From 61f18092e9aa525e0943603657fb4fa28838985c Mon Sep 17 00:00:00 2001
From: Stephen Toub
Date: Thu, 10 Oct 2024 15:28:49 -0400
Subject: [PATCH] Add comment about use of hashing in CachingHelpers
---
 src/Libraries/Microsoft.Extensions.AI/CachingHelpers.cs | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/Libraries/Microsoft.Extensions.AI/CachingHelpers.cs b/src/Libraries/Microsoft.Extensions.AI/CachingHelpers.cs
index 8128926f942..13637dc5226 100644
--- a/src/Libraries/Microsoft.Extensions.AI/CachingHelpers.cs
+++ b/src/Libraries/Microsoft.Extensions.AI/CachingHelpers.cs
@@ -44,7 +44,10 @@ public static string GetCacheKey(TValue value, bool flag, JsonSerializer
 }
 // The complete JSON representation is excessively long for a cache key, duplicating much of the content
- // from the value. So we use a hash of it as the default key.
+ // from the value. So we use a hash of it as the default key, and we rely on collision resistance for security purposes.
+ // If a collision occurs, we'd serve the cached LLM response for a potentially unrelated prompt, leading to information
+ // disclosure. Use of SHA256 is an implementation detail and can be easily swapped in the future if needed, albeit
+ // invalidating any existing cache entries that may exist in whatever IDistributedCache was in use.
 #if NET8_0_OR_GREATER
 Span hashData = stackalloc byte[SHA256.HashSizeInBytes];
 SHA256.HashData(jsonKeyBytes, hashData);
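Review bot: The added comment says SHA256 "can be easily swapped" immediately after stating that collision resistance is what keeps one prompt from receiving another prompt's cached response, but it never states the constraint a replacement has to satisfy. I would append a line such as `// Any replacement must be a collision-resistant cryptographic hash, and its output must not be truncated.` so that a later performance-motivated change does not substitute a fast non-cryptographic hash. The comment also addresses only collisions; if the IDistributedCache is shared across users or tenants, identical serialized inputs map to the same key by design, which may deserve a sentence if the hashed value carries no caller scope (not visible in this hunk). GetCacheKey starts before the hunk and the `#if NET8_0_OR_GREATER` block continues past it, so whether the other branch produces the same key for the same input cannot be confirmed from here.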