Is this a timing attack?

eslint-community / eslint-plugin-security

ESLint rules for Node Security

Apache License 2.0

2.16k stars 108 forks source link

Is this a timing attack? #70

Open jimisaacs opened 2 years ago

jimisaacs commented 2 years ago

This doesn't seem right.

jesusprubio commented 2 years ago

Summary Possible corner case for detect-possible-timing-attacks rule.

Rule: https://github.com/nodesecurity/eslint-plugin-security/blob/main/rules/detect-possible-timing-attacks.js

Still relevant? Yes.

Next steps

Decide if we consider this case a vulnerable code.
If we decide to consider this a valid timing based vector we should verify or update our rule to support it.

jesusprubio commented 2 years ago

IMHO technically that would be a vulnerability. Even if the lines don't make too much sense and include more dangerous vulnerabilities as hardcoding the value to check against, the use of null as a secret, etc.

GrantGryczan commented 7 months ago

IMHO technically that would be a vulnerability.

@jesusprubio I disagree, as I'm struggling to imagine how this could result in a compromise taking place or how this falls within the scope of this rule. Isn't this vulnerability about comparisons that take an amount of time related to how correct they are? That should only possibly apply to strings, numbers, etc., not null.