fix: timing attach vulnerability
gr2m committed Nov 27, 2017
1 parent 1feb63e commit b6fcbe5
Showing 2 changed files with 25 additions and 5 deletions.
4 changes: 3 additions & 1 deletion package.json
Expand Up @@ -10,7 +10,9 @@
"lib": "lib",
"test": "test"
},
"dependencies": {},
"dependencies": {
"buffer-equal-constant-time": "^1.0.1"
},
"devDependencies": {
"axios": "^0.17.1",
"coveralls": "^3.0.0",
26 changes: 22 additions & 4 deletions verify/index.js
@@ -1,16 +1,34 @@
module.exports = verify

const crypto = require('crypto')
const Buffer = require('buffer').Buffer

const timingSafeEqualPolyfill = require('buffer-equal-constant-time')

const sign = require('../sign')

function verify (secret, eventPayload, signature) {
if (!secret || !eventPayload || !signature) {
throw new TypeError('secret, eventPayload & signature required')
}

return Buffer.compare(
Buffer.from(signature),
Buffer.from(sign(secret, eventPayload))
) === 0
const signatureBuffer = Buffer.from(signature)
const verificationBuffer = Buffer.from(sign(secret, eventPayload))

if (signatureBuffer.length !== verificationBuffer.length) {
return false
}

return timingSafeEqual(signatureBuffer, verificationBuffer)
}

/* istanbul ignore next */
function timingSafeEqual (signatureBuffer, verificationBuffer) {
// crypto.verificationBuffer was added in Node 6.6
// https://nodejs.org/docs/latest-v6.x/api/crypto.html#crypto_crypto_timingsafeequal_a_b
if ('timingSafeEqual' in crypto) {
return crypto.timingSafeEqual(signatureBuffer, verificationBuffer)
}

return timingSafeEqualPolyfill(signatureBuffer, verificationBuffer)
}
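Review bot: The comment above the feature detection names the wrong API — it reads `// crypto.verificationBuffer was added in Node 6.6`, but the property checked on the next line is `crypto.timingSafeEqual`; change it to `// crypto.timingSafeEqual was added in Node 6.6`. The early `return false` on a length mismatch is appropriate here: crypto.timingSafeEqual throws on buffers of unequal length, and the expected length is presumably fixed by whatever format sign() emits (not visible in this hunk), so the length comparison reveals nothing the caller did not already know. What the guard at the top of verify does not cover is a non-string, non-Buffer signature such as a number, which makes `Buffer.from(signature)` throw a TypeError instead of yielding false; if a malformed signature should count as a verification failure, add `typeof signature !== 'string'` to that initial check. Note also that `/* istanbul ignore next */` excludes the fallback branch from coverage, so the polyfill path is never exercised unless a test forces it.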
