Closed billdybas closed 6 years ago
Merging #71 into master will increase coverage by <.01%. The diff coverage is 100%.

Coverage Diff | master | #71 | +/- |
---|---|---|---|
Coverage | 99.09% | 99.09% | +<.01% |
Files | 3 | 3 | |
Lines | 220 | 221 | +1 |
Hits | 218 | 219 | +1 |
Misses | 2 | 2 | |

Impacted Files | Coverage Δ | |
---|---|---|
src/http-handler.js | 98.38% <100%> (+0.02%) | :arrow_up: |
Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data

Powered by Codecov. Last update ced8f2a...3bbcb9b.
Thank you so much for this contribution and for helping keep users of this package safe.
Summary
This PR changes how equality checking is done when verifying the Slack request signature. Currently, `!==` is used; however, this might be vulnerable to timing attacks, and a timing safe compare function should be used instead. I introduce the `tsscmp` package (a wrapper around Node's `crypto.timingSafeEqual`) and use its compare function instead.

Note, the API docs do recommend using a timing safe compare function (See: "Step-by-step walk-through for validating a request"), and the Python library verifies this way.
Related: slackapi/node-slack-events-api#77
Requirements