sec(securing-your-webhooks): use constant time comparator #27265
Conversation
Despite noting the security vulnerability above, this gives a poor TypeScript example that is vulnerable in the exact way described - and a variety of node modules have copied this example exactly, inheriting the vulnerability.
@coolaj86 Thanks so much for submitting a PR! I'll get this triaged for review ⚡
Thanks for adding this! We'll get this merged down for you.
Thanks very much for contributing! Your pull request has been merged 🎉 You should see your changes appear on the site in approximately 24 hours. If you're looking for your next contribution, check out our help wanted issues ⚡
Why: Security.

What's being changed (if available, include any code snippets, screenshots, or gifs): Using crypto.timingSafeEqual() in the TypeScript example.