Skip to content

MLE-24397 - fix issue on Linux FIPS reported by consultant/customer a… #963

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 19, 2025
Merged

MLE-24397 - fix issue on Linux FIPS reported by consultant/customer a… #963

merged 1 commit into from
Sep 19, 2025

Conversation

@stevebio
Copy link
Collaborator

@stevebio stevebio commented Sep 19, 2025

…round exception caused by default load of FIPS-forbidden MD5 digest algorithm. Incorporate the source from the abandoned www-authenticate project and fix in place.

Copilot AI review requested due to automatic review settings September 19, 2025 20:14
Copilot AI reviewed Sep 19, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR fixes a FIPS compliance issue where MD5 digest algorithms were being loaded by default, causing exceptions in FIPS-enabled Linux environments. The solution incorporates code from the abandoned www-authenticate project directly into the codebase and ensures MD5 is only loaded when actually needed.

  • Removes external dependency on www-authenticate package
  • Incorporates www-authenticate source code into the project with lazy MD5 loading
  • Adds comprehensive FIPS testing to verify MD5 is not loaded during module initialization

Reviewed Changes

Copilot reviewed 7 out of 8 changed files in this pull request and generated 5 comments.

Show a summary per file
File Description
package.json Removes www-authenticate dependency
lib/requester.js Updates import to use local www-authenticate implementation
lib/www-authenticate/www-authenticate.js Main authentication module with digest auth support
lib/www-authenticate/user-credentials.js User credential handling with MD5 digest support
lib/www-authenticate/parsers.js WWW-Authenticate header parsing logic
lib/www-authenticate/md5.js MD5 hash function wrapper
test-basic/digestauth-fips-nomd5load.js FIPS compliance test ensuring MD5 isn't loaded by default

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

@stevebio
MLE-24397 - fix reported issue on Linux FIPS around exception caused …
8c9e5ff 
…by default load of FIPS-forbidden MD5 digest algorithm. Incorporate the source from the abandoned www-authenticate project and fix in place.
@stevebio stevebio requested a review from Copilot September 19, 2025 20:46
Copilot AI reviewed Sep 19, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

Copilot reviewed 7 out of 8 changed files in this pull request and generated 2 comments.

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

@stevebio stevebio merged commit 739c156 into marklogic:develop Sep 19, 2025
1 of 2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@anu3990 anu3990 anu3990 approved these changes

@BillFarber BillFarber Awaiting requested review from BillFarber BillFarber is a code owner

@rjrudin rjrudin Awaiting requested review from rjrudin rjrudin is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@stevebio @anu3990