Open jimisaacs opened 2 years ago
Summary
Possible corner case for detect-possible-timing-attacks
rule.
Still relevant? Yes.
Next steps
IMHO technically that would be a vulnerability. Even if the lines don't make too much sense and include more dangerous vulnerabilities as hardcoding the value to check against, the use of null
as a secret, etc.
IMHO technically that would be a vulnerability.
@jesusprubio I disagree, as I'm struggling to imagine how this could result in a compromise taking place or how this falls within the scope of this rule. Isn't this vulnerability about comparisons that take an amount of time related to how correct they are? That should only possibly apply to strings, numbers, etc., not null
.
This doesn't seem right.