String immutability concern with request parameters in nodejs/expressjs
I am working on a project where an issue has been raised by my security team about the sensitive information that we capture in strings and about the presence of that information in the memory heap.
As per the best practices I found over the internet, the approach is clearing out all your variables to null to wipe out the original value from memory. But Strings are immutable and they will be there in memory even if we set variables to null. So the value of string will always be there.
Image demo for string memory allocation
So I think this value stays in memory till the next GC cycle. Setting null will not wipe this out immediately.
A suggestion that came to me is not using strings for such tasks. They suggested that I use buffers in nodejs.
Now I have some assumptions and some questions where I need advice.
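    const express = require('express');
    const bodyParser = require('body-parser');
    const app = express();

    app.use(bodyParser.json({
        verify: function (req, res, buf, encoding) {
            req.rawBody = buf; // raw request body as a Buffer
            console.log("rawBody", req.rawBody); // print buffer info
            console.log("rawBody in json", JSON.parse(req.rawBody.toString())); // print json format of request body
        }
    }));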
    callSomeSecurityFun(Buffer.from(request.body.password));

    // someencryptionLib, '<some key>' and '<some algo>' are placeholders from the post
    function callSomeSecurityFun(passwordBuf) {
        var encryptedPassword = someencryptionLib.encryptPass(passwordBuf.toString(), '<some key>', '<some algo>');
        passwordBuf.fill(0); // clearing the buffer.
        return encryptedPassword;
    }
Thoughts/Suggestion?
sgoyal
> But Strings are immutable and they will be there in memory even if we set variables to null. So the value of string will always be there.

Like any other value, the string will be there until the garbage collector is activated. Setting the variable to null causes the value to become garbage (i.e. nothing points to it), so it will be cleaned from the heap eventually.
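Added example, not part of the original question or answer: a sketch of keeping the password as bytes from the raw body Buffer through key derivation and then zeroing it, contrasted with wiping a Buffer copy of an existing string. The function names, the sample body and salt, and the use of Node's built-in scrypt in place of the post's `someencryptionLib` are assumptions; the extractor only handles compact JSON with an unescaped value.

```javascript
// Added example, not code from the original post.
const nodeCrypto = require('node:crypto');

// Locate the value of a "password" field directly in the raw body bytes
// (the `buf` handed to bodyParser's verify hook) and return a view on it.
// Assumptions: compact JSON ("password":"...") and a value without JSON escapes.
function passwordView(rawBody) {
  const key = Buffer.from('"password":"');
  const start = rawBody.indexOf(key);
  if (start === -1) return null;
  const from = start + key.length;
  const end = rawBody.indexOf(0x22, from); // closing double quote
  if (end === -1) return null;
  const view = rawBody.subarray(from, end);
  if (view.includes(0x5c)) return null; // backslash: escaped value, not handled here
  return view; // shares memory with rawBody: no copy, no string
}

// Pass the Buffer straight to the KDF (scryptSync accepts Buffers), then
// overwrite the secret bytes in place whether or not the KDF throws.
function deriveAndWipe(passwordBuf, salt) {
  try {
    return nodeCrypto.scryptSync(passwordBuf, salt, 32);
  } finally {
    passwordBuf.fill(0);
  }
}

// Constructed sample request body and salt.
function demo() {
  const rawBody = Buffer.from('{"user":"alice","password":"correct horse"}');
  const salt = Buffer.from('constructed-salt');
  const expected = nodeCrypto.scryptSync(Buffer.from('correct horse'), salt, 32);

  const view = passwordView(rawBody);
  const key = deriveAndWipe(view, salt);

  // Contrast: wrapping an existing string copies it; wiping the copy leaves the string.
  const asString = 'correct horse';
  const copy = Buffer.from(asString);
  copy.fill(0);

  return {
    keyMatches: key.equals(expected),
    rawBodyStillHasSecret: rawBody.includes('correct horse'),
    stringSurvivesWipe: asString === 'correct horse',
  };
}
console.log(demo());
```

In the question's own code path, `request.body.password` is already a string when `Buffer.from` wraps it and `passwordBuf.toString()` creates another one, so `fill(0)` there clears only the Buffer copy.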