Skip to content

Potential fix for code scanning alert no. 4: Clear text storage of sensitive information #223

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
longsizhuo wants to merge 1 commit into from
Closed

Potential fix for code scanning alert no. 4: Clear text storage of sensitive information #223

longsizhuo wants to merge 1 commit into from

Conversation

@longsizhuo
Copy link
Member

@longsizhuo longsizhuo commented Nov 2, 2025

Potential fix for https://github.com/InvolutionHell/involutionhell/security/code-scanning/4

General fix:
Sensitive information like API keys should never be persisted in localStorage in cleartext. You should either avoid storing these secrets at all, or encrypt them before saving them, storing only encrypted values in localStorage. Decryption should only occur in-memory when needed and with a key/password only the user knows.

Best approach for the provided code:
The best way, without removing any existing functionality, is to encrypt the openaiApiKey and geminiApiKey fields before persisting and decrypt them after reading. One standard approach for browser environments is to use the Web Crypto API (window.crypto.subtle), as third-party modules like crypto-js are large and discouraged for new projects.

The general steps:

  • Encrypt openaiApiKey and geminiApiKey (if present) before storage using a secret only the user knows (for example, a passphrase supplied by the user—not stored in localStorage).
  • Decrypt these fields after reading from storage.
  • The encryption key cannot be hardcoded if this is to be secure; for demonstration, we may use a placeholder/environment value, but the user should be prompted to supply the passphrase on load.

Code changes needed:

  • Add encryption/decryption helper functions (using Web Crypto API).
  • Modify the code in the useEffect that saves to localStorage (line 92) to store encrypted versions of the API keys.
  • Modify the parsing code (in parseStoredSettings and related) to decrypt the keys when they are loaded.
  • Add logic for the user to provide a passphrase/key (not shown in the snippet—must assume it's available in some form, such as a context or prompt).
  • Add necessary async handling, as Web Crypto API is async.

Given that only this file is accessible for modifications, the encryption/decryption helpers and modifications must be in app/hooks/useAssistantSettings.tsx.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

@longsizhuo @github-advanced-security
Potential fix for code scanning alert no. 4: Clear text storage of se…
75de3d0 
…nsitive information

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@vercel
Copy link

vercel bot commented Nov 2, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Comments Updated (UTC)
involutionhell-github-io Ready Ready Preview Comment Nov 2, 2025 4:48pm
website-preview Ready Ready Preview Comment Nov 2, 2025 4:48pm

@longsizhuo longsizhuo closed this Nov 2, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@longsizhuo