If you are wondering where the data of this site comes from, please visit https://api.github.com/users/paragonie-security/events. GitMemory does not store any data, but only uses NGINX to cache data for a period of time. The idea behind GitMemory is simply to give users a better reading experience.
P.I.E. Security Team paragonie-security Paragon Initiative Enterprises https://paragonie.com/security

paragonie-security/libsodium 1

A modern, portable, easy to use crypto library.

paragonie-security/libsodium-php 0

The PHP extension for libsodium.

paragonie-security/php-encryption 0

Simple Encryption in PHP.

issue comment paragonie/halite

Uncaught SodiumException (not possible to securely wipe memory)

Just an update: I've managed to install the Libsodium extension by using WHM > Module Installers > PHP Pecl > Libsodium

Thanks.

This solution works for me. Thanks

udf2457

comment created time in 8 days

PR opened paragonie/halite

Update README.md

Fix namespaces on README example

+2 -2

0 comment

1 changed file

pr created time in 12 days


issue comment paragonie/hidden-string

Keep getting exception error

It probably helps if you understand the problem being solved here.

Take a look at this code:

<?php
$secret = bin2hex(random_bytes(32)); // SECRET

function doSomething(string $secret)
{
    // An uncaught exception carries its call arguments, $secret included, into the stack trace
    throw new Exception("It failed :'(");
}

doSomething($secret);

This produces the following stack trace:

Fatal error: Uncaught Exception: It failed :'( in /in/4WAgA:7
Stack trace:
#0 /in/4WAgA(10): doSomething('e5f01ddbc5d08be...')
#1 {main}
  thrown in /in/4WAgA on line 7

Process exited with code 255.

Which leaks our $secret: #0 /in/4WAgA(10): doSomething('e5f01ddbc5d08be...') (result is truncated in 3v4l, not in all environments).

The purpose of HiddenString is to prevent this leakage. Thus, you would never do (new HiddenString(STRING DATA))->getString();

What you will do is instantiate it $foo = new HiddenString(STRING_DATA); and then pass $foo around. When you need to actually inspect the value of $foo (which could be, like, a database password), you invoke $foo->getString() there, and only there. Then you can also strictly type your code to use HiddenString everywhere else.

Yes, I know... Switching off errors will also prevent this...

But I don't want to do that...

The problem is that... When I am trying to decrypt the ciphertext I passed it like this...

Symmetric::decrypt(HiddenString(STRING DATA));

But I keep getting the error again... And again...

This HiddenString object cannot be inlined as a string....

In the previous version, no errors were given, but once I updated the library I started getting the error...

mitmelon

comment created time in 18 days

issue comment paragonie/hidden-string

Keep getting exception error

Not sure if it makes sense to use it like this... I don't think you gain anything here.

mitmelon

comment created time in 18 days

issue comment paragonie/hidden-string

Keep getting exception error

It means you're not invoking getString() on the HiddenString object, but trying to e.g. print it directly.

The entire point of HiddenString is to prevent data from leaking via e.g. stack traces, or accidentally var_dumping its contents.

So in such a case it should be like this, right? (new HiddenString(STRING DATA))->getString();

If I am correct.

mitmelon

comment created time in 18 days

issue opened paragonie/hidden-string

Keep getting exception error

I keep getting an exception error when using hidden-string with Halite.

The error was

This HiddenString object cannot be inlined as a string.

I am passing the cipher directly to Halite and it's showing that error.

What does this mean and how do I correct this...

created time in 19 days

pull request comment paragonie/constant_time_encoding

Show users the proper way of importing classes

Thank you.

szepeviktor

comment created time in 20 days

issue opened paragonie/hidden-string

Doesn't work when xdebug extension is enabled

Hello, this is not really a bug in the hidden-string library, I just wanted to point out that when the xdebug extension is enabled, it simply ignores __debugInfo() and dumps the HiddenString object. Consider the following snippet:

<?php
require_once realpath(dirname(__DIR__)) . '/vendor/autoload.php';

$hs = new \ParagonIE\HiddenString\HiddenString('some string');
var_dump($hs); // __debugInfo() should mask the value; xdebug's var_dump overload bypasses it

Output with xdebug enabled:

class ParagonIE\HiddenString\HiddenString#4 (3) {
  protected string $internalStringValue =>
  string(11) "some string"
  protected bool $disallowInline =>
  bool(true)
  protected bool $disallowSerialization =>
  bool(true)
}

Output with xdebug disabled:

object(ParagonIE\HiddenString\HiddenString)#4 (2) {
  ["internalStringValue"]=>
  string(1) "*"
  ["attention"]=>
  string(82) "If you need the value of a HiddenString, invoke getString() instead of dumping it."
}

Maybe it's a good idea to point that out in the documentation, or better, just throw an exception if the extension is enabled. The maintainer of Xdebug states that this is intended behavior and won't be changed. I know that this fact is pointed out in the HiddenString::__debugInfo() method comments, but not everyone reads the code :)

created time in 20 days
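The following is an added PHP example that serves two of the threads on this page at once: the hidden-string discussion above (a secret passed as a plain string ends up in the exception trace, a wrapped one does not) and this xdebug issue (a __debugInfo() mask that the debugger's var_dump overload ignores). It is not the library's code. SecretBox, connect(), traceLeaks() and dumpLeaks() are hypothetical names; the class only mirrors what the two threads describe: the value is reachable through getString() alone, __debugInfo() masks dumps, and string coercion throws instead of inlining. It assumes PHP 7.4 or newer (throwing from __toString()) and that zend.exception_ignore_args is off, which is the php.ini-development default; with that setting on, PHP records no arguments in traces, so the first check reports no leak for either input.

```php
<?php
declare(strict_types=1);

/*
 * Illustrative stand-in for a HiddenString-style wrapper. Added example, not the
 * paragonie/hidden-string code: it mirrors only the behaviour described in the threads.
 */
final class SecretBox
{
    private string $value;

    public function __construct(string $value)
    {
        $this->value = $value;
    }

    /** The only sanctioned way to read the secret; call it where the value is consumed, nowhere else. */
    public function getString(): string
    {
        return $this->value;
    }

    /** What var_dump()/print_r() show instead of the value (xdebug's var_dump overload ignores this hook). */
    public function __debugInfo(): array
    {
        return ['value' => '*', 'attention' => 'invoke getString() instead of dumping this object'];
    }

    /** "..." . $secret or echo $secret becomes a hard error rather than a silent leak into a log line. */
    public function __toString(): string
    {
        throw new \LogicException('This SecretBox object cannot be inlined as a string.');
    }
}

/** Hypothetical library call that fails deep in the stack; PHP records every argument in the trace. */
function connect(string $dsn, $password): void
{
    throw new \RuntimeException('connection refused');
}

/** True when a fragment of $secret is visible in the trace of the exception raised with $arg as argument. */
function traceLeaks(string $secret, $arg): bool
{
    try {
        connect('mysql:host=db', $arg);
    } catch (\RuntimeException $e) {
        // Traces abbreviate string arguments to their first 15 characters, so test for a short prefix.
        return strpos($e->getTraceAsString(), substr($secret, 0, 8)) !== false;
    }
    return false;
}

/** True when var_dump() of the wrapper prints the secret, i.e. the xdebug situation from the issue. */
function dumpLeaks(string $secret, SecretBox $box): bool
{
    ob_start();
    var_dump($box);
    $dump = (string) ob_get_clean();
    return strpos($dump, $secret) !== false;
}

$secret = bin2hex(random_bytes(16)); // constructed sample secret
$box = new SecretBox($secret);

var_dump(traceLeaks($secret, $secret)); // secret passed as a raw string
var_dump(traceLeaks($secret, $box));    // secret passed wrapped: the trace records Object(SecretBox)

if (extension_loaded('xdebug')) {
    // __debugInfo() is bypassed by xdebug's var_dump; say so instead of trusting the mask.
    echo "xdebug is loaded: __debugInfo() masking is not guaranteed\n";
}
var_dump(dumpLeaks($secret, $box));

try {
    $line = 'password=' . $box; // accidental inlining, e.g. while building a log message
} catch (\LogicException $e) {
    echo $e->getMessage(), "\n";
}
```

dumpLeaks() is the reporter's point in executable form: with the mask honoured it finds nothing, while under xdebug's var_dump overload (Xdebug 3 turns it on in develop mode) the secret appears in the output. Treating extension_loaded('xdebug') as a warning sign, as the block does, is the cheap option; the stronger one the reporter suggests is to refuse to run at all when a debugger that bypasses __debugInfo() is loaded.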

issue comment paragonie/sodium_compat

sodium_crypto_aead_xchacha20poly1305_ietf_encrypt doesn't take null as Argument 2

Yeah, I had a decrypt function and that decrypts well now.

Great!

superpoincare

comment created time in 24 days

issue comment paragonie/sodium_compat

sodium_crypto_aead_xchacha20poly1305_ietf_encrypt doesn't take null as Argument 2

Thanks.

This is not giving an error now but using null doesn't decrypt.

superpoincare

comment created time in 24 days
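The two comments above are terse, so here is an added PHP example, not from sodium_compat or from the issue, of what argument 2 of sodium_crypto_aead_xchacha20poly1305_ietf_encrypt does and why a value that "doesn't decrypt" is the expected outcome when the same bytes are not supplied to the decrypt call. It assumes ext/sodium or paragonie/sodium_compat is loaded (both expose the same function names); sealMessage() and openMessage() are hypothetical helper names, and the message and AAD strings are constructed.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not from sodium_compat or the issue above.
 *
 * Argument 2 of the AEAD functions is the additional (associated) data: it is
 * authenticated together with the ciphertext but not encrypted, and decryption
 * only succeeds when exactly the same bytes are supplied again. "No associated
 * data" is spelled as the empty string, not null.
 */

/** Encrypts $message under $key; returns [nonce, ciphertext]. $aad stays cleartext but is covered by the tag. */
function sealMessage(string $key, string $message, string $aad = ''): array
{
    // One fresh 24-byte nonce per message; XChaCha20's nonce is large enough to pick at random.
    $nonce = random_bytes(SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES);
    $ciphertext = sodium_crypto_aead_xchacha20poly1305_ietf_encrypt($message, $aad, $nonce, $key);
    return [$nonce, $ciphertext];
}

/** Returns the plaintext, or null when the Poly1305 tag fails (wrong key, nonce or AAD, or a modified ciphertext). */
function openMessage(string $key, string $nonce, string $ciphertext, string $aad = ''): ?string
{
    $plaintext = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt($ciphertext, $aad, $nonce, $key);
    return $plaintext === false ? null : $plaintext;
}

$key = sodium_crypto_aead_xchacha20poly1305_ietf_keygen();
$message = 'constructed sample message';
$context = 'user:42'; // constructed AAD: binds the ciphertext to a record without hiding that binding

[$nonce, $ciphertext] = sealMessage($key, $message, $context);

var_dump(openMessage($key, $nonce, $ciphertext, $context) === $message); // same AAD as at encryption
var_dump(openMessage($key, $nonce, $ciphertext, 'user:43'));             // different AAD: tag check fails
var_dump(openMessage($key, $nonce, $ciphertext));                        // AAD omitted: '' is not 'user:42'

// A single flipped ciphertext byte is caught the same way; no plaintext is returned.
$tampered = $ciphertext;
$tampered[0] = chr(ord($tampered[0]) ^ 0x01);
var_dump(openMessage($key, $nonce, $tampered, $context));

sodium_memzero($key); // the key was only needed for this demonstration
```

Whatever was passed as the AAD at encryption time must be reproduced byte for byte at decryption time; the practical way to make that hold across versions of your own code is to always pass a string (an empty one when there is nothing to bind) rather than relying on how a given implementation treats null.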

PR opened paragonie/awesome-appsec

Added Spring Boot in Practice by Somnath Musib

Hi, I thought this title might be a great addition to your list of resources/videos/books. Thank you for your consideration.

+1 -0

0 comment

1 changed file

pr created time in a month

issue opened paragonie/halite

Is it possible to store a Halite key in the Symfony "Vault"?

I would like to know if it is possible and, if yes, how to store the key with Symfony Secrets?

Thanks a lot :-)

created time in a month

pull request comment paragonie/halite

Remove access modifier final from private methods (PHP 8 support)

@paragonie-scott @paragonie-staff Any chance of merging this soon for flawless PHP 8 support? Thanks!

junaidbinfarooq

comment created time in a month

PR opened paragonie/poly1305-js

Bump y18n from 4.0.0 to 4.0.1

Bumps y18n from 4.0.0 to 4.0.1.

Changelog (sourced from y18n's changelog, https://github.com/yargs/y18n/blob/master/CHANGELOG.md; all notable changes to this project will be documented in that file, see https://github.com/conventional-changelog/standard-version for commit guidelines):

5.0.5 (2020-10-25). Bug Fixes: address prototype pollution issue (#108, a9ac604)
5.0.4 (2020-10-16). Bug Fixes: exports: node 13.0 and 13.1 require the dotted object form with a string fallback (#105, 4f85d80)
5.0.3 (2020-10-16). Bug Fixes: exports: node 13.0-13.6 require a string fallback (#103, e39921e)
5.0.2 (2020-10-01). Bug Fixes: deno: update types for deno ^1.4.0 (#100, 3834d9a)
5.0.1 (2020-09-05). Bug Fixes: main had old index path (#98, 124f7b0)
5.0.0 (2020-09-05). BREAKING CHANGES: exports maps are now used, which modifies import behavior; drops Node 6 and 4, begin following Node.js LTS schedule (#89). Features: add support for ESM and Deno (#95, 4d7ae94)
... (truncated)

Commits: see full diff in compare view, https://github.com/yargs/y18n/commits

Maintainer changes: this version was pushed to npm by oss-bot (https://www.npmjs.com/~oss-bot), a new releaser for y18n since your current version.


+4 -4

0 comment

1 changed file

pr created time in a month

create branch paragonie/poly1305-js

branch : dependabot/npm_and_yarn/y18n-4.0.1

created branch time in a month

create branch paragonie/ciphersweet-js

branch : dependabot/npm_and_yarn/y18n-4.0.1

created branch time in a month

PR opened paragonie/ciphersweet-js

Bump y18n from 4.0.0 to 4.0.1

Bumps y18n from 4.0.0 to 4.0.1. Same Dependabot changelog, commit and maintainer-change notes as the paragonie/poly1305-js PR above (pushed to npm by oss-bot, a new releaser for y18n since your current version).


+3 -3

0 comment

1 changed file

pr created time in a month

issue comment paragonie/halite

Remove non-visible characters from a key that was read from a file

But in this case, how should I set up a pipeline to deploy a new version of my app, but use the key that was generated previously? Right now I store the generated key in secrets storage, and put it in place right before application start. And at this moment I faced this issue. What recommendations are there on how to manage the key in CI/CD processes?

On 26 Mar 2021, 13:05 +0200, Sebastiaan Stok wrote:

You shouldn't use anything else but the provided KeyFactory to generate a key file, this ensures the key file is hex encoded. Using anything else doesn't guarantee that Halite is able to process the key file.

tarabopm

comment created time in a month

issue comment paragonie/halite

Invalid message authentication code in

Ok, I tried using another, higher v4 version but the problem still exists. Could the problem be the version of libsodium? I have 1.0.18

dev-studio

comment created time in a month

issue comment paragonie/halite

Invalid message authentication code in

Some minor things have changed in Halite 4.1, https://github.com/paragonie/halite/blob/master/CHANGELOG.md#version-410-2018-01-05 it might be related to your problem.

dev-studio

comment created time in a month

issue comment paragonie/halite

Remove non-visible characters from a key that was read from a file

You shouldn't use anything else but the provided KeyFactory to generate a key file, this ensures the key file is hex encoded.

Using anything else doesn't guarantee that Halite is able to process the key-file.

tarabopm

comment created time in a month
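An added PHP example for the key-file thread above, not Halite's own code: the key is generated once with KeyFactory, exported as hex text into a secrets store, and rebuilt from that text at start-up, so a deploy never regenerates it. It assumes Halite 4's KeyFactory::generateEncryptionKey(), KeyFactory::export() and KeyFactory::importEncryptionKey() together with Symmetric\Crypto::encrypt()/decrypt(); generateKeyForSecretStore() and loadKeyFromSecret() are hypothetical helper names, and the trailing newline is constructed to reproduce what secrets tooling typically appends. Only surrounding whitespace is stripped before import, which is safe because the exported format is hex and cannot contain it; anything else is rejected.

```php
<?php
declare(strict_types=1);

require_once __DIR__ . '/vendor/autoload.php';

use ParagonIE\Halite\KeyFactory;
use ParagonIE\Halite\Symmetric\Crypto;
use ParagonIE\Halite\Symmetric\EncryptionKey;
use ParagonIE\HiddenString\HiddenString;

/*
 * Added example, not Halite's code. Assumes the Halite 4 KeyFactory export/import API.
 * Flow: generate once -> store the exported hex text in the secrets manager ->
 * at application start, rebuild the key from that text.
 */

/** One-off step (run locally or in a setup job): returns the text to put in the secrets store. */
function generateKeyForSecretStore(): string
{
    $key = KeyFactory::generateEncryptionKey();
    return KeyFactory::export($key)->getString(); // hex text, checksummed by Halite
}

/** Start-up step: rebuild the key from the secret's text, tolerating only surrounding whitespace/newlines. */
function loadKeyFromSecret(string $raw): EncryptionKey
{
    $hex = trim($raw, " \t\r\n");
    if ($hex === '' || !ctype_xdigit($hex)) {
        // Quotes, a BOM or the wrong file are deployment bugs: fail loudly instead of "cleaning" further.
        throw new \RuntimeException('Secret does not contain a Halite hex-encoded key');
    }
    return KeyFactory::importEncryptionKey(new HiddenString($hex));
}

// Simulated pipeline: export once, store it (the store appends "\n"), reload on the next deploy.
$stored = generateKeyForSecretStore() . "\n"; // constructed: the trailing newline many secret stores add
$key = loadKeyFromSecret($stored);             // in production: the env var or mounted file the store writes

// A round trip shows the reloaded key is the same key that was exported.
$ciphertext = Crypto::encrypt(new HiddenString('constructed sample plaintext'), $key);
$plaintext  = Crypto::decrypt($ciphertext, $key);
var_dump($plaintext->getString() === 'constructed sample plaintext');
```

Keeping the exported text as the single source of truth also keeps the key out of the repository and out of build logs: the pipeline injects it at start-up, and the import step is the one place where malformed input is detected.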

issue comment paragonie/paseto-io

Is single use of a PASETO enforced by the specification?

Nothing inside PASETO will stop the same token from being used multiple times before it expires.

If you need true single-use tokens for a security purpose that expiration isn't sufficient for, or if you need something that allows a token to be "revoked", you will probably want some technology other than PASETO. Something that can statefully track token usage, such as a row in a database.

The main technical reason for this is that PASETO embeds a payload of claims into the token itself, and is then signed. The bearer of the token can't be trusted to not just send the old, unmodified version of the token instead of the new one. I've heard people come up with a scheme to have a list of "used/invalid tokens", but once you are keeping state, you could probably have just used a different technology.

lucasvwamp

comment created time in a month
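An added PHP example of the stateful check the comment above says must live outside the token; it is not part of the paseto-io thread or of any PASETO library. It runs only after the token's signature or MAC and its expiry have been verified by your PASETO library, and $claims below is a constructed, already-verified claim set with exp normalised to a unix timestamp by the caller. ReplayGuard is a hypothetical name, and its in-memory array stands in for a database row keyed by the token identifier (the jti claim). Requires PHP 7.4 or newer.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not from the paseto-io thread or a PASETO library: the state that
 * makes a verified token single-use. PASETO itself cannot provide this, since the
 * bearer can always replay the old, still-valid token.
 */
final class ReplayGuard
{
    /** @var array<string,int> token id => exp (unix time); stands in for a database table */
    private array $used = [];

    /** True the first time a token id is presented, false on every replay or when it cannot be tracked. */
    public function consume(array $claims, int $now): bool
    {
        if (!isset($claims['jti'], $claims['exp'])) {
            // Without a stable identifier there is nothing to track; refuse rather than accept blindly.
            return false;
        }
        $this->prune($now);
        $jti = (string) $claims['jti'];
        if (isset($this->used[$jti])) {
            return false; // already spent
        }
        // Remember it until its own expiry; after that the expiry check rejects the token anyway.
        $this->used[$jti] = (int) $claims['exp'];
        return true;
    }

    /** Drop entries whose tokens can no longer pass the expiry check, keeping the store bounded. */
    private function prune(int $now): void
    {
        foreach ($this->used as $jti => $exp) {
            if ($exp <= $now) {
                unset($this->used[$jti]);
            }
        }
    }
}

$now = 1700000000; // constructed clock
$claims = ['sub' => 'user-42', 'jti' => 'constructed-token-id-1', 'exp' => $now + 300];

$guard = new ReplayGuard();
var_dump($guard->consume($claims, $now));          // first presentation
var_dump($guard->consume($claims, $now + 10));     // replay of the same token
var_dump($guard->consume(['sub' => 'x'], $now));   // no jti: cannot be tracked
var_dump($guard->consume($claims, $now + 301));    // after exp: pruned, but the expiry check rejects it first
```

With a real database the insert and the check must be one atomic step: put a unique index on the token id and treat a duplicate-key error as a replay, otherwise two concurrent presentations of the same token can both pass the "not yet used" lookup before either row is written.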

Pull request review comment paragonie/paseto-io

Begin Enterprise support section

+<div class="enterprise">+    <table>+        <tr>+            <td class="company"><img src="/okta.svg" alt="Okta" /></td>+            <td class="offering">+                Supports <a href="https://devops.com/okta-offers-paseto-as-alternative-to-json-tokens/">PASETO integration</a>+                in their authentication products; created <a href="https://developer.okta.com/blog/2020/07/23/introducing-jpaseto">JPaseto</a>+                for the community.
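Review bot: the first sentence of the `offering` cell ("Supports PASETO integration in their authentication products") asserts a product capability that the hunk backs only with a news-site link, and the maintainer's reply on this review says it is not true; restrict the cell to what its second sentence establishes (JPaseto created as an OSS project for the community, per the developer.okta.com link) and drop or re-source the product claim before this lands on the public site.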

This is not true. @bdemers just created a JPaseto OSS Project.

paragonie-security

comment created time in 2 months

issue comment paragonie/awesome-appsec

Is this list still maintained?

I have forked this list here: https://github.com/adds68/awesome-appsec

I will also be changing the upstream Awesome URL to this Fork: https://github.com/sindresorhus/awesome/issues/1971

adds68

comment created time in 2 months

issue opened paragonie/halite

Invalid message authentication code in

Hi. PHP 7.3.22 Halite 4.1.7
Fatal error: Uncaught ParagonIE\Halite\Alerts\InvalidMessage: Invalid message authentication code in ParagonIE/Halite/File.php:1430

In PHP 7.0 and Halite 4.0 there were no problems. Any solutions?

created time in 2 months

started paragonie-security/jpaseto

started time in 2 months


fork maxbyz/libsodium

A modern, portable, easy to use crypto library.

https://libsodium.org

fork in 2 months