Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Secure input for requesting passwords from user input. #26482

Closed
hcldan opened this issue Mar 6, 2019 · 8 comments
Closed

Secure input for requesting passwords from user input. #26482

hcldan opened this issue Mar 6, 2019 · 8 comments
Labels
feature request Issues that request new features to be added to Node.js. readline Issues and PRs related to the built-in readline module. stale

Comments

@hcldan
Copy link

hcldan commented Mar 6, 2019

Is your feature request related to a problem? Please describe.
I'd like to do all I can to keep user passwords out of memory as soon as possible after being collected.
Ideally, I could use a Buffer and zero-out the memory after I use it... assuming that I never turn it into a string and only read it from the Buffer. I'm not 100% sure that even that mitigation will prevent the memory from being copied around by the VM... but I guess that's part of this feature request.

Describe the solution you'd like
The readline module allows you to read an input stream, but the events return strings instead of buffers... It would be nice if there were a method that could take a buffer for holding passwords from user input.
@bnoordhuis bnoordhuis added readline Issues and PRs related to the built-in readline module. feature request Issues that request new features to be added to Node.js. labels Mar 8, 2019
@bnoordhuis
Copy link
Member

The way Node.js reads asynchronously from the TTY (or any stream device) doesn't lend itself well to reading into a preallocated buffer. It's not completely impossible, but it is an awkward fit.

Perhaps a better solution is a readline.readPassphrase() method that makes some guarantees about the result, i.e., that it's a buffer that's mlock-ed into non-pageable memory, that it's zeroed on garbage collection, etc.

@hcldan
Copy link
Author

hcldan commented Mar 8, 2019

I believe that would fit my needs.

@hcldan
Copy link
Author

hcldan commented Mar 8, 2019
edited
Loading

A SecureBuffer class (or maybe even a SecureString class or internal) that has that behavior would also be great for handling sensitive information like keys and such.

If GC could happen immediately for just those types of objects, it could help so that I don't have to use buffers and avoid the unnatural interaction with streams.

@BridgeAR
Copy link
Member

Related: #30956

@github-actions
Copy link
Contributor

github-actions bot commented Mar 4, 2022

There has been no activity on this feature request for 5 months and it is unlikely to be implemented. It will be closed 6 months after the last non-automated comment.

For more information on how the project manages feature requests, please consult the feature request management document.

@github-actions github-actions bot added the stale label Mar 4, 2022
@hcldan
Copy link
Author

hcldan commented Mar 4, 2022

I would still really like this please.

@targos targos moved this to Pending Triage in Node.js feature requests Mar 6, 2022
@targos targos moved this from Pending Triage to Stale in Node.js feature requests Mar 6, 2022
@github-actions github-actions bot removed the stale label Mar 8, 2022
@github-actions
Copy link
Contributor

github-actions bot commented Sep 5, 2022

There has been no activity on this feature request for 5 months and it is unlikely to be implemented. It will be closed 6 months after the last non-automated comment.

For more information on how the project manages feature requests, please consult the feature request management document.

@github-actions github-actions bot added the stale label Sep 5, 2022
@github-actions
Copy link
Contributor

github-actions bot commented Oct 6, 2022

There has been no activity on this feature request and it is being closed. If you feel closing this issue is not the right thing to do, please leave a comment.

For more information on how the project manages feature requests, please consult the feature request management document.

@github-actions github-actions bot closed this as completed Oct 6, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature request Issues that request new features to be added to Node.js. readline Issues and PRs related to the built-in readline module. stale
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@bnoordhuis @hcldan @BridgeAR