ishefi / semantle-he

A Hebrew version of Semantle.

Timing side channel attack #62

Closed JPDevelop closed 1 year ago

JPDevelop commented 1 year ago

In handlers.py:133 there are the following lines:

if api_key != request.app.state.api_key:
    raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)

This piece of code is vulnerable to a timing side channel attack and should be replaced with the constant-time comparison method `hmac.compare_digest`.
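The check above, with the suggested fix, as an added example that is not code from the semantle-he repository: the first function reproduces the variable-time comparison the issue describes, the second is the `hmac.compare_digest` replacement with the two caveats a practitioner hits when applying it (non-ASCII input makes `compare_digest` raise on `str`, and unequal lengths still leak). The key value and function names are constructed for illustration; nothing here depends on FastAPI.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample secret for the demo, not the project's real key.
EXPECTED_API_KEY = "s3cr3t-example-key"


def check_api_key_vulnerable(presented: Optional[str],
                             expected: str = EXPECTED_API_KEY) -> bool:
    """The pattern quoted from handlers.py: plain string comparison.

    CPython's str equality returns as soon as it finds a difference
    (length mismatch, then the first differing byte), so the time taken
    grows with the length of the correct prefix. That is the side channel.
    """
    return presented == expected


def check_api_key_constant_time(presented: Optional[str],
                                expected: str = EXPECTED_API_KEY) -> bool:
    """Replacement built on hmac.compare_digest.

    Two caveats beyond the one-line fix suggested in the issue:
    - compare_digest raises TypeError for a non-ASCII str, so both sides
      are encoded to bytes before comparing (a Hebrew header value would
      otherwise turn into a 500 instead of a 403).
    - compare_digest's running time still depends on the operands'
      lengths, so both sides are reduced to a fixed-size SHA-256 digest
      first; the comparison then takes the same time for any input.
    A missing header (None) is rejected without raising.
    """
    if presented is None:
        return False
    presented_digest = hashlib.sha256(presented.encode("utf-8")).digest()
    expected_digest = hashlib.sha256(expected.encode("utf-8")).digest()
    return hmac.compare_digest(presented_digest, expected_digest)


if __name__ == "__main__":
    for candidate in (EXPECTED_API_KEY, "s3cr3t-example-kex", "סוד", None):
        print(repr(candidate), "->", check_api_key_constant_time(candidate))
```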

Iddoyadlin commented 1 year ago

@JPDevelop very nice! Wanna make a PR?

ishefi commented 1 year ago

Closing as this became redundant with: https://github.com/ishefi/semantle-he/commit/3e898f59ca1ec816a4544ae8079988832b7c2a2d