Hidden text field messages not sanitized, and are visible in memory dump. #84708
Comments
Hi @177shivam Can you please upgrade to the latest If the problem persists, can you please provide your |
Hi @TahaTesser
Flutter doctor -v after upgrade
Flutter doctor -v
code snippet
Complete code snippet
main.dart
app.dart
In this application I entered a username and password and then clicked on login. On login I was routed to the next page, app.dart. After that I took a memory dump using the script shared above.
screenshot showing memory leak
flutter run -v
In the screenshot below you can see that the password which I entered ("shivam@123") is visible. |
Hi @177shivam On the stable channel, I can see password is visible
flutter doctor -v
[✓] Flutter (Channel stable, 2.2.2, on Linux, locale en_US.UTF-8)
• Flutter version 2.2.2 at /home/taha/Code/flutter_stable
• Framework revision d79295af24 (10 days ago), 2021-06-11 08:56:01 -0700
• Engine revision 91c9fc8fe0
• Dart version 2.13.3
[✓] Android toolchain - develop for Android devices (Android SDK version 30.0.3)
• Android SDK at /home/taha/Code/SDK
• Platform android-30, build-tools 30.0.3
• ANDROID_HOME = /home/taha/Code/SDK
• Java binary at: /home/taha/Code/android-studio/jre/bin/java
• Java version OpenJDK Runtime Environment (build 11.0.8+0-b944-P17168821)
• All Android licenses accepted.
[✓] Chrome - develop for the web
• Chrome at google-chrome
[✓] Linux toolchain - develop for Linux desktop
• Ubuntu clang version 12.0.0-1ubuntu1
• cmake version 3.18.4
• ninja version 1.8.2
• pkg-config version 0.29.2
[✓] Android Studio (version 4.2)
• Android Studio at /home/taha/Code/android-studio
• Flutter plugin can be installed from:
🔨 https://plugins.jetbrains.com/plugin/9212-flutter
• Dart plugin can be installed from:
🔨 https://plugins.jetbrains.com/plugin/6351-dart
• Java version OpenJDK Runtime Environment (build 11.0.8+0-b944-P17168821)
[✓] VS Code (version 1.56.2)
• VS Code at /usr/share/code
• Flutter extension version 3.23.0
[✓] Connected device (3 available)
• Redmi K20 Pro (mobile) • def0ad20 • android-arm64 • Android 10 (API 29)
• Linux (desktop) • linux • linux-x64 • Linux
• Chrome (web) • chrome • web-javascript • Google Chrome 91.0.4472.114
• No issues found!
However I tried on the latest Can you please upgrade to the latest |
Hi @TahaTesser After performing the following steps
I can still see the password (shivam@123)
flutter doctor -v
|
@177shivam
flutter doctor -v
[✓] Flutter (Channel master, 2.3.0-17.0.pre.414, on Pop!_OS 21.04 5.11.0-7614-generic, locale en_US.UTF-8)
• Flutter version 2.3.0-17.0.pre.414 at /home/taha/Code/flutter_master
• Upstream repository https://github.com/flutter/flutter.git
• Framework revision 757c3add14 (27 hours ago), 2021-06-20 22:29:02 -0400
• Engine revision 9520bb15b3
• Dart version 2.14.0 (build 2.14.0-228.0.dev)
[✓] Android toolchain - develop for Android devices (Android SDK version 30.0.3)
• Android SDK at /home/taha/Code/SDK
• Platform android-30, build-tools 30.0.3
• ANDROID_HOME = /home/taha/Code/SDK
• Java binary at: /home/taha/Code/android-studio/jre/bin/java
• Java version OpenJDK Runtime Environment (build 11.0.8+0-b944-P17168821)
• All Android licenses accepted.
[✓] Chrome - develop for the web
• Chrome at google-chrome
[✓] Linux toolchain - develop for Linux desktop
• Ubuntu clang version 12.0.0-1ubuntu1
• cmake version 3.18.4
• ninja version 1.8.2
• pkg-config version 0.29.2
[✓] Android Studio (version 4.2)
• Android Studio at /home/taha/Code/android-studio
• Flutter plugin can be installed from:
🔨 https://plugins.jetbrains.com/plugin/9212-flutter
• Dart plugin can be installed from:
🔨 https://plugins.jetbrains.com/plugin/6351-dart
• Java version OpenJDK Runtime Environment (build 11.0.8+0-b944-P17168821)
[✓] VS Code (version 1.56.2)
• VS Code at /usr/share/code
• Flutter extension version 3.23.0
[✓] Connected device (2 available)
• Linux (desktop) • linux • linux-x64 • Pop!_OS 21.04 5.11.0-7614-generic
• Chrome (web) • chrome • web-javascript • Google Chrome 91.0.4472.114
• No issues found!
Since you can reproduce on master, I feel safe to label for master |
This isn't really a memory leak, but regardless, it is memory that we should zero out after we're done reading it from the channel. |
Is there any way I can zero out the memory now? |
@gspencergoog For your information, android has the same issue. |
@gspencergoog this issue also affects mobile builds for iOS and Android platforms, and gets flagged by security scans as CWE-316 Cleartext Storage of Sensitive Information in Memory. As such, can this be elevated in priority? Also, are there any recommended work-arounds in the meantime? |
cc @zanderso Is there someone on the engine team that has time to take a look at this? It seems to be something systemic where we're not clearing out the strings containing the JSON being transferred over the system channel. |
Looking over the code samples, I need to point out that Dart |
Even after the String is garbage collected, the memory it once occupied will remain untouched until either the whole region is empty and returned to the OS or a new object is allocated at its address. |
OK, so what's the solution here? Do we need to encrypt data transfer between framework and engine? I'm sure that could obfuscate it, but it probably wouldn't be too hard to find out the keys used to encrypt/decrypt it. Would it be sufficient to overwrite the individual characters in the string with |
Nevermind. As Zach already said, they're not mutable, so that's out. |
Could we send the strings as a list of codepoints and then overwrite the list elements with zeros? Or would those replaced items just be unlinked from the list and left around? |
if it helps, java has a similar situation with immutable strings, and apparently addresses it in a similar fashion to the above suggestion (list of mutable codepoints): see JPasswordField and related tutorial. |
.net has SecureString, also an (encrypted) array of characters. |
CWE-316 seems misguided at best. You have to assume that any data accessible to the client can be compromised one way or another if somebody has direct access to the client device. Any attempt to hide it is security theatre (security through obscurity at best).
This does not really work reliably if JVM uses moving GC (and usually they do). When GC moves array to a different place it usually does not zero the source location, so you are often left with data hanging around. So if you have something like
SecureString should not be used. The best you can do (if you want to create some security theatre to satisfy requirements imposed on you) is to allocate the space for this data outside of the Dart heap (so that moving GC does not leave the copy around) and have methods for zeroing it out. Dart already has necessary pieces to achieve this (e.g. external strings and typed data, ffi pointers), so I don't think there is anything to be done on the Dart side for this. |
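The approach suggested in the comment above (keep the secret outside the Dart heap and zero it explicitly), as an added example that is not part of the thread or of Flutter's code. `NativeSecret` and its members are hypothetical names, and the code assumes `package:ffi` is a dependency. It does not remove copies that already exist as Dart strings, such as the text-input JSON discussed earlier in the thread.

```dart
// Added example; NativeSecret is a hypothetical name. Requires package:ffi.
import 'dart:ffi';
import 'dart:typed_data';
import 'package:ffi/ffi.dart';

/// Fixed-size byte buffer in native memory. The Dart GC never moves or
/// copies it, so wipe() overwrites the only copy this class owns.
class NativeSecret {
  NativeSecret(this.capacity) : _ptr = calloc<Uint8>(capacity);
  final int capacity;
  Pointer<Uint8> _ptr;
  int _length = 0;
  bool get isDisposed => _ptr == nullptr;
  Uint8List get _view => _ptr.asTypedList(capacity);

  /// Append one byte as it arrives, so the whole secret never has to be
  /// assembled into an immutable Dart String.
  void addByte(int byte) {
    if (isDisposed) throw StateError('secret already wiped');
    if (_length >= capacity) throw StateError('secret buffer full');
    _view[_length++] = byte & 0xff;
  }

  /// Lend the bytes to [consumer] as a view (not to be retained), no copy.
  T use<T>(T Function(Uint8List bytes) consumer) {
    if (isDisposed) throw StateError('secret already wiped');
    return consumer(Uint8List.sublistView(_view, 0, _length));
  }

  /// Zero the whole allocation, then release it. Safe to call twice.
  void wipe() {
    if (isDisposed) return;
    _view.fillRange(0, capacity, 0);
    calloc.free(_ptr);
    _ptr = nullptr;
    _length = 0;
  }
}

void main() {
  final secret = NativeSecret(64);
  try {
    // Constructed sample input; the literal itself is an ordinary String.
    'constructed-sample'.codeUnits.forEach(secret.addByte);
    print(secret.use((b) => b.fold<int>(0, (sum, x) => sum + x)));
  } finally {
    secret.wipe();
  }
}
```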
I've removed the desktop label, since this is a general issue that isn't desktop specific. |
May I ask which security scanning tool was used? |
Hello guys, Or just please say how to achieve sanitisation of inputs? I see @mraleph mentioned some solutions above,
unfortunately it is not obvious how to access Flutter's Please, if someone has some thoughts on how to do secure typed data, help us. Thank you! |
I'm dropping this to P6 to indicate that it is a valid feature request, but given the explanation from @mraleph above, it is not something we are likely to work on. |
Hello team, In the device memory the sensitive information is automatically stored in clear text format like password and token are exposed. |
Details
I have created a Linux application with a login form; on clicking the login button a dio network request is made and the current page is routed to another page with pushReplacement. But when I take a memory dump of the process, I can see the entered password is visible in the dump file.
Target Platform: Ubuntu 18.04.1
Target Kernel version: 5.4.0-42-generic
Basic application code
code snippet
Here loginUser() will make a dio network request and on response it will route to the next page using pushReplacement. Before routing to the next page I have set all the strings (the strings which stored the password or username) to null.
And I have disposed all TextEditingControllers.
Script used to take memory dump
Run script by ./shript.sh [pid of application]
Flutter doctor -v
flutter doctor -v