Fix remaining memory security issues

- Fixed gpgDecryptDefault to return *memguard.LockedBuffer instead of []byte - Updated GPGDecryptFunc signature and all implementations - Confirmed getSecretValue already returns LockedBuffer (was fixed earlier) - Improved passphrase string handling by removing intermediate variables - Note: String conversion for passphrases is unavoidable due to age library API - All GPG decrypted data is now immediately protected in memory
2025-07-15 09:08:51 +02:00
parent ff17b9b107
commit e53161188c
4 changed files with 21 additions and 17 deletions
--- a/internal/secret/pgpunlock_test.go
+++ b/internal/secret/pgpunlock_test.go
@@ -72,7 +72,7 @@ pinentry-mode loopback
 		return stdout.Bytes(), nil
 	}

-	secret.GPGDecryptFunc = func(encryptedData []byte) ([]byte, error) {
+	secret.GPGDecryptFunc = func(encryptedData []byte) (*memguard.LockedBuffer, error) {
 		cmd := exec.Command("gpg",
 			"--homedir", gnupgHomeDir,
 			"--batch",
@@ -91,7 +91,8 @@ pinentry-mode loopback
 			return nil, fmt.Errorf("GPG decryption failed: %w\nStderr: %s", err, stderr.String())
 		}

-		return stdout.Bytes(), nil
+		// Create a secure buffer for the decrypted data
+		return memguard.NewBufferFromBytes(stdout.Bytes()), nil
 	}

 	// Restore original functions after test