Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

FIX: [CodeQL: SM02196] Weak cryptography in TrackingConfigHashAlgorithm.cs #5065

Open
wants to merge 11 commits into
base: master
Choose a base branch
from
Open

FIX: [CodeQL: SM02196] Weak cryptography in TrackingConfigHashAlgorithm.cs #5065

wants to merge 11 commits into from

Conversation

MantavyaDh
Copy link
Contributor

@MantavyaDh MantavyaDh commented Dec 18, 2024
edited
Loading

Context

In TrackingConfigHashAlgorithm.cs, SHA1 was being used to compute the hashKey, which is used to identify the tracking config file in the agent system and hence the workspace identifier.

Change Description

The PR addresses the CodeQL warning of using a weak hash algortihm by replacing it with SHA256 based on the recommendations - SM02196

Also it updates the existing Unit Tests with the updated hash values from the new algorithm.

The PR also introduces a new dynamic Feature Flag (UseSha256InComputeHash) in case we want to rollback.

Validations

  • Locally debugged the agent and checked that the new hashes are being generated from the SHA256 algorithm.
  • Verified that the tracking config file has the new hash in azure-pipelines-agent_layout\win-x64_work\SourceRootMapping\collectionID\definitionID
  • Ran the unit and functional tests.
  • Validated the functionality of Feature Flag by turning its state on and off, on devfabric.

@MantavyaDh
Copy link
Contributor Author

@MantavyaDh please read the following Contributor License Agreement(CLA). If you agree with the CLA, please reply with the following information.

@microsoft-github-policy-service agree [company="{your company}"]

Options:

  • (default - no company specified) I have sole ownership of intellectual property rights to my Submissions and I am not making Submissions in the course of work for my employer.
@microsoft-github-policy-service agree
  • (when company given) I am making Submissions in the course of work for my employer (or my employer has intellectual property rights in my Submissions by contract or applicable law). I have permission from my employer to make Submissions and enter into this Agreement on behalf of my employer. By signing below, the defined term “You” includes me and my employer.
@microsoft-github-policy-service agree company="Microsoft"

Contributor License Agreement

@microsoft-github-policy-service agree company="Microsoft"

@MantavyaDh MantavyaDh added the bug label Dec 18, 2024
@MantavyaDh MantavyaDh marked this pull request as ready for review December 20, 2024 12:09
@MantavyaDh MantavyaDh requested review from a team as code owners December 20, 2024 12:09
@MantavyaDh MantavyaDh requested a review from a team as a code owner February 4, 2025 09:33
tarunramsinghani
tarunramsinghani reviewed Feb 13, 2025
View reviewed changes
src/Test/L0/Worker/Build/TrackingConfigL0.cs
@@ -99,7 +103,14 @@ public void TrackingConfig_ctor_should_fill_in_fields_correctly()
Assert.Equal(DefinitionName, config.DefinitionName);
Assert.Equal(3, config.FileFormatVersion);
Assert.Equal(null, config.FileLocation);
Assert.Equal("ea7c71421cca06c927f73627b66d6b4f4c3a5f4a", config.HashKey);
if (useSha256)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How is this being tested for both configurations ? i.e. UseSha256InComputeHash is off and when it is on.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The variable useSha256 will capture the value of knob, and then we compare with the respective hash value

tarunramsinghani
tarunramsinghani reviewed Feb 13, 2025
View reviewed changes
src/Test/L0/Worker/Build/TrackingConfigHashAlgorithmL0.cs

// Make sure that different coll creates different hash
Assert.Equal("2a41800cd3e7f5983a7643698f67104ed95101f3", TrackingConfigHashAlgorithm.ComputeHash("FFFA5D79-7735-49E3-87DA-02E76CF8D03A", definitionId, new[] { repo1 }));
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we keep old ones as well instead of replacing.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tarunramsinghani tarunramsinghani tarunramsinghani approved these changes

@DergachevE DergachevE DergachevE left review comments

Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@MantavyaDh @tarunramsinghani @DergachevE