Skip to main content

Public

Project privacy set to public. By default, its content is available to everyone (authenticated or not). Please note that more restrictive permissions might exist on some items.

    •  
      request #14602 Harden handling of sensitive strings
    Actions
    Infos
    #14602
    Thomas Gerbet (tgerbet)
    2021-07-24 16:06
    2020-02-27 16:34
    15849
    Details
    Harden handling of sensitive strings
    Tuleap internal API exposes Tuleap\Cryptography\ConcealedString to handle string that are sensitive (e.g. password, token, encryption key...).

    However there is a few things that can be improved:
    * nothing is done to try to wipe the secret from the memory
    * a ConcealedString instance can be serialized which inadvertently the secret can end up in places it should not. This particularly easy to achieve by inadvertence by putting a ConcealedString in session (the secret might be stored in cleartext in a remote Redis instance).
    Other
    Empty
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Thomas Gerbet (tgerbet)
    Closed
    2021-07-24
    Attachments
    Artifact links

    Releases

    Fixed in

    Artifact ID Project Tracker Summary Status Last Update Date Submitted By Assigned to
    rel #14269 Tuleap Releases 11.12 Delivered 2020-04-06 14:21 Manuel Vacelet (vaceletm)
    Empty
    References
    Referencing request #14602

    Git commit

    tuleap/tuleap/stable

    Prevent serialization of a ConcealedString instance 7c2cf46e02
    User avatar Thomas Gerbet (tgerbet) , 2020-02-27 16:50
    Attempt to wipe sensitive strings from memory once they are not more needed c0a047afb2
    User avatar Thomas Gerbet (tgerbet) , 2020-02-28 10:46
    Prevent returning an unwrapped ConcealedString from a method or function 78447c677f
    User avatar Thomas Gerbet (tgerbet) , 2020-03-01 18:31
    Docker image used for the backend SVN does not have ext-sodium activated 781088900d
    User avatar Thomas Gerbet (tgerbet) , 2020-03-02 10:46
    Display settings

    Follow-ups

    User avatar
    Yannis ROSSETTO (rossettoy)2021-07-24 16:06

    Provided patches have been integrated. I close this request.

    • Status changed from Under implementation to Closed
    • Close date set to 2021-07-24