#Fingerprinting issue
Here is the commit that generates the crash...
Is there a quick way to renew/invalidate all file hashes on Ember? Something like: https://stackoverflow.com/questions/13873176/what-does-config-assets-version-do-in-rails ?
Most, if not everybody, is at the Ember conference... so you might not get a response for a lil while. But why did your app crash because it was expecting a certain hash for a js file?
When you compile with Ember, in the index.html there is an integrity attribute on the script tags: https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
<script src="https://d1qo205ebapjj2.cloudfront.net/ember/assets/app-1242ed895260d3fc1f8cbc1eb8a596d1.js" integrity="sha256-q7Z74OTYNPJE1+m/hAuRuIgB+GTT8WFO4UIrSYkXzt8= sha512-n7rALze2ncRcU8ZqJmVL+ESs5yDXHLCyhRUi+7Nx1naPwCtxkhhzhCV0ywKq5mvLT6w26A173Mndcd/NXQqyqQ==" crossorigin="anonymous" ></script>
When I upgraded terser I ended up with the same app-1242... file but with another integrity check. This broke as I am caching the file on my CDN (and in my clients' browsers).
@indigo nimbus Thanks for the heads-up about Ember conf
Hmm, what app is crashing? Your server? I know if you change anything in the file it should generate a new file hash, and that will update the integrity hash as well.
@sudden helm would you know why this is happening?
Hm does it happen if you downgrade terser?
@sudden helm I am able to reproduce the issue (when I do a build with or without terser the signature changes). I had to revert, and I am looking to change the signature of all assets by changing the
fingerprint: {
  customHash: md5Hash,
}
with the following function:
const crypto = require('crypto');
// Bump this value to change every asset fingerprint at once
const ASSET_VERSION = '0';

function md5Hash(buf) {
  const md5 = crypto.createHash('md5');
  // Hash the raw bytes, then the version, instead of `buf + ASSET_VERSION`,
  // which would coerce the Buffer to a string before hashing it
  md5.update(buf);
  md5.update(ASSET_VERSION);
  return `${ASSET_VERSION}${md5.digest('hex')}`;
}
@sudden helm As my CDN was starting to have both versions, I had to revert a few versions back, because a simple revert still left some files with the right signature and some files with the bad signature...
Does ember-cli-sri support custom hashes as well?
For your use case do you need the integrity checks?
A valid option is to remove ember-cli-sri
I think ember-cli-sri is managing the custom hash without any issues.
I would say it is always better to have the integrity check. So we would rather keep it
My question is more how I can change all signatures with a single change. Rails has this and I think it is useful for those cases where, for a weird reason, you have a filename collision and end up in a bad situation with the cache...
Because it is super difficult to debug...
For clarity, because I get confused easily: the suffix hash is generated by fingerprinting, which is separate from SRI.
You'd have to debug the SRI library to see where your mismatch is
And maybe hash your files yourself to see if they match what sri or your custom hash is expecting
Why do you have a custom hash? I don't think I asked that yet 😅
So I checked out the repo twice, before and after the commit. In each directory I did ember build --environment=production and checked inside the dist folder. I have vendor.HASH.js and when I compute the signature (manually via the command line) I get a signature that matches index.html
The issue I have is that between the two builds I get the same vendor.hash.js whereas the signature is not the same.
This means when I deployed my security update, my users had the previous file in their cache (and in my CDN), and so the loading of the resource crashed.
I tried adding a check on our CI against our production, something like this:
But downgrading terser did not reproduce the error.
#!/bin/bash
set -e
# Any background check that finds a mismatch signals the parent, which aborts the run
trap 'echo "An error occurred."; exit 1' USR2

check(){
  i="$1"
  url="https://productionwebsite/ember/assets/$i"
  # HEAD request: only compare files the CDN is already serving
  status=$(curl -s -o /dev/null -I -w "%{http_code}" "$url")
  echo "$status $url"
  if [[ "$status" = "200" ]]; then
    # Local build artifact vs. what is actually served, both as base64 SHA-256 (SRI format)
    a=$(openssl dgst -sha256 -binary < "$i" | openssl base64 -A)
    b=$(curl -s "$url" | openssl dgst -sha256 -binary | openssl base64 -A)
    if [[ "$a" != "$b" ]]; then
      echo "ERR $status $url $i $a $b"
      kill -USR2 $$
    fi
  fi
}

cd ./dist/assets
for i in *.js; do
  check "$i" &
done
wait
exit 0
But we did other updates in the meantime.... When I go back to the commits I see the difference inside the files (basically some changes from terser; the files are not minified the same way)
I can check to see if I get the same signature on my builds
So I just did a build on my server and I got different chunks and hashes even though I didn't change anything. So you shouldn't be getting the same signature, nor the same chunk.hash.js file name
except the first one which I think is the ember library
@normal niche if you're using ember-auto-import, check this: https://github.com/embroider-build/ember-auto-import/issues/519