Webpack hashing problems after Mastodon server update
Webpack hashing problems after Mastodon server update
I just updated my Mastodon server to the latest version due to a security vulnerability. I got a 500 page and error:0308010C:digital envelope routines::unsupported in the logs from mastodon-web.
I could reproduce by running bin/webpack from the command line. Some searching led me to try Node 16 LTS, but then I get an apparently blank page when I load the site and call to eval() blocked by CSP in the browser console.
The API works normally; this only affects the website.
Solved-ish.
I got webpack to run reliably by replacing its use of md4 with sha256 in these files:
$ grep -r md4 node_modules/webpack node_modules/webpack/lib/ModuleFilenameHelpers.js: const hash = createHash("md4"); node_modules/webpack/lib/optimize/ConcatenatedModule.js: const hash = createHash("md4"); node_modules/webpack/lib/optimize/SplitChunksPlugin.js: .createHash("md4") node_modules/webpack/lib/NamedModulesPlugin.js: const hash = createHash("md4"); node_modules/webpack/lib/SourceMapDevToolPlugin.js: contentHash: createHash("md4") node_modules/webpack/lib/WebpackOptionsDefaulter.js: this.set("output.hashFunction", "md4"); node_modules/webpack/lib/HashedModuleIdsPlugin.js: hashFunction: "md4",then in `config/initializers/content_security_policy.rb', I replaced the line
.script_src :self, assets_host, "'wasm-unsafe-eval'"with
p.script_src :self, assets_host, "'wasm-unsafe-eval' 'unsafe-eval'"This seems like way more tinkering with the code and defaults than I should need to keep the server running so I'll probably dig more later. I hope this post ends up being useful to anyone else having an issue.
Md4.....? Uh, even MD5 has been considered bad for literally decades