Merge pull request #355 from martijnc/feature/deprecate-sha256-default

Deprecate the default signed cookie algorithm

Author: Seldaek

Diff for: src/DependencyInjection/Configuration.php

@@ -253,7 +253,7 @@ private function getSignedCookiesNode(): ArrayNodeDefinition
                     ->defaultValue(['*'])
                 ->end()
                 ->scalarNode('secret')->defaultValue('%kernel.secret%')->end()
-                ->scalarNode('hash_algo')->defaultValue('sha256')->end()
+                ->scalarNode('hash_algo')->end()
                 ->scalarNode('legacy_hash_algo')
                     ->defaultNull()
                     ->info('Fallback algorithm to allow for frictionless hash algorithm upgrades. Use with caution and as a temporary measure as it allows for downgrade attacks.')

Diff for: src/DependencyInjection/NelmioSecurityExtension.php

@@ -35,7 +35,14 @@ public function load(array $configs, ContainerBuilder $container): void
             $loader->load('signed_cookie.php');
             $container->setParameter('nelmio_security.signed_cookie.names', $config['signed_cookie']['names']);
             $container->setParameter('nelmio_security.signer.secret', $config['signed_cookie']['secret']);
-            $container->setParameter('nelmio_security.signer.hash_algo', $config['signed_cookie']['hash_algo']);
+
+            if (isset($config['signed_cookie']['hash_algo'])) {
+                $container->setParameter('nelmio_security.signer.hash_algo', $config['signed_cookie']['hash_algo']);
+            } else {
+                trigger_deprecation('nelmio/security-bundle', '3.4.0', 'The default value for `signed_cookie.hash_algo` is deprecated and will change in 4.0. You should configure an algorithm explicitly.');
+                $container->setParameter('nelmio_security.signer.hash_algo', 'sha256');
+            }
+
             $container->setParameter('nelmio_security.signer.legacy_hash_algo', $config['signed_cookie']['legacy_hash_algo']);
             $container->setParameter('nelmio_security.signer.separator', $config['signed_cookie']['separator']);
         }

Diff for: tests/DependencyInjection/NelmioSecurityExtensionTest.php

@@ -22,10 +22,15 @@
 use Nelmio\SecurityBundle\ExternalRedirect\AllowListBasedTargetValidator;
 use Nelmio\SecurityBundle\Signer;
 use PHPUnit\Framework\TestCase;
+use Symfony\Bridge\PhpUnit\ExpectDeprecationTrait;
 use Symfony\Component\DependencyInjection\ContainerBuilder;
 
 final class NelmioSecurityExtensionTest extends TestCase
 {
+    use ExpectDeprecationTrait {
+        ExpectDeprecationTrait::expectDeprecation as bridgeExpectDeprecation;
+    }
+
     private NelmioSecurityExtension $extension;
 
     protected function setUp(): void
@@ -58,6 +63,23 @@ public function testLoadSignedCookie(): void
         $this->assertServiceIdClass($container, 'nelmio_security.signer', Signer::class);
     }
 
+    /**
+     * @group legacy
+     */
+    public function testDeprecatedSignedCookieDefaultAlgorithm(): void
+    {
+        $this->bridgeExpectDeprecation('Since nelmio/security-bundle 3.4.0: The default value for `signed_cookie.hash_algo` is deprecated and will change in 4.0. You should configure an algorithm explicitly.');
+
+        $container = new ContainerBuilder();
+        $this->extension->load([
+            [
+                'signed_cookie' => [],
+            ],
+        ], $container);
+
+        $this->assertContainerWithParameterValue($container, 'nelmio_security.signer.hash_algo', 'sha256');
+    }
+
     public function testLoadClickJacking(): void
     {
         $container = new ContainerBuilder();