Skip to content

Refactor secret handling to use byte arrays for values#444

Draft
anirudhwarrier wants to merge 1 commit into
mainfrom
DEVSVCS-4954/zero-secret
Draft

Refactor secret handling to use byte arrays for values#444
anirudhwarrier wants to merge 1 commit into
mainfrom
DEVSVCS-4954/zero-secret

Conversation

@anirudhwarrier
Copy link
Copy Markdown
Collaborator

@anirudhwarrier anirudhwarrier commented May 20, 2026

DEVSVCS-4954

  • Updated SecretItem struct to store secret values as byte arrays instead of strings.
  • Introduced ZeroUpsertSecretValues function to clear secret values from memory after use.
  • Modified EncryptSecret and encryptSecretWithLabel functions to accept byte arrays.
  • Updated tests to reflect changes in secret value type and ensure proper functionality.
  • Added memory safety measures in various handler methods to prevent sensitive data leakage.

@anirudhwarrier
Refactor secret handling to use byte arrays for values
1e683f6 
- Updated SecretItem struct to store secret values as byte arrays instead of strings.
- Introduced ZeroUpsertSecretValues function to clear secret values from memory after use.
- Modified EncryptSecret and encryptSecretWithLabel functions to accept byte arrays.
- Updated tests to reflect changes in secret value type and ensure proper functionality.
- Added memory safety measures in various handler methods to prevent sensitive data leakage.
@anirudhwarrier anirudhwarrier requested a review from timothyF95 May 20, 2026 02:59
@anirudhwarrier anirudhwarrier marked this pull request as ready for review May 20, 2026 02:59
@anirudhwarrier anirudhwarrier requested a review from a team as a code owner May 20, 2026 02:59
@anirudhwarrier anirudhwarrier requested a review from Copilot May 20, 2026 03:43
Copilot AI reviewed May 20, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Refactors the secrets CLI flow to hold secret payloads as []byte and proactively zero secret material after use to reduce the risk of sensitive data lingering in memory.

Changes:

  • Changed SecretItem.Value from string to []byte and updated encryption helpers to accept byte slices.
  • Added ZeroUpsertSecretValues and applied it (via defer) across create/update and browser flows.
  • Updated tests to use []byte secret values.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.

Show a summary per file
File Description
cmd/secrets/update/update.go Defers zeroing of resolved secret values for update flow.
cmd/secrets/create/create.go Defers zeroing of resolved secret values for create flow.
cmd/secrets/common/handler.go Switches secret value type to []byte, adds zeroing helper, updates encryption and adds additional in-flow wiping.
cmd/secrets/common/handler_test.go Updates test inputs to use []byte values.
cmd/secrets/common/browser_flow.go Adds deferred zeroing for browser upsert flow.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread cmd/secrets/common/handler.go
Comment on lines 163 to 174
envVal, ok := os.LookupEnv(envName)
if !ok {
return nil, fmt.Errorf("environment variable %q for secret %q not found; please export it", envName, id)
}
if !utf8.ValidString(envVal) {
if !utf8.Valid([]byte(envVal)) {
return nil, fmt.Errorf("value for secret %q (env %q) contains invalid UTF-8", id, envName)
}

out = append(out, SecretItem{
ID: id,
Value: envVal,
Value: []byte(envVal),
Namespace: "main",
Comment thread cmd/secrets/common/handler.go
Comment on lines 340 to 345
encryptedSecrets := make([]*vault.EncryptedSecret, 0, len(rawSecrets))
for _, item := range rawSecrets {
for i := range rawSecrets {
item := &rawSecrets[i]
cipherHex, err := EncryptSecret(item.Value, pubKeyHex, h.OwnerAddress)
clear(item.Value)
if err != nil {
Comment thread cmd/secrets/common/browser_flow.go
Comment on lines +66 to +67
defer ZeroUpsertSecretValues(inputs)

Comment thread cmd/secrets/common/handler_test.go
Comment on lines 250 to 252
raw := UpsertSecretsInputs{
{ID: "secret-1", Value: "val1", Namespace: "main"},
{ID: "secret-1", Value: []byte("val1"), Namespace: "main"},
}
@anirudhwarrier anirudhwarrier marked this pull request as draft May 20, 2026 13:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@timothyF95 timothyF95 Awaiting requested review from timothyF95

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@anirudhwarrier