How do i clear sensitive data from memory after using it? #10852
-
|
I am currently working on a password manager app that has support for viewing and copying data to the clipboard. I am wondering how i could clear the data in the front-end after i used it. Consider the following code snippet: export interface Response<T> {
success: boolean;
body?: T;
}
async function copyToClipboard() {
let data: string | undefined = secretData;
if (data === undefined || data === "") {
// fetch data from the backend
let resp = await invoke<Response<GetSecretResponse | undefined>>(
"get_secret",
{
label: label,
},
);
data = resp.body?.data;
}
if (data !== undefined) {
clipboard
.writeText(data)
.then(() => {
showPopupMsg(MsgType.Success, "Text copied to clipboard");
})
.catch((err) => {
showPopupMsg(MsgType.Error, `Failed to copy into clipboard: ${err}`);
});
}
data = "";
}Here, i am fetching the data from the backend using invoke and receiving it as a string. After i copied the data to the user's clipboard, i want to erase it from memory for security. In the backend, i am currently using the zeroize crate to zero out the password in memory after sending it to the front-end. Just copying the data into the user's clipboard through rust might work but i also have a feature where the user can view the data in the front-end so I would still have a problem of having to clear that data. After searching for a bit, i found out that i i might just have to wait for the garbage collector to clear that part in memory but i am curious to know if there's a better approach than my current solution. |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 1 reply
-
For security this would really be the best. Period. There isn't reallyyy a way to clear the webview's memory. The closest thing would be Some say that using typed arrays and overwriting them with 0s work but that also only for relatively simple use cases. A bit tricky to make sure there are no copies made (i assume having to convert it to/from a readable string to show your user already invalidates this, but if not then the IPC itself does). Either way, i wouldn't rely on that for the simplest use cases either because browsers simply don't make any "promises" about memory behavior. I hope i'm just unexperienced and don't about something but knowing JavaScript and Browsers (to be fair, browsers try to prevent memory examination as best as they can) probably not. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks for the input. I guess, ill just go with sending the data to the clipboard through rust and warn the user that viewing the password is potentially unsafe... Though, copying it to the clipboard would also be unsafe if their machine was already infected in the first place so, shrug. |
Beta Was this translation helpful? Give feedback.
For security this would really be the best. Period.
There isn't reallyyy a way to clear the webview's memory. The closest thing would be
location.reload()but even that basically just raises the chance of the secret being cleared, not guarantee it.Some say that using typed arrays and overwriting them with 0s work but that also only for relatively simple use cases. A bit tricky to make sure there are no copies made (i assume having to convert it to/from a readable string to show y…