fix(drivers): reject empty or dotted encrypter ids

RomainLanz · RomainLanz · commit 770da035c934 · 2026-02-06T22:48:06.000+01:00
diff --git a/README.md b/README.md
@@ -45,6 +45,8 @@ const encryption = new Encryption(
 )
 ```
 
+`id` must be a non-empty string and cannot contain `.`.
+
 ### 2. Encrypt & Decrypt
 
 ```typescript
diff --git a/src/drivers/base_driver.ts b/src/drivers/base_driver.ts
@@ -27,6 +27,7 @@ export abstract class BaseDriver {
 
   protected constructor(config: BaseConfig) {
     const key = this.#validateAndGetSecret(config.key)
+    this.#validateId(config.id)
     this.cryptoKey = createHash('sha256').update(key).digest()
 
     const rawBlindIndexKey = hkdfSync(
@@ -57,6 +58,19 @@ export abstract class BaseDriver {
     return revealedSecret
   }
 
+  /**
+   * Validates encrypter id format when provided.
+   */
+  #validateId(id?: string) {
+    if (typeof id !== 'string') {
+      return
+    }
+
+    if (id.trim().length === 0 || id.includes(this.separator)) {
+      throw new errors.E_INVALID_ENCRYPTER_ID()
+    }
+  }
+
   protected computeReturns(values: string[]) {
     return values.join(this.separator) as CypherText
   }
diff --git a/src/exceptions.ts b/src/exceptions.ts
@@ -22,6 +22,11 @@ export const E_MISSING_ENCRYPTER_ID = createError(
   'E_MISSING_ENCRYPTER_ID'
 )
 
+export const E_INVALID_ENCRYPTER_ID = createError(
+  'Invalid id. The id must be a non-empty string and cannot contain "."',
+  'E_INVALID_ENCRYPTER_ID'
+)
+
 export const E_DETERMINISTIC_DRIVER_EXPIRES_IN_NOT_SUPPORTED = createError(
   'Deterministic encryption does not support expiresIn',
   'E_DETERMINISTIC_DRIVER_EXPIRES_IN_NOT_SUPPORTED'
diff --git a/tests/drivers/aes_256_cbc.spec.ts b/tests/drivers/aes_256_cbc.spec.ts
@@ -34,6 +34,20 @@ test.group('AES-256-CBC', () => {
     )
   })
 
+  test('fail when id contains separator', ({ assert }) => {
+    assert.throws(
+      () => new AES256CBC({ id: 'lan.z', key: SECRET }),
+      'Invalid id. The id must be a non-empty string and cannot contain "."'
+    )
+  })
+
+  test('fail when id is empty', ({ assert }) => {
+    assert.throws(
+      () => new AES256CBC({ id: '', key: SECRET }),
+      'Invalid id. The id must be a non-empty string and cannot contain "."'
+    )
+  })
+
   test('encrypt value', ({ assert }) => {
     const encryption = new AES256CBC({ id: 'lanz', key: SECRET })
     assert.notEqual(encryption.encrypt('hello-world'), 'hello-world')
diff --git a/tests/drivers/aes_256_gcm.spec.ts b/tests/drivers/aes_256_gcm.spec.ts
@@ -34,6 +34,20 @@ test.group('AES-256-GCM', () => {
     )
   })
 
+  test('fail when id contains separator', ({ assert }) => {
+    assert.throws(
+      () => new AES256GCM({ id: 'lan.z', key: SECRET }),
+      'Invalid id. The id must be a non-empty string and cannot contain "."'
+    )
+  })
+
+  test('fail when id is empty', ({ assert }) => {
+    assert.throws(
+      () => new AES256GCM({ id: '', key: SECRET }),
+      'Invalid id. The id must be a non-empty string and cannot contain "."'
+    )
+  })
+
   test('encrypt value', ({ assert }) => {
     const driver = new AES256GCM({ id: 'lanz', key: SECRET })
 
diff --git a/tests/drivers/aes_siv.spec.ts b/tests/drivers/aes_siv.spec.ts
@@ -34,6 +34,20 @@ test.group('AES-SIV', () => {
     )
   })
 
+  test('fail when id contains separator', ({ assert }) => {
+    assert.throws(
+      () => new AESSIV({ id: 'lan.z', key: SECRET }),
+      'Invalid id. The id must be a non-empty string and cannot contain "."'
+    )
+  })
+
+  test('fail when id is empty', ({ assert }) => {
+    assert.throws(
+      () => new AESSIV({ id: '', key: SECRET }),
+      'Invalid id. The id must be a non-empty string and cannot contain "."'
+    )
+  })
+
   test('accept single key in deterministic driver config', ({ assert }) => {
     const config = aessiv({ id: 'lanz', key: SECRET })
     assert.equal(config.keys.length, 1)
diff --git a/tests/drivers/chacha20_poly1305.spec.ts b/tests/drivers/chacha20_poly1305.spec.ts
@@ -34,6 +34,20 @@ test.group('ChaCha20-Poly1305', () => {
     )
   })
 
+  test('fail when id contains separator', ({ assert }) => {
+    assert.throws(
+      () => new ChaCha20Poly1305({ id: 'lan.z', key: SECRET }),
+      'Invalid id. The id must be a non-empty string and cannot contain "."'
+    )
+  })
+
+  test('fail when id is empty', ({ assert }) => {
+    assert.throws(
+      () => new ChaCha20Poly1305({ id: '', key: SECRET }),
+      'Invalid id. The id must be a non-empty string and cannot contain "."'
+    )
+  })
+
   test('encrypt value', ({ assert }) => {
     const driver = new ChaCha20Poly1305({ id: 'lanz', key: SECRET })
 

Original file line number	Diff line number	Diff line change
`@@ -45,6 +45,8 @@ const encryption = new Encryption(`
`45`	`45`	`)`
`46`	`46`	```
`47`	`47`
	`48`	+`id` must be a non-empty string and cannot contain `.`.
	`49`	`+`
`48`	`50`	`### 2. Encrypt & Decrypt`
`49`	`51`
`50`	`52`	```typescript