Description
Bug Name
Private Key Material Cached in Class-Level Dict with Raw Key as Dict Key
Attack Scenario
The Signers class uses class-level dictionaries (_rsa_keys, _rsa_signers, _ed25519_keys, _ed25519_signers) to cache parsed key objects. The cache key is a tuple of (key_data_string, passphrase), meaning the full PEM private key content and passphrase are stored as dictionary keys in memory for the lifetime of the process.
Impact
In multi-tenant environments, long-running processes, or after a memory dump, private keys and passphrases are recoverable from the class-level cache. There is no cache eviction, no size limit, and no mechanism to clear secrets.
Components
File: common/src/binance_common/signature.py (lines 9-57). Class-level dicts: _rsa_keys, _rsa_signers, _ed25519_keys, _ed25519_signers. Method: get_rsa_key() at line 58.
Reproduction
- Create a ConfigurationRestAPI with an RSA private key.
- Inspect Signers._rsa_keys after any signed request.
- The full PEM key and passphrase are visible as dict keys.
Fix
Use a hash of the key material as the cache key (e.g., SHA256(key_data + passphrase)), or provide a clear_cache() method. Consider using weakref or TTL-based caching.
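To make the difference concrete, the following added example (written for this report, not code from the binance_common package) places the cache pattern described above beside a version that keys the cache by a SHA-256 digest and exposes clear_cache(). ParsedKey is an assumed stand-in for the object a crypto library returns, SAMPLE_PEM is a constructed string rather than a real key, and cache_exposes_secret() is a hypothetical helper a defender can run against a cache to confirm whether raw material is sitting in its keys.

```python
import hashlib
from typing import Dict, Optional, Tuple

# Constructed sample; not a real key.
SAMPLE_PEM = "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-SAMPLE-NOT-A-REAL-KEY\n-----END PRIVATE KEY-----"

class ParsedKey:
    """Stand-in for the object a crypto library would return after parsing a PEM."""
    def __init__(self, key_data: str, passphrase: Optional[str]) -> None:
        self.fingerprint = hashlib.sha256(key_data.encode()).hexdigest()[:16]

class VulnerableSigners:
    # Pattern from the report: the raw PEM text and passphrase form the dict key.
    _rsa_keys: Dict[Tuple[str, Optional[str]], ParsedKey] = {}

    @classmethod
    def get_rsa_key(cls, key_data: str, passphrase: Optional[str] = None) -> ParsedKey:
        ck = (key_data, passphrase)
        if ck not in cls._rsa_keys:
            cls._rsa_keys[ck] = ParsedKey(key_data, passphrase)
        return cls._rsa_keys[ck]

def cache_key(key_data: str, passphrase: Optional[str]) -> str:
    """SHA-256 over key material and passphrase; only the digest is held as the dict key."""
    h = hashlib.sha256()
    h.update(key_data.encode("utf-8"))
    h.update(b"\x00")  # separator so different (key, passphrase) splits cannot collide
    h.update((passphrase or "").encode("utf-8"))
    return h.hexdigest()

class HardenedSigners:
    _rsa_keys: Dict[str, ParsedKey] = {}

    @classmethod
    def get_rsa_key(cls, key_data: str, passphrase: Optional[str] = None) -> ParsedKey:
        ck = cache_key(key_data, passphrase)
        if ck not in cls._rsa_keys:
            cls._rsa_keys[ck] = ParsedKey(key_data, passphrase)
        return cls._rsa_keys[ck]

    @classmethod
    def clear_cache(cls) -> None:
        # The cached ParsedKey objects still hold private material, so callers
        # need a way to drop them; hashing the dict key alone does not do that.
        cls._rsa_keys.clear()

def cache_exposes_secret(cache: dict, secret: str) -> bool:
    """Defender's check: is the raw secret present verbatim in any cache key?"""
    return any(secret in "".join(str(part) for part in (k if isinstance(k, tuple) else (k,)))
               for k in cache)
```

Hashing the dict key removes the PEM text and passphrase from the key tuple, but the cached key objects remain in memory until clear_cache() runs, which is why the report asks for both.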
Details
Finding ID: SEC-01
Severity: Medium
Researcher: Independent Security Researcher -- Mefai Security Team