balderdashy / sails

Realtime MVC Framework for Node.js
https://sailsjs.com
MIT License
22.84k stars 1.95k forks source link

Decryption doesn't work for records querying with decrypted value on encrypted one. #7029

Open parthpkp97 opened 4 years ago

parthpkp97 commented 4 years ago

Node version: 10.0 Sails version (sails): 1.0.2 ORM hook version (sails-hook-orm): 2.0.1 Sockets hook version (sails-hook-sockets): 1.5.3 Organics hook version (sails-hook-organics): 0.14.5 Grunt hook version (sails-hook-grunt): 1.0.4 Uploads hook version (sails-hook-uploads): DB adapter & version (e.g. sails-mysql@5.55.5): sails-mysql@1.0.0


I have an user table where i need to store email in encrypted format. I am able to do that by setting value encrypted to true in User model. But when i am trying to get that data based on the email id. I am passing email id in plain text format without encrypted value and trying to find record with that value. But i am not able to find that always value is empty.

Is there any way to query record with with decrypted value and value stored is in encrypted format??

Following are the code snippet i am trying to do.

module.exports = {

  attributes: {

    //  ╔═╗╦═╗╦╔╦╗╦╔╦╗╦╦  ╦╔═╗╔═╗
    //  ╠═╝╠╦╝║║║║║ ║ ║╚╗╔╝║╣ ╚═╗
    //  ╩  ╩╚═╩╩ ╩╩ ╩ ╩ ╚╝ ╚═╝╚═╝
    email: { 
      type: 'string',
      required: true,
      isEmail: true,
      encrypt: true,
      maxLength: 512,
    }
  }
}

Saving record in table

await User.create({email: 'abc@domain.com'})

Finding record with this email

let userData = await User.find({email: 'abc@domain.com'}).decrypt();
console.log('user Data', userData)

Output i got is empty array instead of array with matching record

user data []

I also tried without decrypt. It is also giving empty value.

sailsbot commented 4 years ago

@parthpkp97 Thanks for posting! We'll take a look as soon as possible.

In the mean time, there are a few ways you can help speed things along:

Please remember: never post in a public forum if you believe you've found a genuine security vulnerability. Instead, disclose it responsibly.

For help with questions about Sails, click here.

eashaw commented 4 years ago

Hi @parthpkp97, thanks for using Sails! encrypt is not intended to be used for attributes you would need to query. We will be updating the docs to make this more clear.

parthpkp97 commented 4 years ago

Any other way in which sails can query on encrypted value with decrypted one?

As it would be very difficult to query on encrypted field.

rachaelshaw commented 4 years ago

@parthpkp97 if you're using encrypt: true for an attribute, you won't be able to look up records by the unencrypted value. .decrypt() just gives you the records with the auto-encrypted attributes decrypted, it doesn't change the query.

Could you tell us more about your use case for encrypting email addresses?

parthpkp97 commented 4 years ago

@rachaelshaw Use case scenario When user is doing signup with email address. Then due to some security reasons i am not saving email address in plain text rather than that i am saving email address in encrypted format. Using encrypt: true in User model and it is saving successfully in encrypted format.

But when user logins with same email address. I am not able to lookup into db that If email address exists in table or not. As the value saved in table is in encrypted format and query i am doing is plain text with email address.

Please let me know if some more information is needed.

neonexus commented 4 years ago

@parthpkp97 One trick you could do, is have a second column, where you store the email in a 1-way hash. This way, you can just hash the email on login, and query based on this hash.

xemuj commented 3 years ago

Would be great if some function encrypt the query data before like this

Users.findOne({email: sails.helpers.encrypt(unEncryptedEmail)}).decrypt()

eashaw commented 3 years ago

@xemuj could you tell me more about your use case for needing email addresses to be encrypted at rest?

xemuj commented 3 years ago

In fact in my project I encrypted name and lastName for security reasons but now I need to decrypt all data because this issue

What do I need is encrypt my search data an then I could compare in dB

neonexus commented 3 years ago

@xemuj you don't want encryption for search data. You want 1-way, repeatable hashes, like SHA256, or similar. Same data in, same final hash out. See this for an example, and good explanation of why it's used: https://xorbin.com/tools/sha256-hash-calculator

Encryption is 2-way, but generally involves "salts", which means same data in does not give same final hash out. This makes it virtually impossible to do searches with.

Hopefully that makes sense, and helps you a little bit.

eashaw commented 3 years ago

Thanks for the great explanation @neonexus!