
fix: prevent timing attack in webhook signature verification #473

Draft
vaibhavchopra-wq wants to merge 1 commit into master from ai-week/fix-node-2026-05-07-92fe1ce

Conversation

@vaibhavchopra-wq

Replace vulnerable string comparison with constant-time comparison to prevent timing-based side-channel attacks on signature verification.

The previous operator short-circuits on first mismatch, allowing attackers to measure response times and potentially guess signatures character by character. The replacement compares all bytes in constant time regardless of input.

Findings applied:

  • V1: Timing-unsafe signature comparison — replace with constant-time compare (lib/utils/razorpay-utils.js:102)
  • V6: axios uses caret-pinned version — pin exactly for reproducibility (package.json:51)

Findings deferred for human decision:

  • V4: Secret slicing without length guard — short/empty secret produces malformed ciphertext silently — breaking change requiring versioned migration

Note: please follow the points below when attaching the test cases document link:

- If the label Tested is added, then a test cases document URL is mandatory.

- The link added should be a valid URL and accessible throughout the org.

- If the branch name contains hotfix / revert, the BVT workflow check will pass by default.

Test Case Document URL
Please paste test case document link here....
