKey" could not be decrypted.', trim($tester->getDisplay(true)));
+    }
+
     /**
      * @backupGlobals enabled
      */

Original file line number	Diff line number	Diff line change
`@@ -61,6 +61,10 @@ protected function execute(InputInterface $input, OutputInterface $output): int`
`61`	`61`	`if (!\array_key_exists($name, $secrets)) {`
`62`	`62`	`$io->error(\sprintf('The secret "%s" does not exist.', $name));`
`63`	`63`
	`64`	`+ return self::INVALID;`
	`65`	`+ } elseif (null === $secrets[$name]) {`
	`66`	`+ $io->error(\sprintf('The secret "%s" could not be decrypted.', $name));`
	`67`	`+`
`64`	`68`	`return self::INVALID;`
`65`	`69`	`}`
`66`	`70`
Original file line number	Diff line number	Diff line change
`@@ -89,13 +89,13 @@ public function list(bool $reveal = false): array`
`89`	`89`
`90`	`90`	`foreach ($_ENV as $k => $v) {`
`91`	`91`	`if ('' !== ($v ?? '') && preg_match('/^\w+$/D', $k)) {`
`92`		`- $secrets[$k] = $reveal ? $v : null;`
	`92`	`+ $secrets[$k] = \is_string($v) && $reveal ? $v : null;`
`93`	`93`	`}`
`94`	`94`	`}`
`95`	`95`
`96`	`96`	`foreach ($_SERVER as $k => $v) {`
`97`	`97`	`if ('' !== ($v ?? '') && preg_match('/^\w+$/D', $k)) {`
`98`		`- $secrets[$k] = $reveal ? $v : null;`
	`98`	`+ $secrets[$k] = \is_string($v) && $reveal ? $v : null;`
`99`	`99`	`}`
`100`	`100`	`}`
`101`	`101`