search

campeon23 / split-fetcher

The code is a concurrent file downloader in Go that splits a file into multiple parts, downloads them in parallel, and assembles the final file, with support for Etag validation to ensure file integrity.
MIT License
1 stars 0 forks source link

Ensure Safer Decryption Process #153

Closed campeon23 closed 1 year ago

campeon23 commented 1 year ago

Description: In our decryption routine, decrypted content gets written back to the disk. This approach could expose sensitive plaintext content, even if temporarily.

Recommendation: Refrain from writing decrypted content back to the disk unless there's a compelling requirement. Ideally, handle decrypted content solely in memory.

Example Fix:

func DecryptFileToMemory(filePath string, key []byte) ([]byte, error) {
    encryptedData, err := ioutil.ReadFile(filePath)
    if err != nil {
        return nil, err
    }
    return decryptDataInMemory(encryptedData, key)
}

Acceptance Criteria:

  • Modify the decryption process to manage decrypted content in memory by default.
  • Implement tests to confirm the safety and functionality of the revised process.
  • Update related documentation to reflect this change and the rationale behind it.

Severity Level: Medium

campeon23 commented 1 year ago

Changes Implemented:

The decryption process has been overhauled to handle decrypted content in-memory by default. This modification bolsters security by substantially reducing the risk of inadvertent exposure on disk. New tests were introduced to ascertain both the safety and the efficacy of the in-memory decryption method. Pertinent documentation has been refreshed to encompass this change, with a clear exposition on the motivation for this security-centric improvement. Thank you to everyone involved in identifying the potential risk and working collaboratively on this enhancement.