fix: KMS client plaintext byteOffset (generate too) #47

seebees · 2019-04-10T20:29:28Z

Issue #, if available:

Description of changes:
The KMS Client may return a Buffer that is not isolated.
i.e. the byteOffset !== 0.
This means that the unencrypted data key is possibly accessible to someone else.
If this is the node shared Buffer, then other code within this process could find this secret.
Copy Plaintext to an isolated ArrayBuffer and zero the Plaintext.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

The KMS Client *may* return a Buffer that is not isolated. i.e. the byteOffset !== 0. This means that the unencrypted data key is possibly accessible to someone else. If this is the node shared Buffer, then other code within this process _could_ find this secret. Copy Plaintext to an isolated ArrayBuffer and zero the Plaintext.

seebees requested a review from a team April 10, 2019 20:29

lizroth approved these changes Apr 15, 2019

View reviewed changes

mattsb42-aws approved these changes Apr 15, 2019

View reviewed changes

seebees merged commit 1532b9e into aws:master Apr 16, 2019

seebees deleted the kms-plaintext-not-isolated2 branch April 16, 2019 16:30

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix: KMS client plaintext byteOffset (generate too) #47

fix: KMS client plaintext byteOffset (generate too) #47

Uh oh!

seebees commented Apr 10, 2019

Uh oh!

Uh oh!

fix: KMS client plaintext byteOffset (generate too) #47

fix: KMS client plaintext byteOffset (generate too) #47

Uh oh!

Conversation

seebees commented Apr 10, 2019

Uh oh!

Uh oh!