sneak/secret
1
0
Fork 1
Code Issues 3 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

security: zero plaintext after copying to memguard in DecryptWithIdentity

Browse Source 
The decrypted data from io.ReadAll was copied into a memguard
LockedBuffer but the original byte slice was never zeroed, leaving
plaintext in swappable, dumpable heap memory.
This commit is contained in:
clawbot 2026-02-08 12:04:38 -08:00
parent 128c53a11d
commit fd77a047f9
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
internal/secret/crypto.go
View File

@ -68,6 +68,11 @@ func DecryptWithIdentity(data []byte, identity age.Identity) (*memguard.LockedBu
// Create a secure buffer for the decrypted data // Create a secure buffer for the decrypted data
resultBuffer := memguard.NewBufferFromBytes(result) resultBuffer := memguard.NewBufferFromBytes(result)
// Zero out the original slice to prevent plaintext from lingering in unprotected memory
for i := range result {
result[i] = 0
}
return resultBuffer, nil return resultBuffer, nil
} }