Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Unclean exception handling in PasswordEncoderInterface::encodePassword() #29650

Closed
umulmrum opened this issue Dec 19, 2018 · 2 comments
Closed

Unclean exception handling in PasswordEncoderInterface::encodePassword() #29650

umulmrum opened this issue Dec 19, 2018 · 2 comments
Labels
Security

Comments

@umulmrum
Copy link
Contributor

Symfony version(s) affected: 2.4+

Description
PasswordEncoderInterface::encodePassword() doesn't declare any exceptions, yet implementations do throw some.

All built-in implementations throw BadCredentialsException if the password is excessively long.

Some implementations also throw LogicExceptions, e.g. Argon2iPasswordEncoder throws it if Argon2i isn't available).

PlaintextPasswordEncoder also throws an InvalidArgumentException if the passed salt contains invalid characters.

Possible Solution
The interface should declare all exceptions implementations are allowed to throw. I think it's safe to say that BadCredentialsException should be added.
Not sure about the others, though. Maybe ignore the fact that LogicExceptions are thrown (if we are quite sure that these exceptions only occur at dev time) and throw BadCredentialsException instead of InvalidArgumentException?
@stof
Copy link
Member

stof commented Dec 19, 2018

Some implementations also throw LogicExceptions, e.g. Argon2iPasswordEncoder throws it if Argon2i isn't available).

Well, that one is not an exception you are meant to catch in places using the encoder, as they are related to a bad configuration of the project.
Saying that we should declare them in the interface would be the same than saying we could throw a TypeError if you pass a wrong argument in a method. That's not something useful for the caller (they should bubble up to the global error handler).

Adding BadCredentialsException might make sense.

@umulmrum
Copy link
Contributor Author

umulmrum commented Jan 4, 2019

OK, so one question is yet open: What to do with the InvalidArgumentException thrown in mergePasswordAndSalt()? This method is called both from encodePassword() and from isPasswordValid().

The easiest (and actually fitting) solution is to also declare it for both methods.

@umulmrum umulmrum mentioned this issue Jan 4, 2019
Merged
chalasr pushed a commit that referenced this issue Jan 31, 2019
minor #29779 [Security] Declare exceptions that are already thrown by…
52a986b 
… implementations (umulmrum)

This PR was merged into the 3.4 branch.

Discussion
----------

[Security] Declare exceptions that are already thrown by implementations

| Q             | A
| ------------- | ---
| Branch?       | 3.4
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #29650
| License       | MIT
| Doc PR        |

Adding exception declarations for PasswordEncoderInterface. I think it's a matter of opinion whether this change is a BC break. The BC promise doesn't cover such a case; I'd see it as a BC break to add exceptions in general, but in this case it's more of a "documentation" issue, as most implementations of the interface have been throwing those exceptions for years.

Commits
-------

f4cc30b Declare exceptions that are already thrown by implementations
@chalasr chalasr closed this as completed Jan 31, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Security
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@stof @xabbuh @umulmrum @chalasr