fix: prevent timing attack in webhook signature verification#469
Open
vaibhavchopra-wq wants to merge 6 commits into
Open
fix: prevent timing attack in webhook signature verification#469vaibhavchopra-wq wants to merge 6 commits into
vaibhavchopra-wq wants to merge 6 commits into
Conversation
Replace vulnerable string comparison (===) with crypto.timingSafeEqual() to prevent timing-based side-channel attacks on signature verification. The === operator short-circuits on first mismatch, allowing attackers to measure response times and potentially guess signatures character by character. timingSafeEqual() always compares all bytes in constant time regardless of input.
- Compare raw HMAC bytes (32 bytes) instead of hex strings (64 chars) - Decode incoming signature from hex to raw bytes - Handle invalid hex input gracefully with try/catch
Buffer.from(str, 'hex') never throws - it returns empty/partial Buffer on invalid hex input. The length check below catches this case.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Replace vulnerable string comparison (===) with crypto.timingSafeEqual() to prevent timing-based side-channel attacks on signature verification.
The === operator short-circuits on first mismatch, allowing attackers to measure response times and potentially guess signatures character by character. timingSafeEqual() always compares all bytes in constant time regardless of input.
Note :- Please follow the below points while attaching test cases document link below:
- If label
Testedis added then test cases document URL is mandatory.- Link added should be a valid URL and accessible throughout the org.
- If the branch name contains hotfix / revert by default the BVT workflow check will pass.