SHA-1 is not collision-resistant, which makes it easier for context-dependent attackers to conduct tampering attacks and alter the checksum, which in turn makes it possible to alter the file being uploaded itself. For a long time, it has been possible "to find collisions for SHA1 and that thus it is not secure to use for digital signatures, file integrity, and file identification purposes". See: https://arstechnica.com/information-technology/2017/02/at-deaths-door-for-years-widely-used-sha1-function-is-now-dead/
Thanks for reporting. I'm aware of the issues with sha1 for security purposes but in this case the checksum is only used for verification of chunks sent by the client to make sure it has not been corrupted in transfer. The tus spec requires us to have support for sha1:
The Server MUST support at least the SHA1 checksum algorithm identified by sha1
To be able to use this as an exploit one would have to generate a sha1 that is broken for the exact chunk of the file being transferred by the client which I find unlikely. Adding support for sha256 and sha512 is not a big deal but in my experience very few clients use this feature.
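The reply above describes the tus checksum extension: the client sends each chunk together with an `Upload-Checksum` header of the form `<algorithm> <base64 digest>`, and the server recomputes the digest over the received bytes to detect corruption in transfer. The following is an added example written for this thread, not code from tusdotnet; it parses that header, accepts sha1 (which the spec mandates) alongside the stronger sha256 and sha512 the comment proposes, and lets a deployment narrow the accepted set. The function names and the constructed sample chunk are assumptions of this example.

```python
import base64
import hashlib
import hmac

# Algorithms the example server accepts. The tus spec requires sha1 support;
# sha256 and sha512 are the additions discussed in the thread.
SUPPORTED_ALGORITHMS = ("sha1", "sha256", "sha512")


def parse_upload_checksum(header_value: str) -> tuple[str, bytes]:
    """Parse a tus Upload-Checksum header value: "<algorithm> <base64 digest>".

    Rejects unknown algorithms, malformed base64 and digests whose length does
    not match the algorithm, so a bad header never reaches the comparison.
    """
    parts = header_value.strip().split(" ")
    if len(parts) != 2:
        raise ValueError("malformed Upload-Checksum header")
    algorithm, encoded = parts
    algorithm = algorithm.lower()
    if algorithm not in SUPPORTED_ALGORITHMS:
        raise ValueError(f"unsupported checksum algorithm: {algorithm}")
    try:
        digest = base64.b64decode(encoded, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("checksum is not valid base64") from exc
    expected_len = hashlib.new(algorithm).digest_size
    if len(digest) != expected_len:
        raise ValueError(
            f"{algorithm} digest must be {expected_len} bytes, got {len(digest)}"
        )
    return algorithm, digest


def verify_chunk(chunk: bytes, header_value: str,
                 allowed: tuple[str, ...] = SUPPORTED_ALGORITHMS) -> bool:
    """Return True if the chunk's digest matches the claimed checksum.

    `allowed` is a deployment knob: a server that wants to refuse sha1 from
    its clients can pass ("sha256", "sha512") here. The comparison is
    constant-time so the check does not leak how many bytes matched.
    """
    algorithm, claimed = parse_upload_checksum(header_value)
    if algorithm not in allowed:
        raise ValueError(f"checksum algorithm not permitted by policy: {algorithm}")
    actual = hashlib.new(algorithm, chunk).digest()
    return hmac.compare_digest(actual, claimed)


def make_upload_checksum(algorithm: str, chunk: bytes) -> str:
    """Build the header a tus client would send for a chunk (client side)."""
    digest = hashlib.new(algorithm, chunk).digest()
    return f"{algorithm} {base64.b64encode(digest).decode('ascii')}"


if __name__ == "__main__":
    # Constructed sample chunk, not captured traffic.
    chunk = b"PATCH body bytes of one upload chunk"
    header = make_upload_checksum("sha256", chunk)
    print(header)
    print("intact chunk verifies:", verify_chunk(chunk, header))
    print("corrupted chunk verifies:", verify_chunk(chunk + b"\x00", header))
```

The length check in `parse_upload_checksum` matters more than it looks: without it a truncated or empty digest would still be handed to the comparison, and an implementation that compared only as many bytes as the client supplied would accept it.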
Also:
https://www.cvedetails.com/cve/CVE-2005-4900/
https://cwe.mitre.org/data/definitions/328.html
Finding:
- https://github.com/tusdotnet/tusdotnet/blob/ca23bdd88f5b63545c6fb9c2ed18b12984da3078/Source/tusdotnet/Extensions/Internal/FileStreamExtensions.cs
- tusdotnet/Source/tusdotnet/Stores/TusDiskStore.cs, line 190 in ca23bdd
- tusdotnet/Source/tusdotnet/Interfaces/ITusChecksumStore.cs, line 17 in 3d933e5
- tusdotnet/Source/tusdotnet/Stores/TusDiskStore.cs, line 248 in 2fdded4
- https://github.com/tusdotnet/tusdotnet/blob/c3f6f93bd3f0c76a5fd6572835a8d0f5f15909db/Source/tusdotnet/Helpers/ChecksumTrailerHelper.cs
- tusdotnet/Source/tusdotnet/Helpers/ChecksumTrailerHelper.cs, line 15 in c3f6f93