pusher / pusher-http-ruby

Ruby library for Pusher Channels HTTP API
https://pusher.com/channels
MIT License
664 stars, 123 forks

Perform time constant HMAC verification to avoid timing attack. #183

Closed. ajinabraham closed this 1 year ago

ajinabraham commented 1 year ago

Description

HMAC verification should be time constant. Default Ruby string comparisons are susceptible to timing attacks. Based on https://api.rubyonrails.org/v4.2.0/classes/ActiveSupport/SecurityUtils.html#method-c-secure_compare

Alternatively, newer versions of OpenSSL also support secure_compare. https://github.com/ruby/openssl/pull/280/files

CHANGELOG
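The comparison the PR is asking for, as an added example rather than code from the PR or from pusher-http-ruby: a `==` check beside a constant-time check of the same signature, applied to a webhook body. The signature format (hex HMAC-SHA256 of the raw body under the app secret) and the sample secret and body are assumptions for the example.

```ruby
require "openssl"

# Constant-time comparison in the style of ActiveSupport::SecurityUtils.secure_compare:
# XOR every byte pair and OR the results together, so the loop runs over the
# whole string instead of stopping at the first mismatch. Lengths are checked
# first; for a fixed-size digest the length is not secret.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  left = a.unpack("C*")
  acc = 0
  b.each_byte { |byte| acc |= byte ^ left.shift }
  acc.zero?
end

# Expected signature: hex HMAC-SHA256 of the raw body under the app secret
# (assumed format for this example).
def expected_signature(secret, body)
  OpenSSL::HMAC.hexdigest("SHA256", secret, body)
end

# Vulnerable form: String#== returns as soon as a byte differs, so the time
# taken leaks how many leading bytes of the attacker-supplied signature matched.
def naive_signature_valid?(secret, body, signature_header)
  expected_signature(secret, body) == signature_header.to_s
end

# Hardened form: same result, but the comparison time does not depend on
# where the first differing byte is.
def webhook_signature_valid?(secret, body, signature_header)
  secure_compare(expected_signature(secret, body), signature_header.to_s)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values, not real Pusher credentials or traffic.
  secret = "constructed-app-secret"
  body = '{"events":[{"name":"channel_occupied","channel":"presence-demo"}]}'
  good = expected_signature(secret, body)
  tampered = (good[0] == "0" ? "1" : "0") + good[1..]
  puts "valid signature accepted: #{webhook_signature_valid?(secret, body, good)}"
  puts "tampered signature rejected: #{!webhook_signature_valid?(secret, body, tampered)}"
end
```

With the openssl gem 2.2 or newer (the ruby/openssl PR linked above), `OpenSSL.secure_compare` can replace the hand-written `secure_compare` and the rest of the code stays the same.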

stale[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. If you'd like this issue to stay open please leave a comment indicating how this issue is affecting you. Thank you.