Add SHA-1 to subresource integrity format for download() checksums

npm packages commonly still use SHA-1. While it may be discouraged for its poor security, Bazel cannot enforce what external ecosystems currently do. I tested this locally against a feature we are working on in rules_nodejs. Closes bazelbuild#12777. PiperOrigin-RevId: 353633120
katre · Jan 25, 2021 · c9e2be5 · c9e2be5
1 parent 60d6f78
commit c9e2be5
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/src/main/java/com/google/devtools/build/lib/bazel/repository/downloader/Checksum.java b/src/main/java/com/google/devtools/build/lib/bazel/repository/downloader/Checksum.java
@@ -43,6 +43,11 @@ public static Checksum fromSubresourceIntegrity(String integrity) {
     byte[] hash = null;
     int expectedLength = 0;
 
+    if (integrity.startsWith("sha1-")) {
+      keyType = KeyType.SHA1;
+      expectedLength = 20;
+      hash = decoder.decode(integrity.substring(5));
+    }
     if (integrity.startsWith("sha256-")) {
       keyType = KeyType.SHA256;
       expectedLength = 32;
@@ -63,7 +68,7 @@ public static Checksum fromSubresourceIntegrity(String integrity) {
       throw new IllegalArgumentException(
           "Unsupported checksum algorithm: '"
               + integrity
-              + "' (expected SHA-256, SHA-384, or SHA-512)");
+              + "' (expected SHA-1, SHA-256, SHA-384, or SHA-512)");
     }
 
     if (hash.length != expectedLength) {