Decrypt file

packages/backend-core/src/security/encryption.ts

@@ -7,9 +7,11 @@ import { join } from "path"
 const ALGO = "aes-256-ctr"
 const SEPARATOR = "-"
 const ITERATIONS = 10000
-const RANDOM_BYTES = 16
 const STRETCH_LENGTH = 32
 
+const SALT_LENGTH = 16
+const IV_LENGTH = 16
+
 export enum SecretOption {
   API = "api",
   ENCRYPTION = "encryption",
@@ -42,7 +44,7 @@ export function encrypt(
   input: string,
   secretOption: SecretOption = SecretOption.API
 ) {
-  const salt = crypto.randomBytes(RANDOM_BYTES)
+  const salt = crypto.randomBytes(SALT_LENGTH)
   const stretched = stretchString(getSecret(secretOption), salt)
   const cipher = crypto.createCipheriv(ALGO, stretched, salt)
   const base = cipher.update(input)
@@ -74,13 +76,15 @@ export async function encryptFile(
   const inputFile = fs.createReadStream(filePath)
   const outputFile = fs.createWriteStream(join(dir, outputFileName))
 
-  const salt = crypto.randomBytes(RANDOM_BYTES)
+  const salt = crypto.randomBytes(SALT_LENGTH)
+  const iv = crypto.randomBytes(IV_LENGTH)
   const stretched = stretchString(secret, salt)
-  const cipher = crypto.createCipheriv(ALGO, stretched, salt)
+  const cipher = crypto.createCipheriv(ALGO, stretched, iv)
 
-  const encrypted = inputFile.pipe(cipher).pipe(zlib.createGzip())
+  outputFile.write(salt)
+  outputFile.write(iv)
 
-  encrypted.pipe(outputFile)
+  inputFile.pipe(cipher).pipe(outputFile)
 
   return new Promise<{ filename: string; dir: string }>(r => {
     outputFile.on("finish", () => {
@@ -91,3 +95,54 @@ export async function encryptFile(
     })
   })
 }
+
+export async function decryptFile(
+  inputPath: string,
+  outputPath: string,
+  secret: string
+) {
+  const inputFile = fs.createReadStream(inputPath)
+  const outputFile = fs.createWriteStream(outputPath)
+
+  const salt = await readBytes(inputFile, SALT_LENGTH)
+  const iv = await readBytes(inputFile, IV_LENGTH)
+
+  const stretched = stretchString(secret, salt)
+  const decipher = crypto.createDecipheriv(ALGO, stretched, iv)
+
+  fs.createReadStream(inputPath, { start: SALT_LENGTH + IV_LENGTH })
+    .pipe(decipher)
+    .pipe(outputFile)
+
+  return new Promise<void>(r => {
+    outputFile.on("finish", () => {
+      r()
+    })
+  })
+}
+
+function readBytes(stream: fs.ReadStream, length: number) {
+  return new Promise<Buffer>((resolve, reject) => {
+    let bytesRead = 0
+    const data: Buffer[] = []
+
+    stream.on("readable", () => {
+      let chunk
+
+      while ((chunk = stream.read(length - bytesRead)) !== null) {
+        data.push(chunk)
+        bytesRead += chunk.length
+      }
+
+      resolve(Buffer.concat(data))
+    })
+
+    stream.on("end", () => {
+      reject(new Error("Insufficient data in the stream."))
+    })
+
+    stream.on("error", (error: any) => {
+      reject(error)
+    })
+  })
+}

packages/server/src/api/controllers/backup.ts

@@ -4,13 +4,14 @@ import { DocumentType } from "../../db/utils"
 import { isQsTrue } from "../../utilities"
 
 export async function exportAppDump(ctx: any) {
-  let { appId, excludeRows = false, encryptPassword } = ctx.query
+  let { appId, excludeRows = false, encryptPassword = "password" } = ctx.query
   // remove the 120 second limit for the request
   ctx.req.setTimeout(0)
   const appName = decodeURI(ctx.query.appname)
   excludeRows = isQsTrue(excludeRows)
-  const extension = encryptPassword ? "enc.tar.gz" : "tar.gz"
+  const backupIdentifier = `${appName}-export-${new Date().getTime()}${
-  const backupIdentifier = `${appName}-export-${new Date().getTime()}.${extension}`
+    encryptPassword ? "-enc" : ""
+  }.tar.gz`
   ctx.attachment(backupIdentifier)
   ctx.body = await sdk.backups.streamExportApp({
     appId,

packages/server/src/sdk/app/backups/imports.ts

@@ -1,4 +1,4 @@
-import { db as dbCore, objectStore } from "@budibase/backend-core"
+import { db as dbCore, encryption, objectStore } from "@budibase/backend-core"
 import { Database, Row } from "@budibase/types"
 import { getAutomationParams, TABLE_ROW_PREFIX } from "../../../db/utils"
 import { budibaseTempDir } from "../../../utilities/budibaseDir"
@@ -20,6 +20,7 @@ type TemplateType = {
   file?: {
     type: string
     path: string
+    password?: string
   }
   key?: string
 }
@@ -123,6 +124,15 @@ export function untarFile(file: { path: string }) {
   return tmpPath
 }
 
+async function decryptFiles(path: string) {
+  for (let file of fs.readdirSync(path)) {
+    const inputPath = join(path, file)
+    const outputPath = inputPath.replace(/\.enc$/, "")
+    await encryption.decryptFile(inputPath, outputPath, "password")
+    fs.rmSync(inputPath)
+  }
+}
+
 export function getGlobalDBFile(tmpPath: string) {
   return fs.readFileSync(join(tmpPath, GLOBAL_DB_EXPORT_FILE), "utf8")
 }
@@ -143,6 +153,9 @@ export async function importApp(
     template.file && fs.lstatSync(template.file.path).isDirectory()
   if (template.file && (isTar || isDirectory)) {
     const tmpPath = isTar ? untarFile(template.file) : template.file.path
+    if (isTar && template.file.password) {
+      await decryptFiles(tmpPath)
+    }
     const contents = fs.readdirSync(tmpPath)
     // have to handle object import
     if (contents.length) {