From c9e2be52a067dd9abf5efa4f5f55bb5b98cf5d3b Mon Sep 17 00:00:00 2001
From: Alex Eagle
Date: Mon, 25 Jan 2021 06:21:38 -0800
Subject: [PATCH] Add SHA-1 to subresource integrity format for download() checksums

npm packages commonly still use SHA-1. While it may be discouraged for its poor security, Bazel cannot enforce what external ecosystems currently do.

I tested this locally against a feature we are working on in rules_nodejs.

Closes #12777.

PiperOrigin-RevId: 353633120
---
 .../build/lib/bazel/repository/downloader/Checksum.java | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/main/java/com/google/devtools/build/lib/bazel/repository/downloader/Checksum.java b/src/main/java/com/google/devtools/build/lib/bazel/repository/downloader/Checksum.java
index 0c992bf4c80d0b..0e3e9e005ed0b5 100644
--- a/src/main/java/com/google/devtools/build/lib/bazel/repository/downloader/Checksum.java
+++ b/src/main/java/com/google/devtools/build/lib/bazel/repository/downloader/Checksum.java
@@ -43,6 +43,11 @@ public static Checksum fromSubresourceIntegrity(String integrity) {
 byte[] hash = null;
 int expectedLength = 0;
+ if (integrity.startsWith("sha1-")) {
+ keyType = KeyType.SHA1;
+ expectedLength = 20;
+ hash = decoder.decode(integrity.substring(5));
+ }
 if (integrity.startsWith("sha256-")) {
 keyType = KeyType.SHA256;
 expectedLength = 32;
@@ -63,7 +68,7 @@ public static Checksum fromSubresourceIntegrity(String integrity) {
 throw new IllegalArgumentException(
 "Unsupported checksum algorithm: '"
 + integrity
- + "' (expected SHA-256, SHA-384, or SHA-512)");
+ + "' (expected SHA-1, SHA-256, SHA-384, or SHA-512)");
 }
 if (hash.length != expectedLength) {
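Review bot: The new `sha1-` branch in the first hunk accepts a collision-weak digest without recording that limitation anywhere in the code, and the message change in the second hunk now lists SHA-1 as an "expected" algorithm on equal footing with SHA-256/384/512, so the rationale given in the commit message will be invisible to the next reader of `Checksum.java`. A short comment on the branch would keep that rationale with the code, e.g. `// Accepted because npm registries still publish sha1 integrity values. SHA-1 is collision-weak: this guards against corruption and substitution of a fixed artifact, not against a publisher able to craft colliding packages; prefer sha512 when the ecosystem provides it.` It may also be worth emitting a warning when a SHA-1 integrity value is matched so users can see which downloads depend on it, though whether the downloader has a suitable reporting path is not visible from this hunk. `KeyType.SHA1` is referenced but not defined in the diff, so it is presumably an existing enum constant. `fromSubresourceIntegrity` begins before the first hunk and continues after the second.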