database-sanitizer is a tool which retrieves a database dump from a relational database and performs sanitation on the retrieved data according to rules defined in a configuration file. Currently the sanitation tool supports both PostgreSQL and MySQL databases.
database-sanitizer can be installed from PyPI with pip like this:
$ pip install database-sanitizer
If you are using MySQL, you need to install the package like this instead, so that additional requirements are included:
$ pip install database-sanitizer[MySQL]
Once the package has been installed, database-sanitizer can be used like this:
$ database-sanitizer <DATABASE-URL>
The DATABASE-URL command line argument must be provided so that the tool knows how to retrieve the dump from the database. With PostgreSQL, it would look something like this:
$ database-sanitizer postgres://user:password@host/database
However, unless a configuration file is provided, no sanitation will be performed on the retrieved database dump, which leads us to the next section: configuration.
Rules for the sanitation can be given in a configuration file written in YAML. The path to the configuration file is then given to the command line utility with the --config argument (-c for short) like this:
$ database-sanitizer -c config.yml postgres://user:password@host/database
The configuration file uses the following kind of syntax:
config:
  addons:
    - some.other.package
    - yet.another.package
  extra_parameters: # These parameters will be passed to the dump tool CLI
    mysqldump:
      - "--single-transaction" # Included by default
    pg_dump:
      - "--exclude-table=something"
strategy:
  user:
    first_name: name.first_name
    last_name: name.last_name
    secret_key: string.empty
  access_log: skip_rows
In the example configuration above, two "addon packages" are listed first. These are the names of Python packages in which the sanitizer will look for sanitizer functions. They are completely optional and can be omitted, in which case only the sanitizer functions defined in a package called sanitizers and the built-in sanitizers will be used.
It's also possible to define extra parameters to pass to the dump tool (mysqldump or pg_dump). By default, mysqldump will include the --single-transaction extra parameter. You can disable this by defining the extra parameters in the config file explicitly, e.g. with an empty array [].
The strategy portion of the configuration contains the actual sanitation rules. First you define the name of the database table (in the example that would be user), followed by the column names in that table, each mapped to a sanitation function name. The name of the sanitation function consists of two parts separated by a dot: the Python module name and the name of the actual function, which will be prefixed with sanitize_. So name.first_name refers to a function called sanitize_first_name in a file called name.py.
Table content can be left out of the sanitized dump completely by setting the table strategy to skip_rows (see the access_log table in the example config). This will leave out all INSERT INTO (MySQL) or COPY (PostgreSQL) statements for that table from the sanitized dump file. CREATE TABLE statements will not be removed.
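As an added example (not code from the database-sanitizer project), here is how the strategy rules described above can be resolved into Python callables and applied to rows, including the skip_rows case. It assumes a sanitizer function takes one column value and returns the replacement value, and it builds the sanitizers.name and sanitizers.string modules in memory so it runs without files on disk; a real config's addon packages would simply be searched before sanitizers.

```python
"""Resolve database-sanitizer style strategy rules and apply them to rows."""
import importlib
import sys
import types


def _register_module(qualname, **funcs):
    """Register an in-memory module (constructed stand-in for sanitizers/name.py etc.)."""
    mod = types.ModuleType(qualname)
    mod.__dict__.update(funcs)
    sys.modules[qualname] = mod
    return mod


# Constructed "sanitizers" package holding the modules the example config refers to.
_pkg = _register_module("sanitizers")
_pkg.__path__ = []  # mark it as a package so submodule imports are accepted
_register_module("sanitizers.name",
                 sanitize_first_name=lambda v: None if v is None else "Jane",
                 sanitize_last_name=lambda v: None if v is None else "Doe")
_register_module("sanitizers.string", sanitize_empty=lambda v: "")


def resolve_sanitizer(rule, packages=("sanitizers",)):
    """Map 'name.first_name' to sanitize_first_name in module name.py, searching
    the given packages in order (addon packages would come first in a real run)."""
    module_name, _, func_name = rule.rpartition(".")
    if not module_name:
        raise ValueError(f"rule {rule!r} must be '<module>.<function>'")
    for package in packages:
        try:
            module = importlib.import_module(f"{package}.{module_name}")
        except ImportError:
            continue  # this package has no such module; try the next one
        func = getattr(module, f"sanitize_{func_name}", None)
        if callable(func):
            return func
    raise LookupError(f"no sanitize_{func_name} found for rule {rule!r}")


def sanitize_rows(table, rows, strategy):
    """Apply the strategy to a list of row dicts. A table set to skip_rows yields
    no rows at all; columns without a rule pass through unchanged."""
    rules = strategy.get(table, {})
    if rules == "skip_rows":
        return []
    funcs = {col: resolve_sanitizer(rule) for col, rule in rules.items()}
    return [{col: funcs[col](val) if col in funcs else val
             for col, val in row.items()} for row in rows]


STRATEGY = {  # the strategy block from the example config above
    "user": {"first_name": "name.first_name", "last_name": "name.last_name",
             "secret_key": "string.empty"},
    "access_log": "skip_rows",
}
```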
FAQs
Sanitizes contents of a database.
We found that database-sanitizer demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 5 open source maintainers collaborating on the project.