jestjs / jest

Delightful JavaScript Testing.
https://jestjs.io
MIT License

Jest is failing on a FIPS enabled machine #10726

Closed sbel314 closed 2 years ago

sbel314 commented 4 years ago

🐛 Bug Report

Tried running Jest tests on a FIPS (Federal Information Processing Standards) compliant Linux machine. It failed immediately reporting that md5 is disabled for fips. Tracing through the Jest code, there is a "normalizeMissingOptions" function in normalize.js that calls "createHash" using md5 which OpenSSL cannot use under FIPS standards.

To Reproduce

Run a basic Jest test on a FIPS machine. Similar output should be returned as described above in the bug report.

Expected behavior

Similar output should be returned as described above in the bug report.

SimenB commented 4 years ago

Wanna send some PRs adding support? And can we run on CI to ensure we don't have regressions?

If it's just normalizeMissingOptions you can set name in your config to skip it and see if anything else works. I doubt it, we use it in more places such as https://github.com/facebook/jest/blob/132e3d10068834e3f719651cdc99e31b7c149f3b/packages/babel-jest/src/index.ts#L110

Happy to use some other fast hashing algo, tho - it's just for revving

lidoravitan commented 4 years ago

I'd like to help here. Could it be a good first issue on this repo? Thanks a lot

SimenB commented 4 years ago

If you have access to a FIPS system, sure! I don't know how the development workflow would be though

lidoravitan commented 4 years ago

Oops :( I do not have access to a FIPS system. I will look for another issue. thanks

ahnpnl commented 4 years ago

Correct me if I'm wrong, so md5 is not allowed on a FIPS machine? If so, it means the package @jest/create-cache-key-function will have issues too.

sbel314 commented 4 years ago

Correct. md5 is not allowed on a FIPS machine so I agree that we'll see multiple issues getting hit across the codebase. SHA256 is an acceptable hashing algorithm if we can make it an alternate option.

jeysal commented 4 years ago

TBH I don't even see a reason to make it an alternate option, it can be the hashing algorithm for everything, it's pretty fast these days as well.

sbel314 commented 4 years ago

That works too.

woocash19 commented 3 years ago

Is there any plan to fix this issue soon?

akisma commented 3 years ago

About to dig in and fix this up, want to make sure I'm not re-inventing the wheel/it hasn't been fixed elsewhere. Is this still a need? (It's definitely a need for a project of mine and I have access to a FIPS environment.)

SimenB commented 3 years ago

PR very much welcome 🙂

Ideally we'd be able to run CI on such an environment (if not the full CI at least some sort of smoke test), but I have no idea if GH actions (or others) provide such a thing

akisma commented 3 years ago

same - how would I find out? o.0

SimenB commented 3 years ago

I guess one option is to have our own Dockerfile with FIPS enabled (e.g. porting https://github.com/legrego/docker-node-fips/blob/master/Dockerfile) and then our own action (https://docs.github.com/en/actions/creating-actions/creating-a-docker-container-action specifically "Example using a private action")?

I have no idea if that container would actually run under FIPS or if that requires the underlying OS to use it as well? Just building that docker image and trying to use the md5 hash is probably a good test for that
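An added example (not part of the original comment, and not Jest code) of the probe suggested above: it reports what `crypto.getFips()` says and whether `createHash('md5')` is actually refused while `sha256` still works. The function names `probeHash` and `fipsReport` are hypothetical.

```javascript
// Added example: smoke probe for a Node.js runtime that is supposed to be in FIPS mode.
const crypto = require('node:crypto');

// Try to build and use a digest. OpenSSL rejects a disallowed algorithm
// when createHash() is called, so the failure surfaces as an exception.
function probeHash(algorithm) {
  try {
    const digest = crypto.createHash(algorithm).update('fips-probe').digest('hex');
    return { algorithm, ok: true, digestLength: digest.length };
  } catch (err) {
    return { algorithm, ok: false, error: err.message };
  }
}

// Compare what the runtime claims with what it actually allows.
function fipsReport(algorithms = ['md5', 'sha256']) {
  const results = algorithms.map(probeHash);
  const byName = Object.fromEntries(results.map((r) => [r.algorithm, r.ok]));
  return {
    fipsFlag: crypto.getFips(), // 1 when a FIPS provider is in use, 0 otherwise
    results,
    // The image is only a useful FIPS test bed if md5 is refused there
    // while sha256 keeps working.
    enforcesFips: byName.md5 === false && byName.sha256 === true,
  };
}

console.log(JSON.stringify(fipsReport(), null, 2));
```

Run it as the container's command; a CI step can fail the job when `enforcesFips` is false, which would mean the image is not exercising the md5 code path the way a FIPS host does.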

akisma commented 3 years ago

Ok, sounds good. I have a FIPS environment I can test in, also.

Another question... what are the most comprehensive actions I could run in order to ensure everything works as before? I'm assuming this, while in most cases a minor code change, will touch many, many pieces of the codebase.

SimenB commented 3 years ago

Just running all the tests (yarn jest in root) should be fine as we have quite thorough e2e tests. I'd start by just making a single test work (e.g. yarn jest packages/jest-diff/src/__tests__/diff.test.ts) and once any basic tests pass move on to the snapshot and coverage tests (yarn jest snapshot and yarn jest coverage (or even yarn jest coverage snapshot for a single run) will pick up all of them). After that I think just running everything is a good idea 🙂

akisma commented 3 years ago

perfect, thanks!

dvazquez1027 commented 2 years ago

Has there been any progress on fixing this issue?

SimenB commented 2 years ago

https://twitter.com/slicknet/status/782274190451671040

shawnweeks commented 2 years ago

I might be able to take care of this. Changing md5 to sha256 in all the calls to createHash seems to be sufficient to make Jest work on a FIPS machine. I'll need to review all the changes and make sure there are no unintended side effects.

As far as getting a FIPS machine to test on, all you have to do is install Rocky 8 in a VM and enable FIPS.
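An added example (not from this thread or from the Jest code base) of auditing source text for `createHash` calls that a FIPS runtime would reject, which is the review step the md5-to-sha256 change calls for. The sample files are constructed, and the approved list assumes the SHA-1, SHA-2 and SHA-3 digests of FIPS 180-4 and FIPS 202.

```javascript
// Added example: flag createHash() calls whose literal algorithm is not FIPS-approved.
// Assumption: approved digests are SHA-1, SHA-2 and SHA-3 (FIPS 180-4, FIPS 202).
const APPROVED = /^(sha1|sha-?(224|256|384|512)|sha512-(224|256)|sha3-(224|256|384|512))$/i;

// Matches createHash('algo'), createHash("algo") and createHash(`algo`).
// A variable argument (createHash(algo)) is not resolved and needs manual review.
const CALL = /createHash\(\s*(['"`])([^'"`]+)\1/g;

function auditSource(fileName, source) {
  const findings = [];
  source.split('\n').forEach((line, index) => {
    for (const match of line.matchAll(CALL)) {
      const algorithm = match[2];
      if (!APPROVED.test(algorithm)) {
        findings.push({ file: fileName, line: index + 1, algorithm });
      }
    }
  });
  return findings;
}

// Constructed sample input: one md5 call of the kind reported in this issue,
// and one call already using sha256.
const SAMPLE_FILES = {
  'sample/normalize.js': [
    "const {createHash} = require('crypto');",
    "const name = createHash('md5').update(rootDir).digest('hex');",
  ].join('\n'),
  'sample/cache-key.js': [
    "const crypto = require('crypto');",
    "const key = crypto.createHash('sha256').update(src).digest('hex');",
  ].join('\n'),
};

function auditAll(files) {
  return Object.entries(files).flatMap(([name, src]) => auditSource(name, src));
}

console.log(auditAll(SAMPLE_FILES));
```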

darmbrust commented 2 years ago

Not sure what has happened to all of the folks above that were going to look at this, but here is a basic PR. https://github.com/facebook/jest/pull/12722

Note that babel-loader is also broken https://github.com/babel/babel-loader/issues/910 - I'll make a PR for this shortly.... and v8flags was too https://github.com/gulpjs/v8flags/issues/56 - the dependencies for this need to be updated to get the latest version.

At least, those were two other projects that I had in the dependency stack around jest that were failing on a fips system.

I'm not a node developer... please adjust the patch to fit your needs.

SimenB commented 2 years ago

Landed #12722 which will be out in Jest 28 (possibly today, maybe tomorrow). As mentioned there, I'm unable to find a way to actually test this, but hopefully it keeps working! If anyone knows how to run tests on a FIPS machine, any help would be appreciated to ensure we don't regress 🙂

SimenB commented 2 years ago

Jest 28 is out if people missed it. Would love to hear if it works in FIPS envs?

darmbrust commented 2 years ago

I just tested it in our env, and it works for my use cases :) Thanks for merging so quickly.

SimenB commented 2 years ago

Great, thanks! Would be great to run unit tests as well, but I guess we can close for now 👍

github-actions[bot] commented 2 years ago

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. Please note this issue tracker is not a help forum. We recommend using StackOverflow or our discord channel for questions.