api: use SHA-256 for rule group pagination tokens

Replace the deprecated SHA-1 hash used to generate rule group pagination
tokens in getRuleGroupNextToken with SHA-256. The token is opaque and
compared server-side only, so this does not change the API contract. Add
a unit test covering the token format and determinism.

Fixes #18841

Signed-off-by: Yash Anil <yashanil98@gmail.com>
This commit is contained in:
Yash Anil 2026-06-14 16:35:47 -07:00
parent 2ad3a87170
commit 8c41ca783e
2 changed files with 16 additions and 2 deletions

View file

@ -15,7 +15,7 @@ package v1
import (
"context"
"crypto/sha1"
"crypto/sha256"
"encoding/hex"
"encoding/json"
"errors"
@ -1794,7 +1794,7 @@ func parseListRulesPaginationRequest(r *http.Request) (int64, string, *apiFuncRe
}
func getRuleGroupNextToken(file, group string) string {
h := sha1.New()
h := sha256.New()
h.Write([]byte(file + ";" + group))
return hex.EncodeToString(h.Sum(nil))
}

View file

@ -15,6 +15,8 @@ package v1
import (
"context"
"crypto/sha256"
"encoding/hex"
"encoding/json"
"errors"
"fmt"
@ -5015,3 +5017,15 @@ func TestDeleteSeriesEndpointRemoved(t *testing.T) {
require.NotEqual(t, http.StatusInternalServerError, recorder.Code,
"DELETE /api/v1/series should no longer return 500; the endpoint has been removed")
}
func TestGetRuleGroupNextToken(t *testing.T) {
// The token is a SHA-256 hex digest, so it must be deterministic and 64
// characters long.
token := getRuleGroupNextToken("/path/to/file", "group")
require.Len(t, token, hex.EncodedLen(sha256.Size))
require.Equal(t, token, getRuleGroupNextToken("/path/to/file", "group"))
// Distinct file and group inputs must produce distinct tokens.
require.NotEqual(t, token, getRuleGroupNextToken("/path/to/file", "other"))
require.NotEqual(t, token, getRuleGroupNextToken("/other/file", "group"))
}