mirror of
https://github.com/koala73/worldmonitor.git
synced 2026-04-25 17:14:57 +02:00
4cc99629be
- CVE-1: search-gdelt-documents — add 500-char query cap + SHA-256 hash for cache key (was raw user input, no length limit) - CVE-2: get-country-intel-brief — replace FNV-1a hashString() with sha256Hex() for attacker-controlled context param - BONUS: summary-cache-key — remove .slice(0,6) truncation that collapsed hash space from 2^52 to ~2.18B values - Harden: classify-event + deduct-situation — same sha256Hex() migration - Add sha256Hex() utility using crypto.subtle (Edge/Vercel/Node 18+) Reported by: Cody Richard (Sstrickys) via responsible disclosure
34 lines
1.0 KiB
TypeScript
34 lines
1.0 KiB
TypeScript
/**
|
|
* FNV-1a 52-bit hash — fast, non-cryptographic.
|
|
*
|
|
* WARNING: Do NOT use for cache keys derived from attacker-controlled input.
|
|
* Use sha256Hex() instead for any server-side cache key with user input.
|
|
* Retained for client-side non-security contexts (e.g. vector-db dedup).
|
|
*/
|
|
export function hashString(input: string): string {
|
|
let h = 0xcbf29ce484222325n;
|
|
const FNV_PRIME = 0x100000001b3n;
|
|
const MASK_52 = (1n << 52n) - 1n;
|
|
|
|
for (let i = 0; i < input.length; i++) {
|
|
h ^= BigInt(input.charCodeAt(i));
|
|
h = (h * FNV_PRIME) & MASK_52;
|
|
}
|
|
|
|
return Number(h).toString(36);
|
|
}
|
|
|
|
/**
|
|
* SHA-256 hex digest via Web Crypto (available in Edge/Vercel/Node 18+).
|
|
* Use for all server-side cache keys derived from user-controlled input.
|
|
*/
|
|
export async function sha256Hex(input: string): Promise<string> {
|
|
const buf = await crypto.subtle.digest(
|
|
'SHA-256',
|
|
new TextEncoder().encode(input),
|
|
);
|
|
return Array.from(new Uint8Array(buf))
|
|
.map(b => b.toString(16).padStart(2, '0'))
|
|
.join('');
|
|
}
|