[PM-6100] Test for memory leaks of secrets #641
Codecov Report: All modified and coverable lines are covered by tests ✅

Additional details and impacted files

@@ Coverage Diff @@
## main #641 +/- ##
=======================================
Coverage 60.53% 60.53%
=======================================
Files 172 172
Lines 10527 10527
=======================================
Hits 6373 6373
Misses 4154 4154

☔ View full report in Codecov by Sentry.
0c73c55 to 7e1f1fa
Looks like a great start. I'm somewhat pondering if we could write the Python logic in Rust and avoid having multiple programming languages.
We should also exclude the memory tool from codecov.
Few things based on how we are writing other Actions these days. Also room to fix a few others.
Type of change
Objective
Added a small test framework to test for secret leaks in memory.
This consists of a few parts:

- `memory-testing`, this compiles to a binary that uses `bitwarden_crypto` to create some keys in memory and then frees them. The execution of this program goes like this:
- `capture_dumps.py` Python script, its purpose is starting the program and orchestrating the core dumps and sending inputs to the program to continue.
- `Dockerfile` that will compile the program and run the `capture_dumps.py` script, this is needed because the dumps only work on a Linux environment.
- `test.py` script that analyzes the memory dumps for secrets in memory.
- `run_tests.sh` script that builds and runs the docker container and the test script in one invocation.

I've tried other tools to run it natively on other operating systems like osxpmem on mac and they either don't work on ARM Macs or they require running as root and disabling System Integrity Protection.
I've also added a small workflow to run these tests, as that runs on a linux environment, it's run directly without docker.
The results are printed to a table now:
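The core of the analysis step described above (the `test.py` part that scans core dumps for secrets) can be illustrated with a small stand-alone scanner. This is an added example, not the PR's own `test.py` or any code from the bitwarden SDK; it goes slightly beyond the description by looking for each secret not only as raw bytes but also as its hex and base64 encodings, since a key that was copied into an encoded buffer is still a leak. The dump contents, the `symmetric_key` value and every function name are constructed for this example; the dumps stand in for the files that `capture_dumps.py` would produce before and after the program frees its keys.

```python
"""Scan memory dumps for known secret values.

Added example, not the PR's test.py. The dumps and the key below are
constructed; in the real setup they would be core dumps taken before
and after the program under test frees its keys.
"""
import base64
import binascii
from typing import Dict, List


def encodings_of(secret: bytes) -> Dict[str, bytes]:
    """Byte patterns a secret could take in memory: raw, hex and base64."""
    return {
        "raw": secret,
        "hex": binascii.hexlify(secret),
        "base64": base64.b64encode(secret),
    }


def find_secret(dump: bytes, secret: bytes) -> List[dict]:
    """Return every (encoding, offset) at which `secret` occurs in `dump`."""
    hits = []
    for encoding, pattern in encodings_of(secret).items():
        start = 0
        while True:
            offset = dump.find(pattern, start)
            if offset < 0:
                break
            hits.append({"encoding": encoding, "offset": offset})
            start = offset + 1  # keep searching past this hit
    return hits


def scan_dumps(dumps: Dict[str, bytes], secrets: Dict[str, bytes]) -> List[dict]:
    """Scan every named dump for every named secret.

    A non-empty result means at least one secret is still present in a dump.
    """
    findings = []
    for dump_name, dump in dumps.items():
        for secret_name, secret in secrets.items():
            for hit in find_secret(dump, secret):
                findings.append({"dump": dump_name, "secret": secret_name, **hit})
    return findings


def format_table(findings: List[dict]) -> str:
    """Render findings as the kind of plain-text table the PR prints."""
    header = f"{'dump':<14}{'secret':<16}{'encoding':<10}offset"
    rows = [
        f"{f['dump']:<14}{f['secret']:<16}{f['encoding']:<10}{f['offset']}"
        for f in findings
    ]
    return "\n".join([header] + rows) if rows else "no secrets found"


# --- constructed sample data ---------------------------------------------
# A constructed 32-byte "symmetric key"; bytes 0x00..0x1f, chosen so the
# expected offsets are easy to verify by hand.
SYMMETRIC_KEY = bytes(range(32))

# Dump taken while the key is live: the key appears raw at offset 64 and as a
# base64 copy at offset 112 (64 + 32 + 16).
DUMP_BEFORE_FREE = (
    b"\x00" * 64
    + SYMMETRIC_KEY
    + b"\xff" * 16
    + base64.b64encode(SYMMETRIC_KEY)
    + b"\x00" * 8
)

# Dump taken after the program freed and zeroized the key: same layout, but the
# key material has been overwritten with zeros.
DUMP_AFTER_FREE = b"\x00" * 64 + b"\x00" * 32 + b"\xff" * 16 + b"\x00" * 52


def run_example() -> List[dict]:
    """Scan both constructed dumps; only the pre-free dump should report hits."""
    dumps = {"before_free": DUMP_BEFORE_FREE, "after_free": DUMP_AFTER_FREE}
    secrets = {"symmetric_key": SYMMETRIC_KEY}
    findings = scan_dumps(dumps, secrets)
    print(format_table(findings))
    return findings


if __name__ == "__main__":
    run_example()
```

In the real harness the secrets would be whatever `memory-testing` generated and wrote out for the test to compare against, and each core dump would be read from disk; a hit in any dump taken after the keys were freed is what the test should fail on.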