Skip to content

πŸ”’ Fix timing attack vulnerability in token comparisons#22

Open
instax-dutta wants to merge 1 commit into
mainfrom
security-timing-safe-token-comparison-10910891533191577668
Open

πŸ”’ Fix timing attack vulnerability in token comparisons#22
instax-dutta wants to merge 1 commit into
mainfrom
security-timing-safe-token-comparison-10910891533191577668

Conversation

@instax-dutta

Copy link
Copy Markdown
Owner

🎯 What: The vulnerability fixed

This PR addresses a timing attack vulnerability in token comparisons throughout the API. Specifically, it replaces non-constant time string comparisons for sensitive tokens with a timing-safe alternative.

⚠️ Risk: The potential impact if left unfixed

A timing attack could allow an attacker to brute-force sensitive tokens (like deletion tokens or the INIT_SECRET) by measuring the time the server takes to respond. Because standard string comparisons return early on the first mismatch, the response time can reveal how many characters at the beginning of the string are correct, significantly reducing the search space for an attacker.

πŸ›‘οΈ Solution: How the fix addresses the vulnerability

I've introduced a safeCompare utility in src/lib/security.ts that uses node:crypto.timingSafeEqual for comparisons. This function ensures that the comparison takes the same amount of time regardless of how much of the string matches. It also safely handles comparisons of strings with different lengths by performing a dummy comparison to prevent throwing errors while still being timing-resistant.

The fix was applied to:

  • src/app/api/paste/[id]/rotate/route.ts: Comparing deletion tokens for link rotation.
  • src/app/api/paste/[id]/route.ts: Comparing deletion tokens for paste revocation.
  • src/app/api/init/route.ts: Comparing the INIT_SECRET for database initialization.

A new test file src/lib/security.test.ts was added to verify the correctness of the safeCompare function.


PR created automatically by Jules for task 10910891533191577668 started by @instax-dutta

- Implemented `safeCompare` utility using `node:crypto.timingSafeEqual`.
- Updated `/api/paste/[id]/rotate` to use `safeCompare` for deletion token.
- Updated `/api/paste/[id]` (DELETE) to use `safeCompare` for deletion token.
- Updated `/api/init` to use `safeCompare` for `INIT_SECRET`.
- Added unit tests for `safeCompare` in `src/lib/security.test.ts`.

Co-authored-by: instax-dutta <54683866+instax-dutta@users.noreply.github.com>
@google-labs-jules

Copy link
Copy Markdown
Contributor

πŸ‘‹ Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a πŸ‘€ emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

@vercel

vercel Bot commented Mar 22, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
binify Ready Ready Preview, Comment Mar 22, 2026 9:34am

@coderabbitai

coderabbitai Bot commented Mar 22, 2026

Copy link
Copy Markdown

Warning

Rate limit exceeded

@instax-dutta has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 26 minutes and 1 seconds before requesting another review.

βŒ› How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
βš™οΈ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 07864dc6-7eb0-46a5-812d-1143d32f622c

πŸ“₯ Commits

Reviewing files that changed from the base of the PR and between 6c75fd8 and 396a7cb.

πŸ“’ Files selected for processing (5)
  • src/app/api/init/route.ts
  • src/app/api/paste/[id]/rotate/route.ts
  • src/app/api/paste/[id]/route.ts
  • src/lib/security.test.ts
  • src/lib/security.ts
✨ Finishing Touches
πŸ§ͺ Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch security-timing-safe-token-comparison-10910891533191577668

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❀️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

Tip

CodeRabbit can generate a title for your PR based on the changes with custom instructions.

Set the reviews.auto_title_instructions setting to generate a title for your PR based on the changes in the PR with custom instructions.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant