Open parthpkp97 opened 4 years ago
@parthpkp97 Thanks for posting! We'll take a look as soon as possible.
In the mean time, there are a few ways you can help speed things along:
Please remember: never post in a public forum if you believe you've found a genuine security vulnerability. Instead, disclose it responsibly.
For help with questions about Sails, click here.
Hi @parthpkp97, thanks for using Sails! encrypt
is not intended to be used for attributes you would need to query. We will be updating the docs to make this more clear.
Any other way in which sails can query on encrypted value with decrypted one?
As it would be very difficult to query on encrypted field.
@parthpkp97 if you're using encrypt: true
for an attribute, you won't be able to look up records by the unencrypted value. .decrypt()
just gives you the records with the auto-encrypted attributes decrypted, it doesn't change the query.
Could you tell us more about your use case for encrypting email addresses?
@rachaelshaw
Use case scenario
When user is doing signup with email address. Then due to some security reasons i am not saving email address in plain text rather than that i am saving email address in encrypted format. Using encrypt: true
in User model and it is saving successfully in encrypted format.
But when user logins with same email address. I am not able to lookup into db that If email address exists in table or not. As the value saved in table is in encrypted format and query i am doing is plain text with email address.
Please let me know if some more information is needed.
@parthpkp97 One trick you could do, is have a second column, where you store the email in a 1-way hash. This way, you can just hash the email on login, and query based on this hash.
Would be great if some function encrypt the query data before like this
Users.findOne({email: sails.helpers.encrypt(unEncryptedEmail)}).decrypt()
@xemuj could you tell me more about your use case for needing email addresses to be encrypted at rest?
In fact in my project I encrypted name and lastName for security reasons but now I need to decrypt all data because this issue
What do I need is encrypt my search data an then I could compare in dB
@xemuj you don't want encryption for search data. You want 1-way, repeatable hashes, like SHA256, or similar. Same data in, same final hash out. See this for an example, and good explanation of why it's used: https://xorbin.com/tools/sha256-hash-calculator
Encryption is 2-way, but generally involves "salts", which means same data in does not give same final hash out. This makes it virtually impossible to do searches with.
Hopefully that makes sense, and helps you a little bit.
Thanks for the great explanation @neonexus!
Node version: 10.0 Sails version (sails): 1.0.2 ORM hook version (sails-hook-orm): 2.0.1 Sockets hook version (sails-hook-sockets): 1.5.3 Organics hook version (sails-hook-organics): 0.14.5 Grunt hook version (sails-hook-grunt): 1.0.4 Uploads hook version (sails-hook-uploads): DB adapter & version (e.g. sails-mysql@5.55.5): sails-mysql@1.0.0
I have an user table where i need to store email in encrypted format. I am able to do that by setting value encrypted to true in User model. But when i am trying to get that data based on the email id. I am passing email id in plain text format without encrypted value and trying to find record with that value. But i am not able to find that always value is empty.
Is there any way to query record with with decrypted value and value stored is in encrypted format??
Following are the code snippet i am trying to do.
Saving record in table
Finding record with this email
Output i got is empty array instead of array with matching record
I also tried without decrypt. It is also giving empty value.