Sails: Decryption doesn't work for records querying with decrypted value on encrypted one.

Created on 17 Aug 2020  ยท  11Comments  ยท  Source: balderdashy/sails

Node version: 10.0
Sails version _(sails)_: 1.0.2
ORM hook version _(sails-hook-orm)_: 2.0.1
Sockets hook version _(sails-hook-sockets)_: 1.5.3
Organics hook version _(sails-hook-organics)_: 0.14.5
Grunt hook version _(sails-hook-grunt)_: 1.0.4
Uploads hook version _(sails-hook-uploads)_:
DB adapter & version _(e.g. [email protected])_: [email protected]

I have an user table where i need to store email in encrypted format. I am able to do that by setting value encrypted to true in User model. But when i am trying to get that data based on the email id. I am passing email id in plain text format without encrypted value and trying to find record with that value. But i am not able to find that always value is empty.

Is there any way to query record with with decrypted value and value stored is in encrypted format??

Following are the code snippet i am trying to do.

module.exports = {

  attributes: {

    //  โ•”โ•โ•—โ•ฆโ•โ•—โ•ฆโ•”โ•ฆโ•—โ•ฆโ•”โ•ฆโ•—โ•ฆโ•ฆ  โ•ฆโ•”โ•โ•—โ•”โ•โ•—
    //  โ• โ•โ•โ• โ•ฆโ•โ•‘โ•‘โ•‘โ•‘โ•‘ โ•‘ โ•‘โ•šโ•—โ•”โ•โ•‘โ•ฃ โ•šโ•โ•—
    //  โ•ฉ  โ•ฉโ•šโ•โ•ฉโ•ฉ โ•ฉโ•ฉ โ•ฉ โ•ฉ โ•šโ• โ•šโ•โ•โ•šโ•โ•
    email: { 
      type: 'string',
      required: true,
      isEmail: true,
      encrypt: true,
      maxLength: 512,
    }
  }
}

Saving record in table

await User.create({email: '[email protected]'})

Finding record with this email

let userData = await User.find({email: '[email protected]'}).decrypt();
console.log('user Data', userData)

Output i got is empty array instead of array with matching record

user data []

I also tried without decrypt. It is also giving empty value.

does this answer your question?
Source
picture parthpkp97
👍1

Most helpful comment

@xemuj you don't want encryption for search data. You want 1-way, repeatable hashes, like SHA256, or similar. Same data in, same final hash out. See this for an example, and good explanation of why it's used: https://xorbin.com/tools/sha256-hash-calculator

Encryption is 2-way, but generally involves "salts", which means same data in does not give same final hash out. This makes it virtually impossible to do searches with.

Hopefully that makes sense, and helps you a little bit.

picture neonexus on 2 Dec 2020
2

All 11 comments

@parthpkp97 Thanks for posting! We'll take a look as soon as possible.

In the mean time, there are a few ways you can help speed things along:

  • look for a workaround. _(Even if it's just temporary, sharing your solution can save someone else a lot of time and effort.)_
  • tell us why this issue is important to you and your team. What are you trying to accomplish? _(Submissions with a little bit of human context tend to be easier to understand and faster to resolve.)_
  • make sure you've provided clear instructions on how to reproduce the bug from a clean install.
  • double-check that you've provided all of the requested version and dependency information. _(Some of this info might seem irrelevant at first, like which database adapter you're using, but we ask that you include it anyway. Oftentimes an issue is caused by a confluence of unexpected factors, and it can save everybody a ton of time to know all the details up front.)_
  • read the code of conduct.
  • if appropriate, ask your business to sponsor your issue. _(Open source is our passion, and our core maintainers volunteer many of their nights and weekends working on Sails. But you only get so many nights and weekends in life, and stuff gets done a lot faster when you can work on it during normal daylight hours.)_
  • let us know if you are using a 3rd party plugin; whether that's a database adapter, a non-standard view engine, or any other dependency maintained by someone other than our core team. _(Besides the name of the 3rd party package, it helps to include the exact version you're using. If you're unsure, check out this list of all the core packages we maintain.)_

Please remember: never post in a public forum if you believe you've found a genuine security vulnerability. Instead, disclose it responsibly.

For help with questions about Sails, click here.

sailsbot picture sailsbot on 17 Aug 2020

Hi @parthpkp97, thanks for using Sails! encrypt is not intended to be used for attributes you would need to query. We will be updating the docs to make this more clear.

eashaw picture eashaw on 20 Aug 2020

Any other way in which sails can query on encrypted value with decrypted one?

As it would be very difficult to query on encrypted field.

parthpkp97 picture parthpkp97 on 20 Aug 2020

@parthpkp97 if you're using encrypt: true for an attribute, you won't be able to look up records by the unencrypted value. .decrypt() just gives you the records with the auto-encrypted attributes decrypted, it doesn't change the query.

Could you tell us more about your use case for encrypting email addresses?

rachaelshaw picture rachaelshaw on 20 Aug 2020

@rachaelshaw
Use case scenario
When user is doing signup with email address. Then due to some security reasons i am not saving email address in plain text rather than that i am saving email address in encrypted format. Using encrypt: true in User model and it is saving successfully in encrypted format.

But when user logins with same email address. I am not able to lookup into db that If email address exists in table or not. As the value saved in table is in encrypted format and query i am doing is plain text with email address.

Please let me know if some more information is needed.

parthpkp97 picture parthpkp97 on 21 Aug 2020
👍1

@parthpkp97 One trick you could do, is have a second column, where you store the email in a 1-way hash. This way, you can just hash the email on login, and query based on this hash.

neonexus picture neonexus on 23 Aug 2020
👀1

Would be great if some function encrypt the query data before like this

Users.findOne({email: sails.helpers.encrypt(unEncryptedEmail)}).decrypt()

xemuj picture xemuj on 1 Dec 2020

@xemuj could you tell me more about your use case for needing email addresses to be encrypted at rest?

eashaw picture eashaw on 2 Dec 2020

In fact in my project I encrypted name and lastName for security reasons but now I need to decrypt all data because this issue

What do I need is encrypt my search data an then I could compare in dB

xemuj picture xemuj on 2 Dec 2020

@xemuj you don't want encryption for search data. You want 1-way, repeatable hashes, like SHA256, or similar. Same data in, same final hash out. See this for an example, and good explanation of why it's used: https://xorbin.com/tools/sha256-hash-calculator

Encryption is 2-way, but generally involves "salts", which means same data in does not give same final hash out. This makes it virtually impossible to do searches with.

Hopefully that makes sense, and helps you a little bit.

neonexus picture neonexus on 2 Dec 2020
2

Thanks for the great explanation @neonexus!

eashaw picture eashaw on 2 Dec 2020
👍1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

danil-z picture danil-z  ยท  3Comments
victory-deployment picture victory-deployment  ยท  4Comments
mahfuzur picture mahfuzur  ยท  3Comments
svmn picture svmn  ยท  4Comments
Noitidart picture Noitidart  ยท  4Comments