openBox() with wrong key leads to wipe

isar / hive

Lightweight and blazing fast key-value database written in pure Dart.

Apache License 2.0

4.02k stars 399 forks source link

openBox() with wrong key leads to wipe #577

Open FaFre opened 3 years ago

FaFre commented 3 years ago

Steps to Reproduce Opening an encrypted box with a wrong key leads to the wipe of the complete box (= content of *.hive-file is then empty).

I was expecting "undefined behavior" but not a modification of existing data with openBox(). I initially wanted to derive a key from user password and wanted to use this as a decryption key.

Code sample

var encryptedBox =
      await Hive.openBox('vaultBox', encryptionCipher: HiveAesCipher(wrongKey));

Version

Platform: Linux
Flutter version: 1.27.0-4.0.pre
Hive version: 1.4.4+1

FaFre commented 3 years ago

Oh, after debugging a little bit, setting crashRecovery: false when opening the box prevents the wipe. Is it guaranteed with setting crashRecovery: false that noting is written during openBox, providing a wrong key (also in future versions)?

nuunoo1977 commented 2 years ago

How is this issue? I think this is a priority one, because it gives the malicious possibility of erasing the contents of protected box simply by trying to open it without an encryption key or with a wrong one.

FaFre commented 2 years ago

Is this still persistent?

nuunoo1977 commented 2 years ago

Yes. If we have an encrypted box and try to open it without encryption key or with a wrong one, the message flutter: Recovering corrupted box. appears on the debug console and the box entries disappear.

mlischka commented 1 year ago

This bug is still alive. Just run into same issue running Flutter v3.3.1 (Linux) with Hive v2.2.3. Opening a box with crashRecovery: false and catching the HiveError (Wrong checksum in hive file. Box may be corrupted.) seems to be the workaround.