Node v0.1.0-alpha.4: 🚨 CRITICAL security fix
Pre-release
🚨 This release fixes a CRITICAL security issue in enterprise mode affecting 0.1.0-alpha.{1,2,3}.
The issue
Prior alpha versions embedded the operator's literal TOTP secret in the JWS payload of every minted unseal token. A JWS payload is base64url-encoded JSON, not ciphertext: anyone who observes a token (CI logs, container env dumps, kubectl describe pod, stack traces forwarded to error reporters) can decode the middle segment and read the secret without any key. Combined with the master key, that secret lets the holder mint valid unseal tokens for FUTURE deploys indefinitely, which defeats the entire purpose of requiring a TOTP second factor.
Affected versions: 0.1.0-alpha.1, 0.1.0-alpha.2, 0.1.0-alpha.3 (npm and Maven Central). All are deprecated.
Status: the package was not yet adopted in production by anyone outside the author's own dogfooding. No known exploitation.
The fix
The token payload no longer carries the TOTP secret. Instead it carries a salt-bound HMAC derivative:
enterprise_epoch = HMAC-SHA256(totp_secret, salt || "epoch-v1")
The file commits to this via the new EPOCH-COMMIT field:
epoch_commit = HMAC-SHA256(derived_key, enterprise_epoch || "epoch-commit-v1")
A leaked token reveals only the salt-bound derivative, which is useless for minting tokens against a re-sealed file (different salt, therefore different epoch, therefore a different EPOCH-COMMIT). The TOTP secret never leaves the operator's machine. Note that the derivative is bound to the file's salt, not to an individual deploy, so a token that has already leaked is only neutralised once the file is re-sealed with a fresh salt; that is why the migration below rotates the TOTP secret and re-seals rather than merely upgrading.
Breaking changes
- Wire format field renamed: TOTP-VERIFIER → EPOCH-COMMIT
- Token payload field renamed: totp_secret → epoch
- buildUnsealToken signature now requires the file's salt
- Files sealed by 0.1.0-alpha.{1,2,3} are NOT readable by 0.1.0-alpha.4
Migration
# 1. Decrypt with the OLD version
npx sealed-env@0.1.0-alpha.3 decrypt .env.sealed > /tmp/.env.plaintext
# 2. Upgrade
npm i -D sealed-env@0.1.0-alpha.4
# 3. Re-init keys (TOTP rotation is mandatory)
sealed-env init --mode enterprise
# 4. Re-seal
sealed-env encrypt /tmp/.env.plaintext --mode enterprise
# 5. Wipe plaintext
#    (shred cannot guarantee overwrite on copy-on-write or journaling
#    filesystems or on SSDs; if /tmp is not tmpfs, keep the plaintext
#    on a tmpfs mount for the duration of the migration instead)
shred -u /tmp/.env.plaintext
Regression tests
The new test suite verifies:
- Serialized files do NOT contain TOTP-VERIFIER.
- Minted tokens do NOT contain the literal secret in any encoding (hex, base64) or under the field name totp_secret.
Credit
Reported by an external reviewer who decoded a real minted token and matched the embedded value bit-for-bit against the operator's .env.local TOTP secret.
Full changelog: CHANGELOG.md