-
-
Notifications
You must be signed in to change notification settings - Fork 980
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update sha1 to sha256 #748
base: master
Are you sure you want to change the base?
Conversation
Recent research shows that SHA1 is a weak hash function known to have collisions. Consider updating it to stronger collision resistant (at this time) hash functions like sha256. Ref: https://shattered.io/ https://shattered.io/static/shattered.pdf https://blog.qualys.com/ssllabs/2014/09/09/sha1-deprecation-what-you-need-to-know
Interesting. AFAIK this hash is used in a way in which would not be susceptible to that. Can you explain further on why you believe this usage would be at issue? How would a user cause a collision in the usage in this library? The site seems to state
But AFAIK that is not the use case for the changed part in question here, so if you can provide some further details, that would be very helpful ! Edit: The last link you provided seems to be specifically about the usage in certificates, which AFAIK is also not applicable in the usage here as well. |
This is applicable if user input anywhere from HTTP request reaches the
If you are aware of any alternative means by which user controlled input reaches the hash function, this issue is applicable and you should consider using a stronger hash function, otherwise this might not be applicable to the project. PS: I was doing a quick security scan on top node.js projects and this one popped out and I could only do a basic verification before opening this PR. EDIT: By |
All of the input into the |
Forgive me if I am misunderstanding, but I think vulnerabilities in sha1 do apply to this library:
I believe those at some use cases where the effect of a collision is more obvious, but it is not a complete list. My understanding of the weaknesses in sha1 from those links is that, in rare cases, it can yield collisions:
What is the repercussion in this library if two different inputs yield the same hash value? Looking at the code, Where can two different session states yielding the same hash cause problems? In
In
There might be or two other places ( The linked articles have an emphasis on security because the implication of the possibilities of collisions opens obvious opportunities for malicious actors. I think, in the case of this library, the nearest implication in the quote above is probably "file integrity". Perhaps this middleware could accept an |
A false positive for the isSaved and isModifed is not a security vulnerability, though. If you think it is, please email me a PoC that demonstrates how this would lead to a security vulnerability. |
9d2e29b
to
408229e
Compare
Recent research shows that SHA1 is a weak hash function known to have collisions. Consider updating it to stronger collision resistant (at this time) hash functions like sha256.
Ref:
https://shattered.io/
https://shattered.io/static/shattered.pdf
https://blog.qualys.com/ssllabs/2014/09/09/sha1-deprecation-what-you-need-to-know