
SHA1 has been compromised #2640

Closed
JacksonGL opened this issue Apr 14, 2017 · 12 comments
@JacksonGL

Report of a potential security vulnerability: by default, this package uses SHA-1 (code location) for authentication, which has been compromised (link) two months ago.

@mikeal
Member

mikeal commented Apr 14, 2017

Per spec, do all other implementations have to support another hashing algorithm?

@JacksonGL
Author

No, that's why it's an opportunity to make this package safer than the other implementations. Plus SHA-1 may be deprecated in the near future if the practical attack is revealed.

@mikeal
Member

mikeal commented Apr 14, 2017

@JacksonGL my concern is that updating it would make it incompatible with those other implementations. If they don't support other hashing standards then we're breaking compatibility with those servers.

That said, we should add optional support for another hashing algorithm ASAP. At some point in the future we can consider a breaking change that would modify the default algorithm.

@JacksonGL
Author

Yes. It would be great to add such an optional support.

@jstlns

jstlns commented Jun 3, 2017

I would be fine with a major version bump to make SHA256 the default. I expect most places to move away from SHA-1 and may be forced to by security audit tools. Or find a different library.

@mikeal
Member

mikeal commented Jun 5, 2017

I had a conversation with @hueniverse (author of OAuth) about this and the threat is a little exaggerated in this specific use case.

At this point I don't think it's reasonable to change the default. I'm all for adding the option though.

@stale

stale bot commented Nov 23, 2018

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@shankarkrupa

shankarkrupa commented Jun 30, 2020

Nexus.IQ reports this as an issue sonatype-2017-0655 preventing it from deploying in highly secured environments. Please consider reopening the issue.

@ananthakumar25

As part of security analysis from Sonatype Nexus.IQ, this is a severe issue as it reports "The request package is vulnerable to Weak Authentication Algorithm. The function function in oauth.js uses SHA-1 for authentication which is no longer considered cryptographically secure." This is preventing the code promotion to a higher environment.

Could you please consider reopening this issue?

@mikeal
Member

mikeal commented Jul 1, 2020

request is deprecated and is no longer shipping new releases.

@ananthakumar25

request is deprecated and is no longer shipping new releases.

Do you have any alternate packages or versions to use?

@cyclone14

check out issue #3143

No branches or pull requests

6 participants