Ensure private key copy is zeroed out if signing from block fails.
authorChris Duncan <chris@zoso.dev>
Tue, 14 Apr 2026 19:26:52 +0000 (12:26 -0700)
committerChris Duncan <chris@zoso.dev>
Tue, 14 Apr 2026 19:26:52 +0000 (12:26 -0700)
src/lib/block.ts

index 34964c84b2e80e43e9af4d04534f144e345d4538..e74d04c7d3fe4ba59363583ebb437fe5445fb192 100644 (file)
@@ -413,9 +413,13 @@ export class Block {
                        try {
                                if (typeof input === 'string' && /^[A-F0-9]{64}$/i.test(input)) {
                                        const prv = hex.toBytes(input)
-                                       const pub = nano25519_derive(prv)
-                                       const signature = nano25519_sign(hex.toBytes(this.hash), new Uint8Array([...prv, ...pub]))
-                                       this.signature = bytes.toHex(signature)
+                                       try {
+                                               const pub = nano25519_derive(prv)
+                                               const signature = nano25519_sign(hex.toBytes(this.hash), new Uint8Array([...prv, ...pub]))
+                                               this.signature = bytes.toHex(signature)
+                                       } finally {
+                                               prv.fill(0)
+                                       }
                                } else if (input instanceof Wallet && typeof index === 'number'
                                        && (frontier === undefined || frontier instanceof (this.constructor as typeof Block))
                                ) {
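Review bot: The new `finally` wipes only `prv`; the second copy of the private key created by `new Uint8Array([...prv, ...pub])` on the signing line is never zeroed, and the spread also routes the key bytes through a temporary plain array that cannot be wiped at all. Building the combined key in a named buffer with `set()` and clearing it in the same `finally` closes that gap, as sketched below. The hex string in `input` is immutable and stays in memory until it is collected, so a short comment saying that string-key callers get only best-effort wiping would set the right expectation. The enclosing method and its outer `try` start and end outside this hunk.

```typescript
const prv = hex.toBytes(input)
let sk: Uint8Array | undefined
try {
	const pub = nano25519_derive(prv)
	// Concatenate without the spread so no unwipeable intermediate array holds key bytes.
	sk = new Uint8Array(prv.length + pub.length)
	sk.set(prv)
	sk.set(pub, prv.length)
	const signature = nano25519_sign(hex.toBytes(this.hash), sk)
	// … unchanged: this.signature assignment …
} finally {
	prv.fill(0)
	sk?.fill(0)
}
```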