Introduce HiddenString for Config-Values
authorPhilipp Holzer <admin+github@philipp.info>
Mon, 10 Jun 2019 12:43:25 +0000 (14:43 +0200)
committerPhilipp Holzer <admin+github@philipp.info>
Mon, 10 Jun 2019 12:46:31 +0000 (14:46 +0200)
composer.json
composer.lock
src/Core/Config/Cache/ConfigCache.php
src/Core/Config/Configuration.php
src/Factory/DBFactory.php
tests/src/Core/Config/Cache/ConfigCacheTest.php

index a8b4a20d28fc4463c1c677cef0bae3a60cfe463f..aac5c10bc6e3fa88582ab7563b8661f62cefac33 100644 (file)
@@ -37,6 +37,7 @@
                "mobiledetect/mobiledetectlib": "2.8.*",
                "monolog/monolog": "^1.24",
                "nikic/fast-route": "^1.3",
+               "paragonie/hidden-string": "^1.0",
                "pear/text_languagedetect": "1.*",
                "pragmarx/google2fa": "^5.0",
                "pragmarx/recovery": "^0.1.0",
index 75c10b78f026eaea9b8c83d3a73c828ff90932e7..af51b6dfe7ef7c9ca4ba2de0e4cad4ea3501ae96 100644 (file)
@@ -4,7 +4,7 @@
         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
         "This file is @generated automatically"
     ],
-    "content-hash": "67821d2270bdf8cdd24e7a047b9544e7",
+    "content-hash": "eb985236d64ed0b0fe1fc2e4ac6616e2",
     "packages": [
         {
             "name": "asika/simple-console",
         },
         {
             "name": "paragonie/constant_time_encoding",
-            "version": "v1.0.4",
+            "version": "v2.2.3",
             "source": {
                 "type": "git",
                 "url": "https://github.com/paragonie/constant_time_encoding.git",
-                "reference": "2132f0f293d856026d7d11bd81b9f4a23a1dc1f6"
+                "reference": "55af0dc01992b4d0da7f6372e2eac097bbbaffdb"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/paragonie/constant_time_encoding/zipball/2132f0f293d856026d7d11bd81b9f4a23a1dc1f6",
-                "reference": "2132f0f293d856026d7d11bd81b9f4a23a1dc1f6",
+                "url": "https://api.github.com/repos/paragonie/constant_time_encoding/zipball/55af0dc01992b4d0da7f6372e2eac097bbbaffdb",
+                "reference": "55af0dc01992b4d0da7f6372e2eac097bbbaffdb",
                 "shasum": ""
             },
             "require": {
-                "php": "^5.3|^7"
+                "php": "^7"
             },
             "require-dev": {
-                "paragonie/random_compat": "^1.4|^2",
-                "phpunit/phpunit": "4.*|5.*",
-                "vimeo/psalm": "^0.3|^1"
+                "phpunit/phpunit": "^6|^7",
+                "vimeo/psalm": "^1|^2"
             },
             "type": "library",
             "autoload": {
                 "hex2bin",
                 "rfc4648"
             ],
-            "time": "2018-04-30T17:57:16+00:00"
+            "time": "2019-01-03T20:26:31+00:00"
+        },
+        {
+            "name": "paragonie/hidden-string",
+            "version": "v1.0.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/paragonie/hidden-string.git",
+                "reference": "0bbb00be0e33b8e1d48fa79ea35cd42d3091a936"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/paragonie/hidden-string/zipball/0bbb00be0e33b8e1d48fa79ea35cd42d3091a936",
+                "reference": "0bbb00be0e33b8e1d48fa79ea35cd42d3091a936",
+                "shasum": ""
+            },
+            "require": {
+                "paragonie/constant_time_encoding": "^2",
+                "paragonie/sodium_compat": "^1.6",
+                "php": "^7"
+            },
+            "require-dev": {
+                "phpunit/phpunit": "^6|^7",
+                "vimeo/psalm": "^1"
+            },
+            "type": "library",
+            "autoload": {
+                "psr-4": {
+                    "ParagonIE\\HiddenString\\": "./src"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MPL-2.0"
+            ],
+            "authors": [
+                {
+                    "name": "Paragon Initiative Enterprises",
+                    "email": "info@paragonie.com",
+                    "homepage": "https://paragonie.com"
+                }
+            ],
+            "description": "Encapsulate strings in an object to hide them from stack traces",
+            "homepage": "https://github.com/paragonie/hidden-string",
+            "keywords": [
+                "hidden",
+                "stack trace",
+                "string"
+            ],
+            "time": "2018-05-07T20:28:06+00:00"
         },
         {
             "name": "paragonie/random_compat",
             "version": "v1.6.5",
             "source": {
                 "type": "git",
-                "url": "https://github.com/mikey179/vfsStream.git",
+                "url": "https://github.com/bovigo/vfsStream.git",
                 "reference": "d5fec95f541d4d71c4823bb5e30cf9b9e5b96145"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/mikey179/vfsStream/zipball/d5fec95f541d4d71c4823bb5e30cf9b9e5b96145",
+                "url": "https://api.github.com/repos/bovigo/vfsStream/zipball/d5fec95f541d4d71c4823bb5e30cf9b9e5b96145",
                 "reference": "d5fec95f541d4d71c4823bb5e30cf9b9e5b96145",
                 "shasum": ""
             },
                 }
             ],
             "description": "Provides the functionality to compare PHP values for equality",
-            "homepage": "http://www.github.com/sebastianbergmann/comparator",
+            "homepage": "https://github.com/sebastianbergmann/comparator",
             "keywords": [
                 "comparator",
                 "compare",
                 }
             ],
             "description": "Provides functionality to handle HHVM/PHP environments",
-            "homepage": "http://www.github.com/sebastianbergmann/environment",
+            "homepage": "https://github.com/sebastianbergmann/environment",
             "keywords": [
                 "Xdebug",
                 "environment",
                 }
             ],
             "description": "Provides the functionality to export PHP variables for visualization",
-            "homepage": "http://www.github.com/sebastianbergmann/exporter",
+            "homepage": "https://github.com/sebastianbergmann/exporter",
             "keywords": [
                 "export",
                 "exporter"
                 }
             ],
             "description": "Snapshotting of global state",
-            "homepage": "http://www.github.com/sebastianbergmann/global-state",
+            "homepage": "https://github.com/sebastianbergmann/global-state",
             "keywords": [
                 "global state"
             ],
                 }
             ],
             "description": "Provides functionality to recursively process PHP variables",
-            "homepage": "http://www.github.com/sebastianbergmann/recursion-context",
+            "homepage": "https://github.com/sebastianbergmann/recursion-context",
             "time": "2016-11-19T07:33:16+00:00"
         },
         {
                 },
                 {
                     "name": "Gert de Pagter",
-                    "email": "backendtea@gmail.com"
+                    "email": "BackEndTea@gmail.com"
                 }
             ],
             "description": "Symfony polyfill for ctype functions",
index 3314e184f3519cf5f4a7ee388e37da8ce949fc41..9aea367d978c9c1867ddca3795fe079bbde024fb 100644 (file)
@@ -2,6 +2,8 @@
 
 namespace Friendica\Core\Config\Cache;
 
+use ParagonIE\HiddenString\HiddenString;
+
 /**
  * The Friendica config cache for the application
  * Initial, all *.config.php files are loaded into this cache with the
@@ -14,11 +16,18 @@ class ConfigCache implements IConfigCache, IPConfigCache
         */
        private $config;
 
+       /**
+        * @var bool
+        */
+       private $hidePasswordOutput;
+
        /**
         * @param array $config    A initial config array
+        * @param bool  $hidePasswordOutput True, if cache variables should take extra care of password values
         */
-       public function __construct(array $config = [])
+       public function __construct(array $config = [], $hidePasswordOutput = true)
        {
+               $this->hidePasswordOutput = $hidePasswordOutput;
                $this->load($config);
        }
 
@@ -84,8 +93,12 @@ class ConfigCache implements IConfigCache, IPConfigCache
                        $this->config[$cat] = [];
                }
 
-               $this->config[$cat][$key] = $value;
-
+               if ($this->hidePasswordOutput &&
+                       $key == 'password') {
+                       $this->config[$cat][$key] = new HiddenString($value);
+               } else {
+                       $this->config[$cat][$key] = $value;
+               }
                return true;
        }
 
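Review bot: The new branch in this hunk passes `$value` to `new HiddenString($value)` without checking its type, and it matches the key with a loose `==`. HiddenString's constructor expects a string, so a `null` or array stored under a `password` key would presumably raise a TypeError here, and under PHP 7 an integer key `0` compares equal to `'password'` and would be wrapped too. I would tighten the guard to `if ($this->hidePasswordOutput && $key === 'password' && is_string($value)) {`. Only the exact key name `password` is protected, so any other secret-bearing key still lands in the cache as a plain string that shows up in dumps and stack traces; a short comment stating that limit would help. The method starts and ends outside the hunk.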
index 532ed982a9d46498d3de738e741f58db33b26cbc..18191d0429c45bfd2fb5fc9f860fb71eaca2b008 100644 (file)
@@ -88,7 +88,7 @@ class Configuration
 
                        if (isset($dbvalue)) {
                                $this->configCache->set($cat, $key, $dbvalue);
-                               return $dbvalue;
+                               unset($dbvalue);
                        }
                }
 
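Review bot: Replacing `return $dbvalue;` with `unset($dbvalue);` changes what this method returns on a database hit, and nothing in the hunk says why. The result now comes from whatever follows the hunk (presumably a read from the config cache), so for a `password` key callers get a HiddenString object instead of a string, and any caller that applies `===`, `is_string()` or `json_encode()` to it behaves differently. `unset()` only drops the local reference; PHP does not wipe the underlying bytes, so it should not be read as scrubbing the secret from memory. I would add a comment above it such as `// fall through so the value is returned from the cache (passwords come back wrapped)`. The enclosing method starts and ends outside the hunk.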
index 1c01f733192d6604940415c77b7ddf394d358e22..7caa63ec46755d8e74abdb11736fc9d784be9171 100644 (file)
@@ -6,6 +6,7 @@ use Friendica\Core\Config\Cache;
 use Friendica\Database;
 use Friendica\Util\Logger\VoidLogger;
 use Friendica\Util\Profiler;
+use ParagonIE\HiddenString\HiddenString;
 
 class DBFactory
 {
@@ -45,7 +46,7 @@ class DBFactory
                        } else {
                                $db_user = $server['MYSQL_USER'];
                        }
-                       $db_pass = (string) $server['MYSQL_PASSWORD'];
+                       $db_pass = new HiddenString((string) $server['MYSQL_PASSWORD']);
                        $db_data = $server['MYSQL_DATABASE'];
                }
 
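Review bot: `$db_pass` becomes a HiddenString only in this environment-variable branch; the branch that fills it from the config cache is outside the hunk, and it yields a HiddenString only if that cache was built with `$hidePasswordOutput` left at `true`. The consumer of `$db_pass` is not visible here either, so it is worth confirming that it accepts both a plain string and a HiddenString and unwraps the value only at the point of connecting. A comment on this line such as `// wrapped so the password stays out of stack traces and dumps` would record the intent for the next reader.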
index e6ac8255e9f7b3b454aced052381a62e71a44c04..76ee26438fc8387f016bb5bb6e9c8472eb231c79 100644 (file)
@@ -275,4 +275,38 @@ class ConfigCacheTest extends MockedTest
 
                $this->assertEmpty($configCache->keyDiff($diffConfig));
        }
+
+       /**
+        * Test the default hiding of passwords inside the cache
+        */
+       public function testPasswordHide()
+       {
+               $configCache = new ConfigCache([
+                       'database' => [
+                               'password' => 'supersecure',
+                               'username' => 'notsecured',
+                       ],
+               ]);
+
+               $this->assertEquals('supersecure', $configCache->get('database', 'password'));
+               $this->assertNotEquals('supersecure', print_r($configCache->get('database', 'password'), true));
+               $this->assertEquals('notsecured', print_r($configCache->get('database', 'username'), true));
+       }
+
+       /**
+        * Test disabling the hiding of passwords inside the cache
+        */
+       public function testPasswordShow()
+       {
+               $configCache = new ConfigCache([
+                       'database' => [
+                               'password' => 'supersecure',
+                               'username' => 'notsecured',
+                       ],
+               ], false);
+
+               $this->assertEquals('supersecure', $configCache->get('database', 'password'));
+               $this->assertEquals('supersecure', print_r($configCache->get('database', 'password'), true));
+               $this->assertEquals('notsecured', print_r($configCache->get('database', 'username'), true));
+       }
 }
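Review bot: `assertNotEquals('supersecure', print_r(..., true))` in testPasswordHide only proves the dump is not exactly the secret; it would still pass if `print_r` printed the object with the password somewhere inside it. Assert on absence instead, e.g. `$this->assertNotContains('supersecure', print_r($configCache->get('database', 'password'), true));` (or `assertStringNotContainsString` on newer PHPUnit). The `assertEquals` on the line above compares loosely, so it does not pin that `get()` returns a HiddenString; `$this->assertInstanceOf(HiddenString::class, $configCache->get('database', 'password'));` would, given a matching `use` in the test file. Other output paths such as `var_export`, `serialize` and `json_encode` are not exercised by either test.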