Body:
The get_auth_headers function in auth_provider.py uses hmac.new to generate the API signature. On every request it first calls base64.b64decode(secret_key) to recover the raw key bytes. This is wasteful, and it means a malformed or mis-pasted key is only discovered on the first signed request rather than when the AuthProvider is constructed. The memory-exposure argument is weaker than it first appears: base64 is a trivially reversible encoding, so the encoded string in memory is just as sensitive as the decoded bytes, an attacker with a process memory dump gains nothing from the decode happening later, and Python's immutable bytes objects cannot be reliably zeroed after use anyway. The real benefit of decoding once is correctness and fail-fast validation, not a shorter exposure window.
Recommendation:
- Decode secret_key once in the AuthProvider constructor (with validate=True, so characters outside the base64 alphabet raise instead of being silently dropped and producing a wrong key), store the decoded bytes as a private attribute, and do not keep the base64 string alongside it.
- Pass the stored bytes directly to hmac.new in get_auth_headers. If the same module also verifies incoming signatures, compare them with hmac.compare_digest rather than ==.