added encrypting sensitive data

kortirso · May 24, 2024 · 37aaf43 · 37aaf43
1 parent e69d9d5
commit 37aaf43
Show file tree

Hide file tree

Showing 12 changed files with 125 additions and 5 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,9 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
 ## Unreleased
+### Added
+- encrypting sensitive data
+
 ### Modified
 - LICENSE
 

diff --git a/README.md b/README.md
@@ -48,6 +48,12 @@ $ rails server -e test -p 5002
 $ yarn run cypress run --project ./spec/e2e
 ```
 
+### Sensitive information leaks
+
+```bash
+$ bearer scan .
+```
+
 ## Process
 
 ### Starting new week

diff --git a/app/javascript/components/atoms/Toggle.jsx b/app/javascript/components/atoms/Toggle.jsx
@@ -12,7 +12,10 @@ export const Toggle = ({ header, children }) => {
  <Chevron className={isOpen ? 'transition-transform rotate-180' : 'transition-transform rotate-0'} />
  </div>
  {children && isOpen ? (
- <div dangerouslySetInnerHTML={{ __html: children }} className="px-4 pb-4 bg-white border-t border-stone-300"></div>
+ <div
+ dangerouslySetInnerHTML={{ __html: sanitize(children) }}
+ className="px-4 pb-4 bg-white border-t border-stone-300"
+ ></div>
  ) : null}
  </div>
  );

diff --git a/app/models/identity.rb b/app/models/identity.rb
@@ -4,6 +4,8 @@ class Identity < ApplicationRecord
  TELEGRAM = 'telegram'
  GOOGLE = 'google'
 
+ encrypts :email, deterministic: true
+
  belongs_to :user
 
  enum provider: { TELEGRAM => 0, GOOGLE => 1 }

diff --git a/app/models/user.rb b/app/models/user.rb
@@ -5,6 +5,9 @@ class User < ApplicationRecord
  include Leagueable
  include Kudos::Achievementable
 
+ encrypts :email, deterministic: true
+ encrypts :username, deterministic: true
+
  has_secure_password
  has_secure_token :confirmation_token, length: 24
  has_secure_token :restore_token, length: 24

diff --git a/bearer.ignore b/bearer.ignore
@@ -0,0 +1,44 @@
+{
+ "e5e17cede9a731da09a639c9c78af007_0": {
+ "author": "Bogdanov Anton",
+ "comment": "Application-level encryption is used",
+ "false_positive": true,
+ "ignored_at": "2024-05-24T06:55:59Z"
+ },
+ "e5e17cede9a731da09a639c9c78af007_1": {
+ "author": "Bogdanov Anton",
+ "comment": "Player information, not a sensitive data",
+ "false_positive": true,
+ "ignored_at": "2024-05-24T06:56:47Z"
+ },
+ "e5e17cede9a731da09a639c9c78af007_2": {
+ "author": "Bogdanov Anton",
+ "comment": "Player information, not a sensitive data",
+ "false_positive": true,
+ "ignored_at": "2024-05-24T06:57:08Z"
+ },
+ "e5e17cede9a731da09a639c9c78af007_3": {
+ "author": "Bogdanov Anton",
+ "comment": "Player information, not a sensitive data",
+ "false_positive": true,
+ "ignored_at": "2024-05-24T06:57:44Z"
+ },
+ "e5e17cede9a731da09a639c9c78af007_4": {
+ "author": "Bogdanov Anton",
+ "comment": "Application-level encryption is used",
+ "false_positive": true,
+ "ignored_at": "2024-05-24T06:58:32Z"
+ },
+ "e5e17cede9a731da09a639c9c78af007_5": {
+ "author": "Bogdanov Anton",
+ "comment": "Application-level encryption is used",
+ "false_positive": true,
+ "ignored_at": "2024-05-24T06:58:54Z"
+ },
+ "ef0222913dafff59dac28ef69eba306a_0": {
+ "author": "Bogdanov Anton",
+ "comment": "using default md5 hashing",
+ "false_positive": true,
+ "ignored_at": "2024-05-24T06:43:49Z"
+ }
+}
diff --git a/bearer.yml b/bearer.yml
@@ -0,0 +1,29 @@
+disable-version-check: false
+log-level: info
+report:
+ fail-on-severity: critical,high,medium,low
+ format: ""
+ no-color: false
+ output: ""
+ report: security
+ severity: critical,high,medium,low,warning
+rule:
+ disable-default-rules: false
+ only-rule: []
+ skip-rule: []
+scan:
+ context: ""
+ data_subject_mapping: ""
+ disable-domain-resolution: true
+ domain-resolution-timeout: 3s
+ exit-code: -1
+ external-rule-dir: []
+ force: false
+ hide_progress_bar: false
+ internal-domains: []
+ parallel: 0
+ quiet: false
+ scanner:
+ - sast
+ skip-path: ["db/seeds/*"]
+ skip-test: true
diff --git a/config/application.rb b/config/application.rb
@@ -56,6 +56,10 @@ class Application < Rails::Application
  g.helper false
  end
 
+ # allow encrypted and unencrypted data to co-exist
+ config.active_record.encryption.support_unencrypted_data = true
+ config.active_record.encryption.extend_queries = true
+
  # Catch 404s
  config.after_initialize do |app|
  app.routes.append { match '*path', to: 'application#page_not_found', via: :all }

diff --git a/config/credentials.yml.enc b/config/credentials.yml.enc
@@ -1 +1 @@
-yWrn/QRPVRUzn8J91ayTCnMTcaX4Kvu/Xf+V0NnsdefUcC1feFK6WBAbzcqyNJmhkq51wwP98F4ukHwT1gN6yUXA4cAA5cplLmjDA2VBp0NGbX/HIkO1duTwIJ/VKIE53KWCQHYSXtcPbxx9ycFXpPVMoQJNXjC5qETgpOr44OZJguGDMNWq68+K0j9T24l4tSyGcBskQEo6PD9VWsiVn9toxwo/YxV3YIm2lN5f1tmbpKsRNgjnLnXCnEli/qVONtua6+I/dGNd/DltmFR2yWbt3hYs+pCVIyQ4v0DMd9Si9SDigXNA5rQT6MSL5mc9tQJmjOc7eb44QoN83Ka9kD3FxduJwsE6Y5gSEyeidMuEvkXpJJF8Va4DeTvZ7EBmXqfCTuQWuDs4D1DoYGTx89FcXCcMWpyIJMKhT98MaINYJuOqMGkPpe20lFvcKDMBJhhkBvrVQkC3grJYZ1v+ajXrJBNKROkek1oEtEtcnZClW6lzJZccY8Qz187YZ6HME6v7tV1kli1jDvjDwN1NiXXDk4Wg0A1kisCMMO0cK9PulTvktVNJq0JMZJHGpzsMnNA0b9cjg5a9DmPYz4PWGd4+iSdCOQFYxr9Sy4GP8eiyg8gCgeBFCNhLZXji+7eSAocyTml6txQQVG5YUNVdVzKf/aZRCHTKcNm/eL4JO7R0QB/JaR0DjEfxR28JJ0Ytr3lZeM4xio2dgvV3yxrPeTBxG66cyA7kW4Lh6hZCuc0By1s994MCOw36aU8V+nssKufxLGq0XHS3lgFX3BUMiwYpe5sqaYhpXuimvz0z0IUH+3LKrsVJ+EVgdC3nVp7Y/0oEeG8LoP2uE5EqyXrYjmAioc0zd1gGPi7ZDgXwjezsWtpgZ2T0IN+MjXqcv92q3TZ2ozMWtKkkq142NUJLCT6maJkjms+S47n6Urwph2O0+umu38znXicPhG7yf0RNa7Xgq/qIpBsus1DjdTUEnkgTJhomgqAqH72sJ4SOmr6mbG3B4fENo4J2G0Ph85OOdAG9RUZRNI4mOCazvnp3wvM5lf7MUy46g9OVr54A2AgzaSwVd2XhrfJwXV5gfViUxQeftImP69rZBIo9Q3W1QVeDMXhY4r1/VzU/9z/uLErK3u/u6Wx7wic4sfSIdI3sGN+9BSakW7x/ff2hwbfDMnec0QWEKKI7r019Rhx6zDiP6Z90kCcLeRj08SRBSHr7dxf5kqwoVnVP5XnCajK6EO/XbxgXHOaGwvVNEW1nswoCbA06oDjxFv8Zpw2/NgNXHOF7ncKH+8RbnzLmjOsDbgTmvfmHz76OUP2gb+qwveUR+pn+hqUQeVZzESnpX3Hm3h2ueZWnl3NubN6lnoSlAlMbuvwJgM9uFsCHoxeAX+J0Jv4Nuh1Xywb5E+S2vegJXpSVlGu9LwPh5oPfvESKuXYkoi4GCn7y2wLfAnNVgG+ibXsNN8EZbWZbKaOsMkpjO/J8UsUDrIu4PLjVLdqdx15DW9xbxF8WybxwI9DpWH+pdCdEVi1/8Rt3ZE8jpNF9ndUoKH6g88XiO/S57JoG8t+uc1xfXFpR5p3NAcunU2k4gBT7a0pR6yHEwEoZXOhS3s8erqvz8MxEtMBEESxY2qDd2jO6WTbqixRIV0YuxdASDUtW4kmIDzP6TumSvChGdm0lL261Ne21CPcfVIkpA83rBcjnCXJ4cNtNMO4TuzRU3za8oxzPvQVCwjEgWYycbf5jrP67IigqUKN+rjWRUtpsF4mSXVnyOzYZtAPLrSUSgs/c6JYU6fIsWDXfMtupmg6wV/mfvZ+nNaxr/WC8qeiqs2ypCVM/NWpzKXM2Pkm1XtaWRo/q0NFhkbSwsUD6grIVNWmhaXQx5at82NGjXWE1IOecL+O6BrzzGgdggt9zkG+HF/lxkVDnt97lSJPhaa1ZvnWJteWImge1fRwOLBbetdiguTA2nxsfZSZjFMlZB0CkUd2qSbJgp5IcP2+R9S13G4sTijrb4JnvFSvK/C3p2oIDbZRBCkKO134WbGn7ZmfzEaAGvfYlo0q70/9vFVQQNHnTVK8YUHZhtHZJV4Y0anfVGdxorA2sK3MgU/Rs7FB1dvX6JaIBUD/968nIh3005uPAAyE8cAh/PnScyC8pM3JFVYJqkYOwANDE8rk1IAn9uOtO8RlRom1mn2jUJ90K6IZBXXWC9TeEGpBLP0w4KecUQXtVQsBUToS3HOfi8JFh+4uxf1gjAqJ74OJxLWtM5ZOCyui7OFK8JwgGgs7GbtCdpEQbMEpoZUNpkylHXlKUkpX/Yb2q2xAl19k7mVqBVQTHI2r+6U80PxfUHAn1oJKi7PUqrKsY5aZ5cw==--KJAL+Inihta1Z5yC--4zMeBuyffQpWpDvEZ4Gmxg==
+WXFvV9WTuyfFsCLm/Vou4Rzn6/+fQKGBOSK/6EQgVom/30EQxth4QW+cq+QsO4cQE3rVrlVOin/0LJC6TZqvPOXUeWHcdVRfHBwByChitISFm0/Xoxr/XIGh3/mcZqy7kREowwjYes/dhAqftBmbpPigUWQ+pcTCIe3Q272GwqTDAxrS3II+iIW8kUqMKDCMhuPHYGP6/7DnRA+qr/gmg91cD5r5JHsl9POgEBdOTXj82gib6Y0tM0uWGC5PLYYQcjzDcva3q8mau/M6h4bwlSefgfiS8YEHjaXmxv4YYzxt/VXNhZehg1TWGqqctKsGl+WB0oCmP/42JQN72cKrXsJeicWJDNPhu/19E/JyUqHnKqahXOvlDYxVC7xbR5NORkek6I+1KReil00Xm+nNShaIQZOYJDq+9dMiIoluyF5n4XujfqBooG3HrGHg/ll9uHZQjVzGmy3v+sKFlj/Ry9VO4quLq+waxKNmDmN0uF2hD0zF1xDM6RlwbeyerY1zZOTbM4wWBXFzbjF65BXeHosq/cX6HdBX+drvnxfIj3e3BQdvnWps3Le+Lnb/EwWvDrp4nKfJLlxDt2maBJ7LXeZsjHKVf85wOef1syHfRy7ARhYKaZcCchCZSYkwQQ6GryQCqXBqOA2AY3gOMvHkCdZ4wGFPa1bm1QfWb75a41RI4EWEcDNdIhrbWE4aucM7qCPz0LSysh2EkHY6BxdD9yL/RzqtXTYu1MIOWA/V1c8POq+KTTr4NvmRWFunBFqpXHsqPnaZC54rGmz4qyWYSy1Ljhy7lOgrII15bekO2AtlPY3PE5PFRPyyS29vJhtqvYwfJWbQ6wXndMzCP/+XsWkqrPkCat2wFL56RDtW7DlsjfMCTmb+3fVUWsXv1u+rRl1dtn3ZN+GG9safcKbjZ0tz7dfIfCL1lyRF0YagUuptDCjpHAhlWR5kH6qpXCuLEA4mWF5hyqRHFrrD107k7F5fo1G7ZF/W6cAYXdwv4f51DyrGp6PwAHq5ITgwqTUdKlBOGGNzDDSs2kVZffIiDmHnDa8DPl6fx+d9vab4IUqAIDWRG6O70v7VomJq40RLeKzO94ky0okY2YjcHqDtFmnCSjlfghXYGSMFayH4Jj61FnfDUrPMxgZZikKCRlQ6I8Xy35sR6j654lnIbws3EpF0rM69pw+R1+NkaT6cpr2IGaANJwqRKqCl6sioCsYnmDs+xr+CUgOQzZE0jc38rDLComCZQRw8AweTBL/mHS35SDDUB9uqt2H6HPfu8yyMUBysJ5ecO+0uHMnX4/z8SdlLzNuoI/8FP9WBbBtWTrZvVuvhMYwxmhY4+K12haYQU81V5E6zuY22kKIVdn1GV4OZZyMLPO3BfB1zMB58M1uNmVck7x/Ups4MBSxJMowCRgdHTE15V3h8Zqu592WQ4Bc4/kDcYHkUP8DCQIZWdkWMUVdWWpHr4PA7n69FmN2Dam2/tCMjuk4U+g+T4/HpJt5P73dF6GHbWZ+ie6fMnL1ZHFPHP+OMUuSi7k0/cWXrUbSAhcyTVp+4IAF6I6JWd6tww/wlhionHyvEyFIOJ04GwfX8+PHzr8nsMhhHIYho27zHUOk9zp9pNsCkdsh9CpzT2LItJKzHlUZTjEPR1ZykMMXhDwjxPjas3gsXbEbDg9r7xqhOCKM2FDwYyb3OYjhLkDdsQ9i7oN9rZcML/Z2QqFlD1IvvLZtuZpjFABwJTLI1ZvCQ8ER35K0d2nLk//HukKwR/sg0iLaThm9reMNF44K+dsT6JyAfAtFDAvuUEHqR/ahp8dIsILWHGifK1T+Tsb1DXwEeqvqa7xPaPLryt1Jrzz748QLSkH5oZ7nNZfPlgT/1o/VZaj24TbYdWK/8+HK7jWbl+WJTxmMqmqp9g/CAMmg1dROFQyO1Pck+Cy2ZHhiij8xkctSVZ5V+CO8FsQm9+xp/BdkWzr3bvkYwW1gwxcD0KFN7CXJ+eNS5w+nCkH3MC71Bc5jp6YLx8T4loEk3vCvaYiGgtIvzLWnGQ2qvDuDNBnD7hFES6wHfTpEOeGfo1FMlK4t2YqJnlYqM3fiSm+n9rTPsceWy9hARhTgzsYN1JYI/+cyrJDG3ZO1cGWogmb7rWtZVExqtLHryMMtg1vPMpkObzG/cgi8cWa+syhVm8AMfNVKw0eoIldr0heU5IlybMb5r2bF8DzQ1ajkozVUHuk3uvKFgmJYqy29aNFBCqVMVSuk5m7CovYgfydSLMKHQ2MIPYujqiHWCs/qJmEshq7iGMbzpYPoic8OapNBbkCLtifMhu7ly4Tvr9ZY8niLmc0QtzAoa79Y2jTu9eFwBSOPSntnVXBNHfTfA2IvnBLEYJDUb0IfCZY39bq8OPpWV3pWHke7bgXmNSZMI064DWg79gn134lftP7G4/5pNjUNwY6oQs+5gbFoLtXEcs8yFqte3u/5edZVU7UDQCZSjn20glbh6186RSg7+VMNZIgKQnPF6nETGMeE7cZrvUQD57sYxlgf6T5hjdjPtHwgQeY19Z23qpT1x3AVY5/xoCcmlRo9NiEjT2wh2Bq12XgeMLxE1bcb8PwNsfxxu2Ofq--bWq9wSdc7RtTwezf--unIWVAftuFgjuIzCnA2Q2w==
diff --git a/config/environments/test.rb b/config/environments/test.rb
@@ -63,6 +63,10 @@
 
  # Annotate rendered view with file names.
  # config.action_view.annotate_rendered_view_with_filenames = true
+
+ config.active_record.encryption.primary_key = '1234567890qwertyuiopQWERTYUIOPas'
+ config.active_record.encryption.deterministic_key = 'QWERTYUIOPqwertyuiop1234567890as'
+ config.active_record.encryption.key_derivation_salt = 'qwertyuiop1234567890QWERTYUIOPas'
 end
 
 Rails.application.default_url_options = Rails.application.config.action_mailer.default_url_options
diff --git a/db/migrate/20240524064924_change_fields_for_encryption.rb b/db/migrate/20240524064924_change_fields_for_encryption.rb
@@ -0,0 +1,21 @@
+class ChangeFieldsForEncryption < ActiveRecord::Migration[7.1]
+ def up
+ safety_assured do
+ change_column :users, :username, :text
+ change_column :users, :email, :text
+ change_column :identities, :email, :text
+ end
+ end
+
+ def down
+ safety_assured do
+ # encrypted value could have length more than 255 symbols
+ User.find_each(&:decrypt)
+ Identity.find_each(&:decrypt)
+
+ change_column :users, :email, :string
+ change_column :users, :username, :string
+ change_column :identities, :email, :string
+ end
+ end
+end
diff --git a/db/structure.sql b/db/structure.sql
@@ -950,7 +950,7 @@ CREATE TABLE public.identities (
  uid character varying NOT NULL,
  provider integer DEFAULT 0 NOT NULL,
  login character varying,
- email character varying,
+ email text,
  created_at timestamp(6) without time zone NOT NULL,
  updated_at timestamp(6) without time zone NOT NULL
 );
@@ -1871,7 +1871,7 @@ ALTER SEQUENCE public.transfers_id_seq OWNED BY public.transfers.id;
 
 CREATE TABLE public.users (
  id bigint NOT NULL,
- email character varying DEFAULT ''::character varying,
+ email text DEFAULT ''::character varying,
  password_digest character varying DEFAULT ''::character varying NOT NULL,
  created_at timestamp(6) without time zone NOT NULL,
  updated_at timestamp(6) without time zone NOT NULL,
@@ -1882,7 +1882,7 @@ CREATE TABLE public.users (
  locale character varying DEFAULT 'en'::character varying NOT NULL,
  reset_password_sent_at timestamp(6) without time zone,
  banned_at timestamp(6) without time zone,
- username character varying
+ username text
 );
 
 
@@ -3271,6 +3271,7 @@ ALTER TABLE ONLY public.kudos_achievements
 SET search_path TO "$user", public;
 
 INSERT INTO "schema_migrations" (version) VALUES
+('20240524064924'),
 ('20240417155344'),
 ('20240329062740'),
 ('20240327093404'),