
Switch to SHA256-based hashing for ActiveSupport (with feature flag)

Thong Kuah requested to merge switch_rails_digest into master

What does this MR do and why?

Part of https://gitlab.com/gitlab-org/gitlab/-/issues/220878.

Adds a facade through which we can use a feature flag to switch ActiveSupport's hash digest class from Digest::MD5 to OpenSSL::Digest::SHA256.

Places where it's used in Rails (see also https://gitlab.com/gitlab-org/gitlab/-/issues/220878#note_958634137):

    $ gg ActiveSupport::Digest **/lib
    actionpack/lib/action_dispatch/http/cache.rb:          %("#{ActiveSupport::Digest.hexdigest(ActiveSupport::Cache.expand_cache_key(validators))}")
    actionview/lib/action_view/digestor.rb:        ActiveSupport::Digest.hexdigest("#{template.source}-#{dependency_digest(finder, stack)}")
    activerecord/lib/active_record/relation.rb:      query_signature = ActiveSupport::Digest.hexdigest(to_sql)
    activesupport/lib/active_support/cache/file_store.rb:            fname = ActiveSupport::Digest.hexdigest(key)
    activesupport/lib/active_support/cache/mem_cache_store.rb:            key = "#{key[0, 213]}:md5:#{ActiveSupport::Digest.hexdigest(key)}" if key.size > 250
    activesupport/lib/active_support/railtie.rb:          ActiveSupport::Digest.hash_digest_class = ::Digest::SHA1
    activesupport/lib/active_support/railtie.rb:          ActiveSupport::Digest.hash_digest_class = klass

Based on the above, it seems ActiveSupport::Digest is used:

We don't directly use ActiveSupport::Digest in the GitLab application code.
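The switching mechanism described above, as an added example that is not the MR's own code: ActiveSupport only ever calls `.hexdigest` on `ActiveSupport::Digest.hash_digest_class`, so a module that picks the algorithm per call from a feature flag can be assigned there. The `Feature` store and the `HashDigestFacade` name are constructed stand-ins, not GitLab's real modules; `weak_etag` and `memcache_key` mirror the two Rails call sites quoted above so the effect of flipping the flag is visible offline.

```ruby
require 'digest'
require 'openssl'

# Stand-in for GitLab's feature flag store (constructed for this example).
module Feature
  @enabled = {}

  def self.enable(name)
    @enabled[name] = true
  end

  def self.disable(name)
    @enabled[name] = false
  end

  def self.enabled?(name)
    @enabled.fetch(name, false)
  end
end

# Facade to assign to ActiveSupport::Digest.hash_digest_class (hypothetical name).
# The algorithm is resolved on every call, so flipping the flag at runtime takes
# effect without a restart.
module HashDigestFacade
  FLAG = :active_support_hash_digest_sha256

  def self.digest_class
    Feature.enabled?(FLAG) ? OpenSSL::Digest::SHA256 : Digest::MD5
  end

  def self.hexdigest(data)
    digest_class.hexdigest(data)
  end
end

# Mirrors how ActionDispatch builds the weak ETag observed in the validation steps:
# the ETag value changes with the flag, which is why clients re-fetch once after a flip.
def weak_etag(validator)
  %(W/"#{HashDigestFacade.hexdigest(validator)}")
end

# Mirrors the mem_cache_store line quoted above. SHA256 hex is 64 chars instead of 32,
# so a long key normalises to 213 + 5 + 64 = 282 chars with the flag on, versus exactly
# 250 with MD5; worth checking against the cache store's key limit before enabling.
def memcache_key(key)
  key.size > 250 ? "#{key[0, 213]}:md5:#{HashDigestFacade.hexdigest(key)}" : key
end
```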

Screenshots or screen recordings


[Screenshot: Screen_Shot_2022-06-15_at_4.28.23_PM]

How to set up and validate locally

  1. On the master branch, go to an issue and upload a design.

  2. View the design. In the browser's Network tools, observe the ETag response header for the raw_image request (e.g. W/"37ed00aba86a92680dcda93537e64914").

  3. Switch to this branch and run gdk restart.

  4. Refresh the page. In Network tools, observe the ETag response header for the raw_image request. It should be unchanged.

  5. Enable the feature flag with:

    Feature.enable :active_support_hash_digest_sha256

  6. Refresh the page. In Network tools, observe the ETag response header for the raw_image request. It should have changed (e.g. W/"23852fa09695051adf03aed7510ac2fa").

  7. Disable the feature flag with:

    Feature.disable :active_support_hash_digest_sha256

  8. Refresh the page. In Network tools, observe the ETag response header for the raw_image request. It should have changed back to the previous value (e.g. W/"37ed00aba86a92680dcda93537e64914").

