implement security recommendations from code review

mythz · mythz · commit feaa625709fe · 2026-06-10T12:03:46.000+08:00
diff --git a/ServiceStack.Text/src/ServiceStack.Text/StreamExtensions.cs b/ServiceStack.Text/src/ServiceStack.Text/StreamExtensions.cs
@@ -472,8 +472,16 @@ public static byte[] ToMd5Bytes(this Stream stream)
         return System.Security.Cryptography.MD5.Create().ComputeHash(stream);
     }
 
+    /// <summary>
+    ///  Returns the MD5 hash of the stream as a hex string.
+    ///  Do not use for passwords, tokens, or signatures.
+    /// </summary>
     public static string ToMd5Hash(this Stream stream) => ToMd5Bytes(stream).ToHex();
 
+    /// <summary>
+    ///  Returns the MD5 hash of the stream as a hex string.
+    ///  Do not use for passwords, tokens, or signatures.
+    /// </summary>
     public static string ToMd5Hash(this byte[] bytes) =>
         System.Security.Cryptography.MD5.Create().ComputeHash(bytes).ToHex();
 
diff --git a/ServiceStack/src/ServiceStack/Auth/SaltedHash.cs b/ServiceStack/src/ServiceStack/Auth/SaltedHash.cs
@@ -96,15 +96,28 @@ public static string HexHash(HashAlgorithm hash, byte[] bytes)
         return bytes == null || bytes.Length == 0 ? null : _.ComputeHash(bytes).ToHex();
     }
 
+    /// <summary>
+    ///  Returns the SHA-1 hash of the string as a hex string.
+    ///  Do not use for passwords, tokens, or signatures.
+    /// </summary>
     public static string ToSha1Hash(this string value) => HexHash(TextConfig.CreateSha(), value);
 
+    /// <summary>
+    /// Returns the SHA-1 hash of the byte array as a hex string.
+    /// Do not use for passwords, tokens, or signatures.
+    /// </summary>
     public static byte[] ToSha1HashBytes(this byte[] bytes)
     {
         using var hash = TextConfig.CreateSha();
         return hash.ComputeHash(bytes);
     }
 
     public static string ToSha256Hash(this string value) => HexHash(SHA256.Create(), value);
+
+    /// <summary>
+    ///  Returns the MD5 hash of the stream as a hex string.
+    ///  Do not use for passwords, tokens, or signatures.
+    /// </summary>
     public static string ToMd5Hash(this string value) => HexHash(MD5.Create(), value);
 
     public static byte[] ToSha256HashBytes(this byte[] bytes)
