Security: DecryptWithIdentity leaks plaintext in unprotected memory #5

New Issue

Closed

opened 2026-02-08 21:02:00 +01:00 by clawbot · 0 comments

clawbot commented 2026-02-08 21:02:00 +01:00

Collaborator

Copy Link

Security Issue

In internal/secret/crypto.go, DecryptWithIdentity() reads decrypted data into a regular byte slice via io.ReadAll(), then copies it into a memguard.LockedBuffer:

result, err := io.ReadAll(r)
if err != nil {
    return nil, fmt.Errorf("failed to read decrypted data: %w", err)
}
resultBuffer := memguard.NewBufferFromBytes(result)
return resultBuffer, nil

memguard.NewBufferFromBytes copies the data into protected memory, but the original result byte slice remains in regular (swappable, dumpable) memory and is never zeroed. This defeats the purpose of using memguard throughout the codebase.

Impact

Decrypted secrets (private keys, secret values, metadata) linger in unprotected heap memory and could be:

• Swapped to disk
• Visible in core dumps
• Read by memory-scanning malware

Fix

Zero out the result slice after copying into the LockedBuffer:

resultBuffer := memguard.NewBufferFromBytes(result)
for i := range result {
    result[i] = 0
}

## Security Issue In `internal/secret/crypto.go`, `DecryptWithIdentity()` reads decrypted data into a regular byte slice via `io.ReadAll()`, then copies it into a `memguard.LockedBuffer`: ```go result, err := io.ReadAll(r) if err != nil { return nil, fmt.Errorf("failed to read decrypted data: %w", err) } resultBuffer := memguard.NewBufferFromBytes(result) return resultBuffer, nil ``` `memguard.NewBufferFromBytes` copies the data into protected memory, but the original `result` byte slice remains in regular (swappable, dumpable) memory and is never zeroed. This defeats the purpose of using `memguard` throughout the codebase. ## Impact Decrypted secrets (private keys, secret values, metadata) linger in unprotected heap memory and could be: - Swapped to disk - Visible in core dumps - Read by memory-scanning malware ## Fix Zero out the `result` slice after copying into the `LockedBuffer`: ```go resultBuffer := memguard.NewBufferFromBytes(result) for i := range result { result[i] = 0 } ```

clawbot referenced a pull request that will close this issue 2026-02-08 21:06:01 +01:00

Zero plaintext after copying to memguard in DecryptWithIdentity (closes #5) #10

sneak closed this issue 2026-02-09 02:18:06 +01:00

sneak referenced this issue from a commit 2026-02-09 02:18:07 +01:00

Merge pull request 'Zero plaintext after copying to memguard in DecryptWithIdentity (closes #5)' (#10) from clawbot/secret:fix/issue-5 into main

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

ci/make-check

fix-memory-security

No results found.

Labels

Clear labels   

bot

Agent's turn to work

  

merge-ready

  

needs-checks

  

needs-rebase

  

needs-review

  

needs-rework

No Label

bot

merge-ready

needs-checks

needs-rebase

needs-review

needs-rework

Milestone

Clear milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

No Assignees

1 Participants

Notifications

Subscribe

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: sneak/secret#5

No description provided.