timing attack vulnerability #7

Closed
sjmiller609 opened this issue Apr 13, 2017 · 2 comments
You need to replace a line in flint-bot/sparky/blob/master/lib/res/webhooks.js

offending line:
...
if(sig === hmac.digest('hex')) {
...

Solution: replace triple equals with time-constant comparison from crypto lib
nodejs/node#3073

vulnerability explanation:
https://en.wikipedia.org/wiki/Timing_attack

discussion (in depth explanation):
nodejs/node-v0.x-archive#8560

Thank you for building this framework.

Steven Miller
Cisco Systems, IT Engineer
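
The replacement suggested in this issue, as an added example that is not part of the original post or the project's code: a webhook signature check using Node's `crypto.timingSafeEqual` in place of `===`. The helper name `verifyWebhookSignature`, the HMAC-SHA1 algorithm, and the secret and body values are assumptions constructed for the demonstration.

```javascript
const crypto = require('crypto');

// Hypothetical helper, not flint/sparky code. Assumes the sender signs the raw
// request body with HMAC-SHA1 and sends the digest as a hex string.
function verifyWebhookSignature(secret, rawBody, sigHex, algorithm = 'sha1') {
  const expected = crypto.createHmac(algorithm, secret).update(rawBody).digest();

  // Validate shape first: Buffer.from(str, 'hex') stops at the first non-hex
  // character instead of failing, and timingSafeEqual throws when the two
  // buffers differ in length. The digest length is public, so returning early
  // here tells the caller nothing about the secret.
  if (typeof sigHex !== 'string' ||
      sigHex.length !== expected.length * 2 ||
      !/^[0-9a-f]+$/i.test(sigHex)) {
    return false;
  }

  // Comparison time does not depend on where the first differing byte is,
  // unlike `sig === hmac.digest('hex')`.
  return crypto.timingSafeEqual(Buffer.from(sigHex, 'hex'), expected);
}

// Constructed sample values for the demonstration.
const SECRET = 'example-webhook-secret';
const BODY = JSON.stringify({ resource: 'messages', event: 'created' });
const GOOD_SIG = crypto.createHmac('sha1', SECRET).update(BODY).digest('hex');

function demo() {
  const flipped = GOOD_SIG.slice(0, -1) + (GOOD_SIG.endsWith('0') ? '1' : '0');
  return {
    valid: verifyWebhookSignature(SECRET, BODY, GOOD_SIG),
    tamperedBody: verifyWebhookSignature(SECRET, BODY + ' ', GOOD_SIG),
    lastNibbleFlipped: verifyWebhookSignature(SECRET, BODY, flipped),
    truncated: verifyWebhookSignature(SECRET, BODY, GOOD_SIG.slice(0, 10)),
    nonHex: verifyWebhookSignature(SECRET, BODY, 'z'.repeat(40)),
    missingHeader: verifyWebhookSignature(SECRET, BODY, undefined),
  };
}

console.log(demo());
```

Compute the HMAC over the raw request bytes as received, not over a re-serialized parsed body.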

nmarus added a commit that referenced this issue Apr 13, 2017
@nmarus nmarus self-assigned this Apr 13, 2017
Member

nmarus commented Apr 13, 2017

Thanks. Fix applied in 4.0.8.

@nmarus nmarus closed this as completed Apr 13, 2017
Author

sjmiller609 commented Apr 13, 2017 via email
