Skip to content

Key: permit empty keys only with ::empty() factory method#833

Merged
Ocramius merged 2 commits intolcobucci:4.2.xfrom
Slamdunk:no_empty_key
Apr 7, 2022
Merged

Key: permit empty keys only with ::empty() factory method#833
Ocramius merged 2 commits intolcobucci:4.2.xfrom
Slamdunk:no_empty_key

Conversation

@Slamdunk
Copy link
Copy Markdown
Collaborator

@Slamdunk Slamdunk commented Apr 7, 2022
edited
Loading

I consider this a security bug that should be addressed with urgent.

Before this PR, misconfigurations can easily lead to unsecured token issuance under the radar, expecially where creator = consumer.

@Slamdunk Slamdunk requested a review from Ocramius April 7, 2022 06:38
@Ocramius Ocramius added this to the 4.2.0 milestone Apr 7, 2022
@Ocramius
Copy link
Copy Markdown
Collaborator

Ocramius commented Apr 7, 2022

I'd still label it as BC break, but better to have a broken system, than a compromised one.

No need for CVE/security issue, since this is mis-configuration on the consumer side, if it happens: instructions on using safe randomly generated keys were already provided.

@Ocramius Ocramius self-assigned this Apr 7, 2022
Ocramius
Ocramius requested changes Apr 7, 2022
View reviewed changes
Ocramius
Ocramius approved these changes Apr 7, 2022
View reviewed changes
Copy link
Copy Markdown
Collaborator

@Ocramius Ocramius left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Awesome, thanks @Slamdunk!

@Ocramius Ocramius changed the title Key: permit empty keys only with ::empty() factory method Key: permit empty keys only with ::empty() factory method Apr 7, 2022
Ocramius
Ocramius reviewed Apr 7, 2022
View reviewed changes
@Ocramius Ocramius merged commit ae3aac8 into lcobucci:4.2.x Apr 7, 2022
@Slamdunk Slamdunk deleted the no_empty_key branch April 7, 2022 10:51
@Slamdunk Slamdunk mentioned this pull request Apr 7, 2022
Closed
@lcobucci
Copy link
Copy Markdown
Owner

lcobucci commented Apr 8, 2022

IHMO we shouldn't use the baseline to ignore errors we will never fix. That's why we have the annotations to ignore things.

@Ocramius
Copy link
Copy Markdown
Collaborator

Ocramius commented Apr 8, 2022

IHMO we shouldn't use the baseline to ignore errors we will never fix.

We should probably remove the exception, at some point, and only leave the types

@Slamdunk Slamdunk mentioned this pull request Apr 8, 2022
Merged
@chalasr chalasr mentioned this pull request Apr 19, 2022
Merged
@Slamdunk Slamdunk mentioned this pull request Aug 22, 2022
Closed
@pkoenig10 pkoenig10 mentioned this pull request Aug 23, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Ocramius Ocramius Ocramius approved these changes

Assignees

@Ocramius Ocramius

Labels

Improvement Minor BC-break Security

Projects

None yet

Milestone

4.2.0

Development

Successfully merging this pull request may close these issues.

3 participants

@Slamdunk @Ocramius @lcobucci