
fix: use constant-time comparison for auth token (CWE-208)#576

Open
spidershield-contrib wants to merge 1 commit intotaskgenius:masterfrom
spidershield-contrib:fix/cwe-208-timing-safe-comparison

Conversation

@spidershield-contrib

Summary

Fixes #575 — replaces timing-vulnerable === comparison with constant-time timingSafeEqual via SHA-256 digest.

Changes

  • Add safeEqual() helper using crypto.createHash + crypto.timingSafeEqual
  • Replace direct === in validateRequest() with constant-time comparison
  • No behavioral change for valid authentication flows

CWE Reference

  • CWE-208: Observable Timing Discrepancy
  • Uses stdlib only (crypto) — no new dependencies

Found by SpiderShield security scanner

Replace direct === comparison with crypto.timingSafeEqual via SHA-256
digest to prevent timing-based token extraction attacks.

- No behavioral change for valid authentication flows
- Uses stdlib only (crypto) — no new dependencies

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@spidershield-contrib (Author)

I have read the CLA Document and I hereby sign the CLA


Development

Successfully merging this pull request may close these issues.

Security: timing-vulnerable token comparison in AuthMiddleware (CWE-208)
