fix(web): use constant-time comparison for media-server webhook secret#1933
Merged
Conversation
Paragon Review Skipped Hi @richiemcilroy! Your Polarity credit balance is insufficient to complete this review. Please visit https://app.paragon.run to finish your review. |
Superagent didn't find any vulnerabilities or security issues in this PR. |
Member
Author
@greptileai please review the PR |
Uses a constant-time comparison for the media-server webhook shared secret, matching the cron routes.
Greptile Summary
This PR hardens the media-server webhook authentication by replacing a plain
`===` string comparison with a constant-time SHA-256-hash-then-`timingSafeEqual` check, bringing it in line with the cron route pattern.

- `authHeader` and `webhookSecret` are hashed to a fixed 32-byte SHA-256 digest before `timingSafeEqual` is called, so the buffers are always the same length (no `RangeError`) and no length pre-check is needed (no secret-size side-channel).
- `!webhookSecret` and `!authHeader` null guards short-circuit on absent configuration or missing header — neither leaks information about the secret's value.

Confidence Score: 5/5
The change is a targeted, self-contained security hardening of one auth check — safe to merge.
The hashing approach is correct: SHA-256 always produces a fixed 32-byte buffer, so timingSafeEqual will never throw, and the absence of a length pre-check means the secret size is not leaked through timing. The null guards for a missing config value or missing header are appropriate and do not expose the secret's content. No functional behavior outside the auth gate is touched.
No files require special attention.
Reviews (3): Last reviewed commit: "fix(web): hash media-server webhook secr..."