탐색 도움말
로그인
chiappa
/
irdb
의 미러 https://git.snix.ch/chiappa/irdb.git
1
0
포크 0
파일 이슈 0
트리: dd4f688f77
브랜치 태그
irdb
/
api
/
tests
/
Unit
/
Logging
/
SafeTraceTest.php

SafeTraceTest.php 2.4 KB
히스토리 Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980 
  1. <?php
    2. 

  2. 

  3. declare(strict_types=1);
    4. 

  4. 

  5. namespace App\Tests\Unit\Logging;
    6. 

  6. 

  7. use App\Infrastructure\Logging\SafeTrace;
    8. 

  8. use PHPUnit\Framework\TestCase;
    9. 

  9. use RuntimeException;
    10. 

  10. use Throwable;
    11. 

  11. 

  12. /**
    13. 

  13.  * Regression test for SEC_REVIEW F21: PHP's getTraceAsString() inlines
    14. 

  14.  * scalar args into each frame, which leaks plaintext secrets when an
    15. 

  15.  * exception is thrown from inside `password_verify`, an OIDC token
    16. 

  16.  * validation call, etc. SafeTrace must drop args entirely.
    17. 

  17.  */
    18. 

  18. final class SafeTraceTest extends TestCase
    19. 

  19. {
    20. 

  20.     public function testFormattedTraceDoesNotContainArgs(): void
    21. 

  21.     {
    22. 

  22.         $secret = 'super-plaintext-password-please-do-not-leak';
    23. 

  23.         $caught = $this->capture(fn () => $this->throwWithSecret($secret));
    24. 

  24. 

  25.         $trace = SafeTrace::format($caught);
    26. 

  26. 

  27.         self::assertStringNotContainsString($secret, $trace);
    28. 

  28.         self::assertStringContainsString('throwWithSecret', $trace);
    29. 

  29.     }
    30. 

  30. 

  31.     public function testFormattedTraceWalksPreviousChain(): void
    32. 

  32.     {
    33. 

  33.         $innerSecret = 'inner-secret-123';
    34. 

  34.         $outerSecret = 'outer-secret-456';
    35. 

  35. 

  36.         $caught = $this->capture(function () use ($innerSecret, $outerSecret): void {
    37. 

  37.             try {
    38. 

  38.                 $this->throwWithSecret($innerSecret);
    39. 

  39.             } catch (Throwable $inner) {
    40. 

  40.                 $this->wrap($outerSecret, $inner);
    41. 

  41.             }
    42. 

  42.         });
    43. 

  43. 

  44.         $trace = SafeTrace::format($caught);
    45. 

  45.         self::assertStringNotContainsString($innerSecret, $trace);
    46. 

  46.         self::assertStringNotContainsString($outerSecret, $trace);
    47. 

  47.         self::assertStringContainsString('Caused by', $trace);
    48. 

  48.     }
    49. 

  49. 

  50.     public function testFrameLayoutResemblesPhpNativeFormat(): void
    51. 

  51.     {
    52. 

  52.         $caught = $this->capture(fn () => $this->throwWithSecret('x'));
    53. 

  53. 

  54.         $trace = SafeTrace::format($caught);
    55. 

  55. 

  56.         // Numbered frames, file(line) suffix, class::method() call, then {main}.
    57. 

  57.         self::assertMatchesRegularExpression('/^#0 .+\(\d+\): .+\(\)$/m', $trace);
    58. 

  58.         self::assertStringEndsWith('{main}', $trace);
    59. 

  59.     }
    60. 

  60. 

  61.     private function capture(callable $fn): Throwable
    62. 

  62.     {
    63. 

  63.         try {
    64. 

  64.             $fn();
    65. 

  65.         } catch (Throwable $e) {
    66. 

  66.             return $e;
    67. 

  67.         }
    68. 

  68.         self::fail('expected callable to throw');
    69. 

  69.     }
    70. 

  70. 

  71.     private function throwWithSecret(string $secret): never
    72. 

  72.     {
    73. 

  73.         throw new RuntimeException('boom');
    74. 

  74.     }
    75. 

  75. 

  76.     private function wrap(string $secret, Throwable $inner): never
    77. 

  77.     {
    78. 

  78.         throw new RuntimeException('outer', 0, $inner);
    79. 

  79.     }
    80. 

  80. }
    81.