fix: resolve clear-text storage of encryption secrets #2

Merged
typelets merged 1 commit into main from security/fix-cleartext-storage
Sep 6, 2025

Owner

@typelets typelets commented Sep 6, 2025

🔐 Security Issue

Resolves CodeQL security alert: js/clear-text-storage-of-sensitive-data

The encryption service was storing sensitive user secrets in plain text in
localStorage, making them accessible to attackers who gain access to browser
storage.

Vulnerability Details

Before (Vulnerable):
// Plain text storage - security risk
localStorage.setItem(storageKey, secret);
this.userSecrets.set(userId, secret);

After (Secure):
// Encrypted storage with session-based keys
await secureStorage.setSecureItem(storageKey, secret);
this.userSecrets.set(userId, secret); // Memory cache only

Security Improvements

New SecureStorage Module

  • Session-based encryption keys - Generated fresh on each session, cleared on
    page reload
  • AES-GCM encryption - Industry standard encryption before localStorage
  • Automatic IV generation - Unique initialization vector per storage operation
  • Legacy migration - Automatically removes old plain-text secrets

Enhanced Data Protection

  • Memory-only caching - Sensitive data cleared on browser close/reload
  • Secure cleanup - Proper session clearing on logout
  • Error resilience - Corrupted encrypted data automatically removed
  • Backward compatibility - No breaking changes to existing functionality

🧪 Testing

  • TypeScript compilation passes
  • Production build succeeds
  • Existing encryption/decryption functionality preserved
  • Master password system unaffected
  • Automatic migration from legacy plain-text storage

Files Changed

  • src/lib/encryption/secureStorage.ts - New encrypted storage wrapper
  • src/lib/encryption/index.ts - Updated to use secure storage

🎯 Impact

  • Zero breaking changes - Existing users unaffected
  • Enhanced security - Encryption secrets no longer stored in plain text
  • Performance maintained - Memory caching preserves speed
  • Future-proof - Session-based security model

This fix ensures compliance with security best practices by encrypting all
sensitive data before storage, while maintaining full backward compatibility and
performance.

  - Add SecureStorage wrapper to encrypt sensitive data before localStorage
  - Replace plain-text user secret storage with encrypted storage
  - Generate session-based encryption keys (cleared on page reload)
  - Update clearUserData to remove both encrypted and legacy plain-text secrets
  - Automatically migrate from legacy plain-text storage to encrypted storage

  This resolves the CodeQL security alert
  (js/clear-text-storage-of-sensitive-data)
  by ensuring all encryption secrets are encrypted before being stored in
  localStorage.

  Security improvements:
  - Session-based encryption keys (memory-only, cleared on reload)
  - Automatic cleanup of corrupted/legacy storage
  - Secure session clearing on logout
  - No breaking changes to existing functionality
@typelets typelets self-assigned this Sep 6, 2025
@typelets typelets merged commit 3ddbbc4 into main Sep 6, 2025
3 checks passed
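
A minimal sketch of the pattern the description outlines (in-memory session key, AES-GCM, a fresh IV per write, removal of undecryptable or legacy values), added here as an example and not taken from the project's secureStorage.ts. Only setSecureItem appears in the PR; getSecureItem, the stored layout (base64 of IV followed by ciphertext), memoryStorage and demo are assumptions for illustration.

```javascript
// Added sketch, not the project's secureStorage.ts; every name except setSecureItem is assumed.
const getCrypto = async () => globalThis.crypto ?? (await import("node:crypto")).webcrypto;
const b64 = (bytes) => btoa(String.fromCharCode(...bytes));
const unb64 = (text) => Uint8Array.from(atob(text), (ch) => ch.charCodeAt(0));

class SecureStorage {
  keyPromise = null; // session key exists only in memory
  constructor(storage) { this.storage = storage; } // getItem/setItem/removeItem, e.g. localStorage
  key(c) { // extractable=false: script can use the key but not export its bytes
    const alg = { name: "AES-GCM", length: 256 };
    return (this.keyPromise ??= c.subtle.generateKey(alg, false, ["encrypt", "decrypt"]));
  }
  async setSecureItem(name, secret) {
    const c = await getCrypto();
    const iv = c.getRandomValues(new Uint8Array(12)); // fresh IV on every write
    const data = new TextEncoder().encode(secret);
    const ct = await c.subtle.encrypt({ name: "AES-GCM", iv }, await this.key(c), data);
    this.storage.setItem(name, b64([...iv, ...new Uint8Array(ct)])); // iv || ciphertext+tag
  }
  async getSecureItem(name) {
    const stored = this.storage.getItem(name);
    if (stored === null) return null;
    try {
      const c = await getCrypto();
      const raw = unb64(stored);
      const alg = { name: "AES-GCM", iv: raw.slice(0, 12) };
      return new TextDecoder().decode(await c.subtle.decrypt(alg, await this.key(c), raw.slice(12)));
    } catch {
      // Legacy plain text, tampered data, or a value written under an earlier session key.
      this.storage.removeItem(name);
      return null;
    }
  }
}

// Constructed in-memory stand-in for localStorage so the sketch runs outside a browser.
function memoryStorage(m = new Map()) {
  const setItem = (k, v) => void m.set(k, String(v));
  return { getItem: (k) => m.get(k) ?? null, setItem, removeItem: (k) => void m.delete(k) };
}
async function demo() {
  const storage = memoryStorage();
  const first = new SecureStorage(storage);
  await first.setSecureItem("demo_secret", "s3cret-value"); // constructed sample value
  const atRest = storage.getItem("demo_secret");
  const sameSession = await first.getSecureItem("demo_secret");
  const afterReload = await new SecureStorage(storage).getSecureItem("demo_secret"); // new key
  return { atRest, sameSession, afterReload, remaining: storage.getItem("demo_secret") };
}
```

Because the key never leaves memory, a value written in one session cannot be decrypted in the next; the sketch treats that case like corrupted data and removes the entry, so callers must be prepared to re-derive the secret.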
Contributor

github-actions bot commented Sep 6, 2025

🎉 This PR is included in version 1.10.2 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
