Respond to 13.1.1.

Uses Zeroizing for username/password in monero-simple-request-rpc.
2025-12-08 04:09:23 +00:00 · 2025-08-08 23:54:20 -04:00
parent 188fcc3cb4
commit d5077ae966
3 changed files with 10 additions and 7 deletions
--- a/networks/monero/rpc/simple-request/Cargo.toml
+++ b/networks/monero/rpc/simple-request/Cargo.toml
@@ -17,6 +17,7 @@ workspace = true

 [dependencies]
 hex = { version = "0.4", default-features = false, features = ["alloc"] }
+zeroize = { version = "^1.5", default-features = false, features = ["alloc", "std"] }
 digest_auth = { version = "0.3", default-features = false }
 simple-request = { path = "../../../../common/request", version = "0.1", default-features = false, features = ["tls"] }
 tokio = { version = "1", default-features = false }
--- a/networks/monero/rpc/simple-request/src/lib.rs
+++ b/networks/monero/rpc/simple-request/src/lib.rs
@@ -7,6 +7,7 @@ use std::{sync::Arc, io::Read, time::Duration};

 use tokio::sync::Mutex;

+use zeroize::Zeroizing;
 use digest_auth::{WwwAuthenticateHeader, AuthContext};
 use simple_request::{
  hyper::{StatusCode, header::HeaderValue, Request},
@@ -25,8 +26,8 @@ enum Authentication {
  // This ensures that if a nonce is requested, another caller doesn't make a request invalidating
  // it
  Authenticated {
-    username: String,
-    password: String,
+    username: Zeroizing<String>,
+    password: Zeroizing<String>,
    #[allow(clippy::type_complexity)]
    connection: Arc<Mutex<(Option<(WwwAuthenticateHeader, u64)>, Client)>>,
  },
@@ -77,7 +78,7 @@ impl SimpleRequestRpc {
  ) -> Result<SimpleRequestRpc, RpcError> {
    let authentication = if url.contains('@') {
      // Parse out the username and password
-      let url_clone = url;
+      let url_clone = Zeroizing::new(url);
      let split_url = url_clone.split('@').collect::<Vec<_>>();
      if split_url.len() != 2 {
        Err(RpcError::ConnectionError("invalid amount of login specifications".to_string()))?;
@@ -114,8 +115,8 @@ impl SimpleRequestRpc {
          .map_err(|e| RpcError::ConnectionError(format!("{e:?}")))?,
      )?;
      Authentication::Authenticated {
-        username: split_userpass[0].to_string(),
-        password: (*split_userpass.get(1).unwrap_or(&"")).to_string(),
+        username: Zeroizing::new(split_userpass[0].to_string()),
+        password: Zeroizing::new((*split_userpass.get(1).unwrap_or(&"")).to_string()),
        connection: Arc::new(Mutex::new((challenge, client))),
      }
    } else {
@@ -180,8 +181,8 @@ impl SimpleRequestRpc {
            *cnonce += 1;

            let mut context = AuthContext::new_post::<_, _, _, &[u8]>(
-              username,
-              password,
+              <_ as AsRef<str>>::as_ref(username),
+              <_ as AsRef<str>>::as_ref(password),
              "/".to_string() + route,
              None,
            );