Security: fix timing attack vulnerability in LINE webhook signature validation

Luka Zhang
2026-01-26 16:51:46 -08:00
committed by Shadow
parent 1e7cb23f00
commit 3b8792ee29
2 changed files with 47 additions and 1 deletions


@@ -12,7 +12,16 @@ export interface LineWebhookOptions {
function validateSignature(body: string, signature: string, channelSecret: string): boolean {
const hash = crypto.createHmac("SHA256", channelSecret).update(body).digest("base64");
return hash === signature;
const hashBuffer = Buffer.from(hash);
const signatureBuffer = Buffer.from(signature);
// Use constant-time comparison to prevent timing attacks
// Ensure buffers are same length before comparison to prevent timing leak
if (hashBuffer.length !== signatureBuffer.length) {
return false;
}
return crypto.timingSafeEqual(hashBuffer, signatureBuffer);
}
function readRawBody(req: Request): string | null {
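Review bot: The second comment above the length guard gives the wrong reason for it: the guard exists because `crypto.timingSafeEqual` throws a `RangeError` when the two buffers differ in length, not to close a timing leak — an early return on a length mismatch is observable, but the expected length is public (a base64 HMAC-SHA256 is always 44 characters), so nothing secret is revealed. I would replace the two comments with `// timingSafeEqual throws on unequal lengths; a mismatch here can only mean a malformed header, so rejecting early is safe.` and add a short JSDoc on `validateSignature` stating that `body` must be the raw request bytes as received (re-serialized JSON will not reproduce the HMAC) and that `signature` is the value of the LINE signature header compared as its base64 string. The parameter type `string` does not cover a missing header; if the caller can pass `undefined`, `Buffer.from(signature)` will throw a `TypeError` instead of returning `false`, so either the caller should check for the header first or the function should return `false` when `signature` is empty or not a string — I cannot see the caller in this hunk to confirm. The enclosing file continues outside the hunk.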