influxdb-client-csharp
I used System Informer to check the HTTPS commands sent by influxdb-client-csharp and found that the Token, which is sensitive information, was not promptly cleared from memory.
Steps to reproduce: List the minimal actions needed to reproduce the behavior.
- Use GetOrganizationApi.FindOrganizationsAsync() to get the organization list.
- Use System Informer to dump the application memory; we found that the Token information can be read from the memory.
Expected behavior: the sensitive token information is not visible in memory.
Actual behavior: the sensitive token information is visible in memory.
Specifications:
- InfluxDB Version: 4.14.0
- Platform: Windows 10
Hi @Shirley-Ji-59,
Thank you for using our client. As you’ve noted, the token is currently stored as a simple string within InfluxDB.Client.InfluxDBClientOptions.Token. Given that SecureString in .NET is deprecated and no longer recommended for new development, do you know better alternatives to enhance the security of sensitive data like tokens?
We are very much open to community contributions in this area. If you have ideas or are interested in developing a more secure method of handling tokens, we would be thrilled to review your proposal or pull request. Implementing a more secure storage mechanism could be an improvement to our client’s security posture.
If you’re interested, please feel free to submit your changes, and let us know if you need any specific information or guidance to get started.
Best Regards
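One answer to the question above, added here as an example that is not part of influxdb-client-csharp or of this thread: the pattern usually recommended in place of the deprecated SecureString is to keep the token in a pinned byte array, expose it only through a scoped callback, and overwrite it with CryptographicOperations.ZeroMemory on Dispose. The class and delegate names (PinnedToken, TokenConsumer) are hypothetical, and the example assumes the caller can obtain the token as a char[] and that the request code can consume the bytes through the callback rather than as a string.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Text;

// ReadOnlySpan<byte> is a ref struct, so Action<> cannot carry it; use a delegate.
public delegate void TokenConsumer(ReadOnlySpan<byte> token);
// Hypothetical wrapper, not part of influxdb-client-csharp: keeps the token in a
// pinned byte[] (the GC cannot copy it elsewhere) and overwrites it on Dispose.
public sealed class PinnedToken : IDisposable
{
    private readonly byte[] _bytes;
    private GCHandle _handle;
    private bool _disposed;
    public int Length { get; }
    // Accepts a char[] rather than a string so no immutable copy of the token is
    // created; the caller's char[] is cleared as soon as it has been encoded.
    public PinnedToken(char[] token)
    {
        _bytes = new byte[Encoding.UTF8.GetMaxByteCount(token.Length)];
        _handle = GCHandle.Alloc(_bytes, GCHandleType.Pinned);
        Length = Encoding.UTF8.GetBytes(token, 0, token.Length, _bytes, 0);
        Array.Clear(token, 0, token.Length);
    }
    // Scoped access: the bytes are visible only for the duration of the callback
    // and are never handed out as a string.
    public void Use(TokenConsumer consumer)
    {
        if (_disposed) throw new ObjectDisposedException(nameof(PinnedToken));
        consumer(new ReadOnlySpan<byte>(_bytes, 0, Length));
    }
    public void Dispose()
    {
        if (_disposed) return;
        _disposed = true;
        CryptographicOperations.ZeroMemory(_bytes); // overwrite, not merely drop
        _handle.Free();
    }
}
public static class Demo
{
    public static void Main()
    {
        char[] secret = "sample-token-not-real".ToCharArray(); // constructed value
        using var token = new PinnedToken(secret);
        // Any "Authorization: Token ..." string built from the bytes here would
        // itself need a clearing strategy; this is the remaining caveat.
        token.Use(bytes => Console.WriteLine($"token bytes: {bytes.Length}"));
    } // Dispose zeroes and unpins the buffer when Main exits
}
```

The wrapper shrinks the window in which the token sits in memory and guarantees it is overwritten rather than left for the GC, but it cannot protect copies made downstream (for example by HttpClient's header handling), so the consumer side needs the same care.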