Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Key: permit empty keys only with ::empty() factory method #833

Merged
merged 2 commits into from
Apr 7, 2022
Merged

Key: permit empty keys only with ::empty() factory method #833

merged 2 commits into from
Apr 7, 2022

Conversation

Slamdunk
Copy link
Collaborator

@Slamdunk Slamdunk commented Apr 7, 2022
edited
Loading

I consider this a security bug that should be addressed with urgent.

Before this PR, misconfigurations can easily lead to unsecured token issuance under the radar, expecially where creator = consumer.

@Slamdunk Slamdunk requested a review from Ocramius April 7, 2022 06:38
@Ocramius Ocramius added this to the 4.2.0 milestone Apr 7, 2022
@Ocramius
Copy link
Sponsor Collaborator

Ocramius commented Apr 7, 2022

I'd still label it as BC break, but better to have a broken system, than a compromised one.

No need for CVE/security issue, since this is mis-configuration on the consumer side, if it happens: instructions on using safe randomly generated keys were already provided.

@Ocramius Ocramius self-assigned this Apr 7, 2022
Ocramius
Ocramius approved these changes Apr 7, 2022
View reviewed changes
Copy link
Sponsor Collaborator

@Ocramius Ocramius left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Awesome, thanks @Slamdunk!

@Ocramius Ocramius changed the title Key: permit empty keys only with ::empty() factory method Key: permit empty keys only with ::empty() factory method Apr 7, 2022
@Ocramius Ocramius merged commit ae3aac8 into lcobucci:4.2.x Apr 7, 2022
@Slamdunk Slamdunk deleted the no_empty_key branch April 7, 2022 10:51
@Slamdunk Slamdunk mentioned this pull request Apr 7, 2022
Closed
@lcobucci
Copy link
Owner

lcobucci commented Apr 8, 2022

IHMO we shouldn't use the baseline to ignore errors we will never fix. That's why we have the annotations to ignore things.

@Ocramius
Copy link
Sponsor Collaborator

Ocramius commented Apr 8, 2022

IHMO we shouldn't use the baseline to ignore errors we will never fix.

We should probably remove the exception, at some point, and only leave the types

@Slamdunk Slamdunk mentioned this pull request Apr 8, 2022
Merged
@chalasr chalasr mentioned this pull request Apr 19, 2022
Merged
@Slamdunk Slamdunk mentioned this pull request Aug 22, 2022
Closed
@pkoenig10 pkoenig10 mentioned this pull request Aug 23, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Ocramius Ocramius Ocramius approved these changes

Assignees

@Ocramius Ocramius

Labels
Improvement Minor BC-break Security
Projects
None yet
Milestone
4.2.0
Development

Successfully merging this pull request may close these issues.
3 participants
@Slamdunk @Ocramius @lcobucci