From 1e683f6d7a44ecff010562e4610c1bdd30a98313 Mon Sep 17 00:00:00 2001 From: anirudhwarrier <12178754+anirudhwarrier@users.noreply.github.com> Date: Tue, 19 May 2026 21:21:18 +0400 Subject: [PATCH] Refactor secret handling to use byte arrays for values - Updated SecretItem struct to store secret values as byte arrays instead of strings. - Introduced ZeroUpsertSecretValues function to clear secret values from memory after use. - Modified EncryptSecret and encryptSecretWithLabel functions to accept byte arrays. - Updated tests to reflect changes in secret value type and ensure proper functionality. - Added memory safety measures in various handler methods to prevent sensitive data leakage. --- cmd/secrets/common/browser_flow.go | 2 ++ cmd/secrets/common/handler.go | 29 +++++++++++++++++++++-------- cmd/secrets/common/handler_test.go | 10 +++++----- cmd/secrets/create/create.go | 1 + cmd/secrets/update/update.go | 1 + 5 files changed, 30 insertions(+), 13 deletions(-) diff --git a/cmd/secrets/common/browser_flow.go b/cmd/secrets/common/browser_flow.go index 7cc5022c..40696a20 100644 --- a/cmd/secrets/common/browser_flow.go +++ b/cmd/secrets/common/browser_flow.go @@ -63,6 +63,8 @@ func digestHexString(digest [32]byte) string { // exchanges the code for a short-lived vault JWT, and POSTs the same JSON-RPC body to the gateway with Bearer auth. // Login tokens in ~/.cre/cre.yaml are not modified; that session stays separate from this vault-only token. func (h *Handler) executeBrowserUpsert(ctx context.Context, inputs UpsertSecretsInputs, method string) error { + defer ZeroUpsertSecretValues(inputs) + if h.Credentials.AuthType == credentials.AuthTypeApiKey { return fmt.Errorf("this sign-in flow requires an interactive login; API keys are not supported") } diff --git a/cmd/secrets/common/handler.go b/cmd/secrets/common/handler.go index d0ba25f2..c678f273 100644 --- a/cmd/secrets/common/handler.go +++ b/cmd/secrets/common/handler.go @@ -48,10 +48,17 @@ type UpsertSecretsInputs []SecretItem // SecretItem represents a single secret with its ID, value, and optional namespace. type SecretItem struct { ID string `json:"id" validate:"required"` - Value string `json:"value" validate:"required"` + Value []byte `json:"value" validate:"required"` Namespace string `json:"namespace"` } +// ZeroUpsertSecretValues overwrites secret payloads in memory. +func ZeroUpsertSecretValues(inputs UpsertSecretsInputs) { + for i := range inputs { + clear(inputs[i].Value) + } +} + type SecretsYamlConfig struct { SecretsNames map[string][]string `yaml:"secretsNames"` } @@ -157,13 +164,13 @@ func (h *Handler) ResolveInputs() (UpsertSecretsInputs, error) { if !ok { return nil, fmt.Errorf("environment variable %q for secret %q not found; please export it", envName, id) } - if !utf8.ValidString(envVal) { + if !utf8.Valid([]byte(envVal)) { return nil, fmt.Errorf("value for secret %q (env %q) contains invalid UTF-8", id, envName) } out = append(out, SecretItem{ ID: id, - Value: envVal, + Value: []byte(envVal), Namespace: "main", }) @@ -331,8 +338,10 @@ func (h *Handler) EncryptSecrets(rawSecrets UpsertSecretsInputs) ([]*vault.Encry } encryptedSecrets := make([]*vault.EncryptedSecret, 0, len(rawSecrets)) - for _, item := range rawSecrets { + for i := range rawSecrets { + item := &rawSecrets[i] cipherHex, err := EncryptSecret(item.Value, pubKeyHex, h.OwnerAddress) + clear(item.Value) if err != nil { return nil, fmt.Errorf("failed to encrypt secret (key=%s ns=%s): %w", item.ID, item.Namespace, err) } @@ -361,8 +370,10 @@ func (h *Handler) EncryptSecretsForBrowserOrg(rawSecrets UpsertSecretsInputs, or label := sha256.Sum256([]byte(orgID)) encryptedSecrets := make([]*vault.EncryptedSecret, 0, len(rawSecrets)) - for _, item := range rawSecrets { + for i := range rawSecrets { + item := &rawSecrets[i] cipherHex, err := encryptSecretWithLabel(item.Value, pubKeyHex, label) + clear(item.Value) if err != nil { return nil, fmt.Errorf("failed to encrypt secret (key=%s ns=%s): %w", item.ID, item.Namespace, err) } @@ -380,7 +391,7 @@ func (h *Handler) EncryptSecretsForBrowserOrg(rawSecrets UpsertSecretsInputs, or } // encryptSecretWithLabel encrypts a secret using the vault master public key and the given label. -func encryptSecretWithLabel(secret, masterPublicKeyHex string, label [32]byte) (string, error) { +func encryptSecretWithLabel(secret []byte, masterPublicKeyHex string, label [32]byte) (string, error) { masterPublicKey := tdh2easy.PublicKey{} masterPublicKeyBytes, err := hex.DecodeString(masterPublicKeyHex) if err != nil { @@ -390,7 +401,7 @@ func encryptSecretWithLabel(secret, masterPublicKeyHex string, label [32]byte) ( return "", fmt.Errorf("failed to unmarshal master public key: %w", err) } - cipher, err := tdh2easy.EncryptWithLabel(&masterPublicKey, []byte(secret), label) + cipher, err := tdh2easy.EncryptWithLabel(&masterPublicKey, secret, label) if err != nil { return "", fmt.Errorf("failed to encrypt secret: %w", err) } @@ -402,7 +413,7 @@ func encryptSecretWithLabel(secret, masterPublicKeyHex string, label [32]byte) ( } // EncryptSecret encrypts for the owner-key / web3 flow using a 32-byte label derived from the EOA (12 zero bytes + 20-byte address). -func EncryptSecret(secret, masterPublicKeyHex string, ownerAddress string) (string, error) { +func EncryptSecret(secret []byte, masterPublicKeyHex string, ownerAddress string) (string, error) { addr := common.HexToAddress(ownerAddress) // canonical 20-byte address var label [32]byte copy(label[12:], addr.Bytes()) // left-pad with 12 zero bytes @@ -452,6 +463,8 @@ func (h *Handler) Execute( duration time.Duration, secretsAuth string, ) error { + defer ZeroUpsertSecretValues(inputs) + if IsBrowserFlow(secretsAuth) { return h.executeBrowserUpsert(context.Background(), inputs, method) } diff --git a/cmd/secrets/common/handler_test.go b/cmd/secrets/common/handler_test.go index fb547b62..693c8940 100644 --- a/cmd/secrets/common/handler_test.go +++ b/cmd/secrets/common/handler_test.go @@ -67,8 +67,8 @@ func TestEncryptSecrets(t *testing.T) { } raw := UpsertSecretsInputs{ - {ID: "test-secret-1", Value: "value1", Namespace: "ns1"}, - {ID: "test-secret-2", Value: "another-value", Namespace: "ns2"}, + {ID: "test-secret-1", Value: []byte("value1"), Namespace: "ns1"}, + {ID: "test-secret-2", Value: []byte("another-value"), Namespace: "ns2"}, } enc, err := h.EncryptSecrets(raw) @@ -100,7 +100,7 @@ func TestEncryptSecrets(t *testing.T) { }, } - enc, err := h.EncryptSecrets(UpsertSecretsInputs{{ID: "s", Value: "v", Namespace: "n"}}) + enc, err := h.EncryptSecrets(UpsertSecretsInputs{{ID: "s", Value: []byte("v"), Namespace: "n"}}) require.Error(t, err) require.Nil(t, enc) require.Contains(t, err.Error(), "gateway POST failed") @@ -126,7 +126,7 @@ func TestEncryptSecrets(t *testing.T) { }, } - enc, err := h.EncryptSecrets(UpsertSecretsInputs{{ID: "s", Value: "v", Namespace: "n"}}) + enc, err := h.EncryptSecrets(UpsertSecretsInputs{{ID: "s", Value: []byte("v"), Namespace: "n"}}) require.Error(t, err) require.Nil(t, enc) require.Contains(t, err.Error(), "vault public key fetch error") @@ -248,7 +248,7 @@ func TestEncryptSecrets_OrgOwned(t *testing.T) { } raw := UpsertSecretsInputs{ - {ID: "secret-1", Value: "val1", Namespace: "main"}, + {ID: "secret-1", Value: []byte("val1"), Namespace: "main"}, } t.Run("uses orgID as owner when SecretsOrgOwned is true", func(t *testing.T) { diff --git a/cmd/secrets/create/create.go b/cmd/secrets/create/create.go index 4b25d3df..dd48d12a 100644 --- a/cmd/secrets/create/create.go +++ b/cmd/secrets/create/create.go @@ -66,6 +66,7 @@ func New(ctx *runtime.Context) *cobra.Command { if err != nil { return err } + defer common.ZeroUpsertSecretValues(inputs) if err := h.ValidateInputs(inputs); err != nil { return err diff --git a/cmd/secrets/update/update.go b/cmd/secrets/update/update.go index 24a1b0cd..21acd133 100644 --- a/cmd/secrets/update/update.go +++ b/cmd/secrets/update/update.go @@ -67,6 +67,7 @@ func New(ctx *runtime.Context) *cobra.Command { if err != nil { return err } + defer common.ZeroUpsertSecretValues(inputs) if err := h.ValidateInputs(inputs); err != nil { return err