Adds fix for integer keys generated by PHP and adds a note to README.md that integer keys should not be used. Closes #10

Sjustein · Sjustein · commit 4a25ec5d84ea · 2024-11-23T23:39:31.000+01:00
diff --git a/README.md b/README.md
@@ -53,7 +53,9 @@ It is an array of key names, for example:
 ```php
 $sensitive_keys = ['api_key'];
 ```
-Will hash the value of the `api_key`.
+Will hash the value of the `api_key`. Because of PHP's tendency to automatically add integer indexes to such an array,
+integers in sensitive keys will be ignored and might lead to unexpected results. To be on the safe side, only use
+sensitive string keys, or a nested tree of strings.
 
 #### 2. Create a Processor using the keys
 
diff --git a/src/Hasher.php b/src/Hasher.php
@@ -96,7 +96,7 @@ protected function traverseInputArray(array $inputArray, array $sensitiveKeys):
 
             // If the value is not an array or an object, hash it if it is a sensitive key
             if (is_scalar($value)) {
-                if (in_array($key, $sensitiveKeys) || array_key_exists($key, $sensitiveKeys)) {
+                if ($this->isSensitiveKey($key, $sensitiveKeys)) {
                     $inputArray[$key] = $this->hash(print_r($value, true));
                 }
 
@@ -105,7 +105,7 @@ protected function traverseInputArray(array $inputArray, array $sensitiveKeys):
 
             // The value is either an array or an object, let traverse handle the specifics
             // If the current key is a sensitive key, traverse the subtree.
-            if ((in_array($key, $sensitiveKeys) || array_key_exists($key, $sensitiveKeys))) {
+            if ($this->isSensitiveKey($key, $sensitiveKeys)) {
                 // If the current key doesn't have a subtree of sensitive keys (indicating the entire subtree,
                 //  and not a value somewhere in the subtree should be hashed)
                 if (!array_key_exists($key, $sensitiveKeys)) {
@@ -191,4 +191,31 @@ protected function traverseObject(object $object, array $sensitiveKeys): object
 
         return $object;
     }
+
+    /**
+     * @param int|string $key
+     *
+     * @param array<array-key, mixed> $sensitiveKeys Keys to redact
+     *
+     * @return bool Whether the key provided is a sensitiveKey
+     */
+    protected function isSensitiveKey(int|string $key, array $sensitiveKeys): bool
+    {
+        // Checks the values, if the key is in the value list of sensitive keys (the 'end' of the sensitive key lists)
+        if (in_array($key, $sensitiveKeys)) {
+            return true;
+        }
+
+        // When there is a sub array, check whether the key is in the sensitive key key list
+        if (array_key_exists($key, $sensitiveKeys)) {
+            if (is_int($key)) {
+                // If the key is an integer, this is php generated key, when sensitiveKeys should be a value list
+                return false;
+            }
+
+            return true;
+        }
+
+        return false;
+    }
 }
diff --git a/tests/HashSensitiveArrayTest.php b/tests/HashSensitiveArrayTest.php
@@ -86,18 +86,18 @@
 
 # Prevent bugs from re-appearing
 # Issue: https://github.com/Globy-App/hash-sensitive/issues/10
-it('does not hash values of integer keys', function (): void {
+it('10 - does not hash values of integer keys', function (): void {
     $integerKeys = new TestDataEntity([0 => 'foo', 1 => 'bar'], ['other', 'first', 'second']);
     $processor = new HashSensitiveProcessor($integerKeys->getSensitiveKeys());
 
     $record = $this->getRecord(context: $integerKeys->getInput());
-    expect($processor($record)->context)->toBe(['test' => [0 => 'foo', 1 => 'bar']]);
+    expect($processor($record)->context)->toBe([0 => 'foo', 1 => 'bar']);
 });
 
-it('does not throw an exception', function (): void {
+it('10 - does not throw an exception', function (): void {
     $integerKeys = new TestDataEntity([0 => ['id' => 1, 'value' => 'foo'], 1 => ['id' => 2, 'value' => 'bar']], ['other', 'first', 'second']);
     $processor = new HashSensitiveProcessor($integerKeys->getSensitiveKeys());
 
     $record = $this->getRecord(context: $integerKeys->getInput());
-    expect($processor($record)->context)->toBe(['test' => [0 => ['id' => 1, 'value' => 'foo'], 1 => ['id' => 2, 'value' => 'bar']]]);
+    expect($processor($record)->context)->toBe([0 => ['id' => 1, 'value' => 'foo'], 1 => ['id' => 2, 'value' => 'bar']]);
 });
diff --git a/tests/HashSensitiveObjectTest.php b/tests/HashSensitiveObjectTest.php
@@ -172,7 +172,7 @@
 
 # Prevent bugs from re-appearing
 # Issue: https://github.com/Globy-App/hash-sensitive/issues/
-it('does not throw an exception', function (): void {
+it('10 - does not throw an exception', function (): void {
     $nested1 = new \stdClass();
     $nested1->id = 1;
     $nested1->value = 'foo';
