Support the actual #[\SensitiveParameter] attribute in stubs (php#8836)

Author: TimWolla

Diff for: Zend/zend_attributes.h

@@ -117,19 +117,6 @@ static zend_always_inline zend_attribute *zend_add_class_constant_attribute(zend
 	return zend_add_attribute(&c->attributes, name, argc, flags, 0, 0);
 }
 
-static zend_always_inline zend_attribute *zend_mark_function_parameter_as_sensitive(const HashTable *table, const char *func_name, uint32_t parameter)
-{
-	zend_function *func = zend_hash_str_find_ptr(table, func_name, strlen(func_name));
-	ZEND_ASSERT(func != NULL);
-
-	return zend_add_parameter_attribute(
-		func,
-		parameter,
-		zend_ce_sensitive_parameter->name,
-		0
-	);
-}
-
 void zend_register_attribute_ce(void);
 void zend_attributes_shutdown(void);
 

Diff for: build/gen_stub.php

@@ -815,33 +815,35 @@ class ArgInfo {
     public $phpDocType;
     /** @var string|null */
     public $defaultValue;
-    /** @var bool */
-    public $isSensitive;
+    /** @var AttributeInfo[] */
+    public $attributes;
 
+    /**
+     * @param AttributeInfo[] $attributes
+     */
     public function __construct(
         string $name,
         int $sendBy,
         bool $isVariadic,
         ?Type $type,
         ?Type $phpDocType,
         ?string $defaultValue,
-        bool $isSensitive
+        array $attributes
     ) {
         $this->name = $name;
         $this->sendBy = $sendBy;
         $this->isVariadic = $isVariadic;
         $this->setTypes($type, $phpDocType);
         $this->defaultValue = $defaultValue;
-        $this->isSensitive = $isSensitive;
+        $this->attributes = $attributes;
     }
 
     public function equals(ArgInfo $other): bool {
         return $this->name === $other->name
             && $this->sendBy === $other->sendBy
             && $this->isVariadic === $other->isVariadic
             && Type::equals($this->type, $other->type)
-            && $this->defaultValue === $other->defaultValue
-            && $this->isSensitive === $other->isSensitive;
+            && $this->defaultValue === $other->defaultValue;
     }
 
     public function getSendByString(): string {
@@ -2570,7 +2572,7 @@ function (Name $item) {
             }
         }
 
-        if ($attributeInitializationCode = generateAttributeInitialization($this->funcInfos, $this->cond)) {
+        if ($attributeInitializationCode = generateAttributeInitialization($this->funcInfos, $this->cond, $allConstInfos)) {
             if (!$php82MinimumCompatibility) {
                 $code .= "#if (PHP_VERSION_ID >= " . PHP_82_VERSION_ID . ")\n";
             }
@@ -3151,7 +3153,7 @@ public function getVariableName(): string {
 
         if ($this->name === "param") {
             preg_match('/^\s*[\w\|\\\\\[\]]+\s*\$(\w+).*$/', $value, $matches);
-        } elseif ($this->name === "prefer-ref" || $this->name === "sensitive-param") {
+        } elseif ($this->name === "prefer-ref") {
             preg_match('/^\s*\$(\w+).*$/', $value, $matches);
         }
 
@@ -3242,7 +3244,6 @@ function parseFunctionLike(
                         break;
 
                     case 'prefer-ref':
-                    case 'sensitive-param':
                         $varName = $tag->getVariableName();
                         if (!isset($paramMeta[$varName])) {
                             $paramMeta[$varName] = [];
@@ -3260,7 +3261,12 @@ function parseFunctionLike(
         foreach ($func->getParams() as $i => $param) {
             $varName = $param->var->name;
             $preferRef = !empty($paramMeta[$varName]['prefer-ref']);
-            $isSensitive = !empty($paramMeta[$varName]['sensitive-param']);
+            $attributes = [];
+            foreach ($param->attrGroups as $attrGroup) {
+                foreach ($attrGroup->attrs as $attr) {
+                    $attributes[] = new AttributeInfo($attr->name->toString(), $attr->args);
+                }
+            }
             unset($paramMeta[$varName]);
 
             if (isset($varNameSet[$varName])) {
@@ -3308,7 +3314,7 @@ function parseFunctionLike(
                 $type,
                 isset($docParamTypes[$varName]) ? Type::fromString($docParamTypes[$varName]) : null,
                 $param->default ? $prettyPrinter->prettyPrintExpr($param->default) : null,
-                $isSensitive
+                $attributes
             );
             if (!$param->default && !$param->variadic) {
                 $numRequiredArgs = $i + 1;
@@ -3962,7 +3968,7 @@ static function (FuncInfo $funcInfo) use ($fileInfo, &$generatedFunctionDeclarat
     }
 
     if ($fileInfo->generateClassEntries) {
-        $attributeInitializationCode = generateAttributeInitialization($fileInfo->funcInfos);
+        $attributeInitializationCode = generateAttributeInitialization($fileInfo->funcInfos, null, $allConstInfos);
 
         if ($attributeInitializationCode !== "" || !empty($fileInfo->constInfos)) {
             $code .= "\nstatic void register_{$stubFilenameWithoutExtension}_symbols(int module_number)\n";
@@ -4029,25 +4035,23 @@ function generateFunctionEntries(?Name $className, array $funcInfos, ?string $co
 /**
  * @param iterable<FuncInfo> $funcInfos
  */
-function generateAttributeInitialization(iterable $funcInfos, ?string $parentCond = null): string {
+function generateAttributeInitialization(iterable $funcInfos, ?string $parentCond = null, iterable $allConstInfos): string {
     return generateCodeWithConditions(
         $funcInfos,
         "",
-        static function (FuncInfo $funcInfo) {
+        static function (FuncInfo $funcInfo) use ($allConstInfos) {
             $code = null;
 
             foreach ($funcInfo->args as $index => $arg) {
-                if (!$arg->isSensitive) {
-                    continue;
-                }
-
                 if ($funcInfo->name instanceof MethodName) {
                     $functionTable = "&class_entry->function_table";
                 } else {
                     $functionTable = "CG(function_table)";
                 }
 
-                $code .= "\tzend_mark_function_parameter_as_sensitive($functionTable, \"" . $funcInfo->name->getNameForAttributes() . "\", $index);\n";
+                foreach ($arg->attributes as $attribute) {
+                    $code .= $attribute->generateCode("zend_add_parameter_attribute(zend_hash_str_find_ptr($functionTable, \"" . $funcInfo->name->getNameForAttributes() . "\", sizeof(\"" . $funcInfo->name->getNameForAttributes() . "\") - 1), $index", "{$funcInfo->name->getMethodSynopsisFilename()}_arg{$index}", $allConstInfos);
+                }
             }
 
             return $code;

Diff for: ext/ftp/ftp.stub.php

@@ -75,8 +75,7 @@ function ftp_connect(string $hostname, int $port = 21, int $timeout = 90): FTP\C
     function ftp_ssl_connect(string $hostname, int $port = 21, int $timeout = 90): FTP\Connection|false {}
     #endif
 
-    /** @sensitive-param $password */
-    function ftp_login(FTP\Connection $ftp, string $username, string $password): bool {}
+    function ftp_login(FTP\Connection $ftp, string $username, #[\SensitiveParameter] string $password): bool {}
     function ftp_pwd(FTP\Connection $ftp): string|false {}
     function ftp_cdup(FTP\Connection $ftp): bool {}
     function ftp_chdir(FTP\Connection $ftp, string $directory): bool {}

Diff for: ext/ftp/ftp_arginfo.h

@@ -15,22 +15,19 @@ function hash(string $algo, string $data, bool $binary = false, array $options =
 function hash_file(string $algo, string $filename, bool $binary = false, array $options = []): string|false {}
 
 /**
- * @sensitive-param $key
  * @refcount 1
  */
-function hash_hmac(string $algo, string $data, string $key, bool $binary = false): string {}
+function hash_hmac(string $algo, string $data, #[\SensitiveParameter] string $key, bool $binary = false): string {}
 
 /**
- * @sensitive-param $key
  * @refcount 1
  */
-function hash_hmac_file(string $algo, string $filename, string $key, bool $binary = false): string|false {}
+function hash_hmac_file(string $algo, string $filename, #[\SensitiveParameter] string $key, bool $binary = false): string|false {}
 
 /**
- * @sensitive-param $key
  * @refcount 1
  */
-function hash_init(string $algo, int $flags = 0, string $key = "", array $options = []): HashContext {}
+function hash_init(string $algo, int $flags = 0, #[\SensitiveParameter] string $key = "", array $options = []): HashContext {}
 
 function hash_update(HashContext $context, string $data): bool {}
 
@@ -59,22 +56,16 @@ function hash_algos(): array {}
 function hash_hmac_algos(): array {}
 
 /**
- * @sensitive-param $password
  * @refcount 1
  */
-function hash_pbkdf2(string $algo, string $password, string $salt, int $iterations, int $length = 0, bool $binary = false): string {}
+function hash_pbkdf2(string $algo, #[\SensitiveParameter] string $password, string $salt, int $iterations, int $length = 0, bool $binary = false): string {}
 
-/**
- * @sensitive-param $known_string
- * @sensitive-param $user_string
- */
-function hash_equals(string $known_string, string $user_string): bool {}
+function hash_equals(#[\SensitiveParameter] string $known_string, #[\SensitiveParameter] string $user_string): bool {}
 
 /**
- * @sensitive-param $key
  * @refcount 1
  */
-function hash_hkdf(string $algo, string $key, int $length = 0, string $info = "", string $salt = ""): string {}
+function hash_hkdf(string $algo, #[\SensitiveParameter] string $key, int $length = 0, string $info = "", string $salt = ""): string {}
 
 #ifdef PHP_MHASH_BC
 /** @deprecated */

Diff for: ext/hash/hash.stub.php

@@ -405,8 +405,7 @@
      */
     const IMAP_GC_TEXTS = UNKNOWN;
 
-    /** @sensitive-param $password */
-    function imap_open(string $mailbox, string $user, string $password, int $flags = 0, int $retries = 0, array $options = []): IMAP\Connection|false {}
+    function imap_open(string $mailbox, string $user, #[\SensitiveParameter] string $password, int $flags = 0, int $retries = 0, array $options = []): IMAP\Connection|false {}
 
     function imap_reopen(IMAP\Connection $imap, string $mailbox, int $flags = 0, int $retries = 0): bool {}
 

Diff for: ext/hash/hash_arginfo.h

@@ -610,10 +610,7 @@
 #endif
 
     #ifdef HAVE_ORALDAP
-    /**
-     * @sensitive-param $password
-     */
-    function ldap_connect(?string $uri = null, int $port = 389, string $wallet = UNKNOWN, string $password = UNKNOWN, int $auth_mode = GSLC_SSL_NO_AUTH): LDAP\Connection|false {}
+    function ldap_connect(?string $uri = null, int $port = 389, string $wallet = UNKNOWN, #[\SensitiveParameter] string $password = UNKNOWN, int $auth_mode = GSLC_SSL_NO_AUTH): LDAP\Connection|false {}
     #else
     function ldap_connect(?string $uri = null, int $port = 389): LDAP\Connection|false {}
     #endif
@@ -623,21 +620,12 @@ function ldap_unbind(LDAP\Connection $ldap): bool {}
     /** @alias ldap_unbind */
     function ldap_close(LDAP\Connection $ldap): bool {}
 
-    /**
-     * @sensitive-param $password
-     */
-    function ldap_bind(LDAP\Connection $ldap, ?string $dn = null, ?string $password = null): bool {}
+    function ldap_bind(LDAP\Connection $ldap, ?string $dn = null, #[\SensitiveParameter] ?string $password = null): bool {}
 
-    /**
-     * @sensitive-param $password
-     */
-    function ldap_bind_ext(LDAP\Connection $ldap, ?string $dn = null, ?string $password = null, ?array $controls = null): LDAP\Result|false {}
+    function ldap_bind_ext(LDAP\Connection $ldap, ?string $dn = null, #[\SensitiveParameter] ?string $password = null, ?array $controls = null): LDAP\Result|false {}
 
     #ifdef HAVE_LDAP_SASL
-    /**
-     * @sensitive-param $password
-     */
-    function ldap_sasl_bind(LDAP\Connection $ldap, ?string $dn = null, ?string $password = null, ?string $mech = null, ?string $realm = null, ?string $authc_id = null, ?string $authz_id = null, ?string $props = null): bool {}
+    function ldap_sasl_bind(LDAP\Connection $ldap, ?string $dn = null, #[\SensitiveParameter] ?string $password = null, ?string $mech = null, ?string $realm = null, ?string $authc_id = null, ?string $authz_id = null, ?string $props = null): bool {}
     #endif
 
     /** @param LDAP\Connection|array $ldap */
@@ -791,10 +779,8 @@ function ldap_exop(LDAP\Connection $ldap, string $request_oid, ?string $request_
     #ifdef HAVE_LDAP_PASSWD
     /**
      * @param array $controls
-     * @sensitive-param $old_password
-     * @sensitive-param $new_password
      */
-    function ldap_exop_passwd(LDAP\Connection $ldap, string $user = "", string $old_password = "", string $new_password = "", &$controls = null): string|bool {}
+    function ldap_exop_passwd(LDAP\Connection $ldap, string $user = "", #[\SensitiveParameter] string $old_password = "", #[\SensitiveParameter] string $new_password = "", &$controls = null): string|bool {}
     #endif