This is an automated email from the ASF dual-hosted git repository.

paulk pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/groovy.git


The following commit(s) were added to refs/heads/master by this push:
     new 22d10dbedc GROOVY-11459: MD5 is already an insecure hash algorithm, 
replacing it with SHA256 i… (#2112)
22d10dbedc is described below

commit 22d10dbedce6a37aa17b0336e83f6b37caa9a278
Author: zhangwei911 <zhangwei911_l...@163.com>
AuthorDate: Thu Sep 12 14:04:31 2024 +0800

    GROOVY-11459: MD5 is already an insecure hash algorithm, replacing it with 
SHA256 i… (#2112)
    
    * MD5 is already an insecure hash algorithm, replacing it with SHA256 is 
more secure
    
    * Modify the use of EncodingGroovyMethods.md5 to configure the 
MD5/SHA-256 algorithm through the environment variable 
GROOVY_CACHED_KEY_ALGORITHMS
    
    * Modify comments
    
    * Add
    
    * Update GroovyClassLoader.java
    
    * Update GroovyClassLoader.java
---
 src/main/java/groovy/lang/GroovyClassLoader.java | 67 ++++++++++++++++++++----
 1 file changed, 57 insertions(+), 10 deletions(-)

diff --git a/src/main/java/groovy/lang/GroovyClassLoader.java 
b/src/main/java/groovy/lang/GroovyClassLoader.java
index 5a081c1775..3bc59e6ed5 100644
--- a/src/main/java/groovy/lang/GroovyClassLoader.java
+++ b/src/main/java/groovy/lang/GroovyClassLoader.java
@@ -66,6 +66,7 @@ import java.util.Collection;
 import java.util.Enumeration;
 import java.util.Optional;
 import java.util.concurrent.atomic.AtomicInteger;
+import java.lang.System;
 
 /*
  * TODO: multi-threaded compiling of the same class but with different roots 
for
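Review bot: The added `import java.lang.System;` is redundant, because `java.lang` is imported implicitly, and it sits after the `java.util.concurrent` import, out of the existing order. Dropping the line leaves the `System.getProperty` call in the last hunk compiling unchanged.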
@@ -86,6 +87,8 @@ public class GroovyClassLoader extends URLClassLoader {
     private static final URL[] EMPTY_URL_ARRAY = new URL[0];
 
     private static final AtomicInteger scriptNameCounter = new 
AtomicInteger(1_000_000); // 1,000,000 avoids conflicts with names from the 
GroovyShell
+    private static final String MD5 = "MD5";
+    private static final String SHA_256 = "SHA-256";
 
     /**
      * This cache contains the loaded classes or PARSING, if the class is 
currently parsed.
@@ -261,11 +264,7 @@ public class GroovyClassLoader extends URLClassLoader {
      * @return the main class defined in the given script
      */
     public Class parseClass(final String text) throws 
CompilationFailedException {
-        try {
-            return parseClass(text, "Script_" + 
EncodingGroovyMethods.md5(text) + ".groovy");
-        } catch (java.security.NoSuchAlgorithmException e) {
-            throw new GroovyRuntimeException(e);
-        }
+        return parseClass(text, "Script_" + genEncodingString(text) + 
".groovy");
     }
 
     public Class parseClass(final Reader reader, final String fileName) throws 
CompilationFailedException {
@@ -325,11 +324,7 @@ public class GroovyClassLoader extends URLClassLoader {
             strToDigest.append("name:").append(codeSource.getName());
         }
 
-        try {
-            return EncodingGroovyMethods.md5(strToDigest);
-        } catch (java.security.NoSuchAlgorithmException e) {
-            throw new GroovyRuntimeException(e);
-        }
+        return genEncodingString(strToDigest.toString());
     }
 
     private Class<?> doParseClass(final GroovyCodeSource codeSource) {
@@ -1188,4 +1183,56 @@ public class GroovyClassLoader extends URLClassLoader {
             }
         }
     }
+
+    /**
+     * Retrieves the configured algorithms from a system property.
+     * If the system property is not set, a default algorithm is returned.
+     *
+     * @return The configured algorithms or a default value if not set.
+     */
+    public String getAlgorithms() {
+        // Attempt to retrieve the algorithms from a system property.
+        // Note: "CACHED_KEY_ALGORITHMS" is a placeholder and should be 
replaced with the actual property name.
+        String algorithms = System.getProperty("GROOVY_CACHED_KEY_ALGORITHMS");
+
+        // If the system property is set (i.e., not null), return its value.
+        if (algorithms != null) {
+            return algorithms;
+        }
+
+        // If the system property is not set, return a default algorithm.
+        // Note: MD5 is used here as a default, but it's generally not 
recommended for security-sensitive applications due to its weaknesses.
+        return "MD5";
+    }
+
+    /**
+     * Generates an encoded string based on the specified text and the 
algorithm configured.
+     * If the configured algorithm is MD5, an MD5 hash of the text is returned.
+     * If the configured algorithm is SHA-256, an SHA-256 hash of the text is 
returned.
+     * If an unrecognized algorithm is configured, defaults to returning an 
MD5 hash of the text.
+     *
+     * @param text The text to encode.
+     * @return The encoded string.
+     */
+    public String genEncodingString(String text) {
+        try {
+            String algorithms = getAlgorithms();
+
+            // Check if the configured algorithm is MD5.
+            if (algorithms.equals(MD5)) {
+                return EncodingGroovyMethods.md5(text);
+            }
+            // Check if the configured algorithm is SHA-256.
+            else if (algorithms.equals(SHA_256)) {
+                return EncodingGroovyMethods.sha256(text);
+            }
+            // If an unrecognized algorithm is configured, default to MD5.
+            else {
+                // Fallback to MD5 hashing.
+                return EncodingGroovyMethods.md5(text);
+            }
+        } catch (java.security.NoSuchAlgorithmException e) {
+            throw new GroovyRuntimeException(e);
+        }
+    }
 }
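Review bot: An unset or unrecognised `GROOVY_CACHED_KEY_ALGORITHMS` value still yields MD5 in `getAlgorithms()`/`genEncodingString()`, so the script-name call in `parseClass(String)` and the digest call in the earlier cache-key hunk behave as before unless the property is exactly `SHA-256`; a lowercase or unhyphenated spelling is silently downgraded. Rejecting unknown values would make a misconfiguration visible, and if compatibility allows, SHA-256 would be the safer default. Both helpers are also added as `public` instance methods on an extensible class, so a subclass can override what `parseClass` uses for naming; `private static` looks sufficient from the call sites shown. The inline comment calling `CACHED_KEY_ALGORITHMS` a placeholder contradicts the code and should go, and `return "MD5"` can use the new `MD5` constant. A possible shape is sketched below.

```java
// … unchanged: Javadoc, minus the stale "placeholder" note …
private static String getAlgorithms() {
    // An unset property keeps the historical MD5 default; the value is matched case-sensitively.
    return System.getProperty("GROOVY_CACHED_KEY_ALGORITHMS", MD5);
}

private static String genEncodingString(final String text) {
    final String algorithm = getAlgorithms();
    try {
        if (SHA_256.equals(algorithm)) {
            return EncodingGroovyMethods.sha256(text);
        }
        if (MD5.equals(algorithm)) {
            return EncodingGroovyMethods.md5(text);
        }
    } catch (java.security.NoSuchAlgorithmException e) {
        throw new GroovyRuntimeException(e);
    }
    // A misspelt value must not silently select the weaker digest.
    throw new GroovyRuntimeException("Unsupported GROOVY_CACHED_KEY_ALGORITHMS value: " + algorithm);
}
```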
