Properly erase password from memory (resolves #187)

venth · Sep 21, 2021 · 92ba75a · 92ba75a
1 parent 817ae21
commit 92ba75a
Show file tree

Hide file tree

Showing 4 changed files with 39 additions and 2 deletions.
diff --git a/aws_adfs/helpers.py b/aws_adfs/helpers.py
@@ -0,0 +1,9 @@
+import ctypes
+import platform
+import sys
+
+def memset_zero(secret):
+    if platform.python_implementation() == 'CPython':
+        strlen = len(secret)
+        offset = sys.getsizeof(secret) - strlen - 1
+        ctypes.memset(id(secret) + offset, 0, strlen)
diff --git a/aws_adfs/html_roles_fetcher.py b/aws_adfs/html_roles_fetcher.py
@@ -3,6 +3,8 @@
 from platform import system
 import requests
 
+from . import helpers
+
 try:
     import cookielib
 except ImportError:
@@ -129,7 +131,8 @@ def fetch_html_encoded_roles(
     del auth
     del data
     del username
-    password = '###################################################'
+    if password is not None:
+        helpers.memset_zero(password)
     del password
 
     # Decode the response

diff --git a/aws_adfs/login.py b/aws_adfs/login.py
@@ -11,6 +11,7 @@
 import sys
 import json
 from . import authenticator
+from . import helpers
 from . import prepare
 from . import role_chooser
 
@@ -167,7 +168,7 @@ def login(
 
         principal_roles, assertion, aws_session_duration = authenticator.authenticate(config, config.adfs_user, password)
 
-        password = '########################################'
+        helpers.memset_zero(password)
         del password
 
     if(role_arn is not None):

diff --git a/test/test_helpers_memset_zero.py b/test/test_helpers_memset_zero.py
@@ -0,0 +1,24 @@
+import platform
+import pytest
+from aws_adfs import helpers
+
+
+class TestHelpersMemsetZero:
+    def test_helpers_memset_zero(self):
+        if platform.python_implementation() != "CPython":
+            pytest.skip(
+                "Skipping memset_zero test becase Python implementation is not CPython: {}".format(
+                    platform.python_implementation()
+                )
+            )
+
+        secret = "verysecretstring"
+        copy = secret
+
+        assert copy is secret
+
+        helpers.memset_zero(secret)
+
+        assert secret == "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+        assert copy == "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+        assert copy is secret