Add #[\SensitiveParameter] to setApiKey() to prevent credential exposure#14
Add #[\SensitiveParameter] to setApiKey() to prevent credential exposure#14semgrep-code-badoo[bot] wants to merge 1 commit intomasterfrom
Conversation
Mark the `$api_key` parameter with `#[\SensitiveParameter]` attribute to prevent API key disclosure in stack traces. ## Changes - Added `#[\SensitiveParameter]` attribute to the `$api_key` parameter in `LiveProfiler::setApiKey()` ## Why If the application crashes or throws an exception, PHP includes function parameters in stack traces and error logs by default. Without the `#[\SensitiveParameter]` attribute, the API key value would be exposed in these logs. This PHP 8.2+ attribute instructs PHP to redact the parameter value in backtraces, preventing unintended credential disclosure. ## Semgrep Finding Details Function parameter like $apiKey, $api_key, $accessKey, or $access_key contains sensitive credentials but is not marked with #[\SensitiveParameter]. If the application crashes or throws an exception, this value may be included in stack traces or error logs, leading to unintended API key disclosure. Add the #[\SensitiveParameter] attribute to prevent exposure. @9071412 requested Semgrep Assistant generate this pull request to fix [a finding](https://semgrep.dev/orgs/bmbl/findings/695640277).
![semgrep-code-badoo[bot]](https://avatars.githubusercontent.com/u/1277442?s=60&v=4){kind=small}
| * @return $this | ||
| */ | ||
| public function setApiKey($api_key) | ||
| public function setApiKey(#[\SensitiveParameter] $api_key) |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
Function parameter like $apiKey, $api_key, $accessKey, or $access_key contains sensitive credentials but is not marked with #[\SensitiveParameter]. If the application crashes or throws an exception, this value may be included in stack traces or error logs, leading to unintended API key disclosure. Add the #[\SensitiveParameter] attribute to prevent exposure.
To resolve this comment:
✨ Commit Assistant Fix Suggestion
- Add the sensitive parameter attribute above the setApiKey function by inserting
#[\SensitiveParameter]on the line immediately before the function definition. - The function definition should look like this:
#[\SensitiveParameter] public function setApiKey($api_key) - Make sure there is no docblock or comment line between the attribute and the function definition.
This attribute will help ensure that if an error or exception occurs, the value of $api_key will be protected from accidental exposure in error messages or stack traces.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by php-missing-sensitive-parameter-api-key.
You can view more details about this finding in the Semgrep AppSec Platform.
Mark the
$api_keyparameter with#[\SensitiveParameter]attribute to prevent API key disclosure in stack traces.Changes
#[\SensitiveParameter]attribute to the$api_keyparameter inLiveProfiler::setApiKey()Why
If the application crashes or throws an exception, PHP includes function parameters in stack traces and error logs by default. Without the
#[\SensitiveParameter]attribute, the API key value would be exposed in these logs. This PHP 8.2+ attribute instructs PHP to redact the parameter value in backtraces, preventing unintended credential disclosure.Semgrep Finding Details
Function parameter like $apiKey, $api_key, $accessKey, or $access_key contains sensitive credentials but is not marked with #[\SensitiveParameter]. If the application crashes or throws an exception, this value may be included in stack traces or error logs, leading to unintended API key disclosure. Add the #[\SensitiveParameter] attribute to prevent exposure.
@9071412 requested Semgrep Assistant generate this pull request to fix a finding.