
Commit 429f03a

committed
Improve protect against timing attacks
1 parent affad88 commit 429f03a


3 files changed

+13
-3
lines changed


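--- a/src/admin/helpers.ts
+++ b/src/admin/helpers.ts
@@ -28,7 +28,10 @@ export function adminBearerAuth() {
 if (!config.adminAPI.enabled) return false;
 
 const expected = config.adminAPI.token;
-if (token.length !== expected.length) return false;
+
+if (token.length !== expected.length) {
+return !crypto.timingSafeEqual(Buffer.from(token), Buffer.from(token));
+}
 
 return crypto.timingSafeEqual(Buffer.from(token), Buffer.from(expected));
 },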
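Review bot: The length guard compares UTF-16 code-unit counts (`token.length` vs `expected.length`) while `crypto.timingSafeEqual` two lines below compares UTF-8 byte lengths, so a token containing a multi-byte character can pass the guard with equal `.length` and then make `timingSafeEqual` throw a RangeError on unequal byte lengths instead of returning false; src/cache.ts and src/routes/helpers.ts keep the same shape. The added dummy `!crypto.timingSafeEqual(Buffer.from(token), Buffer.from(token))` is correct only because a self-comparison always returns true, which is not obvious to a reader and deserves a comment at minimum. Digesting both sides to a fixed length before comparing removes the length branch, the byte-length mismatch and the dummy comparison together. adminBearerAuth's body starts outside the hunk.
```typescript
const expected = config.adminAPI.token;
// Digest both sides to a fixed length: no length-dependent branch is needed,
// and timingSafeEqual can no longer throw on unequal byte lengths.
const given = crypto.createHash("sha256").update(token).digest();
const wanted = crypto.createHash("sha256").update(expected).digest();
return crypto.timingSafeEqual(given, wanted);
```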

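--- a/src/cache.ts
+++ b/src/cache.ts
@@ -378,7 +378,10 @@ class CacheManager {
 return true;
 }
 
-if (providedPassword.length !== statusPage.hashedPassword!.length) return false;
+if (providedPassword.length !== statusPage.hashedPassword!.length) {
+return !crypto.timingSafeEqual(Buffer.from(providedPassword), Buffer.from(providedPassword));
+}
+
 return crypto.timingSafeEqual(Buffer.from(providedPassword), Buffer.from(statusPage.hashedPassword!));
 }
 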
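--- a/src/routes/helpers.ts
+++ b/src/routes/helpers.ts
@@ -19,7 +19,11 @@ export function statusPageBearerAuth() {
 const slug = ctx.params["slug"]!;
 const statusPage: StatusPage | undefined = cache.getStatusPageBySlug(slug);
 if (!statusPage) return false;
-if (token.length !== statusPage.hashedPassword!.length) return false;
+
+if (token.length !== statusPage.hashedPassword!.length) {
+return !crypto.timingSafeEqual(Buffer.from(token), Buffer.from(token));
+}
+
 return crypto.timingSafeEqual(Buffer.from(token), Buffer.from(statusPage.hashedPassword!));
 },
 });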
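Review bot: `statusPage.hashedPassword!` is dereferenced for `.length` immediately after the `if (!statusPage) return false;` guard, with nothing in the hunk establishing that the page has a password; if `hashedPassword` can be undefined for a page without one, the auth callback throws a TypeError rather than denying access. Unless the type or a check earlier in the function (not visible here) rules that out, replacing the guard with `if (!statusPage?.hashedPassword) return false;` keeps the failure a clean denial and lets both non-null assertions go. statusPageBearerAuth's body starts outside the hunk.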
