Skip to content

Commit

Permalink
Add SHA-1 to subresource integrity format for download() checksums
Browse files Browse the repository at this point in the history
npm packages commonly still use SHA-1. While it may be discouraged for its poor security, Bazel cannot enforce what external ecosystems currently do.

I tested this locally against a feature we are working on in rules_nodejs.

Closes bazelbuild#12777.

PiperOrigin-RevId: 353633120
  • Loading branch information
Alex Eagle authored and copybara-github committed Jan 25, 2021
1 parent 60d6f78 commit c9e2be5
Showing 1 changed file with 6 additions and 1 deletion.
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,11 @@ public static Checksum fromSubresourceIntegrity(String integrity) {
byte[] hash = null;
int expectedLength = 0;

if (integrity.startsWith("sha1-")) {
keyType = KeyType.SHA1;
expectedLength = 20;
hash = decoder.decode(integrity.substring(5));
}
if (integrity.startsWith("sha256-")) {
keyType = KeyType.SHA256;
expectedLength = 32;
Expand All @@ -63,7 +68,7 @@ public static Checksum fromSubresourceIntegrity(String integrity) {
throw new IllegalArgumentException(
"Unsupported checksum algorithm: '"
+ integrity
+ "' (expected SHA-256, SHA-384, or SHA-512)");
+ "' (expected SHA-1, SHA-256, SHA-384, or SHA-512)");
}

if (hash.length != expectedLength) {
Expand Down

0 comments on commit c9e2be5

Please sign in to comment.