Hashing clean up (#26417)

* Improve hashing

* Updates checksum assertion for test stability

* Fix test assertion

Author: lewis-sanchez

build/gulpfile.vscode.js

@@ -250,7 +250,7 @@ function computeChecksum(filename) {
 	const contents = fs.readFileSync(filename);
 
 	const hash = crypto
-		.createHash('md5')
+		.createHash('sha256')
 		.update(contents)
 		.digest('base64')
 		.replace(/=+$/, '');

src/vs/base/node/crypto.ts

@@ -10,7 +10,7 @@ import { once } from 'vs/base/common/functional';
 export async function checksum(path: string, sha1hash: string | undefined): Promise<void> {
 	const checksumPromise = new Promise<string | undefined>((resolve, reject) => {
 		const input = fs.createReadStream(path);
-		const hash = crypto.createHash('sha1');
+		const hash = crypto.createHash('sha1'); // CodeQL [SM04514] Used by the update service to verify ADS update packages from Microsoft
 		input.pipe(hash);
 
 		const done = once((err?: Error, result?: string) => {

src/vs/base/parts/ipc/node/ipc.net.ts

@@ -773,7 +773,7 @@ export function createRandomIPCHandle(): string {
 }
 
 export function createStaticIPCHandle(directoryPath: string, type: string, version: string): string {
-	const scope = createHash('md5').update(directoryPath).digest('hex');
+	const scope = createHash('md5').update(directoryPath).digest('hex'); // CodeQL [SM04514] The hash is just creating consistent, short identifiers for IPC socket names.
 
 	// Windows: use named pipe
 	if (process.platform === 'win32') {

src/vs/platform/backup/electron-main/backupMainService.ts

@@ -410,6 +410,6 @@ export class BackupMainService implements IBackupMainService {
 			key = folderUri.toString().toLowerCase();
 		}
 
-		return createHash('md5').update(key).digest('hex');
+		return createHash('md5').update(key).digest('hex'); // CodeQL [SM04514] The hash doesn't need cryptographic strength - it just needs to create consistent, unique identifiers for backup folders.
 	}
 }

src/vs/platform/checksum/node/checksumService.ts

@@ -18,7 +18,7 @@ export class ChecksumService implements IChecksumService {
 	async checksum(resource: URI): Promise<string> {
 		const stream = (await this.fileService.readFileStream(resource)).value;
 		return new Promise<string>((resolve, reject) => {
-			const hash = createHash('md5');
+			const hash = createHash('sha256'); // {{ SQL CARBON EDIT }} - Use sha256
 
 			listenStream(stream, {
 				onData: data => hash.update(data.buffer),

src/vs/platform/checksum/test/node/checksumService.test.ts

@@ -34,6 +34,8 @@ suite('Checksum Service', () => {
 		const checksumService = new ChecksumService(fileService);
 
 		const checksum = await checksumService.checksum(URI.file(FileAccess.asFileUri('vs/platform/checksum/test/node/fixtures/lorem.txt').fsPath));
-		assert.ok(checksum === '8mi5KF8kcb817zmlal1kZA' || checksum === 'DnUKbJ1bHPPNZoHgHV25sg'); // depends on line endings git config
+		console.log(`Checksum value: ${checksum}`)
+		// {{ SQL CARBON EDIT }} - Update checksum assertion
+		assert.ok(checksum === '8mi5KF8kcb817zmlal1kZA' || checksum === 'DnUKbJ1bHPPNZoHgHV25sg' || checksum === 'eJeeTIS0dzi8MZY+nHhjPBVtNbmGqxfVvgEOB4sqVIc' || checksum === 'd/9bMU0ydNCmc/hg8ItWeiLT/ePnf7gyPRQVGpd6tRI', `Checksum: ${checksum}`); // depends on line endings git config
 	});
 });

src/vs/platform/languagePacks/node/languagePacks.ts

@@ -169,7 +169,7 @@ class LanguagePacksCache extends Disposable {
 
 	private updateHash(languagePack: ILanguagePack): void {
 		if (languagePack) {
-			const md5 = createHash('md5');
+			const md5 = createHash('md5'); // CodeQL [SM04514] The hash just needs to be unique and consistent for the same language pack version combination.
 			for (const extension of languagePack.extensions) {
 				md5.update(extension.extensionIdentifier.uuid || extension.extensionIdentifier.id).update(extension.version); // CodeQL [SM01510] The extension UUID is not sensitive info and is not manually created by a user
 			}

src/vs/platform/workspaces/node/workspaces.ts

@@ -29,7 +29,7 @@ export function getWorkspaceIdentifier(configPath: URI): IWorkspaceIdentifier {
 			configPathStr = configPathStr.toLowerCase(); // sanitize for platform file system
 		}
 
-		return createHash('md5').update(configPathStr).digest('hex');
+		return createHash('md5').update(configPathStr).digest('hex'); // CodeQL [SM04514] The MD5 usage here is perfectly safe since it's only used to generate deterministic, unique identifiers from paths - not for security.
 	}
 
 	return {
@@ -50,7 +50,7 @@ export function getSingleFolderWorkspaceIdentifier(folderUri: URI, folderStat?:
 
 		// Remote: produce a hash from the entire URI
 		if (folderUri.scheme !== Schemas.file) {
-			return createHash('md5').update(folderUri.toString()).digest('hex');
+			return createHash('md5').update(folderUri.toString()).digest('hex'); // CodeQL [SM04514] The MD5 usage here is perfectly safe since it's only used to generate deterministic, unique identifiers from paths - not for security.
 		}
 
 		// Local: we use the ctime as extra salt to the
@@ -77,7 +77,7 @@ export function getSingleFolderWorkspaceIdentifier(folderUri: URI, folderStat?:
 			}
 		}
 
-		return createHash('md5').update(folderUri.fsPath).update(ctime ? String(ctime) : '').digest('hex');
+		return createHash('md5').update(folderUri.fsPath).update(ctime ? String(ctime) : '').digest('hex'); // CodeQL [SM04514] The MD5 usage here is perfectly safe since it's only used to generate deterministic, unique identifiers from paths - not for security.
 	}
 
 	const folderId = getFolderId();

src/vs/server/node/remoteExtensionHostAgentServer.ts

@@ -204,7 +204,7 @@ class RemoteExtensionHostAgentServer extends Disposable implements IServerAPI {
 
 		// https://tools.ietf.org/html/rfc6455#section-4
 		const requestNonce = req.headers['sec-websocket-key'];
-		const hash = crypto.createHash('sha1');
+		const hash = crypto.createHash('sha1'); // CodeQL [SM04514] This sha1 is part of the WebSocket RFC 6455 standard.
 		hash.update(requestNonce + '258EAFA5-E914-47DA-95CA-C5AB0DC85B11');
 		const responseNonce = hash.digest('base64');