Removing hash ids from model for security reasons. For explanation and replacement see https://paragonie.com/blog/2015/09/comprehensive-guide-url-parameter-encryption-in-php

lonnieezell · lonnieezell · commit f87ffec26b0d · 2017-11-12T23:03:48.000-06:00
diff --git a/system/Model.php b/system/Model.php
@@ -435,142 +435,6 @@ public function first()
 
 	//--------------------------------------------------------------------
 
-	/**
-	 * Finds a single record by a "hashed" primary key. Used in conjunction
-	 * with $this->getIDHash().
-	 *
-	 * THIS IS NOT VALID TO USE FOR SECURITY!
-	 *
-	 * @param string $hashedID
-	 *
-	 * @return array|null|object
-	 */
-	public function findByHashedID(string $hashedID)
-	{
-		return $this->find($this->decodeID($hashedID));
-	}
-
-	//--------------------------------------------------------------------
-
-	/**
-	 * Returns a "hashed id", which isn't really hashed, but that's
-	 * become a fairly common term for this. Essentially creates
-	 * an obfuscated id, intended to be used to disguise the
-	 * ID from incrementing IDs to get access to things they shouldn't.
-	 *
-	 * THIS IS NOT VALID TO USE FOR SECURITY!
-	 *
-	 * Note, at some point we might want to move to something more
-	 * complex. The hashid library is good, but only works on integers.
-	 *
-	 * @see http://hashids.org/php/
-	 * @see http://raymorgan.net/web-development/how-to-obfuscate-integer-ids/
-	 *
-	 * @param int|string $id
-	 *
-	 * @return string|false
-	 */
-	public function encodeID($id)
-	{
-		// Strings don't currently have a secure
-		// method, so simple base64 encoding will work for now.
-		if ( ! is_numeric($id))
-		{
-			return '=_' . base64_encode($id);
-		}
-
-		$id = (int) $id;
-		if ($id < 1)
-		{
-			return false;
-		}
-		if ($id > pow(2, 31))
-		{
-			return false;
-		}
-
-		$segment1 = $this->getHash($id, 16);
-		$segment2 = $this->getHash($segment1, 8);
-		$dec = (int) base_convert($segment2, 16, 10);
-		$dec = ($dec > $id) ? $dec - $id : $dec + $id;
-		$segment2 = base_convert($dec, 10, 16);
-		$segment2 = str_pad($segment2, 8, '0', STR_PAD_LEFT);
-		$segment3 = $this->getHash($segment1 . $segment2, 8);
-		$hex = $segment1 . $segment2 . $segment3;
-		$bin = pack('H*', $hex);
-		$oid = base64_encode($bin);
-		$oid = str_replace(['+', '/', '='], ['$', ':', ''], $oid);
-
-		return $oid;
-	}
-
-	//--------------------------------------------------------------------
-
-	/**
-	 * Decodes our hashed id.
-	 *
-	 * @see http://raymorgan.net/web-development/how-to-obfuscate-integer-ids/
-	 *
-	 * @param string $hash
-	 *
-	 * @return mixed
-	 */
-	public function decodeID($hash)
-	{
-		// Was it a simple string we encoded?
-		if (substr($hash, 0, 2) == '=_')
-		{
-			$hash = substr($hash, 2);
-
-			return base64_decode($hash);
-		}
-
-		if ( ! preg_match('/^[A-Z0-9\:\$]{21,23}$/i', $hash))
-		{
-			return 0;
-		}
-		$hash = str_replace(['$', ':'], ['+', '/'], $hash);
-		$bin = base64_decode($hash);
-		$hex = unpack('H*', $bin);
-		$hex = $hex[1];
-		if ( ! preg_match('/^[0-9a-f]{32}$/', $hex))
-		{
-			return 0;
-		}
-		$segment1 = substr($hex, 0, 16);
-		$segment2 = substr($hex, 16, 8);
-		$segment3 = substr($hex, 24, 8);
-		$exp2 = $this->getHash($segment1, 8);
-		$exp3 = $this->getHash($segment1 . $segment2, 8);
-		if ($segment3 != $exp3)
-		{
-			return 0;
-		}
-		$v1 = (int) base_convert($segment2, 16, 10);
-		$v2 = (int) base_convert($exp2, 16, 10);
-		$id = abs($v1 - $v2);
-
-		return $id;
-	}
-
-	//--------------------------------------------------------------------
-
-	/**
-	 * Used for our hashed IDs. Requires $salt to be defined
-	 * within the Config\App file.
-	 *
-	 * @param string $str
-	 * @param int    $len
-	 *
-	 * @return string
-	 */
-	protected function getHash($str, $len)
-	{
-		return substr(hash('sha256', $str . $this->salt), 0, $len);
-	}
-
-	//--------------------------------------------------------------------
-
 	/**
 	 * A convenience method that will attempt to determine whether the
 	 * data should be inserted or updated. Will work with either
diff --git a/tests/system/Database/Live/ModelTest.php b/tests/system/Database/Live/ModelTest.php
@@ -30,48 +30,6 @@ public function setUp()
 
 	//--------------------------------------------------------------------
 
-	public function testHashIDsWithNumber()
-	{
-	    $expected = '123';
-
-		$str = $this->model->encodeID($expected);
-
-		$this->assertNotEquals($expected, $str);
-
-		$this->assertEquals($expected, $this->model->decodeID($str));
-	}
-
-	//--------------------------------------------------------------------
-
-	public function testHashIDsWithString()
-	{
-		$expected = 'my test hash';
-
-		$str = $this->model->encodeID($expected);
-
-		$this->assertNotEquals($expected, $str);
-
-		$this->assertEquals($expected, $this->model->decodeID($str));
-	}
-
-	//--------------------------------------------------------------------
-
-	public function testHashedIdsWithFind()
-	{
-		$hash = $this->model->encodeId(4);
-
-		$this->model->setTable('job')
-					->withDeleted();
-
-		$user = $this->model->asObject()
-							->findByHashedID($hash);
-
-		$this->assertNotEmpty($user);
-		$this->assertEquals(4, $user->id);
-	}
-
-	//--------------------------------------------------------------------
-
 	public function testFindReturnsRow()
 	{
 	    $model = new JobModel($this->db);
diff --git a/user_guide_src/source/database/model.rst b/user_guide_src/source/database/model.rst
@@ -541,41 +541,6 @@ This is best used during cronjobs, data exports, or other large tasks.
 		// $data is a single row of data.
 	});
 
-Obfuscating IDs in URLs
------------------------
-
-Instead of displaying the resource's ID in the URL (i.e. /users/123), the model provides a simple
-way to obfuscate the ID. This provides some protection against attackers simply incrementing IDs in the
-URL to do bad things to your data.
-
-This is not a valid security use, but another simple layer of protection. Determined attackers could very easily
-determine the actual ID.
-
-The data is not stored in the database at any time, it is simply used to disguise the ID. When creating a URL
-you can use the **encodeID()** method to get the hashed ID.
-::
-
-	// Creates something like: http://exmample.com/users/MTIz
-	$url = '/users/'. $model->encodeID($user->id);
-
-When you need to grab the item in your controller, you can use the **findByHashedID()** method instead of the
-**find()** method.
-::
-
-	public function show($hashedID)
-	{
-		$user = $this->model->findByHashedID($hashedID);
-	}
-
-If you ever need to decode the hash, you may do so with the **decodeID()** method.
-::
-
-	$hash  = $model->encodeID(123);
-	$check = $model->decodeID($hash);
-
-.. note:: While the name is "hashed id", this is not actually a hashed variable, but that term has become
-		common in many circles to represent the encoding of an ID into a short, unique, identifier.
-
 Model Events
 ============
 
