sec(age): zero out cached credentials

Dexmachi · Dexmachi · commit a3aacaac18cf · 2026-04-29T16:09:07.000-03:00
Signed-off-by: Caio Rocha de Oliveira &lt;caiorocoli@gmail.com&gt;
diff --git a/age/keysource.go b/age/keysource.go
@@ -399,6 +399,21 @@ func getUserConfigDir() (string, error) {
 	return os.UserConfigDir()
 }
 
+// ClearFileStreamCache wipes the cached stream secrets from memory by overwriting
+// the byte slices with zeros before deleting them from the map.
+// This is critical for security to prevent keys from lingering in RAM.
+func ClearFileStreamCache() {
+	fileStreamCache.Range(func(key, value interface{}) bool {
+		if byte, ok := value.([]byte); ok {
+			for i := range byte {
+				byte[i] = 0
+			}
+		}
+		fileStreamCache.Delete(key)
+		return true
+	})
+}
+
 // reads a file from the given path, if it is a stream (e.g., /dev/fd/* or /proc/*)
 // it caches the content in memory to avoid issues with multiple reads from the same stream.
 func readStreamSafe(path string) ([]byte, error) {
diff --git a/cmd/sops/main.go b/cmd/sops/main.go
@@ -75,6 +75,8 @@ func warnMoreThanOnePositionalArgument(c *cli.Context) {
 }
 
 func main() {
+	defer age.ClearFileStreamCache()
+
 	cli.VersionPrinter = version.PrintVersion
 	app := cli.NewApp()
 

Original file line number	Diff line number	Diff line change
`@@ -75,6 +75,8 @@ func warnMoreThanOnePositionalArgument(c *cli.Context) {`
`75`	`75`	`}`
`76`	`76`
`77`	`77`	`func main() {`
	`78`	`+ defer age.ClearFileStreamCache()`
	`79`	`+`
`78`	`80`	`cli.VersionPrinter = version.PrintVersion`
`79`	`81`	`app := cli.NewApp()`
`80`	`82`