fix(common): use cryptographically secure SHA-256 for transfer cache key generation#69176

Merged
atscott merged 1 commit into
angular:22.0.xfrom
alan-agius4:sec-sha256-transfer-cache-22.0.x
Jun 5, 2026

Conversation

@alan-agius4 (Contributor) commented:
Backport of #69153 to 22.0.x branch

@pullapprove pullapprove Bot requested a review from kirjs June 5, 2026 07:05
@angular-robot angular-robot Bot added the area: common Issues related to APIs in the @angular/common package label Jun 5, 2026
@ngbot ngbot Bot added this to the Backlog milestone Jun 5, 2026
@alan-agius4 alan-agius4 requested review from JeanMeche and removed request for kirjs June 5, 2026 08:51
@alan-agius4 alan-agius4 added action: review The PR is still awaiting reviews from at least one requested reviewer target: patch This PR is targeted for the next patch release labels Jun 5, 2026
…key generation

Replace the custom 64-bit non-cryptographic combined DJB2 hashing implementation in HttpTransferCache with a robust, pure JavaScript, synchronous SHA-256 algorithm.

Using DJB2 is vulnerable to pre-image and second-preimage attacks due to its small 64-bit keyspace and mathematical simplicity. An attacker could craft colliding request inputs to poison the cache, potentially causing a CDN or the application to serve the wrong cached response to legitimate users.

SHA-256 provides strong cryptographic collision resistance, preventing cache key collision attacks. A custom synchronous implementation is required because the Web Crypto API (`crypto.subtle.digest`) is asynchronous, whereas the transfer cache state lookup and interceptor flow must operate synchronously.

Also, update the unit tests to dynamically verify the custom SHA-256 output against the native Web Crypto API.
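The commit message above makes two technical points: a 33-multiplier hash such as DJB2 lets an attacker craft colliding inputs, and SHA-256 has to be implemented synchronously in plain JavaScript because `crypto.subtle.digest` only returns a Promise. The block below is an added example written for this page, not Angular's code from #69153: it shows a trivial collision in the textbook 32-bit DJB2 (whether Angular's "combined 64-bit" variant collides on these exact inputs is not claimed, only that the weakness class is the same), a complete synchronous SHA-256 (FIPS 180-4) checked against the standard `"abc"` test vector, a hypothetical `transferCacheKey` helper whose field layout is an assumption rather than Angular's real key format, and an optional cross-check against Web Crypto in the spirit of the updated unit tests.

```javascript
// Added example for this page; not Angular's HttpTransferCache code.

// Textbook djb2 (h = h*33 + c), 32-bit. The two inputs below collide because
// 'A'*33 + 'b' == 'B'*33 + 'A' (2243 both) before any overflow even happens,
// so the collision survives at any word width, 64-bit included.
function djb2(str) {
  let h = 5381;
  for (let i = 0; i < str.length; i++) h = (h * 33 + str.charCodeAt(i)) >>> 0;
  return h;
}

// SHA-256 round constants and initial state (FIPS 180-4).
const K = [
  0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
  0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
  0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
  0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
  0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
  0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
  0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
  0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2,
];
const H0 = [0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19];

const rotr = (x, n) => (x >>> n) | (x << (32 - n));

// Synchronous SHA-256 of a UTF-8 string, returned as lowercase hex.
// All arithmetic is reduced mod 2^32 with `>>> 0`; intermediate sums stay far
// below 2^53, so plain Number arithmetic is exact before the reduction.
function sha256Hex(message) {
  const bytes = new TextEncoder().encode(message);
  const bitLen = bytes.length * 8;
  // Pad: 0x80, zeros, then 64-bit big-endian bit length, to a 64-byte multiple.
  const padLen = (bytes.length + 9 + 63) & ~63;
  const buf = new Uint8Array(padLen);
  buf.set(bytes);
  buf[bytes.length] = 0x80;
  const dv = new DataView(buf.buffer);
  dv.setUint32(padLen - 8, Math.floor(bitLen / 0x100000000));
  dv.setUint32(padLen - 4, bitLen >>> 0);

  const H = H0.slice();
  const W = new Uint32Array(64);
  for (let off = 0; off < padLen; off += 64) {
    for (let t = 0; t < 16; t++) W[t] = dv.getUint32(off + t * 4);
    for (let t = 16; t < 64; t++) {
      const s0 = rotr(W[t - 15], 7) ^ rotr(W[t - 15], 18) ^ (W[t - 15] >>> 3);
      const s1 = rotr(W[t - 2], 17) ^ rotr(W[t - 2], 19) ^ (W[t - 2] >>> 10);
      W[t] = (W[t - 16] + s0 + W[t - 7] + s1) >>> 0;
    }
    let [a, b, c, d, e, f, g, h] = H;
    for (let t = 0; t < 64; t++) {
      const S1 = rotr(e, 6) ^ rotr(e, 11) ^ rotr(e, 25);
      const ch = (e & f) ^ (~e & g);
      const T1 = (h + S1 + ch + K[t] + W[t]) >>> 0;
      const S0 = rotr(a, 2) ^ rotr(a, 13) ^ rotr(a, 22);
      const maj = (a & b) ^ (a & c) ^ (b & c);
      const T2 = (S0 + maj) >>> 0;
      h = g; g = f; f = e; e = (d + T1) >>> 0;
      d = c; c = b; b = a; a = (T1 + T2) >>> 0;
    }
    const vars = [a, b, c, d, e, f, g, h];
    for (let i = 0; i < 8; i++) H[i] = (H[i] + vars[i]) >>> 0;
  }
  return H.map((x) => x.toString(16).padStart(8, '0')).join('');
}

// Hypothetical cache-key derivation (field layout is an assumption, not
// Angular's real key format): every field that distinguishes a response is
// joined with a separator that cannot appear inside a field unescaped.
function transferCacheKey({ method, url, params = '', body = '' }) {
  const material = [method, url, params, body].map(encodeURIComponent).join('\n');
  return sha256Hex(material);
}

// Optional cross-check against the asynchronous Web Crypto digest, mirroring
// the idea of the updated unit tests. Returns null where Web Crypto is absent.
async function matchesWebCrypto(message) {
  const subtle = globalThis.crypto && globalThis.crypto.subtle;
  if (!subtle) return null;
  const digest = await subtle.digest('SHA-256', new TextEncoder().encode(message));
  const hex = Array.from(new Uint8Array(digest), (b) => b.toString(16).padStart(2, '0')).join('');
  return hex === sha256Hex(message);
}
```

`djb2("Ab")` and `djb2("BA")` return the same value, so two differently shaped request inputs would map to one cache slot, while `sha256Hex` separates them and agrees with Web Crypto on the same input. The synchronous implementation is what makes it usable inside an interceptor that must decide on a cache hit before returning.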
@alan-agius4 alan-agius4 force-pushed the sec-sha256-transfer-cache-22.0.x branch from 28f31f8 to d31f515 Compare June 5, 2026 09:27
@alan-agius4 alan-agius4 added action: merge The PR is ready for merge by the caretaker and removed action: review The PR is still awaiting reviews from at least one requested reviewer labels Jun 5, 2026
@atscott atscott merged commit 1d87c49 into angular:22.0.x Jun 5, 2026
20 checks passed
@atscott (Contributor) commented Jun 5, 2026:

This PR was merged into the repository. The changes were merged into the following branches:


Labels

action: merge (The PR is ready for merge by the caretaker)
area: common (Issues related to APIs in the @angular/common package)
target: patch (This PR is targeted for the next patch release)


3 participants