Fixing codeQL bugs :Updating hash algorithm #3318
Conversation
| @@ -39,7 +39,7 @@ const gravatarURLForAuthor = (email) => { | |||
| return "https://avatars.githubusercontent.com/u/49038?s=100&u=0b9ac5bf42a8ea2543a05191e150e0213456744e&v=4"; | |||
|
|
|||
| default: | |||
| return crypto.createHash("md5").update(email).digest("hex"); | |||
There was a problem hiding this comment.
I'm not a 100% sure if anything else is needed to make them work. It seems like this should be enough according to the createHash function description in the crypto package.
There was a problem hiding this comment.
The question is whether or not this breaks anything, but maybe it doesn't; I can't imagine a md5 hash of an email address ever worked as a URL?
There was a problem hiding this comment.
Yeah, so this actually can be sha256:
That should pass testing and also actually work.
navya9singh
added
the
deploy-preview
|
Azure Static Web Apps: Your stage site is ready! Visit it here: https://victorious-plant-05c166c10-3318.centralus.5.azurestaticapps.net |
| @@ -96,7 +96,7 @@ langs.forEach(lang => { | |||
| .replace(/\+/g, "-"), | |||
|
|
|||
| sortIndex: index, | |||
| hash: crypto.createHash("md5").update(contents).digest("hex"), | |||
| hash: crypto.createHash("sha512").update(contents).digest("hex"), | |||
There was a problem hiding this comment.
Checking this, the website still works fine here. It's put into data-hash in ShowExamples and that's just used to cache loading them.
| @@ -39,7 +39,7 @@ const gravatarURLForAuthor = (email) => { | |||
| return "https://avatars.githubusercontent.com/u/49038?s=100&u=0b9ac5bf42a8ea2543a05191e150e0213456744e&v=4"; | |||
|
|
|||
| default: | |||
| return crypto.createHash("md5").update(email).digest("hex"); | |||
There was a problem hiding this comment.
Yeah, so this actually can be sha256:
That should pass testing and also actually work.
| @@ -39,7 +39,7 @@ const gravatarURLForAuthor = (email) => { | |||
| return "https://avatars.githubusercontent.com/u/49038?s=100&u=0b9ac5bf42a8ea2543a05191e150e0213456744e&v=4"; | |||
|
|
|||
| default: | |||
| return crypto.createHash("md5").update(email).digest("hex"); | |||
| return crypto.createHash("sha512").update(email).digest("hex"); | |||
There was a problem hiding this comment.
| return crypto.createHash("sha512").update(email).digest("hex"); | |
| return crypto.createHash("sha256").update(email).digest("hex"); |
This pr fixes https://liquid.microsoft.com/codeql/issues/554838ed-6abd-48f1-bfa9-03546781e3c1?copilot_promptid=E91B0CE9-0C1B-4AC2-8A46-33F49B67E058 and https://liquid.microsoft.com/codeql/issues/df74a67a-14d7-41b4-9ed2-b8e9c2a184cb?copilot_promptid=E91B0CE9-0C1B-4AC2-8A46-33F49B67E058
Reference: https://liquid.microsoft.com/Web/Object/Read/MS.Security/Requirements/Microsoft.Security.Cryptography.10021#Zguidance