Merge pull request #71 from billdybas/use-timing-safe-compare

aoberoi · web-flow · commit 1cb466a8901d · 2018-10-01T18:29:27.000-07:00
Use Timing Safe Compare
diff --git a/package.json b/package.json
@@ -29,7 +29,8 @@
     "lodash.isplainobject": "^4.0.6",
     "lodash.isregexp": "^4.0.1",
     "lodash.isstring": "^4.0.1",
-    "raw-body": "^2.3.3"
+    "raw-body": "^2.3.3",
+    "tsscmp": "^1.0.6"
   },
   "devDependencies": {
     "babel-cli": "^6.26.0",
diff --git a/src/http-handler.js b/src/http-handler.js
@@ -2,6 +2,7 @@ import debugFactory from 'debug';
 import getRawBody from 'raw-body';
 import querystring from 'querystring';
 import crypto from 'crypto';
+import timingSafeCompare from 'tsscmp';
 import { packageIdentifier } from './util';
 
 const debug = debugFactory('@slack/interactive-messages:http-handler');
@@ -80,7 +81,7 @@ export function createHTTPHandler(adapter) {
     const [version, hash] = signature.split('=');
     hmac.update(`${version}:${ts}:${body}`);
 
-    if (hash !== hmac.digest('hex')) {
+    if (!timingSafeCompare(hash, hmac.digest('hex'))) {
       debug('request signature is not valid');
       const error = new Error('Slack request signing verification failed');
       error.code = errorCodes.SIGNATURE_VERIFICATION_FAILURE;
