search

hjorslev / SteamPS

Module that utilizes PowerShell as a wrapper for SteamCMD and interacts with various Steam APIs.
https://www.powershellgallery.com/packages/SteamPS
MIT License
69 stars 14 forks source link

`SecureString` to plain text conversion using `NetWorkCredential` instead of marshalling #59

Closed santisq closed 4 months ago

santisq commented 4 months ago

PR Summary

Context

Sent the PR to the wrong repo 😅. Also added a few more changes to Add-EnvPath (the logic could be simplified).

Changes

Adding tools/Modules and output folder to .gitignore, otherwise the modules needed for CI/CD and the released module would get pushed to repository.

Added launch file for easier debugging, i.e.: Ctrl+Shift+Enter opens a new pwsh with the module already loaded.

Added tasks file, easier building, i.e.: Ctrl+Shift+B runs build.ps1 and F1 -> Run Test Task runs build.ps1 -Task Test.

Using NetworkCredential to decrypt the secure string instead of marshalling. This method properly handles the unmanaged memory, makes it simpler and correctly frees the unmanaged memory.

Otherwise, if marshalling:

  1. PtrToStringAuto should be PtrToStringBSTR instead to avoid encoding issues.
  2. There should be a finally block in the function that calls [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($BSTR) to free the unmanaged memory, otherwise the plain text password lives in unmanaged memory while the pwsh process is alive.

Both points above are correctly managed by NetworkCredential.

Using [System.IO.Path]::PathSeparator instead of ; to split the path in case you want to make this module compatible with Linux in the future (its separator is :). Trim() to remove any extra trailing or leading whitespace from each token and then filtering any token that could be purely white space, i.e.:

PS /> 'foo;; bar; baz ;;'.Split([System.IO.Path]::PathSeparator).Trim() -ne '' -join ';'
foo;bar;baz

Same change to split using [System.IO.Path]::PathSeparator.

Checklist