Login New User
    •  
      request #14602 Harden handling of sensitive strings
    Infos
    #14602
    Thomas Gerbet (tgerbet)
    2020-03-02 11:55
    2020-02-27 16:34
    15272
    Details
    Harden handling of sensitive strings
    Tuleap internal API exposes Tuleap\Cryptography\ConcealedString to handle string that are sensitive (e.g. password, token, encryption key...).

    However there is a few things that can be improved:
    * nothing is done to try to wipe the secret from the memory
    * a ConcealedString instance can be serialized which inadvertently the secret can end up in places it should not. This particularly easy to achieve by inadvertence by putting a ConcealedString in session (the secret might be stored in cleartext in a remote Redis instance).
    Empty
    Other
    Empty
    Empty
    Empty
    Stage
    Thomas Gerbet (tgerbet)
    Under implementation
    Empty
    Attachments
    Empty
    References

    Follow-ups