mongoose-field-encryption
A simple symmetric encryption plugin for fields with string values.
A simple symmetric encryption plugin for individual fields. The goal of this plugin is to encrypt data but still allow searching over the fields. This plugin relies on the Node crypto module. Encryption and decryption happen transparently during save and find.
At present this plugin only works on fields with string values. Also consider mongoose-encryption if you have other requirements.
Encryption is performed using AES-256-CTR. To encrypt, the relevant fields are encrypted with the provided secret and the resulting hex string is put in place of the actual value. An extra boolean field with the prefix __enc_ is added to the document which indicates if the provided field is encrypted or not.
>=4.4.7
>=2.6.10
npm install mongoose-field-encryption
Keep your secret a secret. Ideally it should only live as an environment variable and
For example, given a schema as follows:
let mongoose = require('mongoose');
let mongooseFieldEncryption = require('mongoose-field-encryption');
let Schema = mongoose.Schema;
let Post = new Schema({
title: String,
message: String
});
Post.plugin(mongooseFieldEncryption, {fields: ['message'], secret: 'some secret key'});
The resulting documents will have the following format:
{
_id: ObjectId,
title: String,
message: String, // encrypted hex value as string
__enc_message: true // boolean marking if the field is encrypted or not
}
find works transparently and you can make new documents as normal, but you should not use the lean option on a find if you want the fields of the document to be decrypted. findOne, findById and save also all work as normal. update works, but you would also need to manually set the __enc_ field value to false if you're updating an encrypted field.
From the mongoose documentation: Note that findAndUpdate/Remove do not execute any hooks or validation before making the change in the database. If you need hooks and validation, first query for the document and then save it.
Also note that if you manually set the value of the __enc_ prefix field to true, then encryption is not run on the corresponding field and this may result in the plaintext value being stored in the db.
For performance reasons, once the document has been encrypted, it remains so. The following methods are thus added to the schema:
encryptFieldsSync(): synchronous call that encrypts all fields as given by the plugin options
decryptFieldsSync(): synchronous call that decrypts encrypted fields as given by the plugin options
To run the tests: run npm install, and install mongo if you don't have it yet. Start mongod. Run npm test. Additionally you can pass your own mongodb uri as an environment variable if you would like to test against your own database, e.g. URI='mongodb://username:password@localhost/mongoose-field-encryption-test' npm test
FAQs
A simple symmetric encryption plugin for individual fields. Dependency free, only mongoose peer dependency.
The npm package mongoose-field-encryption receives a total of 4,351 weekly downloads. As such, mongoose-field-encryption popularity was classified as popular.
We found that mongoose-field-encryption demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.