fix: replace weak hash functions with SHA-256

Wesley Chiu · Wesley Chiu · commit 0e04025f2157 · 2025-06-18T17:38:47.000+08:00
diff --git a/gyp/pylib/gyp/MSVSNew.py b/gyp/pylib/gyp/MSVSNew.py
@@ -34,7 +34,7 @@ def MakeGuid(name, seed="msvs_new"):
 
   Args:
     name: Target name.
-    seed: Seed for MD5 hash.
+    seed: Seed for SHA-256 hash.
   Returns:
     A GUID-line string calculated from the name and seed.
 
@@ -44,8 +44,8 @@ def MakeGuid(name, seed="msvs_new"):
   determine the GUID to refer to explicitly.  It also means that the GUID will
   not change when the project for a target is rebuilt.
   """
-    # Calculate a MD5 signature for the seed and name.
-    d = hashlib.md5((str(seed) + str(name)).encode("utf-8")).hexdigest().upper()
+    # Calculate a SHA-256 signature for the seed and name.
+    d = hashlib.sha256((str(seed) + str(name)).encode("utf-8")).hexdigest().upper()
     # Convert most of the signature to GUID form (discard the rest)
     guid = (
         "{"
diff --git a/gyp/pylib/gyp/generator/make.py b/gyp/pylib/gyp/generator/make.py
@@ -2163,7 +2163,7 @@ def WriteMakeRule(
             # - The multi-output rule will have an do-nothing recipe.
 
             # Hash the target name to avoid generating overlong filenames.
-            cmddigest = hashlib.sha1(
+            cmddigest = hashlib.sha256(
                 (command or self.target).encode("utf-8")
             ).hexdigest()
             intermediate = "%s.intermediate" % cmddigest
diff --git a/gyp/pylib/gyp/generator/ninja.py b/gyp/pylib/gyp/generator/ninja.py
@@ -811,7 +811,7 @@ def cygwin_munge(path):
                 if self.flavor == "win":
                     # WriteNewNinjaRule uses unique_name to create a rsp file on win.
                     extra_bindings.append(
-                        ("unique_name", hashlib.md5(outputs[0]).hexdigest())
+                        ("unique_name", hashlib.sha256(outputs[0].encode("utf-8")).hexdigest())
                     )
 
                 self.ninja.build(
@@ -2811,7 +2811,7 @@ def GenerateOutputForConfig(target_list, target_dicts, data, params, config_name
             build_file, name, toolset
         )
         qualified_target_for_hash = qualified_target_for_hash.encode("utf-8")
-        hash_for_rules = hashlib.md5(qualified_target_for_hash).hexdigest()
+        hash_for_rules = hashlib.sha256(qualified_target_for_hash).hexdigest()
 
         base_path = os.path.dirname(build_file)
         obj = "obj"
diff --git a/gyp/pylib/gyp/xcodeproj_file.py b/gyp/pylib/gyp/xcodeproj_file.py
@@ -431,7 +431,7 @@ def _HashUpdate(hash, data):
             hash.update(data)
 
         if seed_hash is None:
-            seed_hash = hashlib.sha1()
+            seed_hash = hashlib.sha256()
 
         hash = seed_hash.copy()
 
@@ -454,8 +454,8 @@ def _HashUpdate(hash, data):
                 child.ComputeIDs(recursive, overwrite, child_hash)
 
         if overwrite or self.id is None:
-            # Xcode IDs are only 96 bits (24 hex characters), but a SHA-1 digest is
-            # is 160 bits.  Instead of throwing out 64 bits of the digest, xor them
+            # Xcode IDs are only 96 bits (24 hex characters), but a SHA-256 digest is
+            # is 256 bits.  Instead of throwing out bits of the digest, xor them
             # into the portion that gets used.
             assert hash.digest_size % 4 == 0
             digest_int_count = hash.digest_size // 4
