Open neonexus opened 4 years ago
@neonexus Thanks for posting! We'll take a look as soon as possible.
In the mean time, there are a few ways you can help speed things along:
Please remember: never post in a public forum if you believe you've found a genuine security vulnerability. Instead, disclose it responsibly.
For help with questions about Sails, click here.
After 2 years, can I get another look at this? I would love to get this fixed, but I can't seem to find where this is happening down the pipeline.
Node version: 14.5.0 (any really) Sails version (sails): 1.2.4 ORM hook version (sails-hook-orm): 3.0.1 (I think this is where my issue is) Sockets hook version (sails-hook-sockets): N/A Organics hook version (sails-hook-organics): N/A Grunt hook version (sails-hook-grunt): N/A Uploads hook version (sails-hook-uploads): N/A DB adapter & version (e.g. sails-mysql@5.55.5): N/A Skipper adapter & version (e.g. skipper-s3@5.55.5): N/A
Preface
So, I know this is overkill, but frankly, overkill security is sometimes needed; but there is a second use-case I will describe after my current delima, that I think should be discussed.
My thoughts
So, I want to hash passwords with Scrypt KDF, then have said hash encrypted via Waterline's encryption system. Again, I know it's a bit of overkill, but here is my train of thought: why WOULDN'T you mix the 2? Hashes still have the inherent problem of being able to be compared, even with Scrypt KDF with salts. All it takes is MASSIVE computing power (which isn't hard anymore with crypto). And since it is meant to be validated, it's a simple yes / no problem. BUT, if you encrypt the hashes, suddenly there is a ton more complexity to solving the problem (which very quickly renders brute-forcing basically use-less).
So what's the actual problem?
Waterline, for some reason, is encrypting whatever BEFORE the
beforeCreate
/beforeUpdate
functions. This is a big headache, because now I have to move my password hashing to the controllers (or a helper), when I feel like it should be the job of the model to handle this level of work. Why are things encrypted BEFOREbeforeCreate
?My final thoughts
What if, I want to deal with a field, where if it is blank on creation, I generate it, (or hell, even modify the value on create / update) then wanted it encrypted? I don't believe I can do that, seeing as things are encrypted BEFORE
beforeCreate
is called... So again, I ask why? Why are fields encrypted BEFOREbeforeCreate
andbeforeUpdate
? I would most certainly expect them encrypted BEFOREafterCreate
/afterUpdate
, and AFTERbeforeCreate
/beforeUpdate
...For reference, here is the model (or a version of it) I'm describing: https://github.com/neonexus/sails-react-bootstrap-webpack/blob/release/api/models/User.js