字符串不变性与nodejs / expressjs中的请求参数有关
[英]String immutability concern with request parameters in nodejs/expressjs
问题描述
I am working on a project where an issue has been raised from my security team about the sensitive information that we captured in string and about the presence of that information in memory heap. 
我正在开发一个项目,其中我的安全团队已经提出了一个问题,即我们在字符串中捕获的敏感信息以及内存堆中是否存在该信息。
As per the best practices I found over the internet is clearing out all your variables to null to wipe out the original value from memory. 根据我在互联网上找到的最佳实践,将所有变量清除为null以从内存中清除原始值。 But Strings are immutable and they will be there in memory even if we set variables to null. 但是字符串是不可变的,即使我们将变量设置为null,它们也会存在于内存中。 so the value of string will always be there. 所以string的值总是在那里。
Image demo for string memory allocation 字符串内存分配的图像演示
So I think this value stays in memory till the next GC cycle.setting null will not wiped out this immediatly. 所以我认为这个值会保留在内存中直到下一个GC循环。设置null不会立即消除掉。
A suggestion came to me is, not using string for such tasks. 我得到的一个建议是,不使用字符串来执行此类任务。 They suggest me to use buffers in nodejs. 他们建议我在nodejs中使用缓冲区。
Now I have some assumptions and some questions where I need advice. 现在我有一些假设和一些问题需要建议。
- We can get request body from body-parser module in form of buffers. 我们可以以缓冲区的形式从body-parser模块获取请求体。 But in that case I am not sure how to use that information if I want to insert records in DB etc. 但在这种情况下,如果我想在DB等中插入记录,我不知道如何使用该信息。
app.use(bodyParser.json({ verify: function(req, res, buf, encoding) { req.rawBody = buf; console.log("rawBody", req.rawBody); // print buffer info console.log("rawBody in json", JSON.parse(req.rawBody.toString())); // print json format of request body } }));
- If I create Buffer from a request.body.key and pass it to some function and use buffer's tostring() method to use it and then I zero out the buffer to remove the original value then does this toString() method create a memory space for text value and does not go away when I clear the buffer? 如果我从request.body.key创建Buffer并将其传递给某个函数并使用buffer的tostring()方法来使用它然后我将缓冲区清零以删除原始值然后执行此toString()方法创建一个内存空间对于文本值,当我清除缓冲区时不会消失?
callSomeSecurityFun (Buffer.from(request.body.password)); function callSomeSecurityFun (passwordBuf) { var encryptedPassword = someencryptionLib.encryptPass (passwordBuf.toString(),'<some key>', '<some algo>'); passwordBuf.fil (0);// clearing the buffer. return encryptedPassword; }
- How nodejs memory allocation for all the request.body parameters works? 所有request.body参数的nodejs内存分配如何工作? Is every value inside body object which is string is immutable? 身体对象中的每个值都是字符串是不可变的吗? and always there in memory? 永远在记忆中? If yes what if somebody dumped the heap and have access to all the sensitive information? 如果是的话,如果有人转储堆并可以访问所有敏感信息呢? Or I am completely wrong about it? 或者我完全错了?
Thoughts/Suggestion? 思考/建议?
sgoyal sgoyal
1 个解决方案
解决方案1
0 2016-12-08 11:37:27
But Strings are immutable and they will be there in memory even if we set variables to null.
Like any other value, the string will be there until the garbage collector will be activated. 与任何其他值一样,字符串将一直存在,直到垃圾收集器被激活。 Setting the variable to null causes the value to become garbage (ie nothing points to it), so it will be cleaned from the heap eventually. 将变量设置为null会导致值变为垃圾(即没有任何内容指向它),因此最终将从堆中清除它。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.