globocom / huskyCI

Performing security tests inside your CI
https://huskyci.opensource.globo.com
BSD 3-Clause "New" or "Revised" License

Fix #526: Local setup fails starting API due to non-unique hmac #529

Closed aranhams closed 3 years ago

aranhams commented 3 years ago

Description

For some reason, the latest version of GoLang (Go1.16.x) generates a panic error in the hmac package (the hash function does not produce unique values). This error occurs when huskyCI sends the hash function using an anonymous function in the argument.

hashedPass := pbkdf2.Key([]byte(DefaultAPIPassword), salt, iterations, keyLength, func() hash.Hash { return hashFunction })

If we send the hash algorithm directly to the function argument, the error will not occur. As I show in the example below:

hashedPass := pbkdf2.Key([]byte(DefaultAPIPassword), salt, iterations, keyLength, sha512.New)

However, sending the hash algorithm in this way is not recommended.

Closes #526

Proposed Changes

The simplest way to fix this problem temporarily is to change the version of Go in the API Dockerfile to version 1.15.

aranhams commented 3 years ago

Reading the release notes for Go 1.16, I possibly found the reason for the panic error (https://golang.org/doc/go1.16):

crypto/hmac

New will now panic if separate calls to the hash generation function fail to return new values. Previously, the behavior was undefined and invalid outputs were sometimes generated.

So far I haven't seen an easier way to fix the problem. 😄
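The following is an added example, not huskyCI's code nor the x/crypto implementation, that reproduces the behaviour described in the PR description and in the Go 1.16 release note quoted above. It uses a minimal PBKDF2 (RFC 8018) written on top of the standard library's crypto/hmac, with the same loop structure as golang.org/x/crypto/pbkdf2.Key, so the uniqueness check inside hmac.New is reached the same way. `withSharedInstance` passes a closure that captures one sha512 instance (the pattern from the PR description) and, on Go 1.16 and later, hmac.New panics; `withFreshInstance` passes a closure that constructs a new hash on every call and derives a key normally. The fresh-instance path uses sha256 rather than sha512 only so the result can be checked against the widely published PBKDF2-HMAC-SHA256 test vector for password "password", salt "salt", 1 iteration, 32 bytes; the function names, the `derive` wrapper and the sample inputs are assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/hex"
	"fmt"
	"hash"
)

// pbkdf2Key is a minimal PBKDF2 (RFC 8018) over crypto/hmac. It is an added
// illustration with the same structure as golang.org/x/crypto/pbkdf2.Key,
// which is where the hmac.New call in the PR description ends up.
func pbkdf2Key(password, salt []byte, iter, keyLen int, h func() hash.Hash) []byte {
	// Go 1.16+: hmac.New calls h() twice and panics if both calls return
	// the same hash.Hash value ("hash generation function does not produce
	// unique values").
	prf := hmac.New(h, password)
	hashLen := prf.Size()
	numBlocks := (keyLen + hashLen - 1) / hashLen
	dk := make([]byte, 0, numBlocks*hashLen)
	u := make([]byte, hashLen)
	var blockIdx [4]byte
	for block := 1; block <= numBlocks; block++ {
		// T_i = U_1 xor U_2 xor ... xor U_c, with U_1 = PRF(P, S || INT(i)).
		blockIdx[0] = byte(block >> 24)
		blockIdx[1] = byte(block >> 16)
		blockIdx[2] = byte(block >> 8)
		blockIdx[3] = byte(block)
		prf.Reset()
		prf.Write(salt)
		prf.Write(blockIdx[:])
		dk = prf.Sum(dk)
		t := dk[len(dk)-hashLen:]
		copy(u, t)
		for n := 2; n <= iter; n++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(u[:0])
			for i := range u {
				t[i] ^= u[i]
			}
		}
	}
	return dk[:keyLen]
}

// derive runs the derivation and reports whether hmac.New panicked, so the
// two ways of passing the hash constructor can be compared without crashing.
// Assumed helper for this example: 1 iteration and a 32-byte key.
func derive(password, salt string, h func() hash.Hash) (key []byte, panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	return pbkdf2Key([]byte(password), []byte(salt), 1, 32, h), false
}

// withSharedInstance mirrors the PR description: the closure captures one
// hash.Hash and returns that same pointer on every call.
func withSharedInstance(password, salt string) (key []byte, panicked bool) {
	hashFunction := sha512.New()
	return derive(password, salt, func() hash.Hash { return hashFunction })
}

// withFreshInstance returns a new hash on every call, which is what hmac.New
// (and therefore PBKDF2) requires; sha256 is used here to match a known vector.
func withFreshInstance(password, salt string) (key []byte, panicked bool) {
	return derive(password, salt, func() hash.Hash { return sha256.New() })
}

func main() {
	// Constructed sample inputs.
	_, panicked := withSharedInstance("password", "salt")
	fmt.Println("shared instance panicked:", panicked)

	key, panicked := withFreshInstance("password", "salt")
	fmt.Println("fresh instance panicked:", panicked)
	fmt.Println("fresh instance key:", hex.EncodeToString(key))
}
```

The fix the release note implies is therefore not to pin Go 1.15 but to make the closure construct a new hash on each call (`func() hash.Hash { return sha512.New() }`), which keeps the hash algorithm configurable without handing the same state to both the inner and outer HMAC hashes.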