Problem/Motivation

The $key argument is sensitive and should not be leaked in stack traces:

InvalidArgumentException:
Both parameters passed to \Drupal\Component\Utility\Crypt::hmacBase64 must be scalar values.

  at core/lib/Drupal/Component/Utility/Crypt.php:30
  at Drupal\Component\Utility\Crypt::hmacBase64(array(), 'private_key')
     (modules/custom/test/test.module:49)

Steps to reproduce

  use Drupal\Component\Utility\Crypt;

  // Make PHP record call arguments in exception traces. php.ini-production
  // sets zend.exception_ignore_args = On, which hides them; the engine default is Off.
  ini_set('zend.exception_ignore_args', FALSE);
  // The non-scalar $data triggers the exception; the trace then shows $key in clear.
  Crypt::hmacBase64([], 'private_key');

Proposed resolution

Add #[SensitiveParameter] to the $key argument.
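The effect of the attribute, shown as an added, self-contained example that is not Drupal core code. It defines two throw-away HMAC helpers (hmac_base64_unprotected and hmac_base64_protected, names assumed for illustration) with the same argument check as the stack trace above, triggers the exception in each and reads the recorded $key argument back out of the trace. Requires PHP 8.2 or later, where #[\SensitiveParameter] and the SensitiveParameterValue class exist.

```php
<?php
// Added example, not part of the issue or of Drupal core.
// Demonstrates what #[\SensitiveParameter] changes in an exception trace.
// Requires PHP >= 8.2. Function names are assumptions for this demo.

declare(strict_types=1);

// Make PHP record call arguments in traces, as the issue's reproduction does.
// php.ini-production sets this to On, which drops every argument, sensitive or not.
ini_set('zend.exception_ignore_args', '0');

// "Before" shape: $key is recorded verbatim in the trace frame.
function hmac_base64_unprotected(mixed $data, mixed $key): string {
  if (!is_scalar($data) || !is_scalar($key)) {
    throw new InvalidArgumentException('Both parameters must be scalar values.');
  }
  return hash_hmac('sha256', (string) $data, (string) $key);
}

// "After" shape: the attribute goes on the parameter, before its type.
function hmac_base64_protected(mixed $data, #[\SensitiveParameter] mixed $key): string {
  if (!is_scalar($data) || !is_scalar($key)) {
    throw new InvalidArgumentException('Both parameters must be scalar values.');
  }
  return hash_hmac('sha256', (string) $data, (string) $key);
}

/**
 * Calls $fn with a non-scalar $data so it throws, then returns the $key
 * argument exactly as the exception recorded it.
 */
function recorded_key_argument(callable $fn): mixed {
  try {
    $fn([], 'private_key');
  }
  catch (InvalidArgumentException $e) {
    // Frame 0 is the function that threw; its args[1] is the $key parameter.
    return $e->getTrace()[0]['args'][1] ?? null;
  }
  return null;
}

$leaked = recorded_key_argument('hmac_base64_unprotected');
$masked = recorded_key_argument('hmac_base64_protected');

// Without the attribute the trace holds the raw key string.
var_dump($leaked);

// With the attribute the trace holds a SensitiveParameterValue wrapper instead;
// var_dump() and getTraceAsString() show only the wrapper, never the key.
var_dump($masked instanceof SensitiveParameterValue);

// The wrapper is deliberately reversible: getValue() returns the original.
// Anything that logs trace args via getValue() will still leak the key.
var_dump($masked->getValue());
```

Running this prints the raw key for the unprotected variant, `bool(true)` for the protected one, and then the key again from `getValue()`. Two caveats follow from that last line: the attribute only changes what the trace carries, not what a logger chooses to do with it, and it does nothing when `zend.exception_ignore_args` is On because no arguments are recorded at all. Keep that setting On in production and treat the attribute as defence in depth for development and debugging setups where arguments are collected.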

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

Issue fork drupal-3582514


Comments

prudloff created an issue. See original summary.

sourav_paul

Hi @prudloff
I'm willing to work on this issue, can you please share the reproduction steps in a more descriptive way?

prudloff

I can't really, because this is not a bug to fix but a best practice to apply to code.

sourav_paul

Thanks for your response. I've successfully reproduced the error message and verified the vulnerability.
Working on it..

sourav_paul changed the visibility of the branch 3582514-add-sensitiveparameter-attribute to hidden.

sourav_paul changed the visibility of the branch 3582514-add-sensitiveparameter-attribute to active.

sourav_paul

Status: Active » Needs review

smustgrave

Status: Needs review » Reviewed & tested by the community

Seems straightforward, probably should have been tagged a novice task.

  • godotislate committed 6ade36ae on main
    fix: #3582514 Add SensitiveParameter attribute to Crypt::hmacBase64()...

  • godotislate committed a98b684f on 11.x
    fix: #3582514 Add SensitiveParameter attribute to Crypt::hmacBase64()...

  • godotislate committed 36f5c460 on 10.6.x
    fix: #3582514 Add SensitiveParameter attribute to Crypt::hmacBase64()...

  • godotislate committed 922c876f on 11.3.x
    fix: #3582514 Add SensitiveParameter attribute to Crypt::hmacBase64()...

godotislate

Version: main » 10.6.x-dev

Committed and pushed 6ade36a to main, a98b684 to 11.x, 922c876 to 11.3.x, and 36f5c46 to 10.6.x. Thanks!

godotislate

Status: Reviewed & tested by the community » Fixed
