search

ScottONeal / githooked

githooked is a tiny library and companion CLI tool for handling GitHub webooks.
MIT License
8 stars 1 forks source link

Use crypto.timingSafeEqual to avoid timing-based attacks #6

Closed ryangreenberg closed 6 years ago

ryangreenberg commented 6 years ago

Node added a function to its crypto library, timingSafeEqual which can be used to mitigate the risk of a timing-based attack on signatures. (See https://codahale.com/a-lesson-in-timing-attacks for a good explanation of timing attacks).

In short, using a normal string comparison function leaks information about how different the provided signature is from the correct one because a string with a longer matching prefix will take longer to return. This change uses the existing string comparison when timingSafeEqual is not available.

ScottONeal commented 6 years ago

Hey sorry for my delay in responding to this! Looks great! Thanks for you assistance. I'll update npm as well.

ryangreenberg commented 6 years ago

No worries, thanks for merging @ScottONeal!