expressjs / session

Simple session middleware for Express


'sha1' hash algorithm used at index.js is unsafe

dcamacho10 opened this issue · comments

The hashing algorithm used, sha1, has been found by researchers to be unsafe for protecting sensitive data with today's technology.

const crypto = require('crypto')

// hash: hex SHA-1 digest of the serialized session (str is the JSON string)
function hash(str) {
  return crypto
    .createHash('sha1')
    .update(str, 'utf8')
    .digest('hex')
}

My vulnerability scans are flagging this; is there any plan to solve it?

Hey! 👋 What type of attack vector are you concerned about based on how session uses sha1 to serialize and check for data integrity in a session during the req/res cycle?

Hi! thanks for the quick answer,
Regarding the type of attack, these are the ones I am concerned about:

Collision Attacks
Preimage Attacks
Length Extension Attacks
Cryptanalysis Advances

While SHA1 is considered insecure for cryptographic uses, its use in this codebase does not present a security risk. The hash is used internally by the server for the purpose of checking if the session object has changed, and is not exposed in a way that would allow it to be exploited by an attacker.