Clear contents of sensitive header values on drop #662

Open
Cyborus04 opened this issue Jan 10, 2024 · 2 comments
@Cyborus04

Cyborus04 commented Jan 10, 2024

Since sensitive data can be stored in headers (i.e. credentials in an Authorization header), it would be nice for the value to be "zero-ed out" when they are dropped so as to not leave their data in memory. This is difficult as HeaderValue stores its contents in Bytes, but I think it would be possible to add a try_as_mut(&mut self) -> Option<&mut [u8]> method to Bytes to accomplish this.

I am fully willing to implement this myself, and have already started work towards that in tokio-rs/bytes#643, but I thought it good to make sure this goal is something you'd be interested in before continuing.

@seanmonstar
Member

I don't think this is currently something we should try to promise. The point of the sensitive flag is as a hint so the value does not get stored in the h2/h3 dynamic table. It's not meant to be a comprehensive secret container.

@Cyborus04
Author

I don't mean this as an explicit promise, more as a "better safe than sorry" implementation detail. An alternative is to still try to get try_as_mut into bytes, then create a Bytes value that I give to http and zeroize it myself. Other than that, I'm not sure how to securely include credentials.
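
An added illustration of the constraint discussed in this thread, not code from `http`, `bytes`, or either participant: `SecretValue` is a hypothetical std-only type that wraps an `Arc<Vec<u8>>` as a stand-in for a reference-counted buffer. It shows why a `try_as_mut`-style accessor has to return `Option`, and that a wipe on drop only takes effect for the last handle.

```rust
use std::sync::atomic::{compiler_fence, Ordering};
use std::sync::Arc;

/// Hypothetical stand-in for a header value backed by a ref-counted buffer.
pub struct SecretValue {
    buf: Arc<Vec<u8>>,
}

impl SecretValue {
    pub fn new(bytes: &[u8]) -> Self {
        SecretValue { buf: Arc::new(bytes.to_vec()) }
    }

    /// Cheap clone that shares the same allocation.
    pub fn share(&self) -> Self {
        SecretValue { buf: Arc::clone(&self.buf) }
    }

    pub fn as_bytes(&self) -> &[u8] {
        &self.buf
    }

    /// Mutable access only when this handle is the sole owner of the buffer.
    pub fn try_as_mut(&mut self) -> Option<&mut [u8]> {
        Arc::get_mut(&mut self.buf).map(|v| v.as_mut_slice())
    }

    /// Zero the bytes if uniquely owned; returns whether the wipe happened.
    pub fn wipe(&mut self) -> bool {
        match self.try_as_mut() {
            Some(bytes) => {
                for b in bytes.iter_mut() {
                    // Volatile store so the write is not removed as dead code.
                    unsafe { std::ptr::write_volatile(b as *mut u8, 0) };
                }
                compiler_fence(Ordering::SeqCst);
                true
            }
            None => false, // another handle still references the buffer
        }
    }
}

impl Drop for SecretValue {
    fn drop(&mut self) {
        // Only the last surviving handle actually clears the allocation.
        self.wipe();
    }
}
```

Copies made before the value reaches this type (for example while a request is being built or serialized) are outside what such a wrapper can clear.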
