refactor: add #[SensitiveParameter] whenever necessary

patel-vansh · patel-vansh · commit 6a8694fedbeb · 2025-12-23T14:08:33.000+05:30
diff --git a/system/Encryption/Handlers/OpenSSLHandler.php b/system/Encryption/Handlers/OpenSSLHandler.php
@@ -14,6 +14,7 @@
 namespace CodeIgniter\Encryption\Handlers;
 
 use CodeIgniter\Encryption\Exceptions\EncryptionException;
+use SensitiveParameter;
 
 /**
  * Encryption handling for OpenSSL library
@@ -84,7 +85,7 @@ class OpenSSLHandler extends BaseHandler
     /**
      * {@inheritDoc}
      */
-    public function encrypt($data, $params = null)
+    public function encrypt(#[SensitiveParameter] $data, #[SensitiveParameter] $params = null)
     {
         // Allow key override
         if ($params !== null) {
@@ -120,7 +121,7 @@ public function encrypt($data, $params = null)
     /**
      * {@inheritDoc}
      */
-    public function decrypt($data, $params = null)
+    public function decrypt($data, #[SensitiveParameter] $params = null)
     {
         // Allow key override
         if ($params !== null) {
@@ -169,7 +170,7 @@ public function decrypt($data, $params = null)
      *
      * @throws EncryptionException
      */
-    protected function decryptWithKey($data, $key)
+    protected function decryptWithKey($data, #[SensitiveParameter] $key)
     {
         // derive a secret key
         $authKey = \hash_hkdf($this->digest, $key, 0, $this->authKeyInfo);
diff --git a/system/Encryption/Handlers/SodiumHandler.php b/system/Encryption/Handlers/SodiumHandler.php
@@ -14,6 +14,7 @@
 namespace CodeIgniter\Encryption\Handlers;
 
 use CodeIgniter\Encryption\Exceptions\EncryptionException;
+use SensitiveParameter;
 
 /**
  * SodiumHandler uses libsodium in encryption.
@@ -45,7 +46,7 @@ class SodiumHandler extends BaseHandler
     /**
      * {@inheritDoc}
      */
-    public function encrypt($data, $params = null)
+    public function encrypt(#[SensitiveParameter] $data, #[SensitiveParameter] $params = null)
     {
         $this->parseParams($params);
 
@@ -76,7 +77,7 @@ public function encrypt($data, $params = null)
     /**
      * {@inheritDoc}
      */
-    public function decrypt($data, $params = null)
+    public function decrypt($data, #[SensitiveParameter] $params = null)
     {
         $this->parseParams($params);
 
@@ -124,7 +125,7 @@ public function decrypt($data, $params = null)
      *
      * @throws EncryptionException
      */
-    protected function decryptWithKey($data, $key)
+    protected function decryptWithKey($data, #[SensitiveParameter] $key)
     {
         if (mb_strlen($data, '8bit') < (SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES)) {
             // message was truncated
@@ -165,7 +166,7 @@ protected function decryptWithKey($data, $key)
      *
      * @throws EncryptionException If key is empty
      */
-    protected function parseParams($params)
+    protected function parseParams(#[SensitiveParameter] $params)
     {
         if ($params === null) {
             return;
