From b74fe9e8c26b1a59b92a776d9075f858a5c7d46f Mon Sep 17 00:00:00 2001 From: Drew Smirnoff Date: Fri, 17 Apr 2026 19:34:43 +0400 Subject: [PATCH] fix!: cache not being decrypted (#664) --- config/encryption.go | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/config/encryption.go b/config/encryption.go index a4e11bac6c033a8397d963d8ddf204c703e49b75..de7a300c07edb010202a9bc19754e191b90bb9e0 100644 --- a/config/encryption.go +++ b/config/encryption.go @@ -262,23 +262,29 @@ func DisableSecureMode(cfg *Config) error { // Find config.json path to skip it (handled separately below) cfgPath, _ := configFile() - // Read and decrypt all cache files while we still have the session key - key := GetSessionKey() + // Copy the key so ClearSessionKey's in-place zeroing doesn't destroy it. + origKey := GetSessionKey() + key := make([]byte, len(origKey)) + copy(key, origKey) + + // Decrypt all cache files and write them back as plain data. + // We use Decrypt directly instead of toggling the session key, because + // ClearSessionKey zeroes the slice in-place which would corrupt our copy. for _, f := range files { if f == cfgPath { continue } - data, err := SecureReadFile(f) + encrypted, err := os.ReadFile(f) if err != nil { continue // File may not exist } - // Write plain - ClearSessionKey() - if err := os.WriteFile(f, data, 0600); err != nil { - SetSessionKey(key) // Restore on error + plain, err := Decrypt(encrypted, key) + if err != nil { + continue // File may not be encrypted + } + if err := os.WriteFile(f, plain, 0600); err != nil { return err } - SetSessionKey(key) } // Clear session key so SaveConfig writes plain JSON and restores passwords to keyring