Details
Description
By default, PHP shows function arguments in stack traces. If stack traces are exposed, this can leak sensitive data such as user IDs and passwords. PHP 7.4 introduced zend.exception_ignore_args to disable this. Some distros package PHP with the setting set to hide arguments, which is the safest option. This should always be done for production sites.
https://doc.ibexa.co/en/latest/infrastructure_and_maintenance/security/security_checklist/#enable-zendexception_ignore_args-in-php-74-and-newer
PHP 8.2 introduces an attribute to hide specific arguments, while showing all others (if zend.exception_ignore_args is not set). It does not break anything in earlier PHP, so we can start using it right now. It's a good extra layer of protection.
https://www.php.net/manual/en/class.sensitive-parameter.php
It can be used for many things. Passwords, password hashes, user IDs/emails, session keys... Though it must be balanced against debugging needs.
This issue is labelled security, but is not private due to being a new feature, not a vulnerability.
Questions:
- If this is set for an argument in one method, does it cascade up/down to other methods using the same argument?
Answer: No, it must be set in all methods, above and below in the call stack. It also does not prevent you from outputting the sensitive parameter in the exception message; it only acts on the stack trace. Tested on 8.2 RC7.
- Should it be set in interfaces? (probably not)
- Unrelated: Can we use such PHP attributes for custom tasks, like documentation?
Answer: Yes, we can. https://www.php.net/manual/en/language.attributes.overview.php
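The non-cascading behaviour and the exception-message gap described in the first answer, as an added example (not code from this issue or from the Ibexa code base). The function names and the sample secret are constructed, and the redaction needs PHP 8.2 or newer.

```php
<?php
declare(strict_types=1);

// Collect arguments in traces so the effect of the attribute is visible.
ini_set('zend.exception_ignore_args', '0');

function login(string $user, #[\SensitiveParameter] string $password): void
{
    checkPassword($user, $password);
}

// Same value, but this frame lacks the attribute: redaction does not cascade.
function checkPassword(string $user, string $password): void
{
    verifyHash($user, $password);
}

function verifyHash(string $user, #[\SensitiveParameter] string $password): void
{
    // Deliberately bad: the attribute only acts on the trace, not on the message.
    throw new RuntimeException("Bad password '$password' for $user");
}

/** Maps each frame's function name to true when the raw secret is in its args. */
function leakingFrames(Throwable $e, string $secret): array
{
    $result = [];
    foreach ($e->getTrace() as $frame) {
        // Redacted arguments are SensitiveParameterValue objects, never the string.
        $result[$frame['function']] = in_array($secret, $frame['args'] ?? [], true);
    }
    return $result;
}

$secret = 'constructed-sample-secret'; // constructed sample value
try {
    login('alice', $secret);
} catch (RuntimeException $e) {
    foreach (leakingFrames($e, $secret) as $function => $leaks) {
        printf("%-14s %s\n", $function, $leaks ? 'LEAKS argument' : 'redacted');
    }
    $inMessage = str_contains($e->getMessage(), $secret);
    printf("%-14s %s\n", 'message', $inMessage ? 'LEAKS argument' : 'clean');
}
```

Running the same script with zend.exception_ignore_args=1 removes the arguments from every frame, but the message still carries the value.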