authenticator: zeroize ValidatedClaims and OidcClaims on drop#35704
Merged: jasonhernandez merged 2 commits into main, Apr 17, 2026
Conversation
Base automatically changed from jasonhernandez/sec-115-ore-zeroize-feature to main, March 31, 2026 17:30
SangJunBak reviewed, Apr 16, 2026
Implement Zeroize + ZeroizeOnDrop for ValidatedClaims and Zeroize for OidcClaims so sensitive identity data doesn't linger in memory. Callers that previously moved out of ValidatedClaims.user now use std::mem::take to avoid moving out of a ZeroizeOnDrop type. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
SangJunBak approved these changes, Apr 16, 2026
Forgot to commit the Cargo.lock change alongside the zeroize dependency addition in the previous commit; lint-and-rustfmt and lint-dependencies failed on the missing line. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
jasonhernandez added a commit that referenced this pull request, Apr 17, 2026
Adds bin/git-hook-pre-push, which runs `cargo metadata --locked --offline` (~0.5s) when the pushed commits touch any Cargo.toml or Cargo.lock. If Cargo.lock is out of sync, the push is rejected with an actionable message instead of a 15-minute CI round-trip. Motivated by #35704, where a workspace dep was added but Cargo.lock wasn't committed, failing lint-and-rustfmt (check-no-diff.sh) and lint-dependencies (cargo tree --locked refused to run). Install is opt-in per clone: ln -sf ../../bin/git-hook-pre-push .git/hooks/pre-push Bypass with `git push --no-verify` if needed. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
def- added a commit to def-/materialize that referenced this pull request, Apr 17, 2026
Follow-up to MaterializeInc#35704. The existing `impl Zeroize for OidcClaims` was dead code in production: nothing in the runtime path called `.zeroize()` on it, and it did not implement `ZeroizeOnDrop` or a manual `Drop`. The only caller was the unit test. In `validate_token`, `jsonwebtoken::decode::<OidcClaims>` produces a `TokenData` whose `claims` field holds the full JWT payload including `unknown_claims` (email, sub, groups, preferred_username, etc.). When `token_data` drops at the end of the function, none of that is zeroed — the sensitive data stays in freed heap memory. Add `impl Drop` that calls `self.zeroize()` and an `unsafe impl ZeroizeOnDrop` so every `OidcClaims` instance is automatically zeroized when it goes out of scope. Add a compile-time regression test (`assert_zod::<OidcClaims>()`) to prevent silent removal of `ZeroizeOnDrop` in the future. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
def- added a commit to def-/materialize that referenced this pull request, Apr 17, 2026
Follow-up to MaterializeInc#35704. The previous `impl Zeroize for OidcClaims` added `Drop`-based zeroization, but `unknown_claims` (the field holding the actual sensitive JWT payload — email, sub, groups, preferred_username) was only handled with `BTreeMap::clear()`. That drops entries via their normal destructors without zeroing the backing memory first, so the sensitive strings remained in freed heap memory. Replace the `.clear()` call with a `pop_first()` drain loop that zeroizes each key and recursively walks each `serde_json::Value` via a new `zeroize_json_value` helper. String leaves are zeroized in-place, arrays are element-wise zeroized then cleared, and object maps are drained so owned keys can be zeroized too. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
def- added a commit that referenced this pull request, Apr 21, 2026
…36137) Follow-up to #35704. The existing `impl Zeroize for OidcClaims` was dead code in production: nothing in the runtime path called `.zeroize()` on it, and it did not implement `ZeroizeOnDrop` or a manual `Drop`. The only caller was the unit test. In `validate_token`, `jsonwebtoken::decode::<OidcClaims>` produces a `TokenData` whose `claims` field holds the full JWT payload including `unknown_claims` (email, sub, groups, preferred_username, etc.). When `token_data` drops at the end of the function, none of that is zeroed — the sensitive data stays in freed heap memory. Add `impl Drop` that calls `self.zeroize()` and an `unsafe impl ZeroizeOnDrop` so every `OidcClaims` instance is automatically zeroized when it goes out of scope. Add a compile-time regression test (`assert_zod::<OidcClaims>()`) to prevent silent removal of `ZeroizeOnDrop` in the future. Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Motivation
Defense-in-depth: zero user identity and JWT claim data from memory after use.
Description
- `Zeroize` + `ZeroizeOnDrop` for `ValidatedClaims` (user identity string)
- `Zeroize` for `OidcClaims` (issuer, audience, timestamps, unknown claims)
- `OidcDecodingKey` wraps opaque `jsonwebtoken::DecodingKey` and cannot be zeroized
- `&str` parameters are the caller's responsibility
- No public API changes.

Depends on: (`ore::secure` module). Part of SEC-115.
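Added example (not the project's code) of the pattern this PR and its first commit describe: a `ValidatedClaims` stand-in whose `Drop` zeroizes the user identity string, and a caller that uses `std::mem::take` because moving a field out of a type with a `Drop` impl does not compile. The `zeroize` crate is replaced here by a hand-rolled volatile-write helper so the block builds with the standard library alone; the struct and helper names are assumptions.

```rust
use std::mem;
use std::ptr;
use std::sync::atomic::{compiler_fence, Ordering};

/// Overwrite a buffer with zeros using volatile writes so the optimizer
/// cannot elide the stores as "dead" (the buffer is about to be freed).
/// Stand-in for the `zeroize` crate used by the project.
pub fn zeroize_bytes(buf: &mut [u8]) {
    for b in buf.iter_mut() {
        // SAFETY: `b` is a valid, exclusively borrowed u8.
        unsafe { ptr::write_volatile(b, 0) };
    }
    compiler_fence(Ordering::SeqCst);
}

/// Zero a String's bytes in place, then truncate it. All-zero bytes are
/// valid UTF-8, so the String invariant holds throughout.
pub fn zeroize_string(s: &mut String) {
    // SAFETY: writing NUL bytes keeps the contents valid UTF-8.
    zeroize_bytes(unsafe { s.as_bytes_mut() });
    s.clear();
}

/// Hypothetical mirror of the PR's `ValidatedClaims`: the only field is the
/// user identity string, zeroized when the value goes out of scope.
#[derive(Default)]
pub struct ValidatedClaims {
    pub user: String,
}

impl Drop for ValidatedClaims {
    fn drop(&mut self) {
        zeroize_string(&mut self.user);
    }
}

/// Callers cannot write `claims.user` to move the field out, because moving
/// out of a type that implements `Drop` is a compile error (E0509).
/// `mem::take` swaps in an empty String, so the caller owns the identity
/// and the struct still zeroizes whatever it holds (now nothing) on drop.
pub fn take_user(mut claims: ValidatedClaims) -> String {
    mem::take(&mut claims.user)
}

fn main() {
    let claims = ValidatedClaims { user: "alice@example.com".into() };
    let user = take_user(claims);
    println!("took user {user}");
}
```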