'sha1' hash algorithm used at index.js is unsafe
dcamacho10 opened this issue · comments
The hashing algorithm used, sha1, has been found by researchers to be unsafe for protecting sensitive data with today's technology.
// hash
return crypto
.createHash('sha1')
.update(str, 'utf8')
.digest('hex')
My vulnerabilities scans are getting this, is there any plan to solve it?
Hey! 👋 What type of attack vector are you concerned about based on how session uses sha1 to serialize and check for data integrity in a session during the req/res cycle?
Hi! thanks for the quick answer,
Regarding the type of attack, those are the ones that I am concerned:
Collision Attacks
Preimage Attacks
Length Extension Attacks
Cryptanalysis Advances
✨: While SHA1 is considered insecure for cryptographic uses, its use in this codebase does not present a security risk. The hash is used internally by the server for the purpose of checking if the session object has changed, and is not exposed in a way that would allow it to be exploited by an attacker.