From 589d7b90b43b451931352c184c15f6328c427a84 Mon Sep 17 00:00:00 2001
From: adlee-was-taken
Date: Sun, 19 Apr 2026 21:57:42 -0400
Subject: [PATCH] fix(cli): zeroize image_secret + correct atomic_write temp path
atomic_write now appends .tmp instead of replacing the extension (manifest.enc.tmp, not manifest.tmp). image_secret is wrapped in Zeroizing so both KDF inputs wipe on drop. Caught in Task 4 review.
---
 crates/relicario-cli/src/session.rs | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/crates/relicario-cli/src/session.rs b/crates/relicario-cli/src/session.rs
index 672b81f..e4bb823 100644
--- a/crates/relicario-cli/src/session.rs
+++ b/crates/relicario-cli/src/session.rs
@@ -37,7 +37,7 @@ impl UnlockedVault {
 let image_path = get_image_path()?;
 let image_bytes = fs::read(&image_path)
 .with_context(|| format!("failed to read reference image {}", image_path.display()))?;
- let image_secret = imgsecret::extract(&image_bytes)?;
+ let image_secret = Zeroizing::new(imgsecret::extract(&image_bytes)?);
 let passphrase = Zeroizing::new(
 rpassword::prompt_password("Passphrase: ")
@@ -46,7 +46,7 @@ impl UnlockedVault {
 let master_key = derive_master_key(
 passphrase.as_bytes(),
- &image_secret,
+ &*image_secret,
 &salt,
 ¶ms,
 )?;
@@ -132,7 +132,9 @@ pub fn get_image_path() -> Result {
 /// Atomic write: write to .tmp, then rename over . Keeps the
 /// vault file consistent if we crash mid-write.
 fn atomic_write(path: &Path, data: &[u8]) -> Result<()> {
- let tmp = path.with_extension("tmp");
+ let mut tmp = path.as_os_str().to_owned();
+ tmp.push(".tmp");
+ let tmp = PathBuf::from(tmp);
 fs::write(&tmp, data).with_context(|| format!("failed to write {}", tmp.display()))?;
 fs::rename(&tmp, path).with_context(|| format!("failed to rename {}", path.display()))?;
 Ok(())
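Review bot: Wrapping image_secret in Zeroizing wipes that buffer on drop, but the material it was extracted from still sits unwiped in `image_bytes` for the rest of the function; whether that matters depends on whether the reference image itself counts as secret input — if it does, `let image_bytes = Zeroizing::new(fs::read(&image_path)...?);` covers it the same way. Zeroizing also cannot reach copies made before the wrap, inside `imgsecret::extract` or left on the stack by the move into `Zeroizing::new` if the extracted type is a fixed-size array rather than a heap buffer, so the commit message's "both KDF inputs wipe on drop" holds only for the final owned value. A one-line comment on the added line would keep the guarantee from being overstated, e.g. `// Wiped on drop like the passphrase below; copies made inside extract() are outside this guarantee.` The enclosing function continues past this hunk and the next.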
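Review bot: The doc comment promises consistency "if we crash mid-write", but `fs::write` followed by `fs::rename` only makes the replacement atomic for concurrent readers: nothing forces the temp file's contents to disk before the rename publishes it, so a power loss shortly after can leave `path` pointing at a truncated or empty vault file. Writing through a `File` and calling `sync_all()` before the rename closes that gap (an fsync of the parent directory would additionally make the rename itself durable, if that is wanted). On the same lines, `fs::write` creates the temp file with the process default mode and the rename carries those bits onto the vault file, so a vault kept at owner-only permissions would come back as world-readable after a save — on unix, create the temp file with `.mode(0o600)`. A failed rename also leaves the temp file, with the full plaintext-of-the-write, next to the vault; a best-effort `fs::remove_file(&tmp)` on that path is cheap. `write_all` needs `std::io::Write` in scope.
```rust
fn atomic_write(path: &Path, data: &[u8]) -> Result<()> {
    // … unchanged: tmp path construction (path + ".tmp") …
    let mut opts = fs::OpenOptions::new();
    opts.write(true).create(true).truncate(true);
    #[cfg(unix)]
    {
        use std::os::unix::fs::OpenOptionsExt;
        // Owner-only from the first byte; rename carries these bits onto the vault file.
        opts.mode(0o600);
    }
    let mut file = opts
        .open(&tmp)
        .with_context(|| format!("failed to create {}", tmp.display()))?;
    let written = file
        .write_all(data)
        // Data must reach stable storage before the rename makes it visible.
        .and_then(|()| file.sync_all());
    drop(file);
    if let Err(e) = written {
        let _ = fs::remove_file(&tmp); // best effort; the original vault file is untouched
        return Err(e).with_context(|| format!("failed to write {}", tmp.display()));
    }
    if let Err(e) = fs::rename(&tmp, path) {
        let _ = fs::remove_file(&tmp);
        return Err(e).with_context(|| format!("failed to rename {}", path.display()));
    }
    Ok(())
}
```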