Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

issue-166 selecting encryption engine based on queryable parameter #499

Open
wants to merge 2 commits into
base: master
Choose a base branch
from

Conversation

MichaelCG8
Copy link

@MichaelCG8 MichaelCG8 commented Feb 14, 2021

issue-166 selecting encryption engine based on queryable parameter and documenting security considerations.

From issue #166

  • Removed user-configured engine selection and default to an internal selection of the FernetEngine.
  • Add the queryable parameter that switches to the as-standing AesEngine.
  • Add a warning block in the documentation that explains what the security risk is.
  • Make clear in the documentation that EncryptedType inherits from StringEncryptedType.
  • Add docstring of StringEncryptedType to the documentation.
  • Add notes about engines to StringEncryptedType docstring.
  • Update StringEncryptedType docstring to not reference EncryptedType.
  • Explain in the docstring of each engine whether searching is possible and if it is secure.

sbrunner added a commit to camptocamp/redirect that referenced this pull request Apr 7, 2022
```
  +==============================================================================+
  |                                                                              |
  |                               /$$$$$$            /$$                         |
  |                              /$$__  $$          | $$                         |
  |           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
  |          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
  |         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
  |          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
  |          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
  |         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
  |                                                          /$$  | $$           |
  |                                                         |  $$$$$$/           |
  |  by pyup.io                                              \______/            |
  |                                                                              |
  +==============================================================================+
  | REPORT                                                                       |
  | checked 54 packages, using free DB (updated once a month)                    |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | sqlalchemy-utils           | 0.38.2    | >=0.27.0                 | 42194    |
  +==============================================================================+
  | Sqlalchemy-utils from version 0.27.0 'EncryptedType' uses by default AES     |
  | with CBC mode. The IV that it uses is not random though.                     |
  | kvesteri/sqlalchemy-utils#166                      |
  | kvesteri/sqlalchemy-utils#499                        |
  +==============================================================================+
  | ujson                      | 5.1.0     | <=5.1.0                  | 46499    |
  +==============================================================================+
  | UltraJSON (aka ujson) through 5.1.0 has a stack-based buffer overflow in     |
  | Buffer_AppendIndentUnchecked (called from encode). Exploitation can, for     |
  | example, use a large amount of indentation.                                  |
  +==============================================================================+
```
sbrunner added a commit to camptocamp/redirect that referenced this pull request Apr 7, 2022
```
  +==============================================================================+
  |                                                                              |
  |                               /$$$$$$            /$$                         |
  |                              /$$__  $$          | $$                         |
  |           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$           |
  |          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$           |
  |         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$           |
  |          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$           |
  |          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$           |
  |         |_______/  \_______/|__/     \_______/   \___/   \____  $$           |
  |                                                          /$$  | $$           |
  |                                                         |  $$$$$$/           |
  |  by pyup.io                                              \______/            |
  |                                                                              |
  +==============================================================================+
  | REPORT                                                                       |
  | checked 54 packages, using free DB (updated once a month)                    |
  +============================+===========+==========================+==========+
  | package                    | installed | affected                 | ID       |
  +============================+===========+==========================+==========+
  | sqlalchemy-utils           | 0.38.2    | >=0.27.0                 | 42194    |
  +==============================================================================+
  | Sqlalchemy-utils from version 0.27.0 'EncryptedType' uses by default AES     |
  | with CBC mode. The IV that it uses is not random though.                     |
  | kvesteri/sqlalchemy-utils#166                      |
  | kvesteri/sqlalchemy-utils#499                        |
  +==============================================================================+
  | ujson                      | 5.1.0     | <=5.1.0                  | 46499    |
  +==============================================================================+
  | UltraJSON (aka ujson) through 5.1.0 has a stack-based buffer overflow in     |
  | Buffer_AppendIndentUnchecked (called from encode). Exploitation can, for     |
  | example, use a large amount of indentation.                                  |
  +==============================================================================+
```
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant