feat(rpc): scrub the raw response body for secret-bearing calls (B7)
The secret exports (z_exportmnemonic / z_exportkey / dumpprivkey) already scrub the parsed value at the call site, but the raw HTTP response string those RPCs build — the curl write buffer, which holds the same secret in the clear — was freed without zeroing. That's the "fuller fix belongs in the RPC layer" the identity-fetch comment flagged. Add RPCClient::callSecret(), a call() variant that sodium_memzeros the raw response body after parsing (on success and on throw). NRVO makes the returned string the very buffer curl wrote into, so one wipe covers it. Route every secret-bearing export through it: chat identity (mnemonic + z_exportkey fallback), Settings seed-phrase + single-key export, Export-all-keys, and the migrate-to-seed isolated-node mnemonic export. Purely additive — the parsed result is byte-identical, so no behavior change (safe for the fund-critical migrate path). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -180,7 +180,7 @@ void ExportAllKeysDialog::render(App* app)
|
||||
for (const auto& addr : z_addrs) {
|
||||
try {
|
||||
rpc::RPCClient::TraceScope trace("Settings / Export all keys");
|
||||
auto result = rpc->call("z_exportkey", {addr});
|
||||
auto result = rpc->callSecret("z_exportkey", {addr}); // zero the raw body too (B7)
|
||||
if (result.is_string()) {
|
||||
keys += "# Address: " + addr + "\n";
|
||||
keys += result.get<std::string>() + "\n\n";
|
||||
@@ -196,7 +196,7 @@ void ExportAllKeysDialog::render(App* app)
|
||||
for (const auto& addr : t_addrs) {
|
||||
try {
|
||||
rpc::RPCClient::TraceScope trace("Settings / Export all keys");
|
||||
auto result = rpc->call("dumpprivkey", {addr});
|
||||
auto result = rpc->callSecret("dumpprivkey", {addr}); // zero the raw body too (B7)
|
||||
if (result.is_string()) {
|
||||
keys += "# Address: " + addr + "\n";
|
||||
keys += result.get<std::string>() + "\n\n";
|
||||
|
||||
Reference in New Issue
Block a user