Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Improve encryption of Server Actions bound values #57297

Merged
merged 3 commits into from
Oct 23, 2023
Merged

Improve encryption of Server Actions bound values #57297

merged 3 commits into from
Oct 23, 2023

Conversation

shuding
Copy link
Member

@shuding shuding commented Oct 23, 2023

Removes the constant prefix and action ID from the IV value and makes it a fully random string. Then, we prefix the actual payload with the action ID to avoid submitting the payload from a different action, as well as using it as the checksum of the encryption data to ensure it's not damaged.

@ijjk
Copy link
Member

ijjk commented Oct 23, 2023

Stats from current PR

Default Build
General
vercel/next.js canary vercel/next.js shu/715f Change
buildDuration 10.7s 10.8s N/A
buildDurationCached 6.3s 6.4s N/A
nodeModulesSize 178 MB 177 MB N/A
nextStartRea..uration (ms) 401ms 404ms N/A
Client Bundles (main, webpack)
vercel/next.js canary vercel/next.js shu/715f Change
199-HASH.js gzip 27.9 kB 27.9 kB N/A
3f784ff6-HASH.js gzip 53.2 kB 53.2 kB N/A
99.HASH.js gzip 182 B 182 B
framework-HASH.js gzip 45.5 kB 45.5 kB
main-app-HASH.js gzip 254 B 251 B N/A
main-HASH.js gzip 33 kB 33 kB N/A
webpack-HASH.js gzip 1.75 kB 1.75 kB N/A
Overall change 45.7 kB 45.7 kB
Legacy Client Bundles (polyfills)
vercel/next.js canary vercel/next.js shu/715f Change
polyfills-HASH.js gzip 31 kB 31 kB
Overall change 31 kB 31 kB
Client Pages
vercel/next.js canary vercel/next.js shu/715f Change
_app-HASH.js gzip 206 B 205 B N/A
_error-HASH.js gzip 182 B 180 B N/A
amp-HASH.js gzip 506 B 505 B N/A
css-HASH.js gzip 322 B 323 B N/A
dynamic-HASH.js gzip 2.59 kB 2.59 kB
edge-ssr-HASH.js gzip 260 B 259 B N/A
head-HASH.js gzip 350 B 350 B
hooks-HASH.js gzip 369 B 369 B
image-HASH.js gzip 4.38 kB 4.38 kB N/A
index-HASH.js gzip 256 B 256 B
link-HASH.js gzip 2.67 kB 2.67 kB N/A
routerDirect..HASH.js gzip 316 B 318 B N/A
script-HASH.js gzip 385 B 384 B N/A
withRouter-HASH.js gzip 319 B 319 B
1afbb74e6ecf..834.css gzip 106 B 106 B
Overall change 3.99 kB 3.99 kB
Client Build Manifests
vercel/next.js canary vercel/next.js shu/715f Change
_buildManifest.js gzip 484 B 482 B N/A
Overall change 0 B 0 B
Rendered Page Sizes
vercel/next.js canary vercel/next.js shu/715f Change
index.html gzip 528 B 530 B N/A
link.html gzip 541 B 542 B N/A
withRouter.html gzip 524 B 524 B
Overall change 524 B 524 B
Edge SSR bundle Size
vercel/next.js canary vercel/next.js shu/715f Change
edge-ssr.js gzip 95.3 kB 95.3 kB N/A
page.js gzip 157 kB 157 kB N/A
Overall change 0 B 0 B
Middleware size
vercel/next.js canary vercel/next.js shu/715f Change
middleware-b..fest.js gzip 622 B 626 B N/A
middleware-r..fest.js gzip 150 B 151 B N/A
middleware.js gzip 22.9 kB 22.9 kB
edge-runtime..pack.js gzip 1.92 kB 1.92 kB
Overall change 24.8 kB 24.8 kB
Diff details
Diff for page.js

Diff too large to display

Commit: f7d22ff

@ijjk
Copy link
Member

ijjk commented Oct 23, 2023

Tests Passed

@kodiakhq kodiakhq bot merged commit 661c598 into canary Oct 23, 2023
100 of 105 checks passed
@kodiakhq kodiakhq bot deleted the shu/715f branch October 23, 2023 23:18
@franky47
Copy link
Contributor

franky47 commented Oct 24, 2023

This could be further improved in the following ways:

  • Change IV length from 16 to 12 bytes (96 bits), as recommended by the GCM specification (paper)
  • Use the AEAD capabilities of AES-GCM to authenticate the actionId by setting it as authenticated additional data (AAD), rather than prepending it to the cleartext and checking for a valid prefix after decryption.

Would you like me to open a PR?

@github-actions github-actions bot added the locked label Nov 8, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 8, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants