Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

FIPS Compatibility - gravatar-url removal / update / replacement to correct md5 usage #4475

Closed
TGPSKI opened this issue Aug 10, 2023 · 6 comments · Fixed by #5128
Closed

FIPS Compatibility - gravatar-url removal / update / replacement to correct md5 usage #4475

TGPSKI opened this issue Aug 10, 2023 · 6 comments · Fixed by #5128
Assignees
@ivarconr
Labels
enhancement good first issue

Comments

@TGPSKI
Copy link

TGPSKI commented Aug 10, 2023
edited
Loading

Describe the feature request

The imported gravatar-url package uses md5 hash method (unsupported in FIPS environments), which prevents Unleash from running where FIPS is enforced.

# package.json

"gravatar-url": "^3.1.0"

There's a set of nested dependencies through sindresorhus repos, having to follow unleash -> gravatar-url -> md5-hex to actually get a crypto module change.

Background

https://en.gravatar.com/site/implement/hash/
https://github.com/sindresorhus/md5-hex/blob/main/index.js
aws/constructs#272

This problem is easy to fix in python. I can't find the same option to specify non-cryptographic use cases in node.

Solution suggestions
@ivarconr
Copy link
Member

Thanks for bringing this to our attention.

I see the easiest path forward to inline the "generateGravatar" function in to the unleash code base. There is not compelling reason to use a library for this, as it basically is a simple md5 of the email. It feels a bit like an unnecessary workaround to please the "FIPS" requirements. I am not sure if there are any way at all to flag this module as safe, as it does not contribute to any cryptographic activities.

Next steps:

  1. Inline the generateGravatar(email) as a util function, using the md5 package instead of node built in module (src)
  2. Write a few tests for it.

Any takers?

@nunogois nunogois moved this from New to Todo in Issues and PRs Sep 4, 2023
@mahimairaja
Copy link

Hi, Is the issue still open?

@ivarconr
Copy link
Member

Yes, @mahimairaja

@mahimairaja
Copy link

That great! I would like to work on this issue. Can you please assign this issue to me

@mahimairaja
Copy link

Next steps:

  1. Inline the generateGravatar(email) as a util function, using the md5 package instead of node built in module (src)
  2. Write a few tests for it.

Any takers?

So Can you please guide me. I could understand that I have to implement md5 hashing

  1. but where should I implement it?
  2. And what are the test cases are expected to be implemented?

@chriswk
Copy link
Member

chriswk commented Oct 23, 2023

@mahimairaja - I'd look at src/lib/util/generateImageUrl.ts . replacing the gravatar-url with an inline private function.

Then add some tests confirming that you generate the valid URLs with query parameters. Preferably in a src/lib/util/generateImageUrl.test.ts

chriswk added a commit that referenced this issue Oct 23, 2023
@chriswk
feat: replace gravatar-url with inline function
78a4c96 
fixes: Linear https://linear.app/unleash/issue/SR-112/gh-support-swap-out-gravatar-url-lib
closes: #4475
@chriswk chriswk mentioned this issue Oct 23, 2023
Merged
chriswk added a commit that referenced this issue Oct 23, 2023
@chriswk
feat: replace gravatar-url with inline function
cc422f7 
fixes: Linear https://linear.app/unleash/issue/SR-112/gh-support-swap-out-gravatar-url-lib
closes: #4475
@github-project-automation github-project-automation bot moved this from Todo to Done in Issues and PRs Oct 24, 2023
chriswk pushed a commit that referenced this issue Oct 24, 2023
feat: replace gravatar-url with inline function (#5128)
c60bca7 
As #4475 says, MD5 is not available in secure places anymore. This PR
swaps out gravatar-url with an inline function using crypto:sha256 which
is FIPS-140-2 compliant. Since we only used this method for generating
avatar URLs the extra customization wasn't needed and we could hard code
the URL parameters.
 
fixes: Linear
https://linear.app/unleash/issue/SR-112/gh-support-swap-out-gravatar-url-lib
closes: #4475
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ivarconr ivarconr

Labels
enhancement good first issue
Projects
Unleash Public Roadmap 🚀
Status: Q4-2023
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat: replace gravatar-url with inline function Unleash/unleash
4 participants
@ivarconr @chriswk @TGPSKI @mahimairaja