Skip to content

fix(common): use cryptographically secure SHA-256 for transfer cache key generation#69177

Merged
atscott merged 1 commit into
angular:21.2.xfrom
alan-agius4:sec-sha256-transfer-cache-21.2.x
Jun 5, 2026
Merged

fix(common): use cryptographically secure SHA-256 for transfer cache key generation#69177
atscott merged 1 commit into
angular:21.2.xfrom
alan-agius4:sec-sha256-transfer-cache-21.2.x

Conversation

@alan-agius4
Copy link
Copy Markdown
Contributor

@alan-agius4 alan-agius4 commented Jun 5, 2026

Backport of #69153 to 21.2.x branch

@pullapprove pullapprove Bot requested a review from kirjs June 5, 2026 07:09
@angular-robot angular-robot Bot added the area: common Issues related to APIs in the @angular/common package label Jun 5, 2026
@ngbot ngbot Bot added this to the Backlog milestone Jun 5, 2026
@alan-agius4 alan-agius4 requested review from JeanMeche and removed request for kirjs June 5, 2026 08:51
@alan-agius4 alan-agius4 added action: review The PR is still awaiting reviews from at least one requested reviewer target: lts This PR is targeting a version currently in long-term support labels Jun 5, 2026
@alan-agius4 alan-agius4 force-pushed the sec-sha256-transfer-cache-21.2.x branch from 7ea867c to 4eb37e6 Compare June 5, 2026 09:27
@alan-agius4
fix(common): use cryptographically secure SHA-256 for transfer cache …
270e1a4 
…key generation

Replace the custom 64-bit non-cryptographic combined DJB2 hashing implementation in HttpTransferCache with a robust, pure JavaScript, synchronous SHA-256 algorithm.

Using DJB2 is vulnerable to pre-image and second-preimage attacks due to its small 64-bit keyspace and mathematical simplicity. An attacker could craft colliding request inputs to poison the cache, potentially causing a CDN or the application to serve the wrong cached response to legitimate users.

SHA-256 provides strong cryptographic collision resistance, preventing cache key collision attacks. A custom synchronous implementation is required because the Web Crypto API (`crypto.subtle.digest`) is asynchronous, whereas the transfer cache state lookup and interceptor flow must operate synchronously.

Also, update the unit tests to dynamically verify the custom SHA-256 output against the native Web Crypto API.
@alan-agius4 alan-agius4 force-pushed the sec-sha256-transfer-cache-21.2.x branch from 4eb37e6 to 270e1a4 Compare June 5, 2026 09:41
@pullapprove pullapprove Bot requested review from atscott and kirjs June 5, 2026 09:41
@alan-agius4 alan-agius4 added action: merge The PR is ready for merge by the caretaker PullApprove: disable and removed action: review The PR is still awaiting reviews from at least one requested reviewer labels Jun 5, 2026
@alan-agius4
Copy link
Copy Markdown
Contributor Author

alan-agius4 commented Jun 5, 2026

Disabled pullapprove as this is a backport.

@alan-agius4 alan-agius4 removed request for atscott and kirjs June 5, 2026 11:15
@atscott atscott merged commit bc55749 into angular:21.2.x Jun 5, 2026
22 checks passed
@atscott
Copy link
Copy Markdown
Contributor

atscott commented Jun 5, 2026

This PR was merged into the repository. The changes were merged into the following branches:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@JeanMeche JeanMeche JeanMeche approved these changes

Assignees

No one assigned

Labels

action: merge The PR is ready for merge by the caretaker area: common Issues related to APIs in the @angular/common package PullApprove: disable target: lts This PR is targeting a version currently in long-term support

Projects

None yet

Milestone

Backlog

Development

Successfully merging this pull request may close these issues.

3 participants

@alan-agius4 @atscott @JeanMeche