Secure erasing of password from memory in Ruby

最后都变了- 提交于 2020-12-09 05:13:38

问题


I'm writing a Ruby application that will need to handle a user's enterprise password. I'd like to minimize the time the password is in memory to reduce the likelihood of the password being exposed.

In a native language, I would directly erase the data. In C#, I would use the SecureString class. In Java, I'd use char[]. But the best that I can find for Ruby is an old feature request that seems dead.

What is the standard for securely storing and erasing passwords from memory in Ruby? Is there a class that does this? A coding pattern similar to the char[] of Java?


回答1:


A ruby issue exists for 5 years now (5741), regarding secure erasure of secrets from memory. That issue contains also some links which explain, why it is a good thing to erase passwords from memory. Lately MacOs did have an issue with FileVault2, because the password was stored within memory.

One possible solution shown within issue 5741 is:

pass = ""
$stdin.sysread(256, pass) # assuming a line-buffered terminal
io = StringIO.new("\0" * pass.bytesize)
io.read(pass.bytesize, pass)

It seems to work with ruby 2.3.1p112, but I can't promise it.



来源:https://stackoverflow.com/questions/37714099/secure-erasing-of-password-from-memory-in-ruby

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!