fix(docs): add security note to hashKey

zkat · Mar 2, 2017 · 03f81ba · 03f81ba
1 parent 45997d8
commit 03f81ba
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/lib/entry-index.js b/lib/entry-index.js
@@ -185,12 +185,20 @@ function bucketPath (cache, key) {
 
 module.exports._hashKey = hashKey
 function hashKey (key) {
-  // sha1 conflicts can be generated, but it doesn't matter in this case,
+  // NOTE (SECURITY)
+  //
+  // `sha1` conflicts can be generated, but it doesn't matter in this case,
   // since we intend for there to be regular conflicts anyway. You can have
   // the entire cache in a single bucket and all that'll do is just make a big
   // file with a lot of contention, if you can even pull it off in the `key`
   // string. So whatever. `sha1` is faster and it doesn't trigger the warnings
   // `md5` tends to (yet?...).
+  //
+  // Not to mention, that in the case of pacote/npm, the amount of control
+  // anyone would have over this key is so minimal that it's incredibly
+  // unlikely that they could intentionally generate a large number of
+  // conflicts just with a package key such that they'd do anything resembling
+  // a hash flood DOS.
   return crypto
   .createHash('sha1')
   .update(key.toLowerCase()) // lump case-variant keys into same bucket.