Fixed decrypt method if a non hash is informed

Author: brenno-duarte

CHANGELOG.md

@@ -1,5 +1,13 @@
 # Released Notes
 
+## v3.1.4 - (2024-09-12)
+
+### Fixed
+
+- Fixed `decrypt` method if a non hash is informed
+
+-----------------------------------------------------------
+
 ## v3.1.3 - (2024-08-25)
 
 ### Added

composer.json

@@ -12,7 +12,7 @@
         "paragonie/sodium_compat": "^1.20"
     },
     "require-dev": {
-        "phpunit/phpunit": "^10"
+        "phpunit/phpunit": "^11"
     },
     "autoload": {
         "psr-4": {

src/Encrypt/Adapter/OpenSslEncryption.php

@@ -40,31 +40,40 @@ public function __construct(string $key)
     }
 
     /**
-     * Encrypt the message.
-     *
-     * @param mixed $data => data to be encrypted
-     *
-     * @return mixed
+     * {@inheritDoc}
      */
     public function encrypt(mixed $data): mixed
     {
         return base64_encode(
-            openssl_encrypt($data, $this->cipher, $this->key, 0, $this->iv) . '&&' . bin2hex($this->iv)
+            openssl_encrypt(
+                $data,
+                $this->cipher,
+                $this->key,
+                0,
+                $this->iv
+            ) . '&&' . bin2hex($this->iv)
         );
     }
 
     /**
-     * Decrypt the message.
-     *
-     * @param mixed $token => encrypted token
-
-     * @return string|bool
+     * {@inheritDoc}
      */
     public function decrypt(mixed $token): string|bool
     {
         $token = base64_decode($token);
-        list($token, $this->iv) = explode('&&', $token);
-        return openssl_decrypt($token, $this->cipher, $this->key, 0, hex2bin($this->iv));
+        $explode_value = explode('&&', $token);
+        if (!array_key_exists(1, $explode_value)) return false;
+
+        list($token, $this->iv) = $explode_value;
+        if (!$this->isHex($this->iv)) return false;
+
+        return openssl_decrypt(
+            $token,
+            $this->cipher,
+            $this->key,
+            0,
+            hex2bin($this->iv)
+        );
     }
 
     /**
@@ -78,4 +87,16 @@ protected function ivBytes(string $method): int
     {
         return openssl_cipher_iv_length($method);
     }
+
+    /**
+     * Check if String Is a Hexadecimal Value
+     *
+     * @param string $str
+     * 
+     * @return bool
+     */
+    private function isHex(string $str): bool
+    {
+        return preg_match('/^(?:0x)?[a-f0-9]{1,}$/i', $str);
+    }
 }

src/Encrypt/Adapter/SodiumEncryption.php

@@ -28,40 +28,53 @@ public function __construct(string $key)
     }
 
     /**
-     * Encrypt the message.
-     *
-     * @param string $data data to be encrypted
-     * 
-     * @return mixed
+     * {@inheritDoc}
      */
     public function encrypt(mixed $data): mixed
     {
         $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
-        $token = base64_encode($nonce . sodium_crypto_secretbox($data, $nonce, $this->key) . '&&' . $this->key);
-        return $token;
+        return base64_encode(
+            $nonce . sodium_crypto_secretbox(
+                $data,
+                $nonce,
+                $this->key
+            ) . '&&' . $this->key
+        );
     }
 
     /**
-     * Decrypt the message.
-     *
-     * @param mixed $token encrypted token
-
-     * @return mixed
+     * {@inheritDoc}
      */
     public function decrypt(mixed $token): mixed
     {
         $decoded = base64_decode($token);
-        list($decoded, $this->key) = explode('&&', $decoded);
+        $explode_value = explode('&&', $decoded);
+        if (!array_key_exists(1, $explode_value)) return false;
+
+        list($decoded, $this->key) = $explode_value;
         if ($decoded === false) throw new \Exception('The decoding failed');
 
         if (
-            mb_strlen($decoded, '8bit') < (SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES)
+            mb_strlen($decoded, '8bit') <
+            (SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES)
         ) {
             throw new \Exception('The token was truncated');
         }
 
-        $nonce = mb_substr($decoded, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES, '8bit');
-        $ciphertext = mb_substr($decoded, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES, null, '8bit');
+        $nonce = mb_substr(
+            $decoded,
+            0,
+            SODIUM_CRYPTO_SECRETBOX_NONCEBYTES,
+            '8bit'
+        );
+
+        $ciphertext = mb_substr(
+            $decoded,
+            SODIUM_CRYPTO_SECRETBOX_NONCEBYTES,
+            null,
+            '8bit'
+        );
+
         $plain = sodium_crypto_secretbox_open($ciphertext, $nonce, $this->key);
         if ($plain === false) throw new \Exception('The message was tampered with in transit');
         return $plain;

src/SecurePassword.php

@@ -39,7 +39,7 @@ public function __construct(
         ($this->config["algo"] instanceof AlgorithmEnum) ?
             $algo_config = $this->config["algo"]->value :
             $algo_config = $this->config["algo"];
-        
+
         $this->options = $this->config;
         $this->algo = ($algo_config == "default") ? PASSWORD_DEFAULT : $algo_config;
         $this->setPepper();
@@ -56,7 +56,13 @@ public function createHash(#[SensitiveParameter] string $password): SecurePasswo
     {
         $this->password = $password;
         $pwd_peppered = $this->passwordPeppered($this->password);
-        $this->pwd_hashed = password_hash($pwd_peppered, $this->algo, $this->options);
+
+        $this->pwd_hashed = password_hash(
+            $pwd_peppered,
+            $this->algo,
+            $this->options
+        );
+
         return $this;
     }
 
@@ -142,7 +148,9 @@ public function needsRehash(
         #[SensitiveParameter] string $password,
         #[SensitiveParameter] string $hash
     ): string|false {
-        return (password_needs_rehash($hash, $this->algo)) ? $this->createHash($password)->getHash() : false;
+        return (password_needs_rehash($hash, $this->algo)) ?
+            $this->createHash($password)->getHash() :
+            false;
     }
 
     /**

tests/EncryptionTest.php

@@ -2,9 +2,9 @@
 
 namespace Lablnet\Tests;
 
-use SecurePassword\Encrypt\Adapter\{OpenSslEncryption, SodiumEncryption};
-use SecurePassword\Encrypt\Encryption;
 use PHPUnit\Framework\TestCase;
+use SecurePassword\Encrypt\Encryption;
+use SecurePassword\Encrypt\Adapter\{OpenSslEncryption, SodiumEncryption};
 
 class EncryptionTest extends TestCase
 {
@@ -32,15 +32,13 @@ public function testEncryptAndDecryptWithOpenSsl()
 
     public function testEncryptAndDecryptWithSodium()
     {
-        if (extension_loaded('sodium')) {
-            $encryption = new Encryption(new SodiumEncryption('euyq74tjfdskjFDSGq74'));
-            $encryptedString = $encryption->encrypt('plain-text');
-            $decryptedString = $encryption->decrypt($encryptedString);
-
-            $this->assertStringEndsNotWith('==', $encryptedString);
-            $this->assertSame(112, strlen($encryptedString));
-            $this->assertSame('plain-text', $decryptedString);
-        }
+        $encryption = new Encryption(new SodiumEncryption('euyq74tjfdskjFDSGq74'));
+        $encryptedString = $encryption->encrypt('plain-text');
+        $decryptedString = $encryption->decrypt($encryptedString);
+
+        $this->assertStringEndsNotWith('==', $encryptedString);
+        $this->assertSame(112, strlen($encryptedString));
+        $this->assertSame('plain-text', $decryptedString);
     }
 
     public function testOpenSslEncrpytionEncryptOnEmptyStringKey()
@@ -51,9 +49,18 @@ public function testOpenSslEncrpytionEncryptOnEmptyStringKey()
 
     public function testSodiumEncrpytionEncryptOnEmptyStringKey()
     {
-        if (extension_loaded('sodium')) {
-            $this->expectException(\InvalidArgumentException::class);
-            new Encryption(new SodiumEncryption(''));
-        }
+        $this->expectException(\InvalidArgumentException::class);
+        new Encryption(new SodiumEncryption(''));
+    }
+
+    public function testDecryptWithNoHash()
+    {
+        $encryption1 = new Encryption(new OpenSslEncryption('12345678990-=====-==='));
+        $decryptedString1 = $encryption1->decrypt("wrong-hash");
+        $this->assertFalse($decryptedString1);
+
+        $encryption2 = new Encryption(new SodiumEncryption('12345678990-=====-==='));
+        $decryptedString2 = $encryption2->decrypt("wrong-hash");
+        $this->assertFalse($decryptedString2);
     }
 }

tests/SecurePasswordTest.php

@@ -18,12 +18,12 @@ public function testCreateHashWithConfig()
     {
         $config = [
             'algo' => AlgorithmEnum::ARGON2I,
-            'cost' => 10,
+            'cost' => 12,
             'memory_cost' => PASSWORD_ARGON2_DEFAULT_MEMORY_COST,
             'time_cost' => PASSWORD_ARGON2_DEFAULT_TIME_COST,
             'threads' => PASSWORD_ARGON2_DEFAULT_THREADS
         ];
-        
+
         $password = new SecurePassword($config);
         $hash = $password->createHash('my_password')->getHash();
 
@@ -67,22 +67,22 @@ public function testCreateWithAlgorithm()
 
     public function testCreateWithOtherAlgorithm()
     {
-        /* Example 1 */
+        // Example 1
         $password = new SecurePassword();
         $hash = $password->useArgon2()->createHash('my_password')->getHash();
         $needs = $password->useDefault()->needsRehash('my_password', $hash);
 
         $this->assertIsString($needs);
 
-        /* Example 2 */
+        // Example 2
         $password_bcrypt = new SecurePassword([
             'algo' => AlgorithmEnum::BCRYPT
         ]);
 
         $needs2 = $password_bcrypt->needsRehash('my_password', $hash);
         $this->assertIsString($needs2);
 
-        /* Example 3 */
+        // Example 3
         $password_argon = new SecurePassword([
             'algo' => AlgorithmEnum::ARGON2I
         ]);
@@ -101,7 +101,7 @@ public function testCreateAndVerifyHashChained()
     {
         $password = new SecurePassword();
         $hash = $password->createHash('my_password')->verifyHash();
-        $hash2 = $password->verifyHash(md5('WrongHashTest'), $this->wait_time);
+        $hash2 = $password->verifyHash(md5('WrongHashTest'), wait_microseconds: $this->wait_time);
 
         $this->assertTrue($hash);
         $this->assertFalse($hash2);