SensitiveString 0.1.1

.NET 8.0

dotnet add package SensitiveString --version 0.1.1

NuGet\Install-Package SensitiveString -Version 0.1.1

This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package.

<PackageReference Include="SensitiveString" Version="0.1.1" />

For projects that support PackageReference, copy this XML node into the project file to reference the package.

paket add SensitiveString --version 0.1.1

The NuGet Team does not provide support for this client. Please contact its maintainers for support.

#r "nuget: SensitiveString, 0.1.1"

#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package.

// Install SensitiveString as a Cake Addin
#addin nuget:?package=SensitiveString&version=0.1.1

// Install SensitiveString as a Cake Tool
#tool nuget:?package=SensitiveString&version=0.1.1

The NuGet Team does not provide support for this client. Please contact its maintainers for support.

SensitiveString

Introducing SensitiveString, your shield against inadvertent exposure of sensitive information in application logs and beyond.

This lightweight NuGet package wraps strings in a protective layer, ensuring that sensitive data remains secure and inaccessible without explicit handling.

Safeguard your users' privacy and your application's integrity effortlessly with SensitiveString.

Example

Let's try to initialize and print a simple record with personal information:

internal record PersonDto(string Name, SensitiveString PhoneNumber, SensitiveEmail Email);

using SensitiveString;

var person = new PersonDto(
    "John Doe",
    "(800) 555‑0123".AsSensitive(),
    "john.doe@example.com".AsSensitiveEmail()
);

Console.WriteLine($"Person info: {person}");

What we get in the console is:

Person info: PersonDto { Name = John Doe, PhoneNumber = ***, Email = ***@example.com }

Now let's try to access the original information:

Console.WriteLine($"Phone number: {person.PhoneNumber.Reveal()}");
Console.WriteLine($"Email: {person.Email.Reveal()}");

And what we now get in the console is:

Phone number: (800) 555‑0123
Email: john.doe@example.com

How it works?

The SensitiveString and SensitiveEmail types are straightforward string wrappers. Without special handling, their content remains hidden from standard stringifiers and serializers. So if you're afraid some sensitive data may leak into application logs when stringified implicitly, use one of these two types to prevent that.

SensitiveEmail differs from SensitiveString only in how it masks the original value. If you prefer having emails fully masked rather than the login part before @, use the SensitiveString instead.

Serialization/deserialization

In client-server communication we want the information in its original form present in the data being transmitted between the parties. Because, however, of how the types are designed, without explicit handling, serializers will output nothing but an empty object.

Therefore, to use the type in DTOs, you'll need to extend your serializers in use with special converters to handle these types. Converters for the System.Text.Json.JsonSerializer are available in this repository and are part of the associated NuGet package. See below how serialization behaves with and without them.

Let's use the same person object as in the example used earlier:

using System.Text.Json;
...

var serialized = JsonSerializer.Serialize(person);
Console.WriteLine($"Serialized: {serialized}");

This is what we will get as the output:

Serialized: {"Name":"John Doe","PhoneNumber":{},"Email":{}}

As you can see, the sensitive strings are just empty JSON objects {}.

Now let's add appropriate converters to serializer options:

using System.Text.Json;
using SensitiveString.Json;
...

var serializerOptions = new JsonSerializerOptions();
serializerOptions.AddSensitiveStringSupport();

var serialized = JsonSerializer.Serialize(person, serializerOptions);
Console.WriteLine($"Serialized: {serialized}");

Now the output is complete:

Serialized: {"Name":"John Doe","PhoneNumber":"(800) 555\u20110123","Email":"john.doe@example.com"}

The same options should be used for deserialization.

REST API

To make sure your web API handles the types correctly, call this on startup:

builder.Services
   .AddControllers()
   .AddJsonOptions(
        o => o.JsonSerializerOptions.AddSensitiveStringSupport()
    );

builder.Services.ConfigureHttpJsonOptions(
    o => o.SerializerOptions.AddSensitiveStringSupport()
);

Disclaimer

This is a proof of concept. If you find any issues using the package or have any thoughts on it, your comments reported as issues are more than welcome!

Product	Compatible and additional computed target framework versions.
.NET	net8.0 is compatible. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed.

Compatible target framework(s)

Included target framework(s) (in package)

Learn more about Target Frameworks and .NET Standard.

net8.0
- No dependencies.

NuGet packages (2)

Showing the top 2 NuGet packages that depend on SensitiveString:

Package	Downloads
SensitiveString.HotChocolate This package extends SensitiveString to integrate it with HotChocolate so it can be used in inputs and responses.	277
SensitiveString.EntityFrameworkCore This package extends SensitiveString to seamlessly integrate it with EntityFrameworkCore entities.	152

GitHub repositories

This package is not used by any popular GitHub repositories.

Version	Downloads	Last updated
0.1.1	167	4/11/2024
0.1.0	71	4/11/2024

This initial package release is presented as a proof of concept. All comments and suggestions are warmly welcomed and encouraged to be reported as issues on GitHub. Your input is highly valued to help refine and improve this offering.

See also https://github.com/mariusz-schimke/SensitiveString/releases