12

In this question, Mubashar asks about storing sensitive info securely in memory using C#, and is pointed to the SecureString class from .NET. Is there an existing comparable tool that will do this in node.js? Otherwise, which is the way to go about doing this using node resources available?

cjfont

2 Answers

0

These aren't the droids you're looking for.

(since deletion of accepted answers is not possible)

Paul Scheltema
  • 1
    At that point, the password was already stored at the `password` variable and thus is in memory, unsecured. – Bruno Brant Oct 10 '16 at 14:17
  • 1
    password = undefined will not erase the memory used to store the password. – Stuart Schechter Feb 26 '19 at 02:16
  • 1
    This is a very dangerous illusion of security. Strings are immutable, so there is nothing to change or free them. Anytime a string gets created, even if it is a "temporary" one, like when calling `console.log`, it will turn up in a heap dump. Closures or any form of obfuscation don't change anything. – Marvin H. Oct 12 '19 at 15:53
0

The only way to go is to use a typed array like Uint8Array (the Buffer class is only a thin wrapper) and fill it with null or any other value after use.

But there are some things to consider:

When you get, for example, credentials, you most likely get them as JSON. In that case, any efforts are for nought if you don't intercept the request so that the body doesn't get stored inside a string, as any web framework will do.

When you read API keys from text files, it should be obvious why memory safety might not be the biggest concern. For that one should consider a keystore.

But even then you cannot be really sure that there are no leaks. For example, I doubt that node.js streams clean up after themselves. And even if you override them manually, there could be leaks from copying or system APIs. Even password managers have issues with leaking passwords.

To summarize: Even if you consider everything, there most likely will be leaks which you cannot prevent.

Marvin H.
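
The typed-array approach from the answer above, together with the copying caveat it raises, as an added example that is not part of the original answer. `withSecret`, `isZeroed` and `demoWipeAndCopies` are hypothetical names, and the secret bytes are a constructed sample.

```javascript
// Added example: wipe a secret held in a typed array and show which
// derived values the wipe reaches. Names and sample bytes are constructed.

// Run fn with the secret bytes, then overwrite them even if fn throws.
function withSecret(bytes, fn) {
  try {
    return fn(bytes);
  } finally {
    bytes.fill(0);
  }
}

const isZeroed = (bytes) => bytes.every((b) => b === 0);

function demoWipeAndCopies() {
  // Constructed sample secret, held as bytes rather than as a JS string.
  const secret = Uint8Array.from([0x68, 0x75, 0x6e, 0x74, 0x65, 0x72, 0x32]);
  const kept = {};

  const length = withSecret(secret, (s) => {
    kept.view = s.subarray(0, 4); // view: shares memory with s
    kept.bufView = Buffer.from(s.buffer, s.byteOffset, s.length); // shares memory too
    kept.copy = s.slice(0, 4); // Uint8Array#slice allocates a separate copy
    kept.bufCopy = Buffer.from(s); // Buffer.from(typedArray) copies the bytes
    kept.text = kept.bufCopy.toString('utf8'); // immutable string, cannot be wiped
    return s.length;
  });

  return {
    length,
    secretWiped: isZeroed(secret),
    viewWiped: isZeroed(kept.view),
    bufViewWiped: isZeroed(kept.bufView),
    copyWiped: isZeroed(kept.copy),
    bufCopyWiped: isZeroed(kept.bufCopy),
    text: kept.text,
  };
}

console.log(demoWipeAndCopies());
```

Views over the same `ArrayBuffer` are cleared by the single `fill(0)`, while every copy, and any string decoded from the bytes, has to be tracked and wiped (or avoided) separately.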