aws / aws-sdk-js-v3

Modularized AWS SDK for JavaScript.
Apache License 2.0

KMS Encrypt - Full request context present in CiphertextBlob ArrayBuffer #5941

Closed JesseDavda closed 3 months ago

JesseDavda commented 3 months ago

Describe the bug

When encrypting something using the EncryptCommand, the CiphertextBlob that is returned is a Uint8Array. When accessing the underlying ArrayBuffer, I found it contains the entire request context, including the AWS credentials that were used to create the request and the original plain text.

This is an issue as the underlying buffer can be used in node to get a base64 encoded string: Buffer.from(CiphertextBlob.buffer).toString('base64'), which will include the plain text, credentials and other sensitive data in that string, which may be assumed secure.

SDK version number

@aws-sdk/client-kms@3.540.0

Which JavaScript Runtime is this issue in?

Node.js

Details of the browser/Node.js/ReactNative version

v20.11.1

Reproduction Steps

1) Ensure you have a valid credentials provider in place.
2) In the node REPL or a node script, import the KMSClient and EncryptCommand.
3) Create a new instance of the KMSClient.
4) Create a new instance of the EncryptCommand pointing at a KMS key that you have permission to use kms:Encrypt on, with any base64 encoded string as the Plaintext option.
5) Send the command through the client and retrieve the CiphertextBlob property in the response.
6) Compare the bytes in the CiphertextBlob to the bytes in the CiphertextBlob.buffer.
7) Stringify the CiphertextBlob.buffer using Buffer.from(CiphertextBlob.buffer).toString('utf8') to view the full request config.

Observed Behavior

The full request config is contained in the CiphertextBlob's underlying ArrayBuffer.

Expected Behavior

The CiphertextBlob's underlying ArrayBuffer should contain the same bytes that are in the Uint8Array.

Possible Solution

I think this is happening because the CiphertextBlob's Uint8Array is a sliced array of the request buffer. https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/TypedArray/buffer#accessing_the_underlying_buffer_from_a_sliced_array_view

Additional Information/Context

No response

kuhe commented 3 months ago

The Node.js Buffer class uses a shared underlying ArrayBuffer unless initialized with a specific ArrayBuffer. Data passing through Buffers can potentially be viewed by code in the same application process or memory context.

This behavior is mentioned in https://nodejs.org/api/buffer.html#bufbuffer and https://nodejs.org/api/buffer.html#bufbyteoffset.

const a = Buffer.from("hello");   // small Buffers are carved out of a shared pool
const b = Buffer.from(", world"); // lands in the same pool, right after "hello"

console.log(Buffer.from(b.buffer).toString()); // b.buffer is the whole pool, not just b

// output: hello, world

Although sensitive information may pass through this object, it is only visible to code executing in the same process. The process already has access to such credentials and is assumed to be authorized by the customer side of the https://aws.amazon.com/compliance/shared-responsibility-model/.

That they can be viewed in multiple ways does not indicate an elevated level of exposure of those credentials. Code executing in the same process can already read credentials from the SDK client, or the Node.js http module, for example, by adding hooks on class prototypes.
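Putting the reporter's sliced-view explanation and the pool behaviour described above into one runnable Node.js snippet. This is added example code, not from the issue or the SDK: the "request context" bytes and the 64-byte backing buffer are constructed stand-ins, and sharesBackingStore, leakyBase64, safeBase64 and detach are names chosen here. It goes one step beyond the thread by adding a check for a partial view and a copy that does not expose neighbouring bytes.

```javascript
// Constructed stand-in for a pooled response buffer: other request data sits in
// the same ArrayBuffer, and the "ciphertext" is only a 16-byte window into it.
function makeSample() {
  const context = 'SECRET-CONTEXT(constructed)';   // bytes that must not be exposed
  const pool = Buffer.alloc(64);                   // deterministic; real pools are 8 KiB
  pool.write(context, 0);
  const ciphertext = Buffer.from('ciphertext-bytes');
  const offset = 32;
  ciphertext.copy(pool, offset);
  // A view that starts mid-buffer, like a sliced CiphertextBlob.
  const blob = new Uint8Array(pool.buffer, pool.byteOffset + offset, ciphertext.length);
  return { blob, context };
}

// True when view.buffer holds bytes that are not part of this value.
function sharesBackingStore(view) {
  return view.byteOffset !== 0 || view.byteLength !== view.buffer.byteLength;
}

// The pattern from the report: Buffer.from(ArrayBuffer) wraps the whole store.
function leakyBase64(view) {
  return Buffer.from(view.buffer).toString('base64');
}

// Encodes exactly the bytes the view refers to by passing offset and length.
function safeBase64(view) {
  return Buffer.from(view.buffer, view.byteOffset, view.byteLength).toString('base64');
}

// Copies the bytes into a fresh ArrayBuffer (a plain Uint8Array is never pooled),
// so downstream code reading `.buffer` sees nothing but the ciphertext.
function detach(view) {
  const copy = new Uint8Array(view.byteLength);
  copy.set(view);
  return copy;
}

const sampleView = makeSample();
console.log('view shares backing store:', sharesBackingStore(sampleView.blob));
console.log('leaky decode contains context:',
  Buffer.from(leakyBase64(sampleView.blob), 'base64').toString().includes(sampleView.context));
console.log('safe decode:', Buffer.from(safeBase64(sampleView.blob), 'base64').toString());
console.log('detached copy shares store:', sharesBackingStore(detach(sampleView.blob)));
```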

github-actions[bot] commented 3 months ago

This issue has not received a response in 1 week. If you still think there is a problem, please leave a comment to prevent the issue from automatically closing.

github-actions[bot] commented 2 months ago

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread.