docs/adrs/0297-base64-masking-trailing-characters.md
**Date**: 2020-01-21

**Status**: Proposed
The Runner registers a number of Value Encoders, which mask various encodings of a provided secret. Currently, we register three base64 encoders:

This gives us good coverage across the board for secrets and for secrets with a prefix (e.g. `base64($user:$pass)`).

However, we don't have great coverage for cases where a string is appended to the secret before it is base64 encoded (e.g. `base64($pass\n)`).

Most notably, we've seen this as a result of user error, where a user accidentally appends a newline or space character before base64-encoding their secret.
We are going to modify all existing base64 encoders to trim trailing characters before registering the encoded value as a secret. We will trim:

- `=` from the end of all base64 strings. This is a padding character that contains no information.
  - While `=` carries no secret content, from the number of `=`'s at the end of a base64 string a malicious user could predict the length of the original secret modulo 3.
  - For example, if they see `***==`, they would know the secret could be 1, 4, 7, 10... characters.
- In addition to `=`, we will also trim the last non-padding character from the base64 secret, since it may carry partial bits of the final secret byte, and those bits change when a suffix is appended before encoding.

We will also add back in the original base64 encoded secret encoder, for four total encoders:
This allows us to fully cover the most common scenario, where a user base64-encodes their secret and expects the entire thing to be masked. As a result, we only reveal length or bit information when a prefix or suffix is added to a secret before encoding.
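As an added illustration (this is not code from the ADR or from the runner), the following Python models the four encoders described above, the trim rule, and the length information that `=` padding leaks, then runs a masker over a few log lines. The secret `hunter22`, the log lines and the `MIN_MASK_LENGTH` floor are constructed for the example, and modelling the prefix encoders as "encode the secret minus its first one or two bytes" (a k-byte prefix shifts base64 alignment by k mod 3 bytes) is an assumption about how such encoders can be built, not something the ADR states.

```python
import base64

# Assumed policy, not from the ADR: never register a mask this short, or a
# one- or two-character value would blank out unrelated output.
MIN_MASK_LENGTH = 4


def b64(data: bytes) -> str:
    """Standard base64 with '=' padding, returned as str."""
    return base64.b64encode(data).decode("ascii")


def trim_trailing(encoded: str) -> str:
    """The ADR's trim: strip '=' padding, then drop the last non-padding
    character, which may mix bits of the final secret byte with whatever
    was appended before encoding."""
    return encoded.rstrip("=")[:-1]


def registered_masks(secret: str) -> dict[str, str]:
    """The four base64 values registered for one secret.

    The shift variants are an assumption about the prefix encoders: a
    k-byte prefix moves the secret's base64 alignment by k mod 3 bytes,
    so encoding the secret minus its first 1 or 2 bytes reproduces the
    substring that follows the prefix in base64(prefix + secret)."""
    raw = secret.encode("utf-8")
    masks = {
        "base64": b64(raw),
        "base64_trimmed": trim_trailing(b64(raw)),
        "base64_shift1_trimmed": trim_trailing(b64(raw[1:])),
        "base64_shift2_trimmed": trim_trailing(b64(raw[2:])),
    }
    return {name: v for name, v in masks.items() if len(v) >= MIN_MASK_LENGTH}


def mask(text: str, secret: str) -> str:
    """Replace every registered encoding with '***', longest value first so
    the full encoding is removed before its trimmed prefix could leave a
    stray '=' behind."""
    values = sorted(set(registered_masks(secret).values()),
                    key=lambda v: (-len(v), v))
    for value in values:
        text = text.replace(value, "***")
    return text


def length_candidates(encoded: str, limit: int = 12) -> list[int]:
    """What the '=' count alone reveals: the original length modulo 3.
    Two '=' means one byte in the last group (length % 3 == 1), one '='
    means two bytes (length % 3 == 2), none means a multiple of three."""
    pad = len(encoded) - len(encoded.rstrip("="))
    if pad > 2:
        raise ValueError("invalid base64 padding")
    residue = {0: 0, 1: 2, 2: 1}[pad]
    return [n for n in range(1, limit + 1) if n % 3 == residue]


# Constructed sample: a made-up secret and log lines from a workflow that
# encoded it cleanly, with a stray trailing newline, and behind "user:".
SECRET = "hunter22"
SAMPLE_LINES = [
    "token=" + b64(b"hunter22"),        # aHVudGVyMjI=
    "token=" + b64(b"hunter22\n"),      # aHVudGVyMjIK
    "auth=" + b64(b"user:hunter22"),    # dXNlcjpodW50ZXIyMg==
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(f"{line:32} -> {mask(line, SECRET)}")
    print("'***==' could be", length_candidates("***=="), "characters long")
```

Running it shows the consequence the ADR describes: the cleanly encoded secret is masked entirely, the newline-suffixed one leaves `IK` visible (the last non-padding character of the secret plus the encoded newline), and the prefixed one leaves `dXNlcjpo` visible, which is the base64 of the prefix together with the one secret byte that shares a 3-byte group with it. Only alignment and a few trailing bits leak, never a full secret byte on its own.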