Merge pull request #534 from splitio/fix-vulnerability

chillaq · web-flow · commit 8097860d24ab · 2025-01-27T09:44:46.000-08:00
Fix vulnerability
diff --git a/LICENSE b/LICENSE
@@ -1,4 +1,4 @@
-Copyright © 2024 Split Software, Inc.
+Copyright © 2025 Split Software, Inc.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
diff --git a/client/src/main/java/io/split/client/JsonLocalhostSplitChangeFetcher.java b/client/src/main/java/io/split/client/JsonLocalhostSplitChangeFetcher.java
@@ -47,13 +47,13 @@ private SplitChange processSplitChange(SplitChange splitChange, long changeNumbe
             return null;
         }
         String splitJson = splitChange.splits.toString();
-        MessageDigest digest = MessageDigest.getInstance("SHA-1");
+        MessageDigest digest = MessageDigest.getInstance("SHA-256");
         digest.reset();
         digest.update(splitJson.getBytes());
         // calculate the json sha
         byte [] currHash = digest.digest();
         //if sha exist and is equal to before sha, or if till is equal to default till returns the same segmentChange with till equals to storage CN
-        if (Arrays.equals(lastHash, currHash) || splitChangeToProcess.till == -1) {
+        if (java.security.MessageDigest.isEqual(lastHash, currHash) || splitChangeToProcess.till == -1) {
             splitChangeToProcess.till = changeNumber;
         }
         lastHash = currHash;

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-Copyright © 2024 Split Software, Inc.`
	`1`	`+Copyright © 2025 Split Software, Inc.`
`2`	`2`
`3`	`3`	`Licensed under the Apache License, Version 2.0 (the "License");`
`4`	`4`	`you may not use this file except in compliance with the License.`