Merge pull request #850 from nyaruka/more-secret-comp

Use constant time comparison to check Meta webhook secret

Author: rowanseymour

handlers/facebook_legacy/handler.go

@@ -87,7 +87,7 @@ func (h *handler) receiveVerify(ctx context.Context, channel courier.Channel, w
 
 	// verify the token against our secret, if the same return the challenge FB sent us
 	secret := r.URL.Query().Get("hub.verify_token")
-	if secret != channel.StringConfigForKey(courier.ConfigSecret, "") {
+	if !utils.SecretEqual(secret, channel.StringConfigForKey(courier.ConfigSecret, "")) {
 		return nil, handlers.WriteAndLogRequestError(ctx, h, channel, w, r, fmt.Errorf("token does not match secret"))
 	}
 

handlers/jiochat/handler.go

@@ -19,6 +19,7 @@ import (
 	"github.com/gomodule/redigo/redis"
 	"github.com/nyaruka/courier"
 	"github.com/nyaruka/courier/handlers"
+	"github.com/nyaruka/courier/utils"
 	"github.com/nyaruka/gocommon/jsonx"
 	"github.com/nyaruka/gocommon/urns"
 )
@@ -87,7 +88,7 @@ func (h *handler) VerifyURL(ctx context.Context, channel courier.Channel, w http
 	ResponseText := "unknown request"
 	StatusCode := 400
 
-	if encoded == form.Signature {
+	if utils.SecretEqual(encoded, form.Signature) {
 		ResponseText = form.EchoStr
 		StatusCode = 200
 	}

handlers/meta/handlers.go

@@ -183,7 +183,7 @@ func (h *handler) receiveVerify(ctx context.Context, channel courier.Channel, w
 
 	// verify the token against our server facebook webhook secret, if the same return the challenge FB sent us
 	secret := r.URL.Query().Get("hub.verify_token")
-	if secret != h.Server().Config().FacebookWebhookSecret {
+	if !utils.SecretEqual(secret, h.Server().Config().FacebookWebhookSecret) {
 		return nil, handlers.WriteAndLogRequestError(ctx, h, channel, w, r, fmt.Errorf("token does not match secret"))
 	}
 	// and respond with the challenge token

handlers/slack/handler.go

@@ -52,8 +52,8 @@ func (h *handler) Initialize(s courier.Server) error {
 }
 
 func handleURLVerification(ctx context.Context, channel courier.Channel, w http.ResponseWriter, r *http.Request, payload *moPayload) ([]courier.Event, error) {
-	validationToken := channel.ConfigForKey(configValidationToken, "")
-	if validationToken != payload.Token {
+	validationToken := channel.StringConfigForKey(configValidationToken, "")
+	if !utils.SecretEqual(payload.Token, validationToken) {
 		w.WriteHeader(http.StatusForbidden)
 		return nil, fmt.Errorf("wrong validation token for channel: %s", channel.UUID())
 	}

handlers/vk/handler.go

@@ -17,6 +17,7 @@ import (
 	"github.com/buger/jsonparser"
 	"github.com/nyaruka/courier"
 	"github.com/nyaruka/courier/handlers"
+	"github.com/nyaruka/courier/utils"
 	"github.com/nyaruka/gocommon/httpx"
 	"github.com/nyaruka/gocommon/jsonx"
 	"github.com/nyaruka/gocommon/urns"
@@ -196,7 +197,7 @@ func (h *handler) receiveEvent(ctx context.Context, channel courier.Channel, w h
 	// check shared secret key before proceeding
 	secret := channel.StringConfigForKey(courier.ConfigSecret, "")
 
-	if payload.SecretKey != secret {
+	if !utils.SecretEqual(payload.SecretKey, secret) {
 		return nil, handlers.WriteAndLogRequestError(ctx, h, channel, w, r, errors.New("wrong secret key"))
 	}
 	// check event type and decode body to correspondent struct

handlers/wechat/handler.go

@@ -19,6 +19,7 @@ import (
 	"github.com/gomodule/redigo/redis"
 	"github.com/nyaruka/courier"
 	"github.com/nyaruka/courier/handlers"
+	"github.com/nyaruka/courier/utils"
 	"github.com/nyaruka/gocommon/urns"
 )
 
@@ -84,7 +85,7 @@ func (h *handler) VerifyURL(ctx context.Context, channel courier.Channel, w http
 	ResponseText := "unknown request"
 	StatusCode := 400
 
-	if encoded == form.Signature {
+	if utils.SecretEqual(encoded, form.Signature) {
 		ResponseText = form.EchoStr
 		StatusCode = 200
 	}