[FrameworkBundle] Never hash the empty decryption key to compute kernel.secret

nicolas-grekas · nicolas-grekas · commit 68ece90b3478 · 2024-09-30T17:23:31.000+02:00
diff --git a/Secrets/SodiumVault.php b/Secrets/SodiumVault.php
@@ -114,7 +114,7 @@ public function reveal(string $name): ?string
 
         $this->loadKeys();
 
-        if ('' === $this->decryptionKey) {
+        if ('' === $this->decryptionKey = (string) $this->decryptionKey) {
             $this->lastMessage = \sprintf('Secret "%s" cannot be revealed as no decryption key was found in "%s".', $name, $this->getPrettyPath(\dirname($this->pathPrefix).\DIRECTORY_SEPARATOR));
 
             return null;
@@ -181,8 +181,8 @@ public function loadEnvVars(): array
         }
 
         if ($this->derivedSecretEnvVar && !\array_key_exists($this->derivedSecretEnvVar, $envs)) {
-            $decryptionKey = $this->decryptionKey;
-            $envs[$this->derivedSecretEnvVar] = LazyString::fromCallable(static fn () => base64_encode(hash('sha256', $decryptionKey, true)));
+            $k = $this->decryptionKey;
+            $envs[$this->derivedSecretEnvVar] = LazyString::fromCallable(static fn () => '' !== ($k = (string) $k) ? base64_encode(hash('sha256', $k, true)) : '');
         }
 
         return $envs;
diff --git a/Tests/Secrets/SodiumVaultTest.php b/Tests/Secrets/SodiumVaultTest.php
@@ -14,6 +14,7 @@
 use PHPUnit\Framework\TestCase;
 use Symfony\Bundle\FrameworkBundle\Secrets\SodiumVault;
 use Symfony\Component\Filesystem\Filesystem;
+use Symfony\Component\String\LazyString;
 
 /**
  * @requires extension sodium
@@ -84,4 +85,17 @@ public function testDerivedSecretEnvVar()
 
         $this->assertSame(['FOO', 'MY_SECRET'], array_keys($vault->loadEnvVars()));
     }
+
+    public function testEmptySecretEnvVar()
+    {
+        $vault = new SodiumVault($this->secretsDir, '', 'MY_SECRET');
+        $envVars = $vault->loadEnvVars();
+        $envVars['MY_SECRET'] = (string) $envVars['MY_SECRET'];
+        $this->assertSame(['MY_SECRET' => ''], $envVars);
+
+        $vault = new SodiumVault($this->secretsDir, LazyString::fromCallable(fn () => ''), 'MY_SECRET');
+        $envVars = $vault->loadEnvVars();
+        $envVars['MY_SECRET'] = (string) $envVars['MY_SECRET'];
+        $this->assertSame(['MY_SECRET' => ''], $envVars);
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -114,7 +114,7 @@ public function reveal(string $name): ?string`
`114`	`114`
`115`	`115`	`$this->loadKeys();`
`116`	`116`
`117`		`- if ('' === $this->decryptionKey) {`
	`117`	`+ if ('' === $this->decryptionKey = (string) $this->decryptionKey) {`
`118`	`118`	`$this->lastMessage = \sprintf('Secret "%s" cannot be revealed as no decryption key was found in "%s".', $name, $this->getPrettyPath(\dirname($this->pathPrefix).\DIRECTORY_SEPARATOR));`
`119`	`119`
`120`	`120`	`return null;`
`@@ -181,8 +181,8 @@ public function loadEnvVars(): array`
`181`	`181`	`}`
`182`	`182`
`183`	`183`	`if ($this->derivedSecretEnvVar && !\array_key_exists($this->derivedSecretEnvVar, $envs)) {`
`184`		`- $decryptionKey = $this->decryptionKey;`
`185`		`- $envs[$this->derivedSecretEnvVar] = LazyString::fromCallable(static fn () => base64_encode(hash('sha256', $decryptionKey, true)));`
	`184`	`+ $k = $this->decryptionKey;`
	`185`	`+ $envs[$this->derivedSecretEnvVar] = LazyString::fromCallable(static fn () => '' !== ($k = (string) $k) ? base64_encode(hash('sha256', $k, true)) : '');`
`186`	`186`	`}`
`187`	`187`
`188`	`188`	`return $envs;`