slackapi / node-slack-interactive-messages

Slack Buttons, Menus, and Dialogs made simpler for Node
MIT License

Use Timing Safe Compare #71

Closed billdybas closed 6 years ago

billdybas commented 6 years ago

Summary

This PR changes how equality checking is done when verifying the Slack request signature. Currently, !== is used; however, this might be vulnerable to timing attacks, and a timing safe compare function should be used instead.

I introduce the tsscmp package (a wrapper around Node's crypto.timingSafeEqual) and use its compare function instead.

Note, the API docs do recommend using a timing safe compare function (See: "Step-by-step walk-through for validating a request"), and the Python library verifies this way.

Related: slackapi/node-slack-events-api#77

Requirements

codecov[bot] commented 6 years ago

Codecov Report

Merging #71 into master will increase coverage by <.01%. The diff coverage is 100%.


@@            Coverage Diff             @@
##           master      #71      +/-   ##
==========================================
+ Coverage   99.09%   99.09%   +<.01%     
==========================================
  Files           3        3              
  Lines         220      221       +1     
==========================================
+ Hits          218      219       +1     
  Misses          2        2
Impacted Files      | Coverage Δ
src/http-handler.js | 98.38% <100%> (+0.02%) ↑


aoberoi commented 6 years ago

Thank you so much for this contribution and for helping keep users of this package safe.