π Fix timing attack vulnerability in token comparisons#22
π Fix timing attack vulnerability in token comparisons#22instax-dutta wants to merge 1 commit into
Conversation
- Implemented `safeCompare` utility using `node:crypto.timingSafeEqual`. - Updated `/api/paste/[id]/rotate` to use `safeCompare` for deletion token. - Updated `/api/paste/[id]` (DELETE) to use `safeCompare` for deletion token. - Updated `/api/init` to use `safeCompare` for `INIT_SECRET`. - Added unit tests for `safeCompare` in `src/lib/security.test.ts`. Co-authored-by: instax-dutta <54683866+instax-dutta@users.noreply.github.com>
|
π Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a π emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task. |
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
Warning Rate limit exceeded
β How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. π¦ How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. βΉοΈ Review infoβοΈ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: π Files selected for processing (5)
β¨ Finishing Touchesπ§ͺ Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment Tip CodeRabbit can generate a title for your PR based on the changes with custom instructions.Set the |
π― What: The vulnerability fixed
This PR addresses a timing attack vulnerability in token comparisons throughout the API. Specifically, it replaces non-constant time string comparisons for sensitive tokens with a timing-safe alternative.
A timing attack could allow an attacker to brute-force sensitive tokens (like deletion tokens or the
INIT_SECRET) by measuring the time the server takes to respond. Because standard string comparisons return early on the first mismatch, the response time can reveal how many characters at the beginning of the string are correct, significantly reducing the search space for an attacker.π‘οΈ Solution: How the fix addresses the vulnerability
I've introduced a
safeCompareutility insrc/lib/security.tsthat usesnode:crypto.timingSafeEqualfor comparisons. This function ensures that the comparison takes the same amount of time regardless of how much of the string matches. It also safely handles comparisons of strings with different lengths by performing a dummy comparison to prevent throwing errors while still being timing-resistant.The fix was applied to:
src/app/api/paste/[id]/rotate/route.ts: Comparing deletion tokens for link rotation.src/app/api/paste/[id]/route.ts: Comparing deletion tokens for paste revocation.src/app/api/init/route.ts: Comparing theINIT_SECRETfor database initialization.A new test file
src/lib/security.test.tswas added to verify the correctness of thesafeComparefunction.PR created automatically by Jules for task 10910891533191577668 started by @instax-dutta