
Merge pull request #102 from sean-nicholas/timing-attacks

Prevent timing attacks on keys / signatures
master
Nicolas Garnier 8 years ago
committed by GitHub
parent
commit
4cdcab7283
  1. 3
      delete-unused-accounts-cron/functions/index.js
  2. 3
      delete-unused-accounts-cron/functions/package.json
  3. 3
      github-to-slack/functions/index.js
  4. 3
      github-to-slack/functions/package.json

3
delete-unused-accounts-cron/functions/index.js

@ -21,6 +21,7 @@ admin.initializeApp(functions.config().firebase);
const rp = require('request-promise');
const promisePool = require('es6-promise-pool');
const PromisePool = promisePool.PromisePool;
const secureCompare = require('secure-compare');
// Maximum concurrent account deletions.
const MAX_CONCURRENT = 3;
@ -33,7 +34,7 @@ exports.accountcleanup = functions.https.onRequest((req, res) => {
const key = req.query.key;
// Exit if the keys don't match
if (key !== functions.config().cron.key) {
if (!secureCompare(key, functions.config().cron.key)) {
console.log('The key provided in the request does not match the key set in the environment. Check that', key,
'matches the cron.key attribute in `firebase env:get`');
res.status(403).send('Security key does not match. Make sure your "key" URL query parameter matches the ' +
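Review bot: The value passed to the new `secureCompare(key, functions.config().cron.key)` call is taken straight from `req.query.key`, which can be undefined (parameter absent) or an array (`?key=a&key=b`), so whether such a request is rejected now rests on how `secure-compare` treats non-string input rather than on a check in this handler. Make the rejection explicit: `const expected = functions.config().cron.key;` then `if (typeof key !== 'string' || typeof expected !== 'string' || !secureCompare(key, expected)) {`, which also covers an unset `cron.key` config. The same guard is worth adding in front of the signature comparison in github-to-slack/functions/index.js. The `accountcleanup` handler starts outside the hunk.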

3
delete-unused-accounts-cron/functions/package.json

@ -8,6 +8,7 @@
"googleapis": "^16.1.0",
"request": "^2.79.0",
"request-promise": "^4.1.1",
"request-promise-native": "^1.0.3"
"request-promise-native": "^1.0.3",
"secure-compare": "^3.0.1"
}
}
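Review bot: The new `"secure-compare": "^3.0.1"` entry is a caret range, and the four files in this commit's diffstat include no lockfile, so the package that now decides whether a request is authenticated can resolve to any later 3.x at install time. For a comparison primitive on the authentication path an exact `"secure-compare": "3.0.1"` or a committed lockfile keeps the deployed code reviewable. The same applies to the entry added in github-to-slack/functions/package.json.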

3
github-to-slack/functions/index.js

@ -18,6 +18,7 @@
const functions = require('firebase-functions');
const rp = require('request-promise');
const crypto = require('crypto');
const secureCompare = require('secure-compare');
/**
* Webhook that will be called each time there is a new GitHub commit and will post a message to
@ -35,7 +36,7 @@ exports.githubWebhook = functions.https.onRequest((req, res) => {
const expectedSignature = `${cipher}=${hmac}`;
// Check that the body of the request has been signed with the GitHub Secret.
if (signature === expectedSignature) {
if (secureCompare(signature, expectedSignature)) {
postToSlack(req.body.compare, req.body.commits.length, req.body.repository).then(() => {
res.end();
}).catch(error => {
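Review bot: `crypto` is already required two lines above the new `secureCompare` import, so the constant-time check at `if (secureCompare(signature, expectedSignature)) {` could be done with the built-in `crypto.timingSafeEqual` instead of adding a third-party dependency, if the deployed Node runtime provides it; that API throws on unequal lengths and takes Buffers, so the condition would become `if (typeof signature === 'string' && signature.length === expectedSignature.length && crypto.timingSafeEqual(Buffer.from(signature), Buffer.from(expectedSignature))) {`, where the length check reveals only whether the lengths match. If the library is kept, an explicit `typeof signature === 'string'` guard still documents here, rather than inside `secure-compare`, that a request with no signature value is rejected. The `githubWebhook` handler, including where `signature`, `cipher` and `hmac` are obtained, starts outside the hunk.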

3
github-to-slack/functions/package.json

@ -6,6 +6,7 @@
"firebase-admin": "^4.1.2",
"firebase-functions": "^0.5.1",
"request": "^2.80.0",
"request-promise": "^4.1.1"
"request-promise": "^4.1.1",
"secure-compare": "^3.0.1"
}
}
