Skip to content

Support the actual #[\SensitiveParameter] attribute in stubs #8836

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 6 commits into from
Jul 12, 2022
Merged

Support the actual #[\SensitiveParameter] attribute in stubs #8836

Show file tree
Hide file tree
Changes from 5 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
085add0
Support the actual `#[\SensitiveParameter]` attribute in stubs
TimWolla Jun 13, 2022
b9e67fd
Use `#[\SensitiveParameter]` attribute instead of `@sensitive-param` …
TimWolla Jun 13, 2022
7075706
Remove `@sensitive-param` support from build/gen_stub.php
TimWolla Jun 13, 2022
3f62f35
Support arbitrary parameter attributes in stubs
TimWolla Jul 5, 2022
5820abe
Remove obsolete zend_mark_function_parameter_as_sensitive()
TimWolla Jul 5, 2022
1424e85
Improve identifier generation for parameter attributes in stubs
TimWolla Jul 12, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 0 additions & 13 deletions Zend/zend_attributes.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -117,19 +117,6 @@ static zend_always_inline zend_attribute *zend_add_class_constant_attribute(zend
return zend_add_attribute(&c->attributes, name, argc, flags, 0, 0);
}

static zend_always_inline zend_attribute *zend_mark_function_parameter_as_sensitive(const HashTable *table, const char *func_name, uint32_t parameter)
{
zend_function *func = zend_hash_str_find_ptr(table, func_name, strlen(func_name));
ZEND_ASSERT(func != NULL);

return zend_add_parameter_attribute(
func,
parameter,
zend_ce_sensitive_parameter->name,
0
);
}

void zend_register_attribute_ce(void);
void zend_attributes_shutdown(void);

Expand Down
42 changes: 23 additions & 19 deletions build/gen_stub.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -815,33 +815,35 @@ class ArgInfo {
public $phpDocType;
/** @var string|null */
public $defaultValue;
/** @var bool */
public $isSensitive;
/** @var AttributeInfo[] */
public $attributes;

/**
* @param AttributeInfo[] $attributes
*/
public function __construct(
string $name,
int $sendBy,
bool $isVariadic,
?Type $type,
?Type $phpDocType,
?string $defaultValue,
bool $isSensitive
array $attributes
) {
$this->name = $name;
$this->sendBy = $sendBy;
$this->isVariadic = $isVariadic;
$this->setTypes($type, $phpDocType);
$this->defaultValue = $defaultValue;
$this->isSensitive = $isSensitive;
$this->attributes = $attributes;
}

public function equals(ArgInfo $other): bool {
return $this->name === $other->name
&& $this->sendBy === $other->sendBy
&& $this->isVariadic === $other->isVariadic
&& Type::equals($this->type, $other->type)
&& $this->defaultValue === $other->defaultValue
&& $this->isSensitive === $other->isSensitive;
&& $this->defaultValue === $other->defaultValue;
Comment on lines -843 to +846
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure about this part. I don't believe that attributes need to be part of equals(), as they are not part of the ZEND_BEGIN_ARG_WITH_RETURN_TYPE_INFO_EX stuff.

}

public function getSendByString(): string {
Expand Down Expand Up @@ -2570,7 +2572,7 @@ function (Name $item) {
}
}

if ($attributeInitializationCode = generateAttributeInitialization($this->funcInfos, $this->cond)) {
if ($attributeInitializationCode = generateAttributeInitialization($this->funcInfos, $this->cond, $allConstInfos)) {
if (!$php82MinimumCompatibility) {
$code .= "#if (PHP_VERSION_ID >= " . PHP_82_VERSION_ID . ")\n";
}
Expand Down Expand Up @@ -3151,7 +3153,7 @@ public function getVariableName(): string {

if ($this->name === "param") {
preg_match('/^\s*[\w\|\\\\\[\]]+\s*\$(\w+).*$/', $value, $matches);
} elseif ($this->name === "prefer-ref" || $this->name === "sensitive-param") {
} elseif ($this->name === "prefer-ref") {
preg_match('/^\s*\$(\w+).*$/', $value, $matches);
}

Expand Down Expand Up @@ -3242,7 +3244,6 @@ function parseFunctionLike(
break;

case 'prefer-ref':
case 'sensitive-param':
$varName = $tag->getVariableName();
if (!isset($paramMeta[$varName])) {
$paramMeta[$varName] = [];
Expand All @@ -3260,7 +3261,12 @@ function parseFunctionLike(
foreach ($func->getParams() as $i => $param) {
$varName = $param->var->name;
$preferRef = !empty($paramMeta[$varName]['prefer-ref']);
$isSensitive = !empty($paramMeta[$varName]['sensitive-param']);
$attributes = [];
foreach ($param->attrGroups as $attrGroup) {
foreach ($attrGroup->attrs as $attr) {
$attributes[] = new AttributeInfo($attr->name->toString(), $attr->args);
}
}
unset($paramMeta[$varName]);

if (isset($varNameSet[$varName])) {
Expand Down Expand Up @@ -3308,7 +3314,7 @@ function parseFunctionLike(
$type,
isset($docParamTypes[$varName]) ? Type::fromString($docParamTypes[$varName]) : null,
$param->default ? $prettyPrinter->prettyPrintExpr($param->default) : null,
$isSensitive
$attributes
);
if (!$param->default && !$param->variadic) {
$numRequiredArgs = $i + 1;
Expand Down Expand Up @@ -3962,7 +3968,7 @@ static function (FuncInfo $funcInfo) use ($fileInfo, &$generatedFunctionDeclarat
}

if ($fileInfo->generateClassEntries) {
$attributeInitializationCode = generateAttributeInitialization($fileInfo->funcInfos);
$attributeInitializationCode = generateAttributeInitialization($fileInfo->funcInfos, null, $allConstInfos);

if ($attributeInitializationCode !== "" || !empty($fileInfo->constInfos)) {
$code .= "\nstatic void register_{$stubFilenameWithoutExtension}_symbols(int module_number)\n";
Expand Down Expand Up @@ -4029,25 +4035,23 @@ function generateFunctionEntries(?Name $className, array $funcInfos, ?string $co
/**
* @param iterable<FuncInfo> $funcInfos
*/
function generateAttributeInitialization(iterable $funcInfos, ?string $parentCond = null): string {
function generateAttributeInitialization(iterable $funcInfos, ?string $parentCond = null, iterable $allConstInfos): string {
return generateCodeWithConditions(
$funcInfos,
"",
static function (FuncInfo $funcInfo) {
static function (FuncInfo $funcInfo) use ($allConstInfos) {
$code = null;

foreach ($funcInfo->args as $index => $arg) {
if (!$arg->isSensitive) {
continue;
}

if ($funcInfo->name instanceof MethodName) {
$functionTable = "&class_entry->function_table";
} else {
$functionTable = "CG(function_table)";
}

$code .= "\tzend_mark_function_parameter_as_sensitive($functionTable, \"" . $funcInfo->name->getNameForAttributes() . "\", $index);\n";
foreach ($arg->attributes as $attribute) {
$code .= $attribute->generateCode("zend_add_parameter_attribute(zend_hash_str_find_ptr($functionTable, \"" . $funcInfo->name->getNameForAttributes() . "\", sizeof(\"" . $funcInfo->name->getNameForAttributes() . "\") - 1), $index", "{$funcInfo->getArgInfoName()}_arg{$index}", $allConstInfos);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't really like the fact that $funcInfo->getArgInfoName() is used for generating the attribute name, because the arginfo_ part is unnecessary (and I didn't realize for a while why it's there). Even though the format of $funcInfo->name->getMethodSynopsisFilename() looks a bit better, it would be weird to use this name here.. So either we should rename this method (getSnakeCasedName??) or just leave the name as-is.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! $funcInfo->name->getMethodSynopsisFilename() is indeed much better. It's was hard for me to "discover" something appropriate to use and ->getArgInfoName() worked.

}
}

return $code;
Expand Down
3 changes: 1 addition & 2 deletions ext/ftp/ftp.stub.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -75,8 +75,7 @@ function ftp_connect(string $hostname, int $port = 21, int $timeout = 90): FTP\C
function ftp_ssl_connect(string $hostname, int $port = 21, int $timeout = 90): FTP\Connection|false {}
#endif

/** @sensitive-param $password */
function ftp_login(FTP\Connection $ftp, string $username, string $password): bool {}
function ftp_login(FTP\Connection $ftp, string $username, #[\SensitiveParameter] string $password): bool {}
function ftp_pwd(FTP\Connection $ftp): string|false {}
function ftp_cdup(FTP\Connection $ftp): bool {}
function ftp_chdir(FTP\Connection $ftp, string $directory): bool {}
Expand Down
7 changes: 5 additions & 2 deletions ext/ftp/ftp_arginfo.h
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

21 changes: 6 additions & 15 deletions ext/hash/hash.stub.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,22 +15,19 @@ function hash(string $algo, string $data, bool $binary = false, array $options =
function hash_file(string $algo, string $filename, bool $binary = false, array $options = []): string|false {}

/**
* @sensitive-param $key
* @refcount 1
*/
function hash_hmac(string $algo, string $data, string $key, bool $binary = false): string {}
function hash_hmac(string $algo, string $data, #[\SensitiveParameter] string $key, bool $binary = false): string {}

/**
* @sensitive-param $key
* @refcount 1
*/
function hash_hmac_file(string $algo, string $filename, string $key, bool $binary = false): string|false {}
function hash_hmac_file(string $algo, string $filename, #[\SensitiveParameter] string $key, bool $binary = false): string|false {}

/**
* @sensitive-param $key
* @refcount 1
*/
function hash_init(string $algo, int $flags = 0, string $key = "", array $options = []): HashContext {}
function hash_init(string $algo, int $flags = 0, #[\SensitiveParameter] string $key = "", array $options = []): HashContext {}

function hash_update(HashContext $context, string $data): bool {}

Expand Down Expand Up @@ -59,22 +56,16 @@ function hash_algos(): array {}
function hash_hmac_algos(): array {}

/**
* @sensitive-param $password
* @refcount 1
*/
function hash_pbkdf2(string $algo, string $password, string $salt, int $iterations, int $length = 0, bool $binary = false): string {}
function hash_pbkdf2(string $algo, #[\SensitiveParameter] string $password, string $salt, int $iterations, int $length = 0, bool $binary = false): string {}

/**
* @sensitive-param $known_string
* @sensitive-param $user_string
*/
function hash_equals(string $known_string, string $user_string): bool {}
function hash_equals(#[\SensitiveParameter] string $known_string, #[\SensitiveParameter] string $user_string): bool {}

/**
* @sensitive-param $key
* @refcount 1
*/
function hash_hkdf(string $algo, string $key, int $length = 0, string $info = "", string $salt = ""): string {}
function hash_hkdf(string $algo, #[\SensitiveParameter] string $key, int $length = 0, string $info = "", string $salt = ""): string {}

#ifdef PHP_MHASH_BC
/** @deprecated */
Expand Down
37 changes: 29 additions & 8 deletions ext/hash/hash_arginfo.h
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

3 changes: 1 addition & 2 deletions ext/imap/php_imap.stub.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -405,8 +405,7 @@
*/
const IMAP_GC_TEXTS = UNKNOWN;

/** @sensitive-param $password */
function imap_open(string $mailbox, string $user, string $password, int $flags = 0, int $retries = 0, array $options = []): IMAP\Connection|false {}
function imap_open(string $mailbox, string $user, #[\SensitiveParameter] string $password, int $flags = 0, int $retries = 0, array $options = []): IMAP\Connection|false {}

function imap_reopen(IMAP\Connection $imap, string $mailbox, int $flags = 0, int $retries = 0): bool {}

Expand Down
7 changes: 5 additions & 2 deletions ext/imap/php_imap_arginfo.h
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

24 changes: 5 additions & 19 deletions ext/ldap/ldap.stub.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -610,10 +610,7 @@
#endif

#ifdef HAVE_ORALDAP
/**
* @sensitive-param $password
*/
function ldap_connect(?string $uri = null, int $port = 389, string $wallet = UNKNOWN, string $password = UNKNOWN, int $auth_mode = GSLC_SSL_NO_AUTH): LDAP\Connection|false {}
function ldap_connect(?string $uri = null, int $port = 389, string $wallet = UNKNOWN, #[\SensitiveParameter] string $password = UNKNOWN, int $auth_mode = GSLC_SSL_NO_AUTH): LDAP\Connection|false {}
#else
function ldap_connect(?string $uri = null, int $port = 389): LDAP\Connection|false {}
#endif
Expand All @@ -623,21 +620,12 @@ function ldap_unbind(LDAP\Connection $ldap): bool {}
/** @alias ldap_unbind */
function ldap_close(LDAP\Connection $ldap): bool {}

/**
* @sensitive-param $password
*/
function ldap_bind(LDAP\Connection $ldap, ?string $dn = null, ?string $password = null): bool {}
function ldap_bind(LDAP\Connection $ldap, ?string $dn = null, #[\SensitiveParameter] ?string $password = null): bool {}

/**
* @sensitive-param $password
*/
function ldap_bind_ext(LDAP\Connection $ldap, ?string $dn = null, ?string $password = null, ?array $controls = null): LDAP\Result|false {}
function ldap_bind_ext(LDAP\Connection $ldap, ?string $dn = null, #[\SensitiveParameter] ?string $password = null, ?array $controls = null): LDAP\Result|false {}

#ifdef HAVE_LDAP_SASL
/**
* @sensitive-param $password
*/
function ldap_sasl_bind(LDAP\Connection $ldap, ?string $dn = null, ?string $password = null, ?string $mech = null, ?string $realm = null, ?string $authc_id = null, ?string $authz_id = null, ?string $props = null): bool {}
function ldap_sasl_bind(LDAP\Connection $ldap, ?string $dn = null, #[\SensitiveParameter] ?string $password = null, ?string $mech = null, ?string $realm = null, ?string $authc_id = null, ?string $authz_id = null, ?string $props = null): bool {}
#endif

/** @param LDAP\Connection|array $ldap */
Expand Down Expand Up @@ -791,10 +779,8 @@ function ldap_exop(LDAP\Connection $ldap, string $request_oid, ?string $request_
#ifdef HAVE_LDAP_PASSWD
/**
* @param array $controls
* @sensitive-param $old_password
* @sensitive-param $new_password
*/
function ldap_exop_passwd(LDAP\Connection $ldap, string $user = "", string $old_password = "", string $new_password = "", &$controls = null): string|bool {}
function ldap_exop_passwd(LDAP\Connection $ldap, string $user = "", #[\SensitiveParameter] string $old_password = "", #[\SensitiveParameter] string $new_password = "", &$controls = null): string|bool {}
#endif


Expand Down
Loading