Use secure_compare during signature verification

hieuk09 · hieuk09 · commit c18e0efa43a3 · 2025-04-06T22:53:21.000+08:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,7 @@
 ### 2.5.3 (Next)
 
 * [#549](https://github.com/slack-ruby/slack-ruby-client/pull/549): Add group ID formatting support for message mentions - [@n0h0](https://github.com/n0h0).
+* [#553](https://github.com/slack-ruby/slack-ruby-client/pull/553): Use secure_compare during signature verification - [@hieuk09](https://github.com/hieuk09).
 * Your contribution here.
 
 ### 2.5.2 (2025/02/19)
diff --git a/lib/slack/events/request.rb b/lib/slack/events/request.rb
@@ -59,7 +59,7 @@ def valid?
         signature_basestring = [version, timestamp, body].join(':')
         hex_hash = OpenSSL::HMAC.hexdigest(digest, signing_secret, signature_basestring)
         computed_signature = [version, hex_hash].join('=')
-        computed_signature == signature
+        secure_compare(computed_signature, signature)
       end
 
       # Validates the request signature and its expiration.
@@ -69,6 +69,19 @@ def verify!
 
         true
       end
+
+      private
+
+      def secure_compare(computed_signature, signature)
+        return false if computed_signature.bytesize != signature.bytesize
+
+        l = computed_signature.unpack "C#{computed_signature.bytesize}"
+
+        result = 0
+        signature.each_byte { |byte| result |= byte ^ l.shift }
+
+        result.zero?
+      end
     end
   end
 end
