•  
      request #14602 Harden handling of sensitive strings
    Infos
    #14602
    Thomas Gerbet (tgerbet)
    2021-07-24 16:06
    2020-02-27 16:34
    15846
    Details
    Harden handling of sensitive strings
    Tuleap internal API exposes Tuleap\Cryptography\ConcealedString to handle string that are sensitive (e.g. password, token, encryption key...).

    However there is a few things that can be improved:
    * nothing is done to try to wipe the secret from the memory
    * a ConcealedString instance can be serialized which inadvertently the secret can end up in places it should not. This particularly easy to achieve by inadvertence by putting a ConcealedString in session (the secret might be stored in cleartext in a remote Redis instance).
    Other
    Empty
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Thomas Gerbet (tgerbet)
    Closed
    2021-07-24
    Attachments
    Empty
    References

    Follow-ups

    User avatar

    Provided patches have been integrated. I close this request.


    • Status changed from Under implementation to Closed
    • Close date set to 2021-07-24