filter-pouch
Apply a transform function to documents before and after they are stored in the database. These functions are triggered invisibly for every get(), put(), post(), bulkDocs(), allDocs(), changes(), and also to documents added via replication.
This allows you to:
Note: This plugin was formerly known as filter-pouch. The filter() API is still supported, but deprecated.
To use this plugin, include the dist/pouchdb.transform-pouch.js file after pouchdb.js in your HTML page:
<script src="pouchdb.js"></script>
<script src="pouchdb.transform-pouch.js"></script>
It's also available in Bower:
bower install transform-pouch
Or to use it in Node.js, just npm install it:
npm install transform-pouch
And then attach it to the PouchDB object:
var PouchDB = require('pouchdb');
PouchDB.plugin(require('transform-pouch'));
When you create a new PouchDB, you need to configure the transform functions:
var pouch = new PouchDB('mydb');
pouch.transform({
  incoming: function (doc) {
    // do something to the document before storage
    return doc;
  },
  outgoing: function (doc) {
    // do something to the document after retrieval
    return doc;
  }
});
Notes:
- You can provide an incoming function, an outgoing function, or both.
- incoming functions apply to put(), post(), bulkDocs(), and incoming replications.
- outgoing functions apply to get(), allDocs(), changes(), query(), and outgoing replications.
- The transform() method is synchronous - no need for callbacks or promises.

Update! Check out crypto-pouch, which is based on this plugin, and runs in both the browser and Node. The instructions below will only work in Node.
Using the Node.js crypto library, let's first set up our encrypt/decrypt functions:
var crypto = require('crypto');

// Note: crypto.createCipher()/createDecipher() derive both key and IV from the
// password alone (no salt, no random IV), so equal inputs give equal ciphertexts.
// Both functions are deprecated in Node.js.
function encrypt(text) {
  var cipher = crypto.createCipher('aes-256-cbc', 'password');
  var crypted = cipher.update(text, 'utf8', 'base64');
  return crypted + cipher.final('base64');
}

function decrypt(text) {
  var decipher = crypto.createDecipher('aes-256-cbc', 'password');
  var dec = decipher.update(text, 'base64', 'utf8');
  return dec + decipher.final('utf8');
}
Obviously you would want to change the 'password' to be something only the user knows!
Next, let's set up our transforms:
pouch.transform({
  incoming: function (doc) {
    Object.keys(doc).forEach(function (field) {
      if (field !== '_id' && field !== '_rev') {
        doc[field] = encrypt(doc[field]);
      }
    });
    return doc;
  },
  outgoing: function (doc) {
    Object.keys(doc).forEach(function (field) {
      if (field !== '_id' && field !== '_rev') {
        doc[field] = decrypt(doc[field]);
      }
    });
    return doc;
  }
});
(transform-pouch will automatically ignore deleted documents, so you don't need to handle that case.)
Now, the documents are encrypted whenever they're stored in the database. If you want to verify, try opening them with a Pouch where you haven't set up any transforms. You'll see documents like:
{
  secret: 'YrAtAEbvp0bPLil8EpbNeA==',
  _id: 'doc',
  _rev: '1-bfc37cd00225f68671fe3187c054f9e3'
}
whereas privileged users will see:
{
  secret: 'my super secret text!',
  _id: 'doc',
  _rev: '1-bfc37cd00225f68671fe3187c054f9e3'
}
This works for remote CouchDB databases as well. In fact, only the encrypted data is sent over the wire, so it's ideal for protecting sensitive information.
Since the remote CouchDB doesn't have access to the untransformed document, map/reduce functions that are executed directly against CouchDB will be applied to the stored version, which has not been passed through the outgoing transform. PouchDB doesn't have this limitation, because everything is local.
So for instance, if you try to emit() an encrypted field in your map function:
function (doc) {
  emit(doc.secret, 'shhhhh');
}
... the emitted key will be encrypted when you query() the remote database, but decrypted when you query() a local database. So be aware that the query() functionality is not exactly the same.
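A hardened variant of the encrypt/decrypt pair above, as an added example that is not part of the original README or the transform-pouch project: it replaces password-only AES-256-CBC with scrypt key derivation plus AES-256-GCM and a random nonce, JSON-encodes values so non-string fields work, and leaves every underscore-prefixed field untouched (a generalization of the _id/_rev check above). The names deriveKey, encryptValue, decryptValue and makeTransforms, and the sample password and document, are assumptions made for illustration.

```javascript
const { scryptSync, randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

// Assumption: a random per-database salt is stored alongside the data.
function deriveKey(password, salt) {
  return scryptSync(password, salt, 32); // 32-byte key for AES-256
}

function encryptValue(key, value) {
  const iv = randomBytes(12); // fresh nonce per field, so equal values differ
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  // JSON-encode first so numbers, booleans, arrays and objects survive
  const body = Buffer.concat([cipher.update(JSON.stringify(value), 'utf8'), cipher.final()]);
  // Layout: 12-byte nonce | 16-byte auth tag | ciphertext
  return Buffer.concat([iv, cipher.getAuthTag(), body]).toString('base64');
}

function decryptValue(key, encoded) {
  const raw = Buffer.from(encoded, 'base64');
  const decipher = createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAuthTag(raw.subarray(12, 28));
  // final() throws if the ciphertext or tag was modified in storage or transit
  const plain = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
  return JSON.parse(plain.toString('utf8'));
}

// Returns { incoming, outgoing } in the shape pouch.transform() expects.
function makeTransforms(key) {
  const mapFields = (doc, fn) => {
    const out = {};
    for (const field of Object.keys(doc)) {
      // Fields starting with "_" (_id, _rev, ...) are reserved and stay readable
      out[field] = field.startsWith('_') ? doc[field] : fn(key, doc[field]);
    }
    return out;
  };
  return {
    incoming: (doc) => mapFields(doc, encryptValue),
    outgoing: (doc) => mapFields(doc, decryptValue),
  };
}

// Constructed sample password and document, for illustration only.
const demoKey = deriveKey('correct horse battery staple', randomBytes(16));
const demoTransforms = makeTransforms(demoKey);
const demoStored = demoTransforms.incoming({ _id: 'doc', secret: 'my super secret text!', count: 3 });
const demoRead = demoTransforms.outgoing(demoStored);
```

Pass the object returned by makeTransforms() to pouch.transform(), and persist the salt (never the key) so the same key can be derived again.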
npm install
npm run build
This will run the tests in Node using LevelDB:
npm test
You can also check for 100% code coverage using:
npm run coverage
If you have mocha installed globally you can run a single test with:
TEST_DB=local mocha --reporter spec --grep search_phrase
The TEST_DB environment variable specifies the database that PouchDB should use (see package.json).
Run npm run dev and then point your favorite browser to http://127.0.0.1:8001/test/index.html.
The query param ?grep=mysearch will search for tests matching mysearch.
You can run e.g.
CLIENT=selenium:firefox npm test
CLIENT=selenium:phantomjs npm test
This will run the tests automatically and the process will exit with a 0 or a 1 when it's done. Firefox uses IndexedDB, and PhantomJS uses WebSQL.
FAQs
Transform Pouch (formerly Filter Pouch)
We found that filter-pouch demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 3 open source maintainers collaborating on the project.