diff --git a/web/api/v1/api.go b/web/api/v1/api.go index d906e105d8..fe8ab38310 100644 --- a/web/api/v1/api.go +++ b/web/api/v1/api.go @@ -15,7 +15,7 @@ package v1 import ( "context" - "crypto/sha1" + "crypto/sha256" "encoding/hex" "encoding/json" "errors" @@ -1794,7 +1794,7 @@ func parseListRulesPaginationRequest(r *http.Request) (int64, string, *apiFuncRe } func getRuleGroupNextToken(file, group string) string { - h := sha1.New() + h := sha256.New() h.Write([]byte(file + ";" + group)) return hex.EncodeToString(h.Sum(nil)) } diff --git a/web/api/v1/api_test.go b/web/api/v1/api_test.go index 03b454eb26..b8a473396f 100644 --- a/web/api/v1/api_test.go +++ b/web/api/v1/api_test.go @@ -15,6 +15,8 @@ package v1 import ( "context" + "crypto/sha256" + "encoding/hex" "encoding/json" "errors" "fmt" @@ -5015,3 +5017,15 @@ func TestDeleteSeriesEndpointRemoved(t *testing.T) { require.NotEqual(t, http.StatusInternalServerError, recorder.Code, "DELETE /api/v1/series should no longer return 500; the endpoint has been removed") } + +func TestGetRuleGroupNextToken(t *testing.T) { + // The token is a SHA-256 hex digest, so it must be deterministic and 64 + // characters long. + token := getRuleGroupNextToken("/path/to/file", "group") + require.Len(t, token, hex.EncodedLen(sha256.Size)) + require.Equal(t, token, getRuleGroupNextToken("/path/to/file", "group")) + + // Distinct file and group inputs must produce distinct tokens. + require.NotEqual(t, token, getRuleGroupNextToken("/path/to/file", "other")) + require.NotEqual(t, token, getRuleGroupNextToken("/other/file", "group")) +}