sneak/secret
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix: resolve critical security vulnerabilities in debug logging and command execution

Browse Source 
- Remove sensitive data from debug logs (vault/secrets.go, secret/version.go)
- Add input validation for GPG key IDs and keychain item names
- Resolve GPG key IDs to full fingerprints before storing in metadata
- Add comprehensive test coverage for validation functions
- Add golangci-lint configuration with additional linters

Security improvements:
- Debug logs no longer expose decrypted secret values or private keys
- GPG and keychain commands now validate input to prevent injection attacks
- All validation uses precompiled regex patterns for performance
This commit is contained in:
Jeffrey Paul
2025-06-20 07:50:26 -07:00
parent 004dce5472
commit 985d79d3c0
8 changed files with 529 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
pkg/bip85/bip85.go
View File

@@ -22,19 +22,19 @@ import (
const (
// BIP85_MASTER_PATH is the derivation path prefix for all BIP85 applications
BIP85_MASTER_PATH = "m/83696968'"
BIP85_MASTER_PATH = "m/83696968'" //nolint:revive // ALL_CAPS used for BIP85 constants
// BIP85_KEY_HMAC_KEY is the HMAC key used for deriving the entropy
BIP85_KEY_HMAC_KEY = "bip-entropy-from-k"
BIP85_KEY_HMAC_KEY = "bip-entropy-from-k" //nolint:revive // ALL_CAPS used for BIP85 constants
// Application numbers
APP_BIP39 = 39 // BIP39 mnemonics
APP_HD_WIF = 2 // WIF for Bitcoin Core
APP_XPRV = 32 // Extended private key
APP_HEX = 128169
APP_PWD64 = 707764 // Base64 passwords
APP_PWD85 = 707785 // Base85 passwords
APP_RSA = 828365
APP_BIP39 = 39 // BIP39 mnemonics //nolint:revive // ALL_CAPS used for BIP85 constants
APP_HD_WIF = 2 // WIF for Bitcoin Core //nolint:revive // ALL_CAPS used for BIP85 constants
APP_XPRV = 32 // Extended private key //nolint:revive // ALL_CAPS used for BIP85 constants
APP_HEX = 128169 //nolint:revive // ALL_CAPS used for BIP85 constants
APP_PWD64 = 707764 // Base64 passwords //nolint:revive // ALL_CAPS used for BIP85 constants
APP_PWD85 = 707785 // Base85 passwords //nolint:revive // ALL_CAPS used for BIP85 constants
APP_RSA = 828365 //nolint:revive // ALL_CAPS used for BIP85 constants
)
// Version bytes for extended keys

2
pkg/bip85/bip85_test.go
View File

@@ -1,5 +1,7 @@
package bip85
//nolint:gosec,revive,unparam // Test file with hardcoded test vectors
import (
"bytes"
"encoding/hex"