Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

FIX: [CodeQL: SM02196] Weak cryptography in TrackingConfigHashAlgorithm.cs #5065

Open
wants to merge 6 commits into
base: master
Choose a base branch
from
Open

FIX: [CodeQL: SM02196] Weak cryptography in TrackingConfigHashAlgorithm.cs #5065

wants to merge 6 commits into from

Conversation

MantavyaDh
Copy link
Contributor

@MantavyaDh MantavyaDh commented Dec 18, 2024
edited
Loading

Context

In TrackingConfigHashAlgorithm.cs, SHA1 was being used to compute the hashKey, which is used to identify the tracking config file in the agent system and hence the workspace identifier.

Change Description

The PR addresses the CodeQL warning of using a weak hash algortihm by replacing it with SHA256 based on the recommendations - SM02196

Also it updates the existing Unit Tests with the updated hash values from the new algorithm.

The PR also introduces a new dynamic Feature Flag (UseSha256InComputeHash) in case we want to rollback.

Validations

  • Locally debugged the agent and checked that the new hashes are being generated from the SHA256 algorithm.
  • Verified that the tracking config file has the new hash in azure-pipelines-agent_layout\win-x64_work\SourceRootMapping\collectionID\definitionID
  • Ran the unit and functional tests.
  • Validated the functionality of Feature Flag by turning its state on and off, on devfabric.

@MantavyaDh
Copy link
Contributor Author

@MantavyaDh please read the following Contributor License Agreement(CLA). If you agree with the CLA, please reply with the following information.

@microsoft-github-policy-service agree [company="{your company}"]

Options:

  • (default - no company specified) I have sole ownership of intellectual property rights to my Submissions and I am not making Submissions in the course of work for my employer.
@microsoft-github-policy-service agree
  • (when company given) I am making Submissions in the course of work for my employer (or my employer has intellectual property rights in my Submissions by contract or applicable law). I have permission from my employer to make Submissions and enter into this Agreement on behalf of my employer. By signing below, the defined term “You” includes me and my employer.
@microsoft-github-policy-service agree company="Microsoft"

Contributor License Agreement

@microsoft-github-policy-service agree company="Microsoft"

@MantavyaDh MantavyaDh added the bug label Dec 18, 2024
@MantavyaDh MantavyaDh marked this pull request as ready for review December 20, 2024 12:09
@MantavyaDh MantavyaDh requested review from a team as code owners December 20, 2024 12:09
@MantavyaDh MantavyaDh requested a review from a team as a code owner February 4, 2025 09:33
tarunramsinghani
tarunramsinghani reviewed Feb 4, 2025
View reviewed changes
src/Agent.Worker/Build/TrackingConfigHashAlgorithm.cs
}
else
{
using (SHA1 SHA1 = SHA1.Create())
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just realized if we have this code still here, the CODE QL warning will still be present. will need to take exception for this to resolve the CODQL warning.

DergachevE
DergachevE reviewed Feb 4, 2025
View reviewed changes
src/Agent.Sdk/Knob/AgentKnobs.cs
new PipelineFeatureSource("UseSha256InComputeHash"),
new RuntimeKnobSource("AGENT_USE_SHA256_IN_COMPUTE_HASH"),
new EnvironmentKnobSource("AGENT_USE_SHA256_IN_COMPUTE_HASH"),
new BuiltInDefaultKnobSource("true"));
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it safe to have it true by default?

src/Agent.Worker/Build/TrackingConfigHashAlgorithm.cs
hexString.Append(data[i].ToString("x2"));
}
byte[] data = sha256Hash.ComputeHash(Encoding.UTF8.GetBytes(hashInput));
StringBuilder hexString = new StringBuilder();
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nitpick: var

src/Agent.Worker/Build/TrackingConfigHashAlgorithm.cs
using (SHA1 SHA1 = SHA1.Create())
{
byte[] data = SHA1.ComputeHash(Encoding.UTF8.GetBytes(hashInput));
StringBuilder hexString = new StringBuilder();
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nitpick: var

src/Agent.Worker/Build/TrackingConfigHashAlgorithm.cs
hexString.Append(data[i].ToString("x2"));
}
byte[] data = sha256Hash.ComputeHash(Encoding.UTF8.GetBytes(hashInput));
StringBuilder hexString = new StringBuilder();
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This part is identical to the same in else
The only difference I see is how data is filled based on hash function used

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@DergachevE DergachevE DergachevE left review comments

@tarunramsinghani tarunramsinghani tarunramsinghani left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@MantavyaDh @tarunramsinghani @DergachevE