Unleash/unleash

FIPS Compatibility - gravatar-url removal / update / replacement to correct md5 usage

TGPSKI opened this issue · 6 comments

TGPSKI commented

Describe the feature request

The imported gravatar-url package uses md5 hash method (unsupported in FIPS environments), which prevents Unleash from running where FIPS is enforced.

# package.json

"gravatar-url": "^3.1.0"

There's a set of nested dependencies through sindresorhus repos; you have to follow unleash -> gravatar-url -> md5-hex to actually get a crypto module change.

Background

https://en.gravatar.com/site/implement/hash/
https://github.com/sindresorhus/md5-hex/blob/main/index.js
aws/constructs#272

This problem is easy to fix in python. I can't find the same option to specify non-cryptographic use cases in node.

Solution suggestions

Thanks for bringing this to our attention.

I see the easiest path forward as inlining the "generateGravatar" function into the unleash code base. There is no compelling reason to use a library for this, as it basically is a simple md5 of the email. It feels a bit like an unnecessary workaround to please the "FIPS" requirements. I am not sure if there is any way at all to flag this module as safe, as it does not contribute to any cryptographic activities.

Next steps:

  1. Inline the generateGravatar(email) as a util function, using the md5 package instead of node built in module (src)
  2. Write a few tests for it.

Any takers?

Hi, is the issue still open?

That's great! I would like to work on this issue. Can you please assign this issue to me?

Next steps:

  1. Inline the generateGravatar(email) as a util function, using the md5 package instead of node built in module (src)
  2. Write a few tests for it.

Any takers?

So can you please guide me? I understand that I have to implement md5 hashing:

  1. But where should I implement it?
  2. And what test cases are expected to be implemented?

@mahimairaja - I'd look at src/lib/util/generateImageUrl.ts, replacing the gravatar-url call with an inline private function.

Then add some tests confirming that you generate valid URLs with the query parameters, preferably in src/lib/util/generateImageUrl.test.ts.
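As an added illustration of the inlined helper the thread proposes (example code, not Unleash's own generateImageUrl.ts and not from anyone in this issue), here is a self-contained JavaScript version. It carries its own MD5 (RFC 1321) in plain JavaScript, which is what swapping to a pure-JS `md5` package achieves: nothing goes through `node:crypto`, whose `createHash('md5')` throws when Node runs with FIPS enforced. The function names, the default query parameters (size 42, `retro` fallback, rating `g`) and the trim-and-lowercase normalisation are assumptions taken from the Gravatar hashing docs linked above, not claims about Unleash's real settings. It runs under node alone (Buffer and URLSearchParams are globals).

```javascript
'use strict';

// Per-step left-rotation amounts from RFC 1321.
const S = [
  7, 12, 17, 22, 7, 12, 17, 22, 7, 12, 17, 22, 7, 12, 17, 22,
  5, 9, 14, 20, 5, 9, 14, 20, 5, 9, 14, 20, 5, 9, 14, 20,
  4, 11, 16, 23, 4, 11, 16, 23, 4, 11, 16, 23, 4, 11, 16, 23,
  6, 10, 15, 21, 6, 10, 15, 21, 6, 10, 15, 21, 6, 10, 15, 21,
];
// The 64 additive constants T[i] = floor(abs(sin(i + 1)) * 2^32), hard-coded from the RFC.
const K = [
  0xd76aa478, 0xe8c7b756, 0x242070db, 0xc1bdceee,
  0xf57c0faf, 0x4787c62a, 0xa8304613, 0xfd469501,
  0x698098d8, 0x8b44f7af, 0xffff5bb1, 0x895cd7be,
  0x6b901122, 0xfd987193, 0xa679438e, 0x49b40821,
  0xf61e2562, 0xc040b340, 0x265e5a51, 0xe9b6c7aa,
  0xd62f105d, 0x02441453, 0xd8a1e681, 0xe7d3fbc8,
  0x21e1cde6, 0xc33707d6, 0xf4d50d87, 0x455a14ed,
  0xa9e3e905, 0xfcefa3f8, 0x676f02d9, 0x8d2a4c8a,
  0xfffa3942, 0x8771f681, 0x6d9d6122, 0xfde5380c,
  0xa4beea44, 0x4bdecfa9, 0xf6bb4b60, 0xbebfbc70,
  0x289b7ec6, 0xeaa127fa, 0xd4ef3085, 0x04881d05,
  0xd9d4d039, 0xe6db99e5, 0x1fa27cf8, 0xc4ac5665,
  0xf4292244, 0x432aff97, 0xab9423a7, 0xfc93a039,
  0x655b59c3, 0x8f0ccc92, 0xffeff47d, 0x85845dd1,
  0x6fa87e4f, 0xfe2ce6e0, 0xa3014314, 0x4e0811a1,
  0xf7537e82, 0xbd3af235, 0x2ad7d2bb, 0xeb86d391,
];

function rotl(x, n) {
  return ((x << n) | (x >>> (32 - n))) >>> 0;
}

// Pure-JS MD5 of a string (UTF-8) or Buffer, returned as lowercase hex.
// Used here only to derive a public identifier, never as a security control.
function md5Hex(input) {
  const msg = Buffer.isBuffer(input) ? input : Buffer.from(String(input), 'utf8');
  // Pad: 0x80, zeros up to 56 mod 64, then the 64-bit little-endian bit length.
  const padLen = (Math.floor((msg.length + 8) / 64) + 1) * 64;
  const buf = Buffer.alloc(padLen);
  msg.copy(buf);
  buf[msg.length] = 0x80;
  const bitLen = msg.length * 8;
  buf.writeUInt32LE(bitLen >>> 0, padLen - 8);
  buf.writeUInt32LE(Math.floor(bitLen / 0x100000000), padLen - 4);

  let a0 = 0x67452301, b0 = 0xefcdab89, c0 = 0x98badcfe, d0 = 0x10325476;
  const M = new Array(16);
  for (let off = 0; off < padLen; off += 64) {
    for (let j = 0; j < 16; j++) M[j] = buf.readUInt32LE(off + j * 4);
    let a = a0, b = b0, c = c0, d = d0;
    for (let i = 0; i < 64; i++) {
      let f, g;
      if (i < 16) { f = (b & c) | (~b & d); g = i; }
      else if (i < 32) { f = (d & b) | (~d & c); g = (5 * i + 1) % 16; }
      else if (i < 48) { f = b ^ c ^ d; g = (3 * i + 5) % 16; }
      else { f = c ^ (b | ~d); g = (7 * i) % 16; }
      f = ((f >>> 0) + a + K[i] + M[g]) >>> 0;
      a = d; d = c; c = b;
      b = (b + rotl(f, S[i])) >>> 0;
    }
    a0 = (a0 + a) >>> 0; b0 = (b0 + b) >>> 0; c0 = (c0 + c) >>> 0; d0 = (d0 + d) >>> 0;
  }
  const out = Buffer.alloc(16);
  out.writeUInt32LE(a0, 0); out.writeUInt32LE(b0, 4);
  out.writeUInt32LE(c0, 8); out.writeUInt32LE(d0, 12);
  return out.toString('hex');
}

// Gravatar's documented normalisation: trim whitespace, lowercase, then md5.
function gravatarHash(email) {
  return md5Hex(email.trim().toLowerCase());
}

// Assumed defaults (size 42, "retro" fallback, rating "g"); not Unleash's actual values.
function generateImageUrl(email, { size = 42, fallback = 'retro', rating = 'g' } = {}) {
  const params = new URLSearchParams({ s: String(size), d: fallback, r: rating });
  return `https://www.gravatar.com/avatar/${gravatarHash(email)}?${params.toString()}`;
}

module.exports = { md5Hex, gravatarHash, generateImageUrl };
```

The tests worth writing for the inlined helper are the RFC 1321 vectors for the hash itself (the empty string, "abc", and the 80-digit string that forces a second block) plus the Gravatar docs' own example, MyEmailAddress@example.com, which must normalise to 0bc83cb571cd1c50ba6f3e8a78ef1346, and an assertion on the exact query string. One caveat: a pure-JS MD5 sidesteps the platform's FIPS restriction rather than satisfying it, which is defensible only because the input is a non-secret email and the output is a public lookup key; if a deployment's FIPS policy objects even to that, the alternative is to drop Gravatar rather than hide the hash.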