Switch to SHA256-based hashing for ActiveSupport (with feature flag)
What does this MR do and why?
Part of https://gitlab.com/gitlab-org/gitlab/-/issues/220878.
Adds a facade from which we can use feature flags to switch ActiveSupport's hash digest class from Digest::MD5 to OpenSSL::Digest::SHA256.
Places where it's used in Rails, see also https://gitlab.com/gitlab-org/gitlab/-/issues/220878#note_958634137
$ gg ActiveSupport::Digest **/lib
actionpack/lib/action_dispatch/http/cache.rb: %("#{ActiveSupport::Digest.hexdigest(ActiveSupport::Cache.expand_cache_key(validators))}")
actionview/lib/action_view/digestor.rb: ActiveSupport::Digest.hexdigest("#{template.source}-#{dependency_digest(finder, stack)}")
activerecord/lib/active_record/relation.rb: query_signature = ActiveSupport::Digest.hexdigest(to_sql)
activesupport/lib/active_support/cache/file_store.rb: fname = ActiveSupport::Digest.hexdigest(key)
activesupport/lib/active_support/cache/mem_cache_store.rb: key = "#{key[0, 213]}:md5:#{ActiveSupport::Digest.hexdigest(key)}" if key.size > 250
activesupport/lib/active_support/railtie.rb: ActiveSupport::Digest.hash_digest_class = ::Digest::SHA1
activesupport/lib/active_support/railtie.rb: ActiveSupport::Digest.hash_digest_class = klass
Based on the above, it seems ActiveSupport::Digest is used:
- for ETag keys, e.g. snippet raw download
- and for query caching.
We don't directly use ActiveSupport::Digest in the GitLab application code.
Screenshots or screen recordings
These are strongly recommended to assist reviewers and reduce the time to merge your change.
How to set up and validate locally
- On the master branch, go to an issue and upload a design.
- View the design. In Network tools, observe the ETag response header for the raw_image request (e.g. W/"37ed00aba86a92680dcda93537e64914").
- Switch to this branch and run gdk restart.
- Refresh the page. In Network tools, observe the ETag response header for the raw_image request. It should be unchanged.
- Enable the feature flag with Feature.enable :active_support_hash_digest_sha256
- Refresh the page. In Network tools, observe the ETag response header for the raw_image request. It should have changed (e.g. W/"23852fa09695051adf03aed7510ac2fa").
- Disable the feature flag with Feature.disable :active_support_hash_digest_sha256
- Refresh the page. In Network tools, observe the ETag response header for the raw_image request. It should have changed back to the previous value (e.g. W/"37ed00aba86a92680dcda93537e64914").
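The following is an added example, not code from this MR, GitLab or Rails: a self-contained stand-in for the facade described above, so the MD5 to SHA256 switch and the ETag before/on/after check from the validation steps can be reproduced without Rails or a GDK. Assumptions: the Feature module is a minimal in-memory stub of GitLab's feature-flag API; HashDigestFacade is a hypothetical name that mirrors the shape of Rails' ActiveSupport::Digest (hash_digest_class plus a hexdigest truncated to 32 hex chars, which is why the SHA256 ETag quoted above has the same width as the MD5 one); the raw_image cache key is constructed; and Digest::SHA256 is used as a fallback only where the openssl library is unavailable, while the MR itself switches to OpenSSL::Digest::SHA256.

```ruby
# Added example (not GitLab's or Rails' code): a stand-in for the feature-flagged
# digest facade, runnable offline. Assumptions are marked below.
require 'digest'

# The MR switches to OpenSSL::Digest::SHA256 (OpenSSL-backed implementation);
# Digest::SHA256 is a fallback so the example still runs where openssl is absent.
begin
  require 'openssl'
  SHA256_IMPL = OpenSSL::Digest::SHA256
rescue LoadError
  SHA256_IMPL = Digest::SHA256
end

# Assumption: minimal in-memory stand-in for GitLab's Feature module, supporting
# only the enable/disable/enabled? calls used in the validation steps.
module Feature
  @flags = {}

  def self.enable(name)
    @flags[name] = true
  end

  def self.disable(name)
    @flags[name] = false
  end

  def self.enabled?(name)
    @flags.fetch(name, false)
  end
end

# Assumption: hypothetical facade mirroring the shape of Rails' ActiveSupport::Digest.
# The digest class is resolved through the feature flag on every call, so toggling
# the flag takes effect without a restart. Like Rails, hexdigest keeps only the
# first 32 hex chars, so SHA256 output keeps the width MD5 output had.
module HashDigestFacade
  FLAG = :active_support_hash_digest_sha256

  def self.hash_digest_class
    Feature.enabled?(FLAG) ? SHA256_IMPL : Digest::MD5
  end

  def self.hexdigest(arg)
    hash_digest_class.hexdigest(arg)[0...32]
  end
end

# Weak ETag in the form ActionDispatch emits: W/"<hexdigest of the cache key>".
def weak_etag(cache_key)
  %(W/"#{HashDigestFacade.hexdigest(cache_key)}")
end

# Replays the validation steps for one key: flag off, flag on, flag off again.
# Returns all three ETags so the before/after equality can be checked.
def etag_transitions(cache_key)
  Feature.disable(HashDigestFacade::FLAG)
  before = weak_etag(cache_key)
  Feature.enable(HashDigestFacade::FLAG)
  during = weak_etag(cache_key)
  Feature.disable(HashDigestFacade::FLAG)
  after = weak_etag(cache_key)
  { before: before, during: during, after: after }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample key standing in for the expanded cache key of a raw_image request.
  etag_transitions("designs/raw_image/1-v1").each { |stage, etag| puts "#{stage}: #{etag}" }
end
```

Running it prints a different ETag only while the flag is enabled and the original value once it is disabled again, matching the three observations in the validation steps; the 32-character truncation is the detail to confirm against the real ActiveSupport::Digest before relying on ETag width staying constant.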
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.