
Research
PyPI Package Disguised as Instagram Growth Tool Harvests User Credentials
A deceptive PyPI package posing as an Instagram growth tool collects user credentials and sends them to third-party bot services.
A set of utility functions for dealing with ASCII Armor (http://www.ietf.org/rfc/rfc2440.txt) and padding, and a collection of Django field classes that utilize these functions in a way that is compatible with pgcrypto functions.
pip install django-pgcrypto
There are several encrypted versions of Django fields that you can use (mostly) as you would use a normal Django field:
from django.db import models
import pgcrypto
class Employee (models.Model):
name = models.CharField(max_length=100)
ssn = pgcrypto.EncryptedTextField()
pay_rate = pgcrypto.EncryptedDecimalField()
date_hired = pgcrypto.EncryptedDateField(key="datekey", auto_now_add=True)
If not specified when creating the field (as in ssn
and pay_rate
above), fields are encrypted according to the following settings:
PGCRYPTO_DEFAULT_CIPHER
(only aes
is currently supported) - The default algorithm to use when encrypting fields.PGCRYPTO_DEFAULT_KEY
(default: settings.SECRET_KEY
) - The default key to use for encryption.You must also make sure the pgcrypto extension is installed in your database. Django makes this easy with a CryptoExtension migration.
It is possible to filter on encrypted fields as you would normal fields via exact
, gt
, gte
, lt
, lte
, contains
, icontains
, startswith
, istartswith
, endswith
, and iendswith
lookups. For example, querying the model above is possible like so:
Employee.objects.filter(date_hired__gt="1981-01-01", salary__lt=60000)
This library encrypts and encodes data in a way that works with pgcrypto's raw encryption functions. All the warnings there about using direct keys and the lack of integrity checking apply here.
This library also predates Django's BinaryField, which is why the fields are essentially TextField
s that store armored encrypted data. This may or may not be ideal for your application, and a hypothetical future version might include a switch to store binary data.
FAQs
Python and Django utilities for encrypted fields using pgcrypto.
We found that django-pgcrypto demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
A deceptive PyPI package posing as an Instagram growth tool collects user credentials and sends them to third-party bot services.
Product
Socket now supports pylock.toml, enabling secure, reproducible Python builds with advanced scanning and full alignment with PEP 751's new standard.
Security News
Research
Socket uncovered two npm packages that register hidden HTTP endpoints to delete all files on command.