Closed JesseDavda closed 3 months ago
The Node.js Buffer
class uses a shared underlying ArrayBuffer
unless initialized with a specific ArrayBuffer
.
Data passing through Buffer
s can potentially be viewed by code in the same application process or memory context.
This behavior is mentioned in https://nodejs.org/api/buffer.html#bufbuffer and https://nodejs.org/api/buffer.html#bufbyteoffset.
const a = Buffer.from("hello");
const b = Buffer.from(", world");
console.log(Buffer.from(b.buffer).toString());
// output: hello, world
Although sensitive information may pass through this object, they are only visible to code executing in the same process. The process already has access to such credentials and is assumed to be authorized by the customer side of the https://aws.amazon.com/compliance/shared-responsibility-model/.
That they can be viewed in multiple ways does not indicate an elevated level of exposure of those credentials. Code executing in the same process can already read credentials from the SDK client, or the Node.js http module, for example, by adding hooks on class prototypes.
This issue has not received a response in 1 week. If you still think there is a problem, please leave a comment to avoid the issue from automatically closing.
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs and link to relevant comments in this thread.
Checkboxes for prior research
Describe the bug
When encrypting something using the EncryptCommand, the
CiphertextBlob
that is returned is aUint8Array
, when accessing the underlyingArrayBuffer
I found it contains the entire request context including the AWS credentials that were used to create the request and the original plain text.This is an issue as the underlying buffer can be used in node to get a base64 encoded string:
Buffer.from(CiphertextBlob.buffer).toString('base64')
which will the plain text, credentials and other sensitive data in that string which may be assumed secure.SDK version number
@aws-sdk/client-kms@3.540.0
Which JavaScript Runtime is this issue in?
Node.js
Details of the browser/Node.js/ReactNative version
v20.11.1
Reproduction Steps
1) Ensure you have a valid credentials provider in place. 2) In the node REPL or a node script, import the KMSClient and EncryptCommand. 3) Create a new instance of the KMSClient. 4) Create a new instance of the EncryptCommand pointing at a KMS key that you have permission to use
kms:Encrypt
on with any base64 encoded string as thePlaintext
option. 5) Send the command through the client and retrieve theCiphertextBlob
property in the response. 6) Compare the bytes in theCiphertextBlob
to the bytes in theCiphertextBlob.buffer
. 7) Stringify theCiphertextBlob.buffer
usingBuffer.from(CiphertextBlob.buffer).toString('utf8')
to view the full request config.Observed Behavior
The full request config is contained in the
CiphertextBlob
's underlying ArrayBuffer.Expected Behavior
The
CiphertextBlob
's underlying Array buffer should contain the same bytes that are in theUint8Array
.Possible Solution
I think this is happening because the
CiphertextBlob
'sUint8Array
is a sliced array of the request buffer. https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/TypedArray/buffer#accessing_the_underlying_buffer_from_a_sliced_array_viewAdditional Information/Context
No response