-
Notifications
You must be signed in to change notification settings - Fork 10.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Dispose secret instances #51253
Dispose secret instances #51253
Conversation
…ispose-secret-instances
…ispose-secret-instances
Thanks for your PR, @alex-inftx. Someone from the team will get assigned to your PR shortly and we'll get it reviewed. |
FYI there is no memory leak here. Unreferenced instances will be reclaimed by the GC. |
return new CbcAuthenticatedEncryptor( | ||
keyDerivationKey: new Secret(secret), | ||
keyDerivationKey: key, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this is wrong because the key passed in with the returned object will already be disposed when the caller will try to use it.
@halter73 would you agree?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looking at the implementation of CbcAuthenticatedEncryptor
, it copies the buffer and then releases all references to the Secret
inside the constructor. So, it's probably safe, but it feels like it's relying on an implementation detail.
@GrabYourPitchforks is right that there is no memory leak, but it does look like it has a SafeHandle
field that needs to be finalized if you don't dispose it. It looks like this is generally used only once per key by the singleton KeyRingProvider
, so maybe the finalization is okay in order to not rely on the implementation details of the Encryptor
constructors.
What's your recommendation @GrabYourPitchforks?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The general pattern of passing Secret
instances around is that the receiver should make a standalone copy (via .ctor(ISecret)
) if they need a copy with a standalone lifetime, which allows the caller to maintain control over their own instance's lifetime. So I don't see any issues with this PR from a "this might break in the future" perspective.
The PR seems to be fine from a correctness / regression perspective.
This PR would prevent the finalization of a few objects: let's ballpark it at single digits count per day. The determination of whether this is valuable I'll leave up to the aspnet team. :)
Looks like this PR hasn't been active for some time and the codebase could have been changed in the meantime. |
/azp run |
Azure Pipelines successfully started running 3 pipeline(s). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Based on @GrabYourPitchforks feedback, I'm going to merge this. If we're not woried about potential regressions due to the encryptor holding onto the Secret instance, we can dispose the Secret to avoid finalization even if it rarely happens.
We can dispose Secret instances after use to avoid memory leak. Created Secrets used only for copy their content.