From fb55ac879ba83087428e457cf4d99478bbb4d6b3 Mon Sep 17 00:00:00 2001
From: gammazero <11790789+gammazero@users.noreply.github.com>
Date: Mon, 25 Aug 2025 19:53:58 -1000
Subject: [PATCH 1/2] remove sha1 from list of hashes allowed in IPFS
This will close kubo issue https://github.com/ipfs/kubo/issues/8703 when the kubo PR with this update is merged.
---
 verifcid/allowlist.go | 3 +--
 verifcid/allowlist_test.go | 2 +-
 2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/verifcid/allowlist.go b/verifcid/allowlist.go
index b572de3a6..926ccf3c1 100644
--- a/verifcid/allowlist.go
+++ b/verifcid/allowlist.go
@@ -52,9 +52,8 @@ func (defaultAllowlist) IsAllowed(code uint64) bool {
 mh.IDENTITY, mh.SHA3_224, mh.SHA3_256, mh.SHA3_384, mh.SHA3_512,
- mh.KECCAK_224, mh.KECCAK_256, mh.KECCAK_384, mh.KECCAK_512,
+ mh.KECCAK_224, mh.KECCAK_256, mh.KECCAK_384, mh.KECCAK_512:
- mh.SHA1: // not really secure but still useful for git
 return true
 default:
 if code >= mh.BLAKE2B_MIN+19 && code <= mh.BLAKE2B_MAX {
diff --git a/verifcid/allowlist_test.go b/verifcid/allowlist_test.go
index b6057502f..71060bc35 100644
--- a/verifcid/allowlist_test.go
+++ b/verifcid/allowlist_test.go
@@ -34,7 +34,7 @@ func TestDefaultAllowList(t *testing.T) {
 assertTrue(allowlist.IsAllowed(mh.DBL_SHA2_256))
 assertTrue(allowlist.IsAllowed(mh.KECCAK_256))
 assertTrue(allowlist.IsAllowed(mh.SHA3))
- assertTrue(allowlist.IsAllowed(mh.SHA1))
+ assertFalse(allowlist.IsAllowed(mh.SHA1))
 assertFalse(allowlist.IsAllowed(mh.BLAKE2B_MIN + 5))
 cases := []struct {
From 30175430168b4c188884e41f6b42f806d7d5a77a Mon Sep 17 00:00:00 2001
From: gammazero <11790789+gammazero@users.noreply.github.com>
Date: Mon, 25 Aug 2025 19:57:52 -1000
Subject: [PATCH 2/2] update changelog
---
 CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5f83b5e59..61bc3cf3e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
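Review bot: In `IsAllowed` in verifcid/allowlist.go, nothing on the new side records why `mh.SHA1` is absent, and the removed line carried the only explanation of why it had ever been allowed (git interop). Because this case list is the policy, I would leave a comment where the entry was, for example `// mh.SHA1 is intentionally not allowed: it is no longer collision resistant, so it must not be trusted for content addressing.`, so that it is not re-added later for compatibility. Anyone relying on the default allowlist with SHA-1 CIDs (git objects, per the removed comment) will presumably see them rejected after this change; the changelog entry could say so and point to whatever override mechanism the package offers. The function starts and ends outside the hunk.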
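Review bot: In `TestDefaultAllowList` in verifcid/allowlist_test.go, the flipped assertion pins only `IsAllowed(mh.SHA1)`; it does not show that a CID carrying a SHA-1 multihash is refused by the validation path callers actually use. The table that begins at `cases := []struct {` continues outside the hunk, so it may already cover this. If it does not, a row with a SHA-1 CID that expects the package's rejection error would keep the policy from regressing at that level.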
@@ -20,6 +20,8 @@ The following emojis are used to highlight certain changes:
 ### Removed
+- remove sha1 from list of hashes allowed in IPFS [#1013](https://github.com/ipfs/boxo/pull/1013)
+
 ### Fixed
 ### Security