Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Proposing to have `flush()` method

See original GitHub issue

_privKey and _pubKey are always accessible that’s make me uncomfortable. I’m propose to have this one.

Wallet.prototype.flush = function () {
  assert(Buffer.isBuffer(this._privKey), 'Private key should be an instance of Buffer')
  this._privKey.fill(0x00);
  assert(Buffer.isBuffer(this._pubKey), 'Public key should be an instance of Buffer')
  this._pubKey.fill(0x00);
}

Issue Analytics

State:
Created 4 years ago
Comments:7 (6 by maintainers)

Top GitHub Comments

2reactions

alcuadradocommented, Jul 31, 2019

IMO having such a method would give a false sense of security to the users of this library. It’s not easy to be sure that every copy of the key was erased, especially when the private key is used by external libraries.

0reactions

chiro-hirocommented, May 27, 2019

I’m not fully sure what problem this is solving, since the key is not cleared from memory.

I’ve tried to do some experiments and observe result. We can’t remove the value from the memory easily even using delete but we can overwrite it.

const readline = require('readline');
let mem = Buffer.from('112233445566778899aabbccddeeff', 'hex');

readline.emitKeypressEvents(process.stdin);

process.stdin.on('keypress', (str, key) => {

  if (str === '\u0003' || (key.name === 'c' && key.ctrl)) {
    process.exit();
  }

  let fillValue = ((Math.random() * 0xff) | 0) >>> 0;
  console.log('Fill buffer with:', fillValue.toString(16));
  mem.fill(fillValue)

});