From ef32aa6c274a2d595e2f753b1d4f20d3557157e1 Mon Sep 17 00:00:00 2001
From: aubes <3941035+aubes@users.noreply.github.com>
Date: Mon, 16 Mar 2026 22:14:44 +0100
Subject: [PATCH] Add base64_decode check on DefaultEncryptor

---
 src/Encryptor/DefaultEncryptor.php | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/Encryptor/DefaultEncryptor.php b/src/Encryptor/DefaultEncryptor.php
index a597bd7..3002acd 100644
--- a/src/Encryptor/DefaultEncryptor.php
+++ b/src/Encryptor/DefaultEncryptor.php
@@ -10,6 +10,10 @@ public function __construct(
 private readonly string $key,
 private readonly string $cipher = 'aes-256-cbc',
 ) {
+ if (\strlen($key) < 16) {
+ throw new \InvalidArgumentException('Encryption key must be at least 16 bytes.');
+ }
+
 if (!\in_array($cipher, \openssl_get_cipher_methods(), true)) {
 throw new \InvalidArgumentException(\sprintf('Invalid cipher "%s".', $cipher));
 }
@@ -28,7 +32,13 @@ public function generateIv(): string

 public function encrypt(string $data, string $iv): string
 {
- $encrypted = \openssl_encrypt($data, $this->cipher, $this->key, 0, \base64_decode($iv));
+ $decodedIv = \base64_decode($iv, true);
+
+ if ($decodedIv === false) {
+ throw new \InvalidArgumentException('Invalid IV: base64 decoding failed.');
+ }
+
+ $encrypted = \openssl_encrypt($data, $this->cipher, $this->key, 0, $decodedIv);

 if ($encrypted === false) {
 throw new \RuntimeException('Encryption failed.');
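Review bot: The 16-byte floor added at the top of the constructor is lower than what the default cipher needs: `aes-256-cbc` takes a 32-byte key, and `openssl_encrypt()` is documented to pad a shorter key with NUL bytes rather than fail, so a 16-byte key passes this check and is silently used with its second half zeroed. Consider deriving the minimum from the selected cipher and moving the check below the cipher validation, e.g. `if (\strlen($key) < \openssl_cipher_key_length($cipher)) {`, with the exception message reporting the required length. That function needs PHP 8.2 or later, so this depends on the project's minimum version, which is not visible here. The constructor body continues outside the hunk.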
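Review bot: Strict decoding in `encrypt()` rejects malformed base64 but not a wrong-sized IV: an empty string, or any valid base64 of the wrong length, still decodes successfully and reaches `openssl_encrypt()`, which emits a warning and pads or truncates the IV instead of failing. The guard could also compare the decoded length with what the cipher expects, `if ($decodedIv === false || \strlen($decodedIv) !== \openssl_cipher_iv_length($this->cipher)) {`, with the message adjusted to cover both cases. The patch changes only `encrypt()`; if a decrypt path decodes the IV the same way it would want the same check, but that code is not shown. `encrypt()` continues past the end of the hunk.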