
Serialization of 'SensitiveParameterValue' is not allowed #13

@hosni

Description

Hi guys,
First, thanks for your amazing work here.
As you know, PHP 8.2 introduced SensitiveParameter and SensitiveParameterValue.

In PHP 8.2 and later, it is possible to mark sensitive parameters with a PHP attribute named SensitiveParameter, which makes PHP redact the sensitive information from the stack trace.

Now, the mysqli constructor uses this for the password parameter, and we use MySQLi in MysqliDB.php:

        $log->info('connect to '.$this->username.'@'.$this->host.':'.$this->port.'/'.$this->db);
        $this->_mysqli = @new \mysqli($this->host, $this->username, $this->password, $this->db, $this->port);

But the problem comes into the party when we run a packages\base\Process instance and it faces an exception of type mysqli_sql_exception (in my case), or generally any exception that contains an object that uses SensitiveParameter.
Because we try to serialize the result of the process and save it to our Process instance, we get this exception:

Throwable: Exception: Serialization of 'SensitiveParameterValue' is not allowed in /var/www/html/packages/base/libraries/db/dbObject.php:958
Stack trace:
#0 /var/www/html/packages/base/libraries/db/dbObject.php(958): serialize(Object(mysqli_sql_exception))
#1 /var/www/html/packages/base/libraries/db/dbObject.php(359): packages\base\db\DBObject->prepareData()
#2 /var/www/html/packages/base/libraries/db/dbObject.php(390): packages\base\db\DBObject->update(NULL)
#3 /var/www/html/packages/base/libraries/background/Process.php(184): packages\base\db\DBObject->save()
#4 /var/www/html/packages/base/libraries/router/router.php(448): packages\base\Process->run()
#5 /var/www/html/index.php(41): packages\base\Router::routing()
#6 {main}
Exception Object
(
    [message:protected] => Serialization of 'SensitiveParameterValue' is not allowed
    [string:Exception:private] => Exception: Serialization of 'SensitiveParameterValue' is not allowed in /var/www/html/packages/base/libraries/db/dbObject.php:958
Stack trace:
#0 /var/www/html/packages/base/libraries/db/dbObject.php(958): serialize(Object(mysqli_sql_exception))
#1 /var/www/html/packages/base/libraries/db/dbObject.php(359): packages\base\db\DBObject->prepareData()
#2 /var/www/html/packages/base/libraries/db/dbObject.php(390): packages\base\db\DBObject->update(NULL)
#3 /var/www/html/packages/base/libraries/background/Process.php(184): packages\base\db\DBObject->save()
#4 /var/www/html/packages/base/libraries/router/router.php(448): packages\base\Process->run()
#5 /var/www/html/index.php(41): packages\base\Router::routing()
#6 {main}
    [code:protected] => 0
    [file:protected] => /var/www/html/packages/base/libraries/db/dbObject.php
    [line:protected] => 958
    [trace:Exception:private] => Array
        (
            [0] => Array
                (
                    [file] => /var/www/html/packages/base/libraries/db/dbObject.php
                    [line] => 958
                    [function] => serialize
                    [args] => Array
                        (
                            [0] => mysqli_sql_exception Object
                                (
                                    [message:protected] => Too many connections
                                    [string:Exception:private] => 
                                    [code:protected] => 1040
                                    [file:protected] => /var/www/html/packages/base/libraries/db/MysqliDb.php
                                    [line:protected] => 330
                                    [trace:Exception:private] => Array
                                        (
                                            [0] => Array
                                                (
                                                    [file] => /var/www/html/packages/base/libraries/db/MysqliDb.php
                                                    [line] => 330
                                                    [function] => __construct
                                                    [class] => mysqli
                                                    [type] => ->
                                                    [args] => Array
                                                        (
                                                            [0] => mariadb
                                                            [1] => root
                                                            [2] => SensitiveParameterValue Object

                                                            [3] => jalno
                                                            [4] => 3306
                                                        )

                                                )

                                            [1] => Array
                                                (
                                                    [file] => /var/www/html/packages/base/libraries/db/MysqliDb.php
                                                    [line] => 356
                                                    [function] => connect
                                                    [class] => packages\base\db\MysqliDb
                                                    [type] => ->
                                                    [args] => Array
                                                        (
                                                        )

                                                )

                                              .
                                              .
                                              .

This is undocumented behavior of PHP, and we didn't know about it!
So now we should take action on it!

For future action, think of the SensitiveParameterValue synopsis like this:

final class SensitiveParameterValue {  
  private readonly mixed $value;

  public function __construct(mixed $value) {
    $this->value = $value;
  }

  public function getValue(): mixed {
    return $this->value;
  }

  public function __debugInfo(): array {
    return [];
  }

  public function __serialize(): array { 
    throw new \Exception("Serialization of 'SensitiveParameterValue' is not allowed");
  }

  public function __unserialize(array $data): void {
    throw new \Exception("Unserialization of 'SensitiveParameterValue' is not allowed");
  }
}

It's a final class, and it cannot be serialized or unserialized.
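The following is an added example, not code from this project or from the issue author. It reproduces the failure described above with a hypothetical connect() function that stands in for mysqli::__construct (its $password parameter is marked #[\SensitiveParameter]), and then shows one way a Process could store the exception anyway: flatten the Throwable into plain scalars and arrays before calling serialize(), dropping the trace args that carry the SensitiveParameterValue objects. It assumes zend.exception_ignore_args is Off, as in the reported environment, since the args only end up in the trace when that setting is Off; with it On the reproduction step serializes without error and the helper is simply harmless.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for mysqli::__construct: the password is marked
// #[\SensitiveParameter], and the call fails like a "Too many connections" error.
function connect(string $host, string $user, #[\SensitiveParameter] string $password): void
{
    throw new RuntimeException('Too many connections', 1040);
}

// Reproduce the issue: serialize() of a Throwable whose trace args hold a
// SensitiveParameterValue throws a plain Exception (the one quoted in the issue).
function reproduce(): string
{
    try {
        connect('mariadb', 'root', 's3cret');
    } catch (RuntimeException $e) {
        try {
            serialize($e);
            return 'serialized fine (zend.exception_ignore_args is probably On)';
        } catch (Exception $inner) {
            return $inner->getMessage();
        }
    }
    return 'unreachable';
}

// Flatten a Throwable into data that serialize() always accepts.
// getTraceAsString() already renders redacted arguments as
// Object(SensitiveParameterValue), so nothing secret leaks into the stored copy.
function exceptionToArray(Throwable $e): array
{
    $out = [
        'class'   => get_class($e),
        'message' => $e->getMessage(),
        'code'    => $e->getCode(),
        'file'    => $e->getFile(),
        'line'    => $e->getLine(),
        'trace'   => $e->getTraceAsString(),
    ];
    if ($prev = $e->getPrevious()) {
        $out['previous'] = exceptionToArray($prev); // chained causes, recursively
    }
    return $out;
}

// Alternative when structured frames are wanted: keep the frames, drop the args.
function traceWithoutArgs(Throwable $e): array
{
    return array_map(function (array $frame): array {
        unset($frame['args']);
        return $frame;
    }, $e->getTrace());
}

echo reproduce(), PHP_EOL;

try {
    connect('mariadb', 'root', 's3cret');
} catch (RuntimeException $e) {
    $payload = serialize(exceptionToArray($e)); // no longer throws
    // allowed_classes => false: the stored payload is pure data, so refuse to
    // instantiate any object on the way back in.
    $restored = unserialize($payload, ['allowed_classes' => false]);
    echo $restored['class'], ': ', $restored['message'], ' (', $restored['code'], ')', PHP_EOL;
    echo $restored['trace'], PHP_EOL;
    echo count(traceWithoutArgs($e)), ' frame(s) kept without args', PHP_EOL;
}
```

The same failure can be checked for any value before it is persisted by wrapping serialize() in try/catch as reproduce() does, since SensitiveParameterValue is final and its __serialize() always throws; storing a flattened copy rather than the exception object is the robust fix, because the redaction is working as intended and the application should not try to undo it.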
