Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Hidden text field messages not sanitized, and are visible in memory dump. #84708

Open
177shivam opened this issue Jun 16, 2021 · 28 comments
Open

Hidden text field messages not sanitized, and are visible in memory dump. #84708

177shivam opened this issue Jun 16, 2021 · 28 comments
Labels
c: new feature Nothing broken; request for a new capability engine flutter/engine repository. See also e: labels. found in release: 2.2 Found to occur in 2.2 found in release: 2.3 Found to occur in 2.3 has reproducible steps The issue has been confirmed reproducible and is ready to work on P3 Issues that are less important to the Flutter project team-engine Owned by Engine team triaged-engine Triaged by Engine team

Comments

@177shivam
Copy link

177shivam commented Jun 16, 2021
edited by TahaTesser

Details

I have created a Linux application having login form on which clicking the login button the dio netowrk request is made and the current page is route to another page with pushReplacement. But when I take memory dump of the process there I can see the entered password is visible in the dump file.

Target Platform: Ubuntu 18.04.1
Target Kernel version: 5.4.0-42-generic

Basic application code

code snippet 
@override
  Widget build(BuildContext context) {
    return WillPopScope(
      onWillPop: () async {
        if (Navigator.of(context).userGestureInProgress) {
          return false;
        } else {
          return true;
        }
      },
      child: Scaffold(
        appBar: AppBar(
          backgroundColor: Colors.white,
          elevation: 1,
          centerTitle: true,
          title: Text(
            "Login",
            style: TextStyle(color: Colors.black),
          ),
          leading: Icon(
            Icons.arrow_back,
            color: Colors.transparent,
          ),
        ),
        body: Center(
          child: Card(
            elevation: 8.0,
            child: Container(
              width: 600,
              height: 600,
              child: SingleChildScrollView(
                child: Column(
                  mainAxisAlignment: MainAxisAlignment.start,
                  crossAxisAlignment: CrossAxisAlignment.center,
                  children: <Widget>[
                    Row(
                      mainAxisAlignment: MainAxisAlignment.center,
                      crossAxisAlignment: CrossAxisAlignment.center,
                      children: <Widget>[
                        Container(
                          width: 140,
                          child: Text(
                            "Username : ",
                            style: TextStyle(color: Colors.grey),
                          ),
                        ),
                        SizedBox(
                          width: 16.0,
                        ),
                        Container(
                          decoration: BoxDecoration(
                            border: Border(
                                bottom: BorderSide(
                              color: Colors.grey,
                            )),
                          ),
                          width: 260,
                          key: usernameKey,
                          padding: EdgeInsets.all(8),
                          child: TextField(
                            controller: usernameController,
                            keyboardType: TextInputType.text,
                            style:TextStyle(fontSize: 16.0, color: Colors.black),
                            decoration: InputDecoration(
                                border: InputBorder.none,
                                hintText: "Enter username",
                                hintStyle: TextStyle(fontSize: 18.0)),
                            
                            onSubmitted: (text) {
                              fetchUpdateDetails();         
                            },
                          ),
                        ),
                        SizedBox(
                          width: 16.0,
                        ),
                        SizedBox(
                          width: 32,
                        ),
                      ],
                    ),
                    SizedBox(
                      height: 16,
                    ),
                    Row(
                      mainAxisAlignment: MainAxisAlignment.center,
                      crossAxisAlignment: CrossAxisAlignment.center,
                      children: <Widget>[
                        Container(
                          width: 140,
                          child: Text(
                            "Password : ",
                            style: TextStyle(color: Colors.grey),
                          ),
                        ),
                        SizedBox(
                          width: 16.0,
                        ),
                        Stack(
                          children: [
                            Container(
                              decoration: BoxDecoration(
                                border: Border(
                                  bottom: BorderSide(
                                    color: Colors.grey,
                                  ),
                                ),
                              ),
                              width: 260,
                              key: passwordKey,
                              padding: EdgeInsets.all(8),
                              child: TextField(
                                obscureText: true,
                                onChanged: (String new_val) {
                                  String newPass = "";
                                  for (int i = 0; i < new_val.length; i++) {
                                    newPass += "\u2022";
                                  }
                                  setState(() {
                                    this.passwordToShow = newPass;
                                    this.actualPassword = new_val;
                                  });
                                },
                                controller: passwordController,
                                keyboardType: TextInputType.text,
                                
                                textAlign: TextAlign.left,
                                onSubmitted: (String text) {
                                  fetchUpdateDetails();
                                },
                                style: TextStyle(
                                    fontSize: 16.0, color: Colors.transparent),
                                decoration: InputDecoration(
                                  border: InputBorder.none,
                                  hintText: "Enter password",
                                  hintStyle: TextStyle(fontSize: 18.0),
                                ),
                              ),
                            ),
                            Positioned(
                              top: 24,
                              left: 8,
                              child: Text(
                                "${passwordToShow}",
                                style: TextStyle(fontSize: 16),
                              ),
                            )
                          ],
                        ),
                        SizedBox(
                          width: 16.0,
                        ),
                      ],
                    ),
                    SizedBox(
                      height: 16,
                    ),
                    Row(
                      mainAxisAlignment: MainAxisAlignment.center,
                      crossAxisAlignment: CrossAxisAlignment.center,
                      children: <Widget>[
                        RaisedButton(
                          child: Text("LOGIN"),
                          onPressed: () {
                            loginUser();
                          },
                        ),
                      ],
                    ),
                    SizedBox(
                      height: 16,
                    ),
                  ],
                ),
              ),
            ),
          ),
        ),
      ),
    );
    
  }

Here loginUser() will make a dio network request and on response it will route to next page using pushReplacement. And before routing to next page i have made all the string(string which stored password or username) to null.

And i have disposed all TextEditingController.

Script used to take memory dump

#!/bin/bash

grep rw-p /proc/$1/maps \
| sed -n 's/^\([0-9a-f]*\)-\([0-9a-f]*\) .*$/\1 \2/p' \
| while read start stop; do \
    gdb --batch --pid $1 -ex \
        "dump memory $1-$start-$stop.dump 0x$start 0x$stop"; \
done

Run scipt by ./shript.sh [pid of application]

Flutter doctor -v

flutter doctor -v 
[✓] Flutter (Channel unknown, 2.0.3, on Linux, locale en_IN)
    • Flutter version 2.0.3 at /home/shivam/flut/flutter
    • Framework revision 4d7946a68d (3 months ago), 2021-03-18 17:24:33 -0700
    • Engine revision 3459eb2436
    • Dart version 2.12.2

[!] Android toolchain - develop for Android devices (Android SDK version 28.0.3)
    • Android SDK at /usr/lib/android-sdk
    ✗ Flutter requires Android SDK 29 and the Android BuildTools 28.0.3
      To update the Android SDK visit https://flutter.dev/docs/get-started/install/linux#android-setup for detailed instructions.
    ! Some Android licenses not accepted.  To resolve this, run: flutter doctor --android-licenses

[✓] Chrome - develop for the web
    • Chrome at google-chrome

[✓] Linux toolchain - develop for Linux desktop
    • clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)
    • cmake version 3.10.2
    • ninja version 1.8.2
    • pkg-config version 0.29.1

[!] Android Studio (not installed)
    • Android Studio not found; download from https://developer.android.com/studio/index.html
      (or visit https://flutter.dev/docs/get-started/install/linux#android-setup for detailed instructions).

[✓] VS Code (version 1.47.1)
    • VS Code at /usr/share/code
    • Flutter extension version 3.14.1

[✓] Connected device (2 available)
    • Linux (desktop) • linux  • linux-x64      • Linux
    • Chrome (web)    • chrome • web-javascript • Google Chrome 89.0.4389.90
@177shivam 177shivam added the from: performance template Issues created via a performance issue template label Jun 16, 2021
@TahaTesser TahaTesser added in triage Presently being triaged by the triage team and removed from: performance template Issues created via a performance issue template labels Jun 17, 2021
@TahaTesser
Copy link
Member

Hi @177shivam

Can you please upgrade to the latest stable and try again
Execute the following commands to upgrade
flutter channel stable
flutter upgrade --force
flutter doctor -v

If the problem persists, can you please provide your flutter doctor -v with the upgrade, complete reproducible minimal code sample, and complete flutter run --verbose logs running the minimal code sample?
Thank you

@TahaTesser TahaTesser added the waiting for customer response The Flutter team cannot make further progress on this issue until the original reporter responds label Jun 17, 2021
@177shivam
Copy link
Author

Hi @TahaTesser

Futter doctor -v after upgrade

Futter doctor -v 
[✓] Flutter (Channel stable, 2.2.2, on Linux, locale en_IN)
    • Flutter version 2.2.2 at /home/shivam/flut/flutter
    • Framework revision d79295af24 (7 days ago), 2021-06-11 08:56:01 -0700
    • Engine revision 91c9fc8fe0
    • Dart version 2.13.3

[!] Android toolchain - develop for Android devices (Android SDK version 28.0.3)
    • Android SDK at /usr/lib/android-sdk
    ✗ Flutter requires Android SDK 29 and the Android BuildTools 28.0.3
      To update the Android SDK visit https://flutter.dev/docs/get-started/install/linux#android-setup for
      detailed instructions.
    ! Some Android licenses not accepted.  To resolve this, run: flutter doctor --android-licenses

[✓] Chrome - develop for the web
    • Chrome at google-chrome

[✓] Linux toolchain - develop for Linux desktop
    • clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)
    • cmake version 3.10.2
    • ninja version 1.8.2
    • pkg-config version 0.29.1

[!] Android Studio (not installed)
    • Android Studio not found; download from https://developer.android.com/studio/index.html
      (or visit https://flutter.dev/docs/get-started/install/linux#android-setup for detailed instructions).

[✓] VS Code (version 1.47.1)
    • VS Code at /usr/share/code
    • Flutter extension version 3.14.1

[✓] Connected device (2 available)
    • Linux (desktop) • linux  • linux-x64      • Linux
    • Chrome (web)    • chrome • web-javascript • Google Chrome 89.0.4389.90

code snippet

Complete code snippet

main.dart

import 'package:flutter/material.dart';
import 'package:flutter/cupertino.dart';
import 'package:demo/app.dart';

void main() {
  runApp(MyApp());
}

class MyApp extends StatelessWidget {
  // This widget is the root of your application.
  @override
  Widget build(BuildContext context) {
    return MaterialApp(
      title: 'Flutter Demo',
      theme: ThemeData(
        primarySwatch: Colors.blue,
      ),
      home: MyHomePage(title: 'Flutter Demo Home Page'),
    );
  }
}

class MyHomePage extends StatefulWidget {
  MyHomePage({Key? key, required this.title}) : super(key: key);

  final String title;

  @override
  _MyHomePageState createState() => _MyHomePageState();
}

class _MyHomePageState extends State<MyHomePage> {
  int _counter = 0;
  GlobalKey usernameKey = GlobalKey();
  GlobalKey passwordKey = GlobalKey();

  String username="";
  String password="";
  String passwordToShow="" ;
  
  TextEditingController usernameController = TextEditingController();
  TextEditingController passwordController = TextEditingController();

  String actualPassword="";

  void _incrementCounter() {
    setState(() {
      _counter++;
    });
  }

  @override
  void dispose() {
    usernameController.dispose();
    passwordController.dispose();
    super.dispose();
  }

  @override
  Widget build(BuildContext context) {
    return WillPopScope(
      onWillPop: () async {
        if (Navigator.of(context).userGestureInProgress) {
          return false;
        } else {
          return true;
        }
      },
      child: Scaffold(
        appBar: AppBar(
          backgroundColor: Colors.white,
          elevation: 1,
          centerTitle: true,
          title: Text(
            "Login",
            style: TextStyle(color: Colors.black),
          ),
          leading: Icon(
            Icons.arrow_back,
            color: Colors.transparent,
          ),
        ),
        body: Center(
          child: Card(
            elevation: 8.0,
            child: Container(
              width: 600,
              height: 600,
              child: SingleChildScrollView(
                child: Column(
                  mainAxisAlignment: MainAxisAlignment.start,
                  crossAxisAlignment: CrossAxisAlignment.center,
                  children: <Widget>[
                    Row(
                      mainAxisAlignment: MainAxisAlignment.center,
                      crossAxisAlignment: CrossAxisAlignment.center,
                      children: <Widget>[
                        Container(
                          width: 140,
                          child: Text(
                            "Username : ",
                            style: TextStyle(color: Colors.grey),
                          ),
                        ),
                        SizedBox(
                          width: 16.0,
                        ),
                        Container(
                          decoration: BoxDecoration(
                            border: Border(
                                bottom: BorderSide(
                              color: Colors.grey,
                            )),
                          ),
                          width: 260,
                          key: usernameKey,
                          padding: EdgeInsets.all(8),
                          child: TextField(
                            controller: usernameController,
                            keyboardType: TextInputType.text,
                            style:TextStyle(fontSize: 16.0, color: Colors.black),
                            decoration: InputDecoration(
                                border: InputBorder.none,
                                hintText: "Enter username",
                                hintStyle: TextStyle(fontSize: 18.0)),
                            
                            onSubmitted: (text) {        
                            },
                          ),
                        ),
                        SizedBox(
                          width: 16.0,
                        ),
                        SizedBox(
                          width: 32,
                        ),
                      ],
                    ),
                    SizedBox(
                      height: 16,
                    ),
                    Row(
                      mainAxisAlignment: MainAxisAlignment.center,
                      crossAxisAlignment: CrossAxisAlignment.center,
                      children: <Widget>[
                        Container(
                          width: 140,
                          child: Text(
                            "Password : ",
                            style: TextStyle(color: Colors.grey),
                          ),
                        ),
                        SizedBox(
                          width: 16.0,
                        ),
                        Stack(
                          children: [
                            Container(
                              decoration: BoxDecoration(
                                border: Border(
                                  bottom: BorderSide(
                                    color: Colors.grey,
                                  ),
                                ),
                              ),
                              width: 260,
                              key: passwordKey,
                              padding: EdgeInsets.all(8),
                              child: TextField(
                                obscureText: true,
                                onChanged: (String new_val) {
                                  String newPass = "";
                                  for (int i = 0; i < new_val.length; i++) {
                                    newPass += "\u2022";
                                  }
                                  setState(() {
                                    this.passwordToShow = newPass;
                                    this.actualPassword = new_val;
                                  });
                                },
                                controller: passwordController,
                                keyboardType: TextInputType.text,
                                
                                textAlign: TextAlign.left,
                                onSubmitted: (String text) {
                                },
                                style: TextStyle(
                                    fontSize: 16.0, color: Colors.transparent),
                                decoration: InputDecoration(
                                  border: InputBorder.none,
                                  hintText: "Enter password",
                                  hintStyle: TextStyle(fontSize: 18.0),
                                ),
                              ),
                            ),
                            Positioned(
                              top: 24,
                              left: 8,
                              child: Text(
                                "${passwordToShow}",
                                style: TextStyle(fontSize: 16),
                              ),
                            )
                          ],
                        ),
                        SizedBox(
                          width: 16.0,
                        ),
                      ],
                    ),
                    SizedBox(
                      height: 16,
                    ),
                    Row(
                      mainAxisAlignment: MainAxisAlignment.center,
                      crossAxisAlignment: CrossAxisAlignment.center,
                      children: <Widget>[
                        RaisedButton(
                          child: Text("LOGIN"),
                          onPressed: () {
                            loginUser();
                          },
                        ),
                      ],
                    ),
                    SizedBox(
                      height: 16,
                    ),
                  ],
                ),
              ),
            ),
          ),
        ),
      ),
    ); 
  }

  void loginUser() async {
    username = usernameController.text;

    if (username.isEmpty) {
      return;
    }

    if (actualPassword.isEmpty) {
      return;
    }

      setState(() {
        this.password = "";
        this.actualPassword = "";
        this.passwordToShow = "";
        passwordController.clear();
      });

      Navigator.of(context).pushReplacement(CupertinoPageRoute(
        builder: (context) => ApplicationsPage(),
      ));
  }

}

app.dart

import 'package:flutter/material.dart';
import 'package:flutter/cupertino.dart';


class ApplicationsPage extends StatefulWidget {

  @override
  ApplicationsPageState createState() => ApplicationsPageState();
}

class ApplicationsPageState extends State<ApplicationsPage>
    with SingleTickerProviderStateMixin {
  var _scaffoldKey = new GlobalKey<ScaffoldState>();



  @override
  Widget build(BuildContext context) {
     return Text('Hello, World!', style: Theme.of(context).textTheme.headline4);
 }

}

In this aplication i have entered username , password and then i haved clicked on login. On login i routed to next page app.dart

After that i took memory dump using above shared script.

screenshot showing memory leak

Screenshot from 2021-06-18 12-29-34

flutter run -v 
[ +162 ms] executing: uname -m
[  +64 ms] Exit code 0 from: uname -m
[        ] x86_64
[  +13 ms] executing: [/home/shivam/flut/flutter/] git -c log.showSignature=false log -n 1
--pretty=format:%H
[  +16 ms] Exit code 0 from: git -c log.showSignature=false log -n 1 --pretty=format:%H
[        ] d79295af24c3ed621c33713ecda14ad196fd9c31
[   +1 ms] executing: [/home/shivam/flut/flutter/] git tag --points-at
d79295af24c3ed621c33713ecda14ad196fd9c31
[  +25 ms] Exit code 0 from: git tag --points-at d79295af24c3ed621c33713ecda14ad196fd9c31
[        ] 2.2.2
[   +8 ms] executing: [/home/shivam/flut/flutter/] git rev-parse --abbrev-ref --symbolic @{u}
[   +9 ms] Exit code 0 from: git rev-parse --abbrev-ref --symbolic @{u}
[        ] origin/stable
[        ] executing: [/home/shivam/flut/flutter/] git ls-remote --get-url origin
[   +8 ms] Exit code 0 from: git ls-remote --get-url origin
[        ] https://github.com/flutter/flutter.git
[ +186 ms] executing: [/home/shivam/flut/flutter/] git rev-parse --abbrev-ref HEAD
[   +8 ms] Exit code 0 from: git rev-parse --abbrev-ref HEAD
[        ] stable
[ +118 ms] Artifact Instance of 'AndroidGenSnapshotArtifacts' is not required, skipping update.
[        ] Artifact Instance of 'AndroidInternalBuildArtifacts' is not required, skipping update.
[        ] Artifact Instance of 'IOSEngineArtifacts' is not required, skipping update.
[        ] Artifact Instance of 'FlutterWebSdk' is not required, skipping update.
[   +3 ms] Artifact Instance of 'WindowsEngineArtifacts' is not required, skipping update.
[        ] Artifact Instance of 'MacOSEngineArtifacts' is not required, skipping update.
[        ] Artifact Instance of 'LinuxEngineArtifacts' is not required, skipping update.
[        ] Artifact Instance of 'LinuxFuchsiaSDKArtifacts' is not required, skipping update.
[        ] Artifact Instance of 'MacOSFuchsiaSDKArtifacts' is not required, skipping update.
[        ] Artifact Instance of 'FlutterRunnerSDKArtifacts' is not required, skipping update.
[        ] Artifact Instance of 'FlutterRunnerDebugSymbols' is not required, skipping update.
[ +309 ms] executing: /usr/lib/android-sdk/platform-tools/adb devices -l
[ +194 ms] List of devices attached
[   +6 ms] Artifact Instance of 'AndroidGenSnapshotArtifacts' is not required, skipping update.
[        ] Artifact Instance of 'AndroidInternalBuildArtifacts' is not required, skipping update.
[        ] Artifact Instance of 'IOSEngineArtifacts' is not required, skipping update.
[  +36 ms] Artifact Instance of 'WindowsEngineArtifacts' is not required, skipping update.
[        ] Artifact Instance of 'MacOSEngineArtifacts' is not required, skipping update.
[   +5 ms] Artifact Instance of 'LinuxFuchsiaSDKArtifacts' is not required, skipping update.
[        ] Artifact Instance of 'MacOSFuchsiaSDKArtifacts' is not required, skipping update.
[        ] Artifact Instance of 'FlutterRunnerSDKArtifacts' is not required, skipping update.
[        ] Artifact Instance of 'FlutterRunnerDebugSymbols' is not required, skipping update.
[ +144 ms] Multiple devices found:
[  +83 ms] Linux (desktop) • linux  • linux-x64      • Linux
[   +1 ms] Chrome (web)    • chrome • web-javascript • Google Chrome 89.0.4389.90
[   +2 ms] [1]: Linux (linux)
[        ] [2]: Chrome (chrome)
[   +2 ms] Please choose one (To quit, press "q/Q")
[        ] : 
[ +576 ms] 1
[  +64 ms] Skipping pub get: version match.
[ +430 ms] Generating
/home/shivam/Desktop/accops/demo/android/app/src/main/java/io/flutter/plugins/GeneratedPluginRegistrant.java
[ +146 ms] Initializing file store
[  +43 ms] Skipping target: gen_localizations
[  +11 ms] complete
[   +6 ms] Launching lib/main.dart on Linux in debug mode...
[   +7 ms] /home/shivam/flut/flutter/bin/cache/dart-sdk/bin/dart --disable-dart-dev
/home/shivam/flut/flutter/bin/cache/artifacts/engine/linux-x64/frontend_server.dart.snapshot --sdk-root
/home/shivam/flut/flutter/bin/cache/artifacts/engine/common/flutter_patched_sdk/ --incremental
--target=flutter --debugger-module-names --experimental-emit-debug-metadata -DFLUTTER_WEB_AUTO_DETECT=true
--output-dill /tmp/flutter_tools.NHEUYP/flutter_tool.SAOZQW/app.dill --packages
/home/shivam/Desktop/accops/demo/.dart_tool/package_config.json -Ddart.vm.profile=false
-Ddart.vm.product=false --enable-asserts --track-widget-creation --filesystem-scheme org-dartlang-root
--initialize-from-dill build/3c113a45063dc6628e68a4111abcacad.cache.dill.track.dill
--enable-experiment=alternative-invalidation-strategy
[  +57 ms] Building Linux application...
[  +27 ms] <- compile package:demo/main.dart
[   +4 ms] executing: [build/linux/x64/debug/] cmake -G Ninja -DCMAKE_BUILD_TYPE=Debug
-DFLUTTER_TARGET_PLATFORM=linux-x64 /home/shivam/Desktop/accops/demo/linux
[ +304 ms] -- Configuring done
[  +39 ms] -- Generating done
[   +1 ms] -- Build files have been written to: /home/shivam/Desktop/accops/demo/build/linux/x64/debug
[   +6 ms] executing: ninja -C build/linux/x64/debug install
[  +20 ms] ninja: Entering directory `build/linux/x64/debug'
[+40403 ms] [1/5] Generating
/home/shivam/Desktop/accops/demo/linux/flutter/ephemeral/libflutter_linux_gtk.so,
/home/shivam/Desktop/accops/demo/linux/flutter/ephemeral/flutter_linux/fl_basic_message_channel.h,
/home/shivam/Desktop/accops/demo/linux/flutter/ephemeral/flutter_linux/fl_binary_codec.h,
/home/shivam/Desktop/accops/demo/linux/flutter/ephemeral/flutter_linux/fl_binary_messenger.h,
/home/shivam/Desktop/accops/demo/linux/flutter/ephemeral/flutter_linux/fl_dart_project.h,
/home/shivam/Desktop/accops/demo/linux/flutter/ephemeral/flutter_linux/fl_engine.h,
/home/shivam/Desktop/accops/demo/linux/flutter/ephemeral/flutter_linux/fl_json_message_codec.h,
/home/shivam/Desktop/accops/demo/linux/flutter/ephemeral/flutter_linux/fl_json_method_codec.h,
/home/shivam/Desktop/accops/demo/linux/flutter/ephemeral/flutter_linux/fl_message_codec.h,
/home/shivam/Desktop/accops/demo/linux/flutter/ephemeral/flutter_linux/fl_method_call.h,
/home/shivam/Desktop/accops/demo/linux/flutter/ephemeral/flutter_linux/fl_method_channel.h,
/home/shivam/Desktop/accops/demo/linux/flutter/ephemeral/flutter_linux/fl_method_codec.h,
/home/shivam/Desktop/accops/demo/linux/flutter/ephemeral/flutter_linux/fl_method_response.h,
/home/shivam/Desktop/accops/demo/linux/flutter/ephemeral/flutter_linux/fl_plugin_registrar.h,
/home/shivam/Desktop/accops/demo/linux/flutter/ephemeral/flutter_linux/fl_plugin_registry.h,
/home/shivam/Desktop/accops/demo/linux/flutter/ephemeral/flutter_linux/fl_standard_message_codec.h,
/home/shivam/Desktop/accops/demo/linux/flutter/ephemeral/flutter_linux/fl_standard_method_codec.h,
/home/shivam/Desktop/accops/demo/linux/flutter/ephemeral/flutter_linux/fl_string_codec.h,
/home/shivam/Desktop/accops/demo/linux/flutter/ephemeral/flutter_linux/fl_value.h,
/home/shivam/Desktop/accops/demo/linux/flutter/ephemeral/flutter_linux/fl_view.h,
/home/shivam/Desktop/accops/demo/linux/flutter/ephemeral/flutter_linux/flutter_linux.h, _phony_
[   +6 ms] [ +114 ms] executing: uname -m
[        ] [ +167 ms] Exit code 0 from: uname -m
[        ] [        ] x86_64
[        ] [  +15 ms] executing: [/home/shivam/flut/flutter/] git -c log.showSignature=false log -n 1
--pretty=format:%H
[        ] [   +9 ms] Exit code 0 from: git -c log.showSignature=false log -n 1 --pretty=format:%H
[        ] [        ] d79295af24c3ed621c33713ecda14ad196fd9c31
[        ] [   +1 ms] executing: [/home/shivam/flut/flutter/] git tag --points-at
d79295af24c3ed621c33713ecda14ad196fd9c31
[        ] [  +35 ms] Exit code 0 from: git tag --points-at d79295af24c3ed621c33713ecda14ad196fd9c31
[        ] [        ] 2.2.2
[        ] [  +15 ms] executing: [/home/shivam/flut/flutter/] git rev-parse --abbrev-ref --symbolic @{u}
[        ] [   +8 ms] Exit code 0 from: git rev-parse --abbrev-ref --symbolic @{u}
[        ] [        ] origin/stable
[        ] [        ] executing: [/home/shivam/flut/flutter/] git ls-remote --get-url origin
[        ] [   +6 ms] Exit code 0 from: git ls-remote --get-url origin
[        ] [        ] https://github.com/flutter/flutter.git
[        ] [ +190 ms] executing: [/home/shivam/flut/flutter/] git rev-parse --abbrev-ref HEAD
[        ] [  +15 ms] Exit code 0 from: git rev-parse --abbrev-ref HEAD
[        ] [        ] stable
[        ] [ +146 ms] Artifact Instance of 'AndroidGenSnapshotArtifacts' is not required, skipping update.
[        ] [        ] Artifact Instance of 'AndroidInternalBuildArtifacts' is not required, skipping update.
[        ] [        ] Artifact Instance of 'IOSEngineArtifacts' is not required, skipping update.
[        ] [        ] Artifact Instance of 'FlutterWebSdk' is not required, skipping update.
[        ] [   +6 ms] Artifact Instance of 'WindowsEngineArtifacts' is not required, skipping update.
[        ] [        ] Artifact Instance of 'MacOSEngineArtifacts' is not required, skipping update.
[        ] [        ] Artifact Instance of 'LinuxEngineArtifacts' is not required, skipping update.
[        ] [        ] Artifact Instance of 'LinuxFuchsiaSDKArtifacts' is not required, skipping update.
[        ] [        ] Artifact Instance of 'MacOSFuchsiaSDKArtifacts' is not required, skipping update.
[        ] [        ] Artifact Instance of 'FlutterRunnerSDKArtifacts' is not required, skipping update.
[        ] [        ] Artifact Instance of 'FlutterRunnerDebugSymbols' is not required, skipping update.
[        ] [ +230 ms] Artifact Instance of 'MaterialFonts' is not required, skipping update.
[        ] [        ] Artifact Instance of 'GradleWrapper' is not required, skipping update.
[        ] [        ] Artifact Instance of 'AndroidGenSnapshotArtifacts' is not required, skipping update.
[        ] [        ] Artifact Instance of 'AndroidInternalBuildArtifacts' is not required, skipping update.
[        ] [        ] Artifact Instance of 'IOSEngineArtifacts' is not required, skipping update.
[        ] [        ] Artifact Instance of 'FlutterWebSdk' is not required, skipping update.
[        ] [        ] Artifact Instance of 'FlutterSdk' is not required, skipping update.
[        ] [        ] Artifact Instance of 'WindowsEngineArtifacts' is not required, skipping update.
[        ] [        ] Artifact Instance of 'MacOSEngineArtifacts' is not required, skipping update.
[        ] [   +3 ms] Artifact Instance of 'LinuxFuchsiaSDKArtifacts' is not required, skipping update.
[        ] [        ] Artifact Instance of 'MacOSFuchsiaSDKArtifacts' is not required, skipping update.
[        ] [        ] Artifact Instance of 'FlutterRunnerSDKArtifacts' is not required, skipping update.
[        ] [        ] Artifact Instance of 'FlutterRunnerDebugSymbols' is not required, skipping update.
[        ] [        ] Artifact Instance of 'IosUsbArtifacts' is not required, skipping update.
[        ] [        ] Artifact Instance of 'IosUsbArtifacts' is not required, skipping update.
[        ] [        ] Artifact Instance of 'IosUsbArtifacts' is not required, skipping update.
[        ] [        ] Artifact Instance of 'IosUsbArtifacts' is not required, skipping update.
[        ] [        ] Artifact Instance of 'IosUsbArtifacts' is not required, skipping update.
[        ] [        ] Artifact Instance of 'FontSubsetArtifacts' is not required, skipping update.
[        ] [        ] Artifact Instance of 'PubDependencies' is not required, skipping update.
[        ] [  +90 ms] Initializing file store
[        ] [  +55 ms] Done initializing file store
[        ] [ +146 ms] Skipping target: gen_localizations
[        ] [+4550 ms] unpack_linux: Starting due to {InvalidatedReasonKind.inputChanged: The following
inputs have updated contents:
/home/shivam/Desktop/accops/demo/linux/flutter/ephemeral/libflutter_linux_gtk.so}
[   +2 ms] [+2773 ms] kernel_snapshot: Starting due to {InvalidatedReasonKind.inputChanged: The following
inputs have updated contents: /home/shivam/Desktop/accops/demo/lib/main.dart}
[        ] [  +14 ms] unpack_linux: Complete
[   +3 ms] [+1950 ms] /home/shivam/flut/flutter/bin/cache/dart-sdk/bin/dart --disable-dart-dev
/home/shivam/flut/flutter/bin/cache/artifacts/engine/linux-x64/frontend_server.dart.snapshot --sdk-root
/home/shivam/flut/flutter/bin/cache/artifacts/engine/common/flutter_patched_sdk/ --target=flutter
--no-print-incremental-dependencies -DFLUTTER_WEB_AUTO_DETECT=true -Ddart.vm.profile=false
-Ddart.vm.product=false --enable-asserts --track-widget-creation --packages
/home/shivam/Desktop/accops/demo/.dart_tool/package_config.json --output-dill
/home/shivam/Desktop/accops/demo/.dart_tool/flutter_build/4f6cb8847fce7711ecbaffee47a2630b/app.dill
--depfile
/home/shivam/Desktop/accops/demo/.dart_tool/flutter_build/4f6cb8847fce7711ecbaffee47a2630b/kernel_snapshot.d
package:demo/main.dart
[   +2 ms] [+21389 ms] kernel_snapshot: Complete
[   +1 ms] [+1407 ms] debug_bundle_linux-x64_assets: Starting due to {InvalidatedReasonKind.inputChanged:
The following inputs have updated contents:
/home/shivam/Desktop/accops/demo/.dart_tool/flutter_build/4f6cb8847fce7711ecbaffee47a2630b/app.dill,
InvalidatedReasonKind.outputMissing: The following outputs were missing:
/home/shivam/Desktop/accops/demo/build/flutter_assets/kernel_blob.bin}
[   +1 ms] [+2093 ms] debug_bundle_linux-x64_assets: Complete
[        ] [ +519 ms] Persisting file store
[        ] [  +87 ms] Done persisting file store
[        ] [ +217 ms] build succeeded.
[        ] [  +15 ms] "flutter assemble" took 35,597ms.
[        ] [ +259 ms] ensureAnalyticsSent: 252ms
[        ] [   +4 ms] Running shutdown hooks
[        ] [   +1 ms] Shutdown hooks complete
[        ] [   +1 ms] exiting with code 0
[+23142 ms] [2/5] Building CXX object CMakeFiles/demo.dir/flutter/generated_plugin_registrant.cc.o
[  +15 ms] [3/5] Building CXX object CMakeFiles/demo.dir/my_application.cc.o
[+1929 ms] [4/5] Linking CXX executable intermediates_do_not_run/demo
[        ] [4/5] Install the project...
[+1004 ms] -- Install configuration: "Debug"
[ +120 ms] -- Installing: /home/shivam/Desktop/accops/demo/build/linux/x64/debug/bundle/demo
[   +1 ms] -- Set runtime path of "/home/shivam/Desktop/accops/demo/build/linux/x64/debug/bundle/demo" to
"$ORIGIN/lib"
[   +1 ms] -- Installing: /home/shivam/Desktop/accops/demo/build/linux/x64/debug/bundle/data/icudtl.dat
[ +123 ms] -- Installing:
/home/shivam/Desktop/accops/demo/build/linux/x64/debug/bundle/lib/libflutter_linux_gtk.so
[+1307 ms] -- Installing: /home/shivam/Desktop/accops/demo/build/linux/x64/debug/bundle/data/flutter_assets
[   +1 ms] -- Installing:
/home/shivam/Desktop/accops/demo/build/linux/x64/debug/bundle/data/flutter_assets/AssetManifest.json
[   +1 ms] -- Installing:
/home/shivam/Desktop/accops/demo/build/linux/x64/debug/bundle/data/flutter_assets/FontManifest.json
[   +1 ms] -- Installing:
/home/shivam/Desktop/accops/demo/build/linux/x64/debug/bundle/data/flutter_assets/version.json
[        ] -- Installing:
/home/shivam/Desktop/accops/demo/build/linux/x64/debug/bundle/data/flutter_assets/fonts
[        ] -- Installing:
/home/shivam/Desktop/accops/demo/build/linux/x64/debug/bundle/data/flutter_assets/fonts/MaterialIcons-Regula
r.otf
[   +1 ms] -- Installing:
/home/shivam/Desktop/accops/demo/build/linux/x64/debug/bundle/data/flutter_assets/packages
[   +1 ms] -- Installing:
/home/shivam/Desktop/accops/demo/build/linux/x64/debug/bundle/data/flutter_assets/packages/cupertino_icons
[   +1 ms] -- Installing:
/home/shivam/Desktop/accops/demo/build/linux/x64/debug/bundle/data/flutter_assets/packages/cupertino_icons/a
ssets
[        ] -- Installing:
/home/shivam/Desktop/accops/demo/build/linux/x64/debug/bundle/data/flutter_assets/packages/cupertino_icons/a
ssets/CupertinoIcons.ttf
[   +1 ms] -- Installing:
/home/shivam/Desktop/accops/demo/build/linux/x64/debug/bundle/data/flutter_assets/kernel_blob.bin
[ +149 ms] -- Installing:
/home/shivam/Desktop/accops/demo/build/linux/x64/debug/bundle/data/flutter_assets/NOTICES
[ +443 ms] Building Linux application... (completed in 69.1s)
[+5451 ms] Observatory URL on device: http://127.0.0.1:33377/zypdvp_jmHc=/
[   +4 ms] Caching compiled dill
[ +438 ms] Connecting to service protocol: http://127.0.0.1:33377/zypdvp_jmHc=/
[ +419 ms] Launching a Dart Developer Service (DDS) instance at http://127.0.0.1:0, connecting to VM service
at http://127.0.0.1:33377/zypdvp_jmHc=/.
[ +136 ms] DDS is listening at http://127.0.0.1:40671/P__cu9rhkMM=/.
[ +140 ms] Successfully connected to service protocol: http://127.0.0.1:33377/zypdvp_jmHc=/
[  +98 ms] DevFS: Creating new filesystem on the device (null)
[  +58 ms] DevFS: Created new filesystem on the device (file:///tmp/demoNYWUVD/demo/)
[   +2 ms] Updating assets
[ +138 ms] Syncing files to device Linux...
[   +3 ms] <- reset
[        ] Compiling dart to kernel with 0 updated files
[   +4 ms] <- recompile package:demo/main.dart bdc92733-efc6-4a79-be49-79a17febff91
[        ] <- bdc92733-efc6-4a79-be49-79a17febff91
[ +771 ms] Updating files.
[        ] DevFS: Sync finished
[   +1 ms] Syncing files to device Linux... (completed in 780ms)
[        ] Synced 0.0MB.
[   +1 ms] <- accept
[  +14 ms] Connected to _flutterView/0x27cbbf0.
[  +16 ms] Flutter run key commands.
[   +3 ms] r Hot reload. 🔥🔥🔥
[   +2 ms] R Hot restart.
[        ] h Repeat this help message.
[        ] d Detach (terminate "flutter run" but leave application running).
[        ] c Clear the screen
[        ] q Quit (terminate the application on the device).
[        ] 💪 Running with sound null safety 💪
[   +1 ms] An Observatory debugger and profiler on Linux is available at:
http://127.0.0.1:40671/P__cu9rhkMM=/
[+3233 ms] The Flutter DevTools debugger and profiler on Linux is available at:
                  http://127.0.0.1:9101?uri=http%3A%2F%2F127.0.0.1%3A40671%2FP__cu9rhkMM%3D%2F

In screen shot below you can see that password which i entered("shivam@123") is visible.
What i think that password is visible due to TextEditingController().

@no-response no-response bot removed the waiting for customer response The Flutter team cannot make further progress on this issue until the original reporter responds label Jun 18, 2021
@TahaTesser
Copy link
Member

TahaTesser commented Jun 21, 2021
edited

HI @177shivam
Thanks for the code and details

On the stable channel, I can see password is visible
"args":[2,{"text":"1234","selectionBase":4,"selectionExtent":4,"composingBase":-1,"composingExtent":-1,"selection

flutter doctor -v 
[✓] Flutter (Channel stable, 2.2.2, on Linux, locale en_US.UTF-8)
    • Flutter version 2.2.2 at /home/taha/Code/flutter_stable
    • Framework revision d79295af24 (10 days ago), 2021-06-11 08:56:01 -0700
    • Engine revision 91c9fc8fe0
    • Dart version 2.13.3

[✓] Android toolchain - develop for Android devices (Android SDK version 30.0.3)
    • Android SDK at /home/taha/Code/SDK
    • Platform android-30, build-tools 30.0.3
    • ANDROID_HOME = /home/taha/Code/SDK
    • Java binary at: /home/taha/Code/android-studio/jre/bin/java
    • Java version OpenJDK Runtime Environment (build 11.0.8+0-b944-P17168821)
    • All Android licenses accepted.

[✓] Chrome - develop for the web
    • Chrome at google-chrome

[✓] Linux toolchain - develop for Linux desktop
    • Ubuntu clang version 12.0.0-1ubuntu1
    • cmake version 3.18.4
    • ninja version 1.8.2
    • pkg-config version 0.29.2

[✓] Android Studio (version 4.2)
    • Android Studio at /home/taha/Code/android-studio
    • Flutter plugin can be installed from:
      🔨 https://plugins.jetbrains.com/plugin/9212-flutter
    • Dart plugin can be installed from:
      🔨 https://plugins.jetbrains.com/plugin/6351-dart
    • Java version OpenJDK Runtime Environment (build 11.0.8+0-b944-P17168821)

[✓] VS Code (version 1.56.2)
    • VS Code at /usr/share/code
    • Flutter extension version 3.23.0

[✓] Connected device (3 available)
    • Redmi K20 Pro (mobile) • def0ad20 • android-arm64  • Android 10 (API 29)
    • Linux (desktop)        • linux    • linux-x64      • Linux
    • Chrome (web)           • chrome   • web-javascript • Google Chrome 91.0.4472.114

• No issues found!

However I tried on the latest master channel, I cannot see the password in any of the dump files

Can you please upgrade to the latest master and try again
Execute the following commands to upgrade
flutter channel master
flutter upgrade --force
flutter doctor -v

@TahaTesser TahaTesser added the waiting for customer response The Flutter team cannot make further progress on this issue until the original reporter responds label Jun 21, 2021
@177shivam
Copy link
Author

177shivam commented Jun 21, 2021
edited by TahaTesser

Hi @TahaTesser

After performing the folowing steps

flutter channel master
flutter upgrade --force
flutter clean

I can still see the password (shivam@123)

{"method":"TextInputClient.updateEditingState","args":[2,{"text":"shivam@123","selectionBase":10,"selectionExtent":10,"composingBase":-1,"composingExtent":-1,"selectionAffinity":"TextAffinity.downstream","selectionIsDirectional":false}]}

Screenshot from 2021-06-21 19-21-32
Screenshot from 2021-06-21 19-21-45

flutter doctor -v 
[✓] Flutter (Channel master, 2.3.0-17.0.pre.414, on Ubuntu 18.04.3 LTS 5.4.0-42-generic, locale en_IN)
   • Flutter version 2.3.0-17.0.pre.414 at /home/shivam/flut/flutter
   • Upstream repository https://github.com/flutter/flutter.git
   • Framework revision 757c3add14 (11 hours ago), 2021-06-20 22:29:02 -0400
   • Engine revision 9520bb15b3
   • Dart version 2.14.0 (build 2.14.0-228.0.dev)

[☠] Android toolchain - develop for Android devices (the doctor check crashed)
   ✗ Due to an error, the doctor check did not complete. If the error message below is not helpful, please let us know about this issue at
     https://github.com/flutter/flutter/issues.
   ✗ Null check operator used on a null value
   • #0      AndroidValidator.validate (package:flutter_tools/src/android/android_workflow.dart:206:40)
     #1      GroupedValidator.validate.<anonymous closure> (package:flutter_tools/src/doctor_validator.dart:87:56)
     #2      asyncGuard.<anonymous closure> (package:flutter_tools/src/base/async_guard.dart:111:32)
     #3      asyncGuard.<anonymous closure> (package:flutter_tools/src/base/async_guard.dart:109:18)
     #4      _rootRun (dart:async/zone.dart:1428:13)
     #5      _CustomZone.run (dart:async/zone.dart:1328:19)
     #6      _runZoned (dart:async/zone.dart:1863:10)
     #7      runZonedGuarded (dart:async/zone.dart:1851:12)
     #8      runZoned (dart:async/zone.dart:1782:12)
     #9      asyncGuard (package:flutter_tools/src/base/async_guard.dart:109:3)
     #10     GroupedValidator.validate (package:flutter_tools/src/doctor_validator.dart:87:11)
     #11     asyncGuard.<anonymous closure> (package:flutter_tools/src/base/async_guard.dart:111:32)
     #12     asyncGuard.<anonymous closure> (package:flutter_tools/src/base/async_guard.dart:109:18)
     #13     _rootRun (dart:async/zone.dart:1428:13)
     #14     _CustomZone.run (dart:async/zone.dart:1328:19)
     #15     _runZoned (dart:async/zone.dart:1863:10)
     #16     runZonedGuarded (dart:async/zone.dart:1851:12)
     #17     runZoned (dart:async/zone.dart:1782:12)
     #18     asyncGuard (package:flutter_tools/src/base/async_guard.dart:109:3)
     #19     Doctor.startValidatorTasks (package:flutter_tools/src/doctor.dart:200:9)
     #20     Doctor.diagnose (package:flutter_tools/src/doctor.dart:304:47)
     #21     DoctorCommand.runCommand (package:flutter_tools/src/commands/doctor.dart:50:47)
     #22     FlutterCommand.verifyThenRunCommand (package:flutter_tools/src/runner/flutter_command.dart:1275:12)
     <asynchronous suspension>
     #23     FlutterCommand.run.<anonymous closure> (package:flutter_tools/src/runner/flutter_command.dart:1126:27)
     <asynchronous suspension>
     #24     AppContext.run.<anonymous closure> (package:flutter_tools/src/base/context.dart:150:19)
     <asynchronous suspension>
     #25     CommandRunner.runCommand (package:args/command_runner.dart:196:13)
     <asynchronous suspension>
     #26     FlutterCommandRunner.runCommand.<anonymous closure> (package:flutter_tools/src/runner/flutter_command_runner.dart:284:9)
     <asynchronous suspension>
     #27     AppContext.run.<anonymous closure> (package:flutter_tools/src/base/context.dart:150:19)
     <asynchronous suspension>
     #28     FlutterCommandRunner.runCommand (package:flutter_tools/src/runner/flutter_command_runner.dart:232:5)
     <asynchronous suspension>
     #29     run.<anonymous closure>.<anonymous closure> (package:flutter_tools/runner.dart:62:9)
     <asynchronous suspension>
     #30     AppContext.run.<anonymous closure> (package:flutter_tools/src/base/context.dart:150:19)
     <asynchronous suspension>
     #31     main (package:flutter_tools/executable.dart:91:3)
     <asynchronous suspension>


[✓] Chrome - develop for the web
   • Chrome at google-chrome

[✓] Linux toolchain - develop for Linux desktop
   • clang version 6.0.0-1ubuntu2 (tags/RELEASE_600/final)
   • cmake version 3.10.2
   • ninja version 1.8.2
   • pkg-config version 0.29.1

[!] Android Studio (not installed)
   • Android Studio not found; download from https://developer.android.com/studio/index.html
     (or visit https://flutter.dev/docs/get-started/install/linux#android-setup for detailed instructions).

[✓] VS Code (version 1.47.1)
   • VS Code at /usr/share/code
   • Flutter extension version 3.14.1

[✓] Connected device (2 available)
   • Linux (desktop) • linux  • linux-x64      • Ubuntu 18.04.3 LTS 5.4.0-42-generic
   • Chrome (web)    • chrome • web-javascript • Google Chrome 89.0.4389.90

! Doctor found issues in 2 categories.

@no-response no-response bot removed the waiting for customer response The Flutter team cannot make further progress on this issue until the original reporter responds label Jun 21, 2021
@TahaTesser TahaTesser changed the title Memory leak on taking memory dump through gdb when building form by using row,container,stack,column Memory leak on taking memory dump through gdb, Form fields inputs are exposed Jun 22, 2021
@TahaTesser
Copy link
Member

@177shivam
Thanks for the update, I tried again on master, yet none of the files are containing this, so many fils are generated so maybe I am missing it

flutter doctor -v 
[✓] Flutter (Channel master, 2.3.0-17.0.pre.414, on Pop!_OS 21.04 5.11.0-7614-generic, locale en_US.UTF-8)
    • Flutter version 2.3.0-17.0.pre.414 at /home/taha/Code/flutter_master
    • Upstream repository https://github.com/flutter/flutter.git
    • Framework revision 757c3add14 (27 hours ago), 2021-06-20 22:29:02 -0400
    • Engine revision 9520bb15b3
    • Dart version 2.14.0 (build 2.14.0-228.0.dev)

[✓] Android toolchain - develop for Android devices (Android SDK version 30.0.3)
    • Android SDK at /home/taha/Code/SDK
    • Platform android-30, build-tools 30.0.3
    • ANDROID_HOME = /home/taha/Code/SDK
    • Java binary at: /home/taha/Code/android-studio/jre/bin/java
    • Java version OpenJDK Runtime Environment (build 11.0.8+0-b944-P17168821)
    • All Android licenses accepted.

[✓] Chrome - develop for the web
    • Chrome at google-chrome

[✓] Linux toolchain - develop for Linux desktop
    • Ubuntu clang version 12.0.0-1ubuntu1
    • cmake version 3.18.4
    • ninja version 1.8.2
    • pkg-config version 0.29.2

[✓] Android Studio (version 4.2)
    • Android Studio at /home/taha/Code/android-studio
    • Flutter plugin can be installed from:
      🔨 https://plugins.jetbrains.com/plugin/9212-flutter
    • Dart plugin can be installed from:
      🔨 https://plugins.jetbrains.com/plugin/6351-dart
    • Java version OpenJDK Runtime Environment (build 11.0.8+0-b944-P17168821)

[✓] VS Code (version 1.56.2)
    • VS Code at /usr/share/code
    • Flutter extension version 3.23.0

[✓] Connected device (2 available)
    • Linux (desktop) • linux  • linux-x64      • Pop!_OS 21.04 5.11.0-7614-generic
    • Chrome (web)    • chrome • web-javascript • Google Chrome 91.0.4472.114

• No issues found!

Since you can reproduce on master, I feel safe to label for master

@TahaTesser TahaTesser added a: desktop Running on desktop engine flutter/engine repository. See also e: labels. found in release: 2.2 Found to occur in 2.2 found in release: 2.3 Found to occur in 2.3 has reproducible steps The issue has been confirmed reproducible and is ready to work on perf: memory Performance issues related to memory platform-linux Building on or for Linux specifically and removed in triage Presently being triaged by the triage team labels Jun 22, 2021
@gspencergoog gspencergoog changed the title Memory leak on taking memory dump through gdb, Form fields inputs are exposed Hidden text field messages not sanitized, and are visible in memory dump. Jun 24, 2021
@gspencergoog
Copy link
Contributor

This isn't really a memory leak, but regardless, it is memory that we should zero out after we're done reading it from the channel.

@gspencergoog gspencergoog added the P1 High-priority issues at the top of the work list label Jun 24, 2021
@masanggil1986
Copy link

Is there any way I can zero out the memory now?

@masanggil1986
Copy link

@gspencergoog For your information, android has the same issue.

@ellemenno
Copy link

@gspencergoog this issue also affects mobile builds for iOS and Android platforms, and gets flagged by security scans as CWE-316 Cleartext Storage of Sensitive Information in Memory. As such, can this be elevated in priority? Also, are there any recommended work-arounds in the meantime?

@gspencergoog gspencergoog removed the platform-linux Building on or for Linux specifically label Mar 2, 2022
@gspencergoog
Copy link
Contributor

cc @zanderso Is there someone on the engine team that has time to take a look at this? It seems to be something systemic where we're not clearing out the strings containing the JSON being transferred over the system channel.

@zanderso
Copy link
Member

zanderso commented Mar 3, 2022

Looking over the code samples, I need to point out that Dart String objects are not mutable. Once a plaintext String is in the Dart heap, there's no way to ensure that it will ever be sanitized.

@rmacnak-google @a-siva

@rmacnak-google
Copy link
Contributor

Even after the String is garbage collected, the memory it once occupied will remain untouched until either the whole region is empty and returned to the OS or a new object is allocated at its address.

@gspencergoog
Copy link
Contributor

OK, so what's the solution here? Do we need to encrypt data transfer between framework and engine? I'm sure that could obfuscate it, but it probably wouldn't be too hard to find out the keys used to encrypt/decrypt it.

Would it be sufficient to overwrite the individual characters in the string with String.replaceRange? I suspect that might work sometimes and not others, depending on the algorithm that String uses to do replacements.

@gspencergoog
Copy link
Contributor

gspencergoog commented Mar 3, 2022
edited

Would it be sufficient to overwrite the individual characters in the string with String.replaceRange? I suspect that might work sometimes and not others, depending on the algorithm that String uses to do replacements.

Nevermind. As Zach already said, they're not mutable, so that's out.

@gspencergoog
Copy link
Contributor

gspencergoog commented Mar 3, 2022
edited

Could we send the strings as a list of codepoints and then overwrite the list elements with zeros? Or would those replaced items just be unlinked from the list and left around?

@ellemenno
Copy link

if it helps, java has a similar situation with immutable strings, and apparently addresses it in a similar fashion to the above suggestion (list of mutable codepoints): see JPasswordField and related tutorial.

@ellemenno
Copy link

.net has SecureString, also an (encrypted) array of characters.

@mraleph
Copy link
Member

mraleph commented Mar 3, 2022

CWE-316 seems misguided at best. You have to assume that any data accessible to the client can be compromised one way or another if somebody has direct access to the client device. Any attempts to hide it is a security theatre (security through obscurity at best).

if it helps, java has a similar situation with immutable strings, and apparently addresses it in a similar fashion to the above suggestion (list of mutable codepoints): see JPasswordField and related tutorial.

This does not really work reliably if JVM uses moving GC (and usually they do). When GC moves array to a different place it usually does not zero the source location, so you are often left with data hanging around. So if you have something like array = getPassword(); gc(); zero-out-array; you will still be left with the copy of array in memory.

.net has SecureString, also an (encrypted) array of characters.

SecureString should not be used

The best you can do (if you want to create some security theatre to satisfy requirements imposes on you), is to allocate the space for this data outside of the Dart heap (so that moving GC does not leave the copy around) and have methods for zeroing it out.

Dart already has necessary pieces to achieve this (e.g. external strings and typed data, ffi pointers), so I don't think there is anything to be done on the Dart side for this.

@mraleph mraleph removed the dependency: dart Dart team may need to help us label Mar 3, 2022
@cbracken cbracken removed the a: desktop Running on desktop label Jun 30, 2022
@cbracken
Copy link
Member

I've removed the desktop label, since this is a general issue that isn't desktop specific.

@Linxi-brave
Copy link

@gspencergoog此问题还会影响 iOS 和 Android 平台的移动版本,并被安全扫描标记为CWE-316 Cleartext Storage of Sensitive Information in Memory。因此,这可以提高优先级吗?此外,在此期间是否有任何推荐的解决方法?

可以问下是使用什么安全扫描工具吗 ?

@CarGuo
Copy link

CarGuo commented Aug 24, 2022

@Linxi-brave https://juejin.cn/post/7090798254241087495

@vscmaster
Copy link

Hello guys,
any updates on the topic?

Or just please say how to achieve sanitisation of inputs?

I see @mraleph mentioned some solutions above,

Dart already has necessary pieces to achieve this (e.g. external strings and typed data, ffi pointers), so I don't think there is anything to be done on the Dart side for this.

unfortunately that is not obvious how to access Flutter's TextInputClient and do the trick.

Please, if someone have some thought how to do secure typed data, help us.

Thank you!

@Linxi-brave

This comment was marked as off-topic.

Sign in to view
@zanderso zanderso added P3 Issues that are less important to the Flutter project and removed P1 High-priority issues at the top of the work list labels Feb 15, 2023
@zanderso
Copy link
Member

I'm dropping this to P6 to indicate that it is a valid feature request, but given the explanation from @mraleph above, it is not something we are likely to work on.

@zanderso zanderso added P6 c: new feature Nothing broken; request for a new capability and removed P3 Issues that are less important to the Flutter project perf: memory Performance issues related to memory labels Feb 15, 2023
@Adeel-Sultan

This comment was marked as off-topic.

Sign in to view
@flutter flutter deleted a comment from Linxi-brave Jun 21, 2023
@zanderso
Copy link
Member

@Adeel-Sultan Please see https://github.com/flutter/flutter/wiki/Issue-hygiene#do-not-add-me-too-or-same-or-is-there-an-update-comments-to-bugs.

@flutter-triage-bot flutter-triage-bot bot added P3 Issues that are less important to the Flutter project and removed P6 labels Jun 28, 2023
@flutter-triage-bot flutter-triage-bot bot added team-engine Owned by Engine team triaged-engine Triaged by Engine team labels Jul 8, 2023
@naninydhruva
Copy link

Hello team,

In the device memory the sensitive information is automatically stored in clear text format like password and token are exposed.
can anyone let me know any feature of flutter provides to not expose the sensitive data in memory.

@Linxi-brave

This comment was marked as off-topic.

Sign in to view
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
c: new feature Nothing broken; request for a new capability engine flutter/engine repository. See also e: labels. found in release: 2.2 Found to occur in 2.2 found in release: 2.3 Found to occur in 2.3 has reproducible steps The issue has been confirmed reproducible and is ready to work on P3 Issues that are less important to the Flutter project team-engine Owned by Engine team triaged-engine Triaged by Engine team
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests