	Unify hashing for avatar (#22289)
- Unify the hashing code for repository and user avatars into a function.
- Use a sane hash function instead of MD5.
- Only require hashing once instead of twice (w.r.t. hashing for the user avatar).
- Improve the comment for the hashing code, explaining why it works.

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: Yarden Shoham <hrsi88@gmail.com>
										28
									
								
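--- a/modules/avatar/hash.go
+++ b/modules/avatar/hash.go
@@ -0,0 +1,28 @@
+// Copyright 2023 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package avatar
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+	"strconv"
+)
+
+// HashAvatar will generate a unique string, which ensures that when there's a
+// different unique ID while the data is the same, it will generate a different
+// output. It will generate the output according to:
+// HEX(HASH(uniqueID || - || data))
+// The hash being used is SHA256.
+// The sole purpose of the unique ID is to generate a distinct hash Such that
+// two unique IDs with the same data will have a different hash output.
+// The "-" byte is important to ensure that data cannot be modified such that
+// the first byte is a number, which could lead to a "collision" with the hash
+// of another unique ID.
+func HashAvatar(uniqueID int64, data []byte) string {
+	h := sha256.New()
+	h.Write([]byte(strconv.FormatInt(uniqueID, 10)))
+	h.Write([]byte{'-'})
+	h.Write(data)
+	return hex.EncodeToString(h.Sum(nil))
+}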
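Review bot: HashAvatar's doc comment calls the first argument a unique ID, but the two callers on this page pass IDs from different tables, `repo.ID` in the repository `UploadAvatar` and `u.ID` in the user `UploadAvatar`, so a user and a repository that share a numeric ID and upload the same image now get the same avatar name. Before this change the two formats differed (`%d-%x` for repositories, a second MD5 over that string for users). If both kinds of avatar can ever land in one storage location, which this page does not show, deleting one would remove the other, which is the hazard the comment removed from the user `UploadAvatar` described. I would state the assumption in the doc comment, e.g. `// uniqueID only needs to be unique per object kind; user and repository avatars must be kept in separate stores.`, or mix a kind label into the hash input.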
| @ -5,7 +5,6 @@ package repository | |||||||
|  |  | ||||||
| import ( | import ( | ||||||
| 	"context" | 	"context" | ||||||
| 	"crypto/md5" |  | ||||||
| 	"fmt" | 	"fmt" | ||||||
| 	"image/png" | 	"image/png" | ||||||
| 	"io" | 	"io" | ||||||
| @ -27,7 +26,7 @@ func UploadAvatar(repo *repo_model.Repository, data []byte) error { | |||||||
| 		return err | 		return err | ||||||
| 	} | 	} | ||||||
|  |  | ||||||
| 	newAvatar := fmt.Sprintf("%d-%x", repo.ID, md5.Sum(data)) | 	newAvatar := avatar.HashAvatar(repo.ID, data) | ||||||
| 	if repo.Avatar == newAvatar { // upload the same picture | 	if repo.Avatar == newAvatar { // upload the same picture | ||||||
| 		return nil | 		return nil | ||||||
| 	} | 	} | ||||||
|  | |||||||
| @ -5,14 +5,13 @@ package repository | |||||||
|  |  | ||||||
| import ( | import ( | ||||||
| 	"bytes" | 	"bytes" | ||||||
| 	"crypto/md5" |  | ||||||
| 	"fmt" |  | ||||||
| 	"image" | 	"image" | ||||||
| 	"image/png" | 	"image/png" | ||||||
| 	"testing" | 	"testing" | ||||||
|  |  | ||||||
| 	repo_model "code.gitea.io/gitea/models/repo" | 	repo_model "code.gitea.io/gitea/models/repo" | ||||||
| 	"code.gitea.io/gitea/models/unittest" | 	"code.gitea.io/gitea/models/unittest" | ||||||
|  | 	"code.gitea.io/gitea/modules/avatar" | ||||||
|  |  | ||||||
| 	"github.com/stretchr/testify/assert" | 	"github.com/stretchr/testify/assert" | ||||||
| ) | ) | ||||||
| @ -28,7 +27,7 @@ func TestUploadAvatar(t *testing.T) { | |||||||
|  |  | ||||||
| 	err := UploadAvatar(repo, buff.Bytes()) | 	err := UploadAvatar(repo, buff.Bytes()) | ||||||
| 	assert.NoError(t, err) | 	assert.NoError(t, err) | ||||||
| 	assert.Equal(t, fmt.Sprintf("%d-%x", 10, md5.Sum(buff.Bytes())), repo.Avatar) | 	assert.Equal(t, avatar.HashAvatar(10, buff.Bytes()), repo.Avatar) | ||||||
| } | } | ||||||
|  |  | ||||||
| func TestUploadBigAvatar(t *testing.T) { | func TestUploadBigAvatar(t *testing.T) { | ||||||
|  | |||||||
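Review bot: The assertion in `TestUploadAvatar` computes its expected value with `avatar.HashAvatar`, the same function `UploadAvatar` calls, so it cannot detect a change to the hash construction itself, and no test for `HashAvatar` is visible on this page. Stored avatar names depend on that construction staying stable, so I would add a small test in the avatar package that pins the properties the doc comment promises, e.g. `assert.NotEqual(t, HashAvatar(1, data), HashAvatar(2, data))` and `assert.Len(t, HashAvatar(1, data), 64)`. A fixed known-answer vector would be stronger still.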
| @ -5,7 +5,6 @@ package user | |||||||
|  |  | ||||||
| import ( | import ( | ||||||
| 	"context" | 	"context" | ||||||
| 	"crypto/md5" |  | ||||||
| 	"fmt" | 	"fmt" | ||||||
| 	"image/png" | 	"image/png" | ||||||
| 	"io" | 	"io" | ||||||
| @ -241,11 +240,7 @@ func UploadAvatar(u *user_model.User, data []byte) error { | |||||||
| 	defer committer.Close() | 	defer committer.Close() | ||||||
|  |  | ||||||
| 	u.UseCustomAvatar = true | 	u.UseCustomAvatar = true | ||||||
| 	// Different users can upload same image as avatar | 	u.Avatar = avatar.HashAvatar(u.ID, data) | ||||||
| 	// If we prefix it with u.ID, it will be separated |  | ||||||
| 	// Otherwise, if any of the users delete his avatar |  | ||||||
| 	// Other users will lose their avatars too. |  | ||||||
| 	u.Avatar = fmt.Sprintf("%x", md5.Sum([]byte(fmt.Sprintf("%d-%x", u.ID, md5.Sum(data))))) |  | ||||||
| 	if err = user_model.UpdateUserCols(ctx, u, "use_custom_avatar", "avatar"); err != nil { | 	if err = user_model.UpdateUserCols(ctx, u, "use_custom_avatar", "avatar"); err != nil { | ||||||
| 		return fmt.Errorf("updateUser: %w", err) | 		return fmt.Errorf("updateUser: %w", err) | ||||||
| 	} | 	} | ||||||
|  | |||||||
	 Gusted
					Gusted