Commit 7923a061 authored by Thong Kuah's avatar Thong Kuah

Switch ActiveSupport::HashDigest to SHA256

MD5 is not supported in FIPS mode

Removes the feature flag, and enables the switch starting in GitLab 15.2

Changelog: other
parent a13b9a10
1 merge request!91247Switch ActiveSupport::HashDigest to SHA256
......@@ -20,6 +20,8 @@ class Application < Rails::Application
config.view_component.preview_route = "/-/view_component/previews"
config.active_support.hash_digest_class = ::OpenSSL::Digest::SHA256
# This section contains configuration from Rails upgrades to override the new defaults so that we
# keep existing behavior.
#
......@@ -38,7 +40,6 @@ class Application < Rails::Application
# Rails 5.2
config.action_dispatch.use_authenticated_cookie_encryption = false
config.active_support.use_authenticated_message_encryption = false
config.active_support.hash_digest_class = ::Digest::MD5 # New default is ::Digest::SHA1
config.action_controller.default_protect_from_forgery = false
config.action_view.form_with_generates_ids = false
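Review bot: The new `config.active_support.hash_digest_class = ::OpenSSL::Digest::SHA256` line carries no comment, while the MD5 line it replaces explained why the value was pinned; since the reason is now FIPS rather than upgrade-compat, the line would read better inside or next to the "Rails upgrades" block with `# MD5 is not available in FIPS mode; SHA256 is also the Rails 7 default` so a later `load_defaults` bump does not look like it can drop the line. The commit also deletes the initializer spec that asserted the effective `ActiveSupport::Digest.hash_digest_class` (the Facade spec noted that this config key was its only consumer); unless that assertion survives elsewhere, keep a one-line spec pinning `ActiveSupport::Digest.hash_digest_class` to `OpenSSL::Digest::SHA256` so a regression back to MD5 is caught rather than discovered in a FIPS deployment. It may be worth a sentence in the description that every digest derived through `ActiveSupport::Digest` (cache-key and template digests, presumably ETags) changes value on upgrade, so callers comparing stored digests across the 15.2 boundary should expect a one-time mismatch. The `Application` class and the enclosing `configure` body start and end outside both hunks.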
---
name: active_support_hash_digest_sha256
introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/90098
rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/365314
milestone: '15.1'
type: development
group: group::sharding
default_enabled: false
# frozen_string_literal: true
Rails.application.configure do
# We set ActiveSupport::Digest.hash_digest_class directly copying
# See https://github.com/rails/rails/blob/6-1-stable/activesupport/lib/active_support/railtie.rb#L96-L98
#
# Note that is the only usage of config.active_support.hash_digest_class
config.after_initialize do
ActiveSupport::Digest.hash_digest_class = Gitlab::HashDigest::Facade
end
end
# frozen_string_literal: true
module Gitlab
module HashDigest
# Used for rolling out to use OpenSSL::Digest::SHA256
# for ActiveSupport::Digest
class Facade
class << self
def hexdigest(...)
hash_digest_class.hexdigest(...)
end
def hash_digest_class
if use_sha256?
::OpenSSL::Digest::SHA256
else
::Digest::MD5 # rubocop:disable Fips/MD5
end
end
def use_sha256?
return false unless Feature.feature_flags_available?
Feature.enabled?(:active_support_hash_digest_sha256)
end
end
end
end
end
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe 'setting ActiveSupport::Digest.hash_digest_class' do
it 'sets overrides config.active_support.hash_digest_class' do
expect(ActiveSupport::Digest.hash_digest_class).to eq(Gitlab::HashDigest::Facade)
end
end
# frozen_string_literal: true
require 'spec_helper'
RSpec.describe Gitlab::HashDigest::Facade do
describe '.hexdigest' do
let(:plaintext) { 'something that is plaintext' }
let(:sha256_hash) { OpenSSL::Digest::SHA256.hexdigest(plaintext) }
let(:md5_hash) { Digest::MD5.hexdigest(plaintext) } # rubocop:disable Fips/MD5
it 'uses SHA256' do
expect(described_class.hexdigest(plaintext)).to eq(sha256_hash)
end
context 'when feature flags is not available' do
before do
allow(Feature).to receive(:feature_flags_available?).and_return(false)
end
it 'uses MD5' do
expect(described_class.hexdigest(plaintext)).to eq(md5_hash)
end
end
context 'when active_support_hash_digest_sha256 FF is disabled' do
before do
stub_feature_flags(active_support_hash_digest_sha256: false)
end
it 'uses MD5' do
expect(described_class.hexdigest(plaintext)).to eq(md5_hash)
end
end
end
end