globocom / huskyCI

Performing security tests inside your CI
https://huskyci.opensource.globo.com
BSD 3-Clause "New" or "Revised" License

Fix hash-related method signatures #531

Open gustavocovas opened 3 years ago

gustavocovas commented 3 years ago

...to prevent hash functions that do not produce unique values

Description

Closes #530.

Proposed Changes

Since pbkdf2 works with a func() hash.Hash type, returning such a type from GetValidHashFunction in api/auth/authmongo.go should simplify the calls to pbkdf2.Key. Our hash functions passed to pbkdf2.Key should not produce non-unique values anymore (#526), and we can upgrade our Dockerfile to Go 1.16.

Testing

Test locally and check that the panic: crypto/hmac: hash generation function does not produce unique values is not called anymore.

make test
make install
source .env
make run-client
docker logs -f -t <huskyci-api-container-id>

You might want to make more checks. I believe that the stored hashes for users passwords in a production system should not be valid anymore, since apparently we were not using the pbkdf2 library correctly.
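The panic quoted above comes from crypto/hmac, which pbkdf2.Key uses as its PRF: hmac.New calls the supplied func() hash.Hash twice (once for the inner and once for the outer hash) and panics if both calls return the same object. The example below is added here and is not huskyCI's code; it reproduces the failing shape (a closure that keeps handing back one sha256 instance) next to the correct shape (a constructor that returns a fresh hash), and derives a key through a small RFC 8018 PBKDF2 routine written for this example so it runs with only the standard library. That routine's name and signature are assumptions that mirror golang.org/x/crypto/pbkdf2.Key; it is not that package.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"hash"
)

// BadHashFunc reproduces the bug: the returned func() hash.Hash captures a
// single sha256 instance and hands the same pointer back on every call, so
// crypto/hmac's inner/outer instances are identical and hmac.New panics with
// "crypto/hmac: hash generation function does not produce unique values".
func BadHashFunc() func() hash.Hash {
	shared := sha256.New()
	return func() hash.Hash { return shared }
}

// GoodHashFunc returns a real constructor: every call builds a fresh hash.
// sha256.New already has exactly the func() hash.Hash signature pbkdf2 wants.
func GoodHashFunc() func() hash.Hash {
	return sha256.New
}

// HMACPanics reports whether hmac.New rejects the constructor h. It recovers
// the panic so callers can assert on the behaviour instead of crashing.
func HMACPanics(h func() hash.Hash) (panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	hmac.New(h, []byte("key"))
	return false
}

// PBKDF2 is a minimal RFC 8018 derivation with HMAC as the PRF (assumed
// helper for this example; same argument order as x/crypto/pbkdf2.Key).
// The hmac.New call on the first line is where a non-unique h panics.
func PBKDF2(password, salt []byte, iter, keyLen int, h func() hash.Hash) []byte {
	prf := hmac.New(h, password)
	hashLen := prf.Size()
	numBlocks := (keyLen + hashLen - 1) / hashLen
	dk := make([]byte, 0, numBlocks*hashLen)
	blockIndex := make([]byte, 4)
	for block := 1; block <= numBlocks; block++ {
		// U1 = PRF(P, S || INT(block)), big-endian 4-byte block counter.
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(blockIndex, uint32(block))
		prf.Write(blockIndex)
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		// U_i = PRF(P, U_{i-1}); T = U1 xor U2 xor ... xor U_iter.
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:keyLen]
}

func main() {
	fmt.Println("shared-instance constructor panics:", HMACPanics(BadHashFunc()))
	fmt.Println("fresh-instance constructor panics:  ", HMACPanics(GoodHashFunc()))
	// Constructed sample input: the common PBKDF2-HMAC-SHA256 test parameters.
	dk := PBKDF2([]byte("password"), []byte("salt"), 2, 32, GoodHashFunc())
	fmt.Println("derived key:", hex.EncodeToString(dk))
}
```

The practical check for a code base like the one in this PR is the first pair of calls: whatever GetValidHashFunction returns must be a constructor such as sha256.New, never a closure over an instance created once at startup. Hashes stored under the old behaviour were derived before the panic path existed in the version of crypto/hmac that caught this, so verifying them against keys derived with a corrected constructor is the test that tells you whether they are still valid.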

rogeriobastos commented 3 years ago

Hi guys, I've been testing this fix in a fresh new installation and it works fine. I think this fix shouldn't be blocked to new users.