FIPS Compatibility - gravatar-url removal / update / replacement to correct md5 usage
TGPSKI opened this issue · 6 comments
Describe the feature request
The imported gravatar-url package uses the md5 hash method (unsupported in FIPS environments), which prevents Unleash from running where FIPS is enforced.
```
# package.json
"gravatar-url": "^3.1.0"
```
There's a set of nested dependencies through sindresorhus repos; you have to follow unleash -> gravatar-url -> md5-hex to actually get a crypto module change.
Background
https://en.gravatar.com/site/implement/hash/
https://github.com/sindresorhus/md5-hex/blob/main/index.js
aws/constructs#272
This problem is easy to fix in python. I can't find the same option to specify non-cryptographic use cases in node.
Solution suggestions
- https://www.npmjs.com/package/md5 & replace gravatar-url
- remove gravatar support (probably not popular?)
Thanks for bringing this to our attention.
I see the easiest path forward as inlining the "generateGravatar" function into the Unleash code base. There is no compelling reason to use a library for this, as it is basically a simple md5 of the email. It feels a bit like an unnecessary workaround to please the "FIPS" requirements. I am not sure if there is any way at all to flag this module as safe, as it does not contribute to any cryptographic activity.
Next steps:
- Inline the generateGravatar(email) as a util function, using the md5 package instead of the node built-in module (src)
- Write a few tests for it.
Any takers?
Hi, is the issue still open?
Yes, @mahimairaja
That's great! I would like to work on this issue. Can you please assign this issue to me?
> Next steps:
> - Inline the generateGravatar(email) as a util function, using the md5 package instead of the node built-in module (src)
> - Write a few tests for it.
> Any takers?
So can you please guide me? I understand that I have to implement md5 hashing:
- but where should I implement it?
- and what test cases are expected to be implemented?
@mahimairaja - I'd look at src/lib/util/generateImageUrl.ts, replacing gravatar-url with an inline private function.
Then add some tests confirming that you generate valid URLs with query parameters, preferably in src/lib/util/generateImageUrl.test.ts.
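The plan discussed in this thread (inline the Gravatar URL generation, hash without touching Node's built-in crypto module, and cover it with tests) is shown below as an added example. This is not Unleash's code, nor the gravatar-url or md5 packages' code: the MD5 is a plain RFC 1321 implementation in TypeScript so that nothing goes through OpenSSL, which is what refuses MD5 under FIPS mode. Gravatar's documented hashing rule is applied (trim, lowercase, md5 of the UTF-8 bytes); the host `gravatar.com`, the option names `size`/`default`/`rating`, and the helper names `md5Hex` and `generateGravatarUrl` are assumptions made for this example, not the names of the Unleash util it would replace.

```typescript
// Added example (not Unleash's or gravatar-url's code). Gravatar uses
// md5(lowercase(trim(email))) purely as a lookup key, so the digest is computed
// here in plain TypeScript rather than via Node's `crypto` module, which
// rejects MD5 when OpenSSL runs in FIPS mode.

// Per-round left-rotation amounts from RFC 1321.
const S: number[] = [
  7, 12, 17, 22, 7, 12, 17, 22, 7, 12, 17, 22, 7, 12, 17, 22,
  5, 9, 14, 20, 5, 9, 14, 20, 5, 9, 14, 20, 5, 9, 14, 20,
  4, 11, 16, 23, 4, 11, 16, 23, 4, 11, 16, 23, 4, 11, 16, 23,
  6, 10, 15, 21, 6, 10, 15, 21, 6, 10, 15, 21, 6, 10, 15, 21,
];
// Additive constants: K[i] = floor(2^32 * |sin(i + 1)|), as the RFC defines them.
const K: number[] = Array.from({ length: 64 }, (_, i) =>
  Math.floor(Math.abs(Math.sin(i + 1)) * 0x100000000),
);

const rotl = (x: number, n: number): number => ((x << n) | (x >>> (32 - n))) >>> 0;

// Hex MD5 of a string's UTF-8 encoding. Assumed helper name for this example.
function md5Hex(input: string): string {
  const bytes = new TextEncoder().encode(input);
  const bitLen = bytes.length * 8;
  // Padding: one 0x80 byte, zeros up to 56 mod 64, then the 64-bit LE bit length.
  const paddedLen = (((bytes.length + 8) >> 6) + 1) * 64;
  const buf = new Uint8Array(paddedLen);
  buf.set(bytes);
  buf[bytes.length] = 0x80;
  const view = new DataView(buf.buffer);
  view.setUint32(paddedLen - 8, bitLen >>> 0, true);
  view.setUint32(paddedLen - 4, Math.floor(bitLen / 0x100000000), true);

  let a0 = 0x67452301;
  let b0 = 0xefcdab89;
  let c0 = 0x98badcfe;
  let d0 = 0x10325476;
  const M = new Uint32Array(16);
  for (let off = 0; off < paddedLen; off += 64) {
    for (let i = 0; i < 16; i++) M[i] = view.getUint32(off + i * 4, true);
    let A = a0;
    let B = b0;
    let C = c0;
    let D = d0;
    for (let i = 0; i < 64; i++) {
      let f: number;
      let g: number;
      if (i < 16) { f = (B & C) | (~B & D); g = i; }
      else if (i < 32) { f = (D & B) | (~D & C); g = (5 * i + 1) % 16; }
      else if (i < 48) { f = B ^ C ^ D; g = (3 * i + 5) % 16; }
      else { f = C ^ (B | ~D); g = (7 * i) % 16; }
      // All arithmetic is reduced mod 2^32 with `>>> 0`; `f` may be a negative int32.
      const next = (B + rotl((A + f + K[i] + M[g]) >>> 0, S[i])) >>> 0;
      A = D; D = C; C = B; B = next;
    }
    a0 = (a0 + A) >>> 0; b0 = (b0 + B) >>> 0; c0 = (c0 + C) >>> 0; d0 = (d0 + D) >>> 0;
  }
  // Digest is the four state words serialised little-endian.
  const out = new DataView(new ArrayBuffer(16));
  [a0, b0, c0, d0].forEach((w, i) => out.setUint32(i * 4, w, true));
  return Array.from(new Uint8Array(out.buffer), (b) => b.toString(16).padStart(2, '0')).join('');
}

// Query options Gravatar documents (long-form names); which ones Unleash passes is an assumption.
interface GravatarOptions {
  size?: number;
  default?: string;
  rating?: 'g' | 'pg' | 'r' | 'x';
}

// Assumed replacement for the gravatar-url call: trim and lowercase as Gravatar's
// hashing docs require, then build the avatar URL with URL/URLSearchParams so the
// query string is encoded correctly.
function generateGravatarUrl(email: string, options: GravatarOptions = {}): string {
  const hash = md5Hex(email.trim().toLowerCase());
  const url = new URL(`https://gravatar.com/avatar/${hash}`);
  if (options.size !== undefined) url.searchParams.set('size', String(options.size));
  if (options.default !== undefined) url.searchParams.set('default', options.default);
  if (options.rating !== undefined) url.searchParams.set('rating', options.rating);
  return url.toString();
}
```

The tests worth writing for such a util are the RFC 1321 vectors (including the 80-byte one, which spans two 64-byte blocks), the worked example from Gravatar's own hashing page (`MyEmailAddress@example.com` with surrounding whitespace must hash to `0bc83cb571cd1c50ba6f3e8a78ef1346`), and the query-parameter serialisation the maintainers asked for. If the project would rather depend on the npm `md5` package than carry this implementation, the same tests apply unchanged.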