fix(transformations): compute empty md5 and sha1 digests lazily#1629
fix(transformations): compute empty md5 and sha1 digests lazily#1629jspdown wants to merge 1 commit into
Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (2)
📝 WalkthroughWalkthroughTwo transformation files ( ChangesLazy sync.Once digest initialization
Estimated code review effort🎯 2 (Simple) | ⏱️ ~5 minutes 🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #1629 +/- ##
==========================================
- Coverage 87.66% 87.57% -0.09%
==========================================
Files 178 178
Lines 9134 9136 +2
==========================================
- Hits 8007 8001 -6
- Misses 858 866 +8
Partials 269 269
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
M4tteoP
left a comment
There was a problem hiding this comment.
Thanks for raising this. Overall looks good to me, but I get that this fixes it just at startup time. At runtime, if md5 or sha1 are used, it would still lead to a panic. Should we explore some other options, returning a more graceful error if that happens?
|
@M4tteoP I think that is a correct assumption, I think a. the best is to hardcode the value and b. we should support |
|
Thanks for the feedback. This PR could indeed go further and allow using Coraza with the
The As you mentioned, a solution could be to simply return an error if To verify that we satisfy FIPS 140-3 constrains we could add a new test target: GODEBUG=fips140=only go test ./...
GODEBUG=fips140=only go test ./testing/coreruleset This will report any violation with a panic or a failing test. |
The
md5andsha1transformations compute the digest of an empty input in aninitfunction. As a result, a binary built withGODEBUG=fips140=onlypanics at startup as soon as the package is imported, because MD5 and SHA-1 are not allowed in that mode, even when the transformation is never used. This change computes the empty digest lazily with async.Onceinstead of ininit, so importing the package no longer panics when these transformations are not exercised. Normal usage is unchanged.Summary by CodeRabbit