From 8c41ca783e6fba3d601f2cb4262fe6fa2ff0da3b Mon Sep 17 00:00:00 2001 From: Yash Anil Date: Sun, 14 Jun 2026 16:35:47 -0700 Subject: [PATCH] api: use SHA-256 for rule group pagination tokens Replace the deprecated SHA-1 hash used to generate rule group pagination tokens in getRuleGroupNextToken with SHA-256. The token is opaque and compared server-side only, so this does not change the API contract. Add a unit test covering the token format and determinism. Fixes #18841 Signed-off-by: Yash Anil --- web/api/v1/api.go | 4 ++-- web/api/v1/api_test.go | 14 ++++++++++++++ 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/web/api/v1/api.go b/web/api/v1/api.go index d906e105d8..fe8ab38310 100644 --- a/web/api/v1/api.go +++ b/web/api/v1/api.go @@ -15,7 +15,7 @@ package v1 import ( "context" - "crypto/sha1" + "crypto/sha256" "encoding/hex" "encoding/json" "errors" @@ -1794,7 +1794,7 @@ func parseListRulesPaginationRequest(r *http.Request) (int64, string, *apiFuncRe } func getRuleGroupNextToken(file, group string) string { - h := sha1.New() + h := sha256.New() h.Write([]byte(file + ";" + group)) return hex.EncodeToString(h.Sum(nil)) } diff --git a/web/api/v1/api_test.go b/web/api/v1/api_test.go index 03b454eb26..b8a473396f 100644 --- a/web/api/v1/api_test.go +++ b/web/api/v1/api_test.go @@ -15,6 +15,8 @@ package v1 import ( "context" + "crypto/sha256" + "encoding/hex" "encoding/json" "errors" "fmt" @@ -5015,3 +5017,15 @@ func TestDeleteSeriesEndpointRemoved(t *testing.T) { require.NotEqual(t, http.StatusInternalServerError, recorder.Code, "DELETE /api/v1/series should no longer return 500; the endpoint has been removed") } + +func TestGetRuleGroupNextToken(t *testing.T) { + // The token is a SHA-256 hex digest, so it must be deterministic and 64 + // characters long. + token := getRuleGroupNextToken("/path/to/file", "group") + require.Len(t, token, hex.EncodedLen(sha256.Size)) + require.Equal(t, token, getRuleGroupNextToken("/path/to/file", "group")) + + // Distinct file and group inputs must produce distinct tokens. + require.NotEqual(t, token, getRuleGroupNextToken("/path/to/file", "other")) + require.NotEqual(t, token, getRuleGroupNextToken("/other/file", "group")) +}