fix(compiler-cli): change default ngcc hash algorithm to be FIPS compliant (#42582)

The previous default algorithm was `md5`, which is not compliant with FIPS. The default is now set to `sha256`, which is compliant. Fixes #42577 PR Close #42582
2021-06-16 12:29:57 +01:00 · 2021-06-16 12:29:57 +01:00 · 874de59d35
parent b8ef83b10f
commit 874de59d35
3 changed files with 16 additions and 15 deletions
--- a/packages/compiler-cli/ngcc/src/packages/configuration.ts
+++ b/packages/compiler-cli/ngcc/src/packages/configuration.ts
@ -28,7 +28,7 @@ export interface NgccProjectConfig<T = RawNgccPackageConfig> {
  /**
   * Name of hash algorithm used to generate hashes of the configuration.
   *
-   * Defaults to `md5`.
+   * Defaults to `sha256`.
   */
  hashAlgorithm?: string;
 }
@ -308,7 +308,7 @@ export class NgccConfiguration {

  private processProjectConfig(projectConfig: NgccProjectConfig): PartiallyProcessedConfig {
    const processedConfig:
-        PartiallyProcessedConfig = {packages: {}, locking: {}, hashAlgorithm: 'md5'};
+        PartiallyProcessedConfig = {packages: {}, locking: {}, hashAlgorithm: 'sha256'};

    // locking configuration
    if (projectConfig.locking !== undefined) {
--- a/packages/compiler-cli/ngcc/test/packages/configuration_spec.ts
+++ b/packages/compiler-cli/ngcc/test/packages/configuration_spec.ts
@ -48,9 +48,9 @@ runInEachFileSystem(() => {
        }]);
        const project1Conf = new NgccConfiguration(fs, project1);
        const expectedProject1Config =
-            `{"packages":{"package-1":[{"entryPoints":{"./entry-point-1":{}},"versionRange":"*"}]},"locking":{},"hashAlgorithm":"md5"}`;
+            `{"packages":{"package-1":[{"entryPoints":{"./entry-point-1":{}},"versionRange":"*"}]},"locking":{},"hashAlgorithm":"sha256"}`;
        expect(project1Conf.hash)
-            .toEqual(createHash('md5').update(expectedProject1Config).digest('hex'));
+            .toEqual(createHash('sha256').update(expectedProject1Config).digest('hex'));

        const project2 = _Abs('/project-2');
        const project2Config = fs.resolve(project2, 'ngcc.config.js');
@ -66,18 +66,19 @@ runInEachFileSystem(() => {
        }]);
        const project2Conf = new NgccConfiguration(fs, project2);
        const expectedProject2Config =
-            `{"packages":{"package-1":[{"entryPoints":{"./entry-point-1":{"ignore":true}},"versionRange":"*"}]},"locking":{},"hashAlgorithm":"md5"}`;
+            `{"packages":{"package-1":[{"entryPoints":{"./entry-point-1":{"ignore":true}},"versionRange":"*"}]},"locking":{},"hashAlgorithm":"sha256"}`;
        expect(project2Conf.hash)
-            .toEqual(createHash('md5').update(expectedProject2Config).digest('hex'));
+            .toEqual(createHash('sha256').update(expectedProject2Config).digest('hex'));
      });

      it('should compute a hash even if there is no project configuration', () => {
        loadTestFiles([{name: _Abs('/project-1/empty.js'), contents: ``}]);
        const configuration = new NgccConfiguration(fs, _Abs('/project-1'));
        expect(configuration.hash)
-            .toEqual(createHash('md5')
-                         .update(JSON.stringify({packages: {}, locking: {}, hashAlgorithm: 'md5'}))
-                         .digest('hex'));
+            .toEqual(
+                createHash('sha256')
+                    .update(JSON.stringify({packages: {}, locking: {}, hashAlgorithm: 'sha256'}))
+                    .digest('hex'));
      });

      it('should use a custom hash algorithm if specified in the config', () => {
@ -91,15 +92,15 @@ runInEachFileSystem(() => {
              packages: {
                'package-1': {entryPoints: {'./entry-point-1': {}}},
              },
-              hashAlgorithm: 'sha256',
+              hashAlgorithm: 'md5',
            };`
        }]);
        const project1Conf = new NgccConfiguration(fs, project1);
        const expectedProject1Config =
-            `{"packages":{"package-1":[{"entryPoints":{"./entry-point-1":{}},"versionRange":"*"}]},"locking":{},"hashAlgorithm":"sha256"}`;
+            `{"packages":{"package-1":[{"entryPoints":{"./entry-point-1":{}},"versionRange":"*"}]},"locking":{},"hashAlgorithm":"md5"}`;
        expect(JSON.stringify((project1Conf as any).projectConfig)).toEqual(expectedProject1Config);
        expect(project1Conf.hash)
-            .toEqual(createHash('sha256').update(expectedProject1Config).digest('hex'));
+            .toEqual(createHash('md5').update(expectedProject1Config).digest('hex'));
      });
    });

--- a/packages/compiler-cli/ngcc/test/packages/entry_point_manifest_spec.ts
+++ b/packages/compiler-cli/ngcc/test/packages/entry_point_manifest_spec.ts
@ -40,7 +40,7 @@ runInEachFileSystem(() => {
      beforeEach(() => {
        manifestFile = {
          ngccVersion: NGCC_VERSION,
-          lockFileHash: createHash('md5').update('LOCK FILE CONTENTS').digest('hex'),
+          lockFileHash: createHash('sha256').update('LOCK FILE CONTENTS').digest('hex'),
          configFileHash: config.hash,
          entryPointPaths: []
        };
@ -278,7 +278,7 @@ runInEachFileSystem(() => {
            JSON.parse(fs.readFile(_Abs('/project/node_modules/__ngcc_entry_points__.json'))) as
            EntryPointManifestFile;
        expect(file.lockFileHash)
-            .toEqual(createHash('md5').update('LOCK FILE CONTENTS').digest('hex'));
+            .toEqual(createHash('sha256').update('LOCK FILE CONTENTS').digest('hex'));
      });

      it('should write a hash of the package-lock.json file', () => {
@ -288,7 +288,7 @@ runInEachFileSystem(() => {
            JSON.parse(fs.readFile(_Abs('/project/node_modules/__ngcc_entry_points__.json'))) as
            EntryPointManifestFile;
        expect(file.lockFileHash)
-            .toEqual(createHash('md5').update('LOCK FILE CONTENTS').digest('hex'));
+            .toEqual(createHash('sha256').update('LOCK FILE CONTENTS').digest('hex'));
      });

      it('should write a hash of the project config', () => {