alihan/awesome-reviewers
1
0
Fork 0
mirror of https://github.com/baz-scm/awesome-reviewers.git synced 2025-08-20 18:58:52 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
e6440b93e28c77a2ae6de2980e3bbb5166133e0a
awesome-reviewers/_reviewers/aws-sdk-js-isolate-sensitive-buffer-data.md
nimrodkor e6440b93e2 Extract comments to separate file
2025-07-03 10:48:16 +03:00

1.9 KiB
Raw Blame History

title, description, repository, label, language, comments_count, repository_stars
title description repository label language comments_count repository_stars
Isolate sensitive buffer data When handling sensitive data in Node.js, protect against data leakage by isolating sensitive content in dedicated buffers. Node.js can create Buffers that aren't fully isolated, where `buf.byteLength !== buf.buffer.byteLength`, meaning sensitive data might be accessible to other code through the shared buffer memory. aws/aws-sdk-js Security Javascript 1 7628

When handling sensitive data in Node.js, protect against data leakage by isolating sensitive content in dedicated buffers. Node.js can create Buffers that aren't fully isolated, where buf.byteLength !== buf.buffer.byteLength, meaning sensitive data might be accessible to other code through the shared buffer memory.

For sensitive operations like decoding credentials or encryption keys:

// Secure approach for handling sensitive binary data
function handleSensitiveData(base64Value) {
  // Decode the base64 data
  const buf = util.base64.decode(value);
  
  // For sensitive data, ensure isolation in Node.js
  if (this.isSensitive && util.isNode() && typeof util.Buffer.alloc === 'function') {
    /* Node.js can create a Buffer that is not isolated.
     * i.e. buf.byteLength !== buf.buffer.byteLength
     * This means that sensitive data is accessible to anyone with access to buf.buffer.
     * If this is the node shared Buffer, then other code within this process _could_ find this secret.
     * Copy sensitive data to an isolated Buffer and zero the sensitive data.
     */
    const copy = util.Buffer.alloc(buf.length);
    buf.copy(copy);
    buf.fill(0); // Zero the original buffer
    return copy;
  }
  
  return buf;
}

Always consider whether your data is sensitive and might require this additional protection. This pattern is particularly important when handling authentication tokens, encryption keys, and other credentials.