Replace Hmac by Hash avoiding hardcoded secret

Description

snyk.io correctly flags the empty string in crypto.createHmac('sha256', '') in coverage.js as a security issue because the secret of a Hmac must not be a public constant:

https://cwe.mitre.org/data/definitions/547.html

Replacing the Hmac algorithm by a hash algorithm is the way to fix it because only a hash is needed here.

Environment

None

Potential Workaround

None

Linked issues

is blocked by

UITEST-94

Code review and merge UITEST-91 "Replace Hmac by Hash"

Checklist

hide

TestRail: Results

Activity

Show:

Julian Ladisch March 10, 2022 at 4:48 PM

https://github.com/folio-org/stripes-testing/pull/254 "remove nightmarejs cruft"

Done

Details

Assignee

Unassigned

Reporter

Julian Ladisch

Labels

securitysecurity-reviewed

Priority

Development Team

Core: Platform

TestRail: Cases

Open TestRail: Cases

TestRail: Runs

Open TestRail: Runs

Created February 10, 2022 at 8:44 PM

Updated March 10, 2022 at 4:48 PM

Resolved March 10, 2022 at 4:48 PM

Configure

TestRail: Cases

TestRail: Runs