Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove System.IO.Hashing dependency from Nrbf #103700

Merged
merged 3 commits into from
Jun 19, 2024
Merged

Remove System.IO.Hashing dependency from Nrbf #103700

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
04e8076
Revert "Add System.IO.Hashing dependency to windowsdesktop transport …
stephentoub Jun 19, 2024
3b68b70
Remove System.IO.Hashing dependency from Nrbf
stephentoub Jun 19, 2024
2c5d4ac
Use HashCode
stephentoub Jun 19, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 0 additions & 1 deletion src/libraries/NetCoreAppLibrary.props
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -233,7 +233,6 @@
System.Diagnostics.PerformanceCounter;
System.DirectoryServices;
System.Formats.Nrbf;
System.IO.Hashing;
System.IO.Packaging;
System.Resources.Extensions;
System.Security.Cryptography.Pkcs;
Expand Down
1 change: 0 additions & 1 deletion src/libraries/System.Formats.Nrbf/ref/System.Formats.Nrbf.csproj
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,6 @@
</ItemGroup>

<ItemGroup>
<ProjectReference Include="$(LibrariesProjectRoot)System.IO.Hashing\ref\System.IO.Hashing.csproj" />
<ProjectReference Include="$(LibrariesProjectRoot)System.Reflection.Metadata\ref\System.Reflection.Metadata.csproj" />
</ItemGroup>

Expand Down
1 change: 0 additions & 1 deletion src/libraries/System.Formats.Nrbf/src/System.Formats.Nrbf.csproj
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,6 @@ System.Formats.Nrbf.NrbfDecoder</PackageDescription>
<DisablePackageBaselineValidation>true</DisablePackageBaselineValidation>
</PropertyGroup>
<ItemGroup>
<ProjectReference Include="$(LibrariesProjectRoot)\System.IO.Hashing\src\System.IO.Hashing.csproj" />
<ProjectReference Include="$(LibrariesProjectRoot)\System.Reflection.Metadata\src\System.Reflection.Metadata.csproj" />
</ItemGroup>
<ItemGroup Condition="'$(TargetFrameworkIdentifier)' == '.NETFramework'">
Expand Down
12 changes: 1 addition & 11 deletions src/libraries/System.Formats.Nrbf/src/System/Formats/Nrbf/SerializationRecordId.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,6 @@
using System.Collections.Generic;
using System.Formats.Nrbf.Utils;
using System.IO;
using System.IO.Hashing;
using System.Linq;
using System.Runtime.InteropServices;
using System.Text;
Expand Down Expand Up @@ -45,14 +44,5 @@ internal static SerializationRecordId Decode(BinaryReader reader)
public override bool Equals(object? obj) => obj is SerializationRecordId other && Equals(other);

/// <inheritdoc />
public override int GetHashCode()
{
int id = _id;
#if NET
Span<int> integers = new(ref id);
#else
Span<int> integers = stackalloc int[1] { id };
#endif
return (int)XxHash32.HashToUInt32(MemoryMarshal.AsBytes(integers));
}
public override int GetHashCode() => _id;
Copy link
Member

@adamsitnik adamsitnik Jun 19, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is done on purpose, to prevent from hashcode collision attacks (the attacker can create a payload with such Ids that would cause OOM in the dictionary)

cc @GrabYourPitchforks

Copy link
Member Author

@stephentoub stephentoub Jun 19, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's no randomization in xxhash32. this is just a deterministic mapping from one integer to another, with the only possibility of creating more collisions. to mitigate such attacks, this should use a random seed, eg System.HashCode.

Copy link
Member

@adamsitnik adamsitnik Jun 19, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There's no randomization in xxhash32. this is just a deterministic mapping from one integer to another, with the only possibility of creating more collisions. to mitigate such attacks, this should use a random seed, eg System.HashCode

Thanks, I was not aware of that. I've assumed that it's the right thing to do since it got approved by @bartonjs.

This library needs to target Full Framework and .NET Standard, so we can not use System.HashCode for all TFMs. But... w can use it for #if NET. Would that solve the problem for windowsdesktop repo?

Copy link
Member Author

@stephentoub stephentoub Jun 19, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

so we can not use System.HashCode for all TFMs

We can:
https://www.nuget.org/packages/Microsoft.Bcl.HashCode/

But if the goal here is just to include some randomness with a single integer, I'd assume we can just do something like:

private static readonly int s_seed = new Random().Next(-int.MaxValue, int.MaxValue);

public int GetHashCode() => _id ^ s_seed;

or some other form of incorporation that Jeremy and Levi bless.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can: https://www.nuget.org/packages/Microsoft.Bcl.HashCode/

Nice, I was not aware of the fact that such package exists. It's already used by Cbor, so we should be fine using it?

runtime/src/libraries/System.Formats.Cbor/src/System.Formats.Cbor.csproj

Line 56 in 9c51d32

<PackageReference Include="Microsoft.Bcl.HashCode" Version="$(MicrosoftBclHashCodeVersion)" />

But if the goal here is just to include some randomness with a single integer
or some other form of incorporation that Jeremy and Levi bless.

I would prefer to wait for @bartonjs or @GrabYourPitchforks feedback.

@stephentoub would you mind updating your PR to switch to HashCode type or would you prefer me to do it?

}
Loading