
Access email before it's hashed?

Open binarymist opened this issue 8 years ago • 9 comments

Hi, and thanks for the hard work on this project.

Is there a way using the staticman API to somehow access the commenter's email (if I've configured it to be md5'd (because that's just the right thing to do))? Obviously we don't want it in a PR, but it could be sent in the email notification ethically. How about technically? Is this possible?

Thanks.

binarymist avatar Dec 29 '17 22:12 binarymist

I see this is possible if the commenter subscribes via mailgun, but is there any other way? Is this a feature that we could look at doing?

binarymist avatar Jan 01 '18 06:01 binarymist

...

binarymist avatar Jan 17 '18 03:01 binarymist

I'm not sure I understand the use case. Where would you want to access the email address from?

eduardoboucas avatar Mar 17 '18 13:03 eduardoboucas

"sent in the email notification", as in, commenter submits comment, email notification comes through with poster's email address?

binarymist avatar Mar 17 '18 21:03 binarymist

You could use PKI to encrypt the email yourself and send it as a separate field. Then it would exist (encrypted) in the PR and in your repo, but only you would be able to decrypt it.

StephenCleary avatar Jun 07 '18 17:06 StephenCleary

To add to my last comment, right before the email address is md5'd (in staticman SaaS) could it be emailed to the website owner via mailgun?

@StephenCleary : Yip, that's a great idea. The website owner would have to provide the public key as a hidden field (possibly one of the form fields) as the website visitor posts, the usual md5 process as it is currently in staticman could be modified to encrypt the email address using the supplied public key, as opposed to how it's done now with single key, which only staticman has. Then the only person that can view the email address would be the website owner that has the private key to decrypt.

This sounds pretty doable. What have we missed?

binarymist avatar Jun 08 '18 00:06 binarymist

If you're willing to stick to modern browsers, you can encrypt it entirely client-side with the Web Crypto API.

StephenCleary avatar Jun 08 '18 01:06 StephenCleary

True, I'll have to have a play with this. Some resources I wrote for others that want to try this:

  • risks: https://f1.holisticinfosecforwebdevelopers.com/chap06.html#web-applications-identify-risks-cryptography-on-the-client
  • countermeasures: https://f1.holisticinfosecforwebdevelopers.com/chap06.html#web-applications-countermeasures-cryptography-on-the-client

binarymist avatar Jun 08 '18 01:06 binarymist

Just wrote up a proof-of-concept: a webpage that encrypts using WebCrypto and a C# console app that decrypts the values.

However, this solution is limited to browsers that support WebCrypto, and a lot of the mobile browsers do not. A fallback to an API call (or a feature of Staticman) would be necessary to cover all cases. A simple "encrypt" serverless API should be easy enough to write up; perhaps I'll get around to it...

StephenCleary avatar Jun 09 '18 03:06 StephenCleary