From 84fe77868426cb78f90997e783b528b548e028ae Mon Sep 17 00:00:00 2001 From: NLmejiro Date: Wed, 1 Apr 2026 13:17:05 +0000 Subject: [PATCH] fix: specify authTagLength in AES-GCM decipheriv calls Fixes missing authTagLength parameter in createDecipheriv calls using AES-256-GCM mode. Without explicit tag length specification, the application may be tricked into accepting shorter authentication tags, potentially allowing ciphertext spoofing. CWE-310: Cryptographic Issues (gcm-no-tag-length) --- apps/sim/lib/api-key/crypto.ts | 2 +- apps/sim/lib/core/security/encryption.ts | 2 +- packages/db/scripts/migrate-block-api-keys-to-byok.ts | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/apps/sim/lib/api-key/crypto.ts b/apps/sim/lib/api-key/crypto.ts index 3cac7ee0f5c..21b945bc838 100644 --- a/apps/sim/lib/api-key/crypto.ts +++ b/apps/sim/lib/api-key/crypto.ts @@ -81,7 +81,7 @@ export async function decryptApiKey(encryptedValue: string): Promise<{ decrypted const authTag = Buffer.from(authTagHex, 'hex') try { - const decipher = createDecipheriv('aes-256-gcm', key, iv) + const decipher = createDecipheriv('aes-256-gcm', key, iv, { authTagLength: 16 }) decipher.setAuthTag(authTag) let decrypted = decipher.update(encrypted, 'hex', 'utf8') diff --git a/apps/sim/lib/core/security/encryption.ts b/apps/sim/lib/core/security/encryption.ts index ab4fcdab71d..23f074bcf5f 100644 --- a/apps/sim/lib/core/security/encryption.ts +++ b/apps/sim/lib/core/security/encryption.ts @@ -54,7 +54,7 @@ export async function decryptSecret(encryptedValue: string): Promise<{ decrypted const authTag = Buffer.from(authTagHex, 'hex') try { - const decipher = createDecipheriv('aes-256-gcm', key, iv) + const decipher = createDecipheriv('aes-256-gcm', key, iv, { authTagLength: 16 }) decipher.setAuthTag(authTag) let decrypted = decipher.update(encrypted, 'hex', 'utf8') diff --git a/packages/db/scripts/migrate-block-api-keys-to-byok.ts b/packages/db/scripts/migrate-block-api-keys-to-byok.ts index 06a507a5e92..34c5bf64499 100644 --- a/packages/db/scripts/migrate-block-api-keys-to-byok.ts +++ b/packages/db/scripts/migrate-block-api-keys-to-byok.ts @@ -146,7 +146,7 @@ async function decryptSecret(encryptedValue: string): Promise { const iv = Buffer.from(ivHex, 'hex') const authTag = Buffer.from(authTagHex, 'hex') - const decipher = createDecipheriv('aes-256-gcm', key, iv) + const decipher = createDecipheriv('aes-256-gcm', key, iv, { authTagLength: 16 }) decipher.setAuthTag(authTag) let decrypted = decipher.update(encrypted, 'hex', 'utf8')